「ModSecurity」の版間の差分

提供: セキュリティ
移動: 案内検索
 
(同じ利用者による、間の6版が非表示)
行1: 行1:
<!--
+
[[ModSecurity]] は、[[オープンソース]]の[[Webアプリケーションファイアウォール]] (WAF) です。[[Apache HTTP Server]] のモジュールとして動作します。
vim: filetype=mediawiki
+
-->
+
  
読み方
+
'''読み方'''
 
;[[ModSecurity]]: もど せきゅりてぃ
 
;[[ModSecurity]]: もど せきゅりてぃ
 
__TOC__
 
__TOC__
  
 
== 概要 ==
 
== 概要 ==
 
+
[[ModSecurity]] は、[[オープンソース]]の[[Webアプリケーションファイアウォール]] (WAF) です。[[Apache HTTP Server]] のモジュールとして動作します。
[[ModSecurity]] は、[[オープンソース]]の[[Webアプリケーションファイアウォール]] (WAF) です。
+
[[Apache HTTP Server]] のモジュールとして動作します。
+
  
 
リクエストヘッダやパラメータ、表示するコンテンツなどから攻撃や[[脆弱性]]を検知します。セキュリティフィルタが提供され、[[Lua]]で独自のフィルタを作成できます。
 
リクエストヘッダやパラメータ、表示するコンテンツなどから攻撃や[[脆弱性]]を検知します。セキュリティフィルタが提供され、[[Lua]]で独自のフィルタを作成できます。
行17: 行13:
  
 
[[OWASP]] は、GPLv2で [[ModSecurity]] のルール(シグネチャ)を提供しています。
 
[[OWASP]] は、GPLv2で [[ModSecurity]] のルール(シグネチャ)を提供しています。
 
 
 
== インストール ==
 
== インストール ==
 
 
{{ports|/usr/ports/www/mod_security|mod_security}}
 
{{ports|/usr/ports/www/mod_security|mod_security}}
 
+
{{yum|mod_security}}
 +
{{apt|libapache2-mod-security}}
 
== インストールされたファイル ==
 
== インストールされたファイル ==
 
 
[[FreeBSD]] の場合。
 
[[FreeBSD]] の場合。
 
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
% pkg_info -L ap22-mod_security-2.6.6_1
 
% pkg_info -L ap22-mod_security-2.6.6_1
行51: 行43:
 
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/index_003.css
 
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/index_003.css
 
</syntaxhighlight>
 
</syntaxhighlight>
 
 
== 設定 ==
 
== 設定 ==
 
 
* [[modsecurity.conf]]
 
* [[modsecurity.conf]]
 
+
<syntaxhighlight lang="bash">
 +
sudo cp /usr/local/etc/modsecurity.conf-example /usr/local/etc/apache24/Includes/modsecurity.conf
 +
</syntaxhighlight>
 +
== ルールのダウンロード ==
 +
* [[rules-updater.pl]]
 +
== ルールの配置 ==
 +
<syntaxhighlight lang="bash">
 +
sudo mkdir /usr/local/etc/apache24/Includes/modsecurity-crs
 +
sudo cp ./modsecurity_crs_10_setup.conf.example /usr/local/etc/apache24/Includes/modsecurity/modsecurity_crs_10_setup.conf
 +
sudo cp -r base_rules /usr/local/etc/apache24/Includes/modsecurity-crs/
 +
</syntaxhighlight>
 +
== 設定 ==
 +
<syntaxhighlight lang="apache">
 +
LoadModule security2_module libexec/apache24/mod_security2.so
 +
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
 +
<IfModule security2_module>
 +
      Include /usr/local/etc/apache24/Includes/modsecurity-crs/*.conf
 +
      Include /usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/*.conf
 +
</IfModule>
 +
</syntaxhighlight>
 
== 使い方 ==
 
== 使い方 ==
 +
[[ModSecurity]] は、攻撃の検出モード(ディテクションモード) と 実際に攻撃をブロックするモードがあります。
 +
 +
検出モードの設定は、以下の通りです。
 +
<syntaxhighlight lang="apache">
 +
SecRuleEngine DetectionOnly
 +
</syntaxhighlight>
 +
 +
実際に攻撃と判定したアクセスをブロックする場合は、以下の設定をします。
 +
[[Apache]] は、[[HTTPステータスコード]] 403 を返します。
 +
<syntaxhighlight lang="apache">
 +
SecRuleEngine on
 +
</syntaxhighlight>
 +
== 検証 ==
 +
=== ディテクションモードとブロックモード ===
 +
ディテクションモード (SecRuleEngine Detectiononly) の場合は、ブロックせずに動作します。
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 +
% curl -I "http://localhost/?union+select"
 +
HTTP/1.1 200 OK
 +
Date: Sat, 26 Oct 2013 05:00:29 GMT
 +
Server: Apache/2.4.6 (FreeBSD) PHP/5.4.19
 +
Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
 +
ETag: "2d-432a5e4a73a80"
 +
Accept-Ranges: bytes
 +
Content-Length: 45
 +
Content-Type: text/html
 
</syntaxhighlight>
 
</syntaxhighlight>
  
== 関連項目 ==
+
ブロックモードでは、[[HTTPステータスコード]] 403 が返されます。
 +
<syntaxhighlight lang="bash">
 +
% curl -I "http://localhost/?union+select"
 +
HTTP/1.1 403 Forbidden
 +
Date: Sat, 26 Oct 2013 05:01:26 GMT
 +
Server: Apache/2.4.6 (FreeBSD) PHP/5.4.19
 +
Content-Type: text/html; charset=iso-8859-1
 +
</syntaxhighlight>
  
 +
=== XSS ===
 +
[[XSS]] のリクエストを送信するテストです。
 +
<syntaxhighlight lang="bash">
 +
curl 'http://localhost/<script>alert(0)</script>'
 +
</syntaxhighlight>
 +
[[Apache]] のエラーログに出力された警告です。
 +
<syntaxhighlight lang="bash"> [Sat Oct 26 13:35:59.082899 2013] [:error] [pid
 +
5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match
 +
"(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?
 +
([\\\\d\\\\w]+)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?
 +
(?:=|<=>|r?like|sounds\\\\s+like|regexp)
 +
([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?\\\\2|
 +
([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\
 +
..." at REQUEST_FILENAME. [file
 +
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
 +
[line "77"] [id "950901"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data
 +
"script>alert"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag
 +
"WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag
 +
"PCI/6.5.2"] [hostname "localhost"] [uri "/<script>alert(0)</script>"]
 +
[unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct 26 13:35:59.083765 2013]
 +
[:error] [pid 5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match
 +
"\\\\balert\\\\b\\\\W*?\\\\(" at REQUEST_FILENAME. [file
 +
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
 +
[line "148"] [id "958052"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS)
 +
Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
 +
"WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag
 +
"OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "localhost"] [uri
 +
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
 +
26 13:35:59.084020 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
 +
Warning. Pattern match "\\\\< ?script\\\\b" at REQUEST_FILENAME. [file
 +
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
 +
[line "196"] [id "958051"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS)
 +
Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
 +
"WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag
 +
"OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "localhost"] [uri
 +
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
 +
26 13:35:59.085223 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
 +
Warning. Pattern match "\\\\balert\\\\b\\\\W*?\\\\(" at REQUEST_URI. [file
 +
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
 +
[line "393"] [id "958120"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS)
 +
Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
 +
"WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag
 +
"OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "localhost"] [uri
 +
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
 +
26 13:35:59.086008 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
 +
Warning. Pattern match "\\\\< ?script\\\\b" at REQUEST_URI. [file
 +
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
 +
[line "457"] [id "958119"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS)
 +
Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
 +
"WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag
 +
"OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "localhost"] [uri
 +
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
 +
26 13:35:59.086399 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
 +
Warning. Pattern match
 +
"<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|
 +
blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|
 +
comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h..."
 +
at REQUEST_FILENAME. [file
 +
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
 +
[line "556"] [id "973300"] [rev "2.2.5"] [msg "Possible XSS Attack Detected -
 +
HTML Tag Handler"] [data "<script>"] [hostname "localhost"] [uri
 +
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
 +
26 13:35:59.086563 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
 +
Warning. Pattern match "(fromcharcode|alert|eval)\\\\s*\\\\(" at
 +
REQUEST_FILENAME. [file
 +
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
 +
[line "646"] [id "973307"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data
 +
"alert("] [hostname "localhost"] [uri "/<script>alert(0)</script>"] [unique_id
 +
"UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct 26 13:35:59.086782 2013] [:error] [pid
 +
5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:<script.*?>)"
 +
at REQUEST_FILENAME. [file
 +
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
 +
[line "757"] [id "973331"] [rev "2.2.5"] [msg "IE XSS Filters - Attack
 +
Detected"] [data "<script>"] [hostname "localhost"] [uri
 +
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
 +
26 13:35:59.087833 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
 +
Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file
 +
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"]
 +
[line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound
 +
Score: 40, SQLi=5, XSS=35): IE XSS Filters - Attack Detected"] [hostname
 +
"localhost"] [uri "/<script>alert(0)</script>"] [unique_id
 +
"UmtGr8CoAMoAABdDeHoAAAAE"]
 +
</syntaxhighlight>
 +
 +
[[XSS]] の攻撃であると認識されました。
 +
<blockquote>
 +
Inbound Anomaly Score Exceeded (Total Inbound Score: 40, SQLi=5, XSS=35): IE XSS Filters - Attack Detected
 +
</blockquote>
 +
=== SQL Injection ===
 +
[[SQL Injection]] を試すときによくありそうなリクエストを送信するテストです。
 +
<syntaxhighlight lang="bash">
 +
curl "http://localhost/?id=' or 1=1"
 +
</syntaxhighlight>
 +
 +
[[Apache]] のエラーログに出力された警告です。
 +
<syntaxhighlight lang="bash">
 +
[Sat Oct 26 13:46:34.340644 2013] [:error] [pid 5954] [client 127.0.0.1]
 +
ModSecurity: Warning. Match of "rx
 +
^(?:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect
 +
(?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options
 +
\\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$"
 +
against "REQUEST_LINE" required. [file
 +
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_20_protocol_violations.conf"]
 +
[line "37"] [id "960911"] [rev "2.2.5"] [msg "Invalid HTTP Request Line"] [data
 +
"GET /?id=' or 1=1 HTTP/1.1"] [severity "WARNING"] [tag
 +
"https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911"] [tag
 +
"http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"] [tag
 +
"RULE_MATURITY/8"] [tag "RULE_ACCURACY/8"] [hostname "localhost"] [uri "/"]
 +
[unique_id "UmtJKsCoAMoAABdCwPkAAAAD"] [Sat Oct 26 13:46:34.341882 2013]
 +
[:error] [pid 5954] [client 127.0.0.1] ModSecurity: Warning. Match of "within
 +
%{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file
 +
%"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf"]
 +
%[line "78"] [id "960034"] [msg "HTTP protocol version is not allowed by
 +
%policy"] [data "or 1=1 HTTP/1.1"] [severity "CRITICAL"] [tag
 +
%"POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"]
 +
%[tag "PCI/6.5.10"] [hostname "localhost"] [uri "/"] [unique_id
 +
%"UmtJKsCoAMoAABdCwPkAAAAD"] [Sat Oct 26 13:46:34.342780 2013] [:error] [pid
 +
%5954] [client 127.0.0.1] ModSecurity: Warning. Pattern match
 +
%"(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)"
 +
%at ARGS:id. [file
 +
%"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
 +
%[line "64"] [id "981318"] [rev "2.2.5"] [msg "SQL Injection Attack: Common
 +
%Injection Testing Detected"] [data "'"] [severity "CRITICAL"] [tag
 +
%"WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"]
 +
%[tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri
 +
%"/"] [unique_id "UmtJKsCoAMoAABdCwPkAAAAD"] [Sat Oct 26 13:46:34.343310 2013]
 +
%[:error] [pid 5954] [client 127.0.0.1] ModSecurity: Warning. Pattern match
 +
%"(?i:(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?
 +
(x?or|div|like|between|and)\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]?\\\\d)|
 +
(?:\\\\\\\\x(?:23|27|3d))|(?:^.?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]$)|(?:
 +
(?:^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\\\\\]*?(?:[\\\\
 +
%..." at ARGS:id. [file
 +
%"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
 +
%[line "249"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"]
 +
%[data "'"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname
 +
%"localhost"] [uri "/"] [unique_id "UmtJKsCoAMoAABdCwPkAAAAD"] [Sat Oct 26
 +
%13:46:34.346968 2013] [:error] [pid 5954] [client 127.0.0.1] ModSecurity:
 +
%Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file
 +
%"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"]
 +
%[line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound
 +
%Score: 15, SQLi=6, XSS=): 981242-Detects classic SQL injection probings 1/2"]
 +
%[hostname "localhost"] [uri "/index.html"] [unique_id
 +
%"UmtJKsCoAMoAABdCwPkAAAAD"]
 +
</syntaxhighlight>
 +
 +
[[SQL Injection]] と判定されています。
 +
<blockquote>
 +
Inbound Anomaly Score Exceeded (Total Inbound Score: 15, SQLi=6, XSS=): 981242-Detects classic SQL injection probings 1/2
 +
</blockquote>
 +
== エラー ==
 +
=== ModSecurity requires mod_unique_id to be installed ===
 +
[[ModSecurity]] は、 mod_unique_id.so が必要です。
 +
<syntaxhighlight lang="bash">
 +
ModSecurity: ModSecurity requires mod_unique_id to be installed
 +
</syntaxhighlight>
 +
 +
[[Apache]] の設定ファイルで mod_unique_id.so を LoadModule します。
 +
<syntaxhighlight lang="bash">
 +
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
 +
</syntaxhighlight>
 +
== ログファイル ==
 +
SecAuditLog でログファイルを指定します。
 +
<syntaxhighlight lang="apache">
 +
SecAuditLog /var/log/modsec_audit.log
 +
</syntaxhighlight>
 +
 +
[[FreeBSD]] では、/var/log/modsec_audit.log がデフォルトです。
 +
== 関連項目 ==
 +
* OWASP ModSecurity Core Rule Set
 +
* [[rules-updater.pl]]
 
* [[Webアプリケーションファイアウォール]]
 
* [[Webアプリケーションファイアウォール]]
 
* http://www.modsecurity.org/
 
* http://www.modsecurity.org/
* [[rules-updater.pl]]
 
 
* https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
 
* https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
* [[iLogScanner]]
+
* iLogScanner
 +
* [[Apache HTTP Server]]
 +
<!-- vim: filetype=mediawiki
 +
-->

2016年1月23日 (土) 14:57時点における最新版

ModSecurity は、オープンソースWebアプリケーションファイアウォール (WAF) です。Apache HTTP Server のモジュールとして動作します。

読み方

ModSecurity
もど せきゅりてぃ

概要

ModSecurity は、オープンソースWebアプリケーションファイアウォール (WAF) です。Apache HTTP Server のモジュールとして動作します。

リクエストヘッダやパラメータ、表示するコンテンツなどから攻撃や脆弱性を検知します。セキュリティフィルタが提供され、Luaで独自のフィルタを作成できます。

TrustWave社がGPLv2 とコマーシャルライセンスのデュアルライセンスで提供しています。

OWASP は、GPLv2で ModSecurity のルール(シグネチャ)を提供しています。

インストール

FreeBSDにインストールする場合

ports コレクションからインストールする場合

cd /usr/ports/www/mod_security
sudo make install clean

pkgコマンドでインストールする場合

sudo pkg install mod_security

portmasterコマンドでインストールする場合

sudo portmaster -y -d /usr/ports/www/mod_security

portinstallコマンドでインストールする場合

sudo portinstall /usr/ports/www/mod_security

CentOSにインストールする場合

CentOSyum コマンドでインストールする場合。

sudo yum -y  install mod_security

Ubuntu/Debianにインストールする場合

apt-get コマンドでインストールする場合です。

sudo apt-get install libapache2-mod-security

インストールされたファイル

FreeBSD の場合。

% pkg_info -L ap22-mod_security-2.6.6_1
Information for ap22-mod_security-2.6.6_1:
 
Files:
/usr/local/etc/modsecurity.conf-example
/usr/local/libexec/apache22/mod_security2.so
/usr/local/bin/rules-updater.pl
/usr/local/lib/mod_security2.so
/usr/local/share/licenses/ap22-mod_security-2.6.6_1/catalog.mk
/usr/local/share/licenses/ap22-mod_security-2.6.6_1/LICENSE
/usr/local/share/licenses/ap22-mod_security-2.6.6_1/AL2
/usr/local/share/doc/mod_security2/doc/Reference_Manual.html
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/index.css
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/commonPrint.css
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/index.php
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/poweredby_mediawiki_88x31.png
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/600px-Apache_request_cycle-modsecurity.jpg
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/ajax.js
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/wikibits.js
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/index_004.css
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/index_002.css
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/index_003.css

設定

sudo cp /usr/local/etc/modsecurity.conf-example /usr/local/etc/apache24/Includes/modsecurity.conf

ルールのダウンロード

ルールの配置

sudo mkdir /usr/local/etc/apache24/Includes/modsecurity-crs
sudo cp ./modsecurity_crs_10_setup.conf.example /usr/local/etc/apache24/Includes/modsecurity/modsecurity_crs_10_setup.conf
sudo cp -r base_rules /usr/local/etc/apache24/Includes/modsecurity-crs/

設定

LoadModule security2_module libexec/apache24/mod_security2.so
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
<IfModule security2_module>
       Include /usr/local/etc/apache24/Includes/modsecurity-crs/*.conf
       Include /usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/*.conf
</IfModule>

使い方

ModSecurity は、攻撃の検出モード(ディテクションモード) と 実際に攻撃をブロックするモードがあります。

検出モードの設定は、以下の通りです。

SecRuleEngine DetectionOnly

実際に攻撃と判定したアクセスをブロックする場合は、以下の設定をします。 Apache は、HTTPステータスコード 403 を返します。

SecRuleEngine on

検証

ディテクションモードとブロックモード

ディテクションモード (SecRuleEngine Detectiononly) の場合は、ブロックせずに動作します。

% curl -I "http://localhost/?union+select"
HTTP/1.1 200 OK
Date: Sat, 26 Oct 2013 05:00:29 GMT
Server: Apache/2.4.6 (FreeBSD) PHP/5.4.19
Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
ETag: "2d-432a5e4a73a80"
Accept-Ranges: bytes
Content-Length: 45
Content-Type: text/html

ブロックモードでは、HTTPステータスコード 403 が返されます。

% curl -I "http://localhost/?union+select"
HTTP/1.1 403 Forbidden
Date: Sat, 26 Oct 2013 05:01:26 GMT
Server: Apache/2.4.6 (FreeBSD) PHP/5.4.19
Content-Type: text/html; charset=iso-8859-1

XSS

XSS のリクエストを送信するテストです。

curl 'http://localhost/<script>alert(0)</script>'

Apache のエラーログに出力された警告です。

 [Sat Oct 26 13:35:59.082899 2013] [:error] [pid
5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match
"(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?
([\\\\d\\\\w]+)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?
(?:=|<=>|r?like|sounds\\\\s+like|regexp)
([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?\\\\2|
([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\
..." at REQUEST_FILENAME. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "77"] [id "950901"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data
"script>alert"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag
"WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag
"PCI/6.5.2"] [hostname "localhost"] [uri "/<script>alert(0)</script>"]
[unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct 26 13:35:59.083765 2013]
[:error] [pid 5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match
"\\\\balert\\\\b\\\\W*?\\\\(" at REQUEST_FILENAME. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
[line "148"] [id "958052"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS)
Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
"WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag
"OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "localhost"] [uri
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
26 13:35:59.084020 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
Warning. Pattern match "\\\\< ?script\\\\b" at REQUEST_FILENAME. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
[line "196"] [id "958051"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS)
Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
"WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag
"OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "localhost"] [uri
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
26 13:35:59.085223 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
Warning. Pattern match "\\\\balert\\\\b\\\\W*?\\\\(" at REQUEST_URI. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
[line "393"] [id "958120"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS)
Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
"WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag
"OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "localhost"] [uri
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
26 13:35:59.086008 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
Warning. Pattern match "\\\\< ?script\\\\b" at REQUEST_URI. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
[line "457"] [id "958119"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS)
Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
"WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag
"OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "localhost"] [uri
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
26 13:35:59.086399 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
Warning. Pattern match
"<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|
blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|
comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h..."
at REQUEST_FILENAME. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
[line "556"] [id "973300"] [rev "2.2.5"] [msg "Possible XSS Attack Detected -
HTML Tag Handler"] [data "<script>"] [hostname "localhost"] [uri
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
26 13:35:59.086563 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
Warning. Pattern match "(fromcharcode|alert|eval)\\\\s*\\\\(" at
REQUEST_FILENAME. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
[line "646"] [id "973307"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data
"alert("] [hostname "localhost"] [uri "/<script>alert(0)</script>"] [unique_id
"UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct 26 13:35:59.086782 2013] [:error] [pid
5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:<script.*?>)"
at REQUEST_FILENAME. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
[line "757"] [id "973331"] [rev "2.2.5"] [msg "IE XSS Filters - Attack
Detected"] [data "<script>"] [hostname "localhost"] [uri
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
26 13:35:59.087833 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"]
[line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound
Score: 40, SQLi=5, XSS=35): IE XSS Filters - Attack Detected"] [hostname
"localhost"] [uri "/<script>alert(0)</script>"] [unique_id
"UmtGr8CoAMoAABdDeHoAAAAE"]

XSS の攻撃であると認識されました。

Inbound Anomaly Score Exceeded (Total Inbound Score: 40, SQLi=5, XSS=35): IE XSS Filters - Attack Detected

SQL Injection

SQL Injection を試すときによくありそうなリクエストを送信するテストです。

curl "http://localhost/?id=' or 1=1"

Apache のエラーログに出力された警告です。

[Sat Oct 26 13:46:34.340644 2013] [:error] [pid 5954] [client 127.0.0.1]
ModSecurity: Warning. Match of "rx
^(?:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect
(?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options
\\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$"
against "REQUEST_LINE" required. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_20_protocol_violations.conf"]
[line "37"] [id "960911"] [rev "2.2.5"] [msg "Invalid HTTP Request Line"] [data
"GET /?id=' or 1=1 HTTP/1.1"] [severity "WARNING"] [tag
"https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911"] [tag
"http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"] [tag
"RULE_MATURITY/8"] [tag "RULE_ACCURACY/8"] [hostname "localhost"] [uri "/"]
[unique_id "UmtJKsCoAMoAABdCwPkAAAAD"] [Sat Oct 26 13:46:34.341882 2013]
[:error] [pid 5954] [client 127.0.0.1] ModSecurity: Warning. Match of "within
%{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file
%"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf"]
%[line "78"] [id "960034"] [msg "HTTP protocol version is not allowed by
%policy"] [data "or 1=1 HTTP/1.1"] [severity "CRITICAL"] [tag
%"POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"]
%[tag "PCI/6.5.10"] [hostname "localhost"] [uri "/"] [unique_id
%"UmtJKsCoAMoAABdCwPkAAAAD"] [Sat Oct 26 13:46:34.342780 2013] [:error] [pid
%5954] [client 127.0.0.1] ModSecurity: Warning. Pattern match
%"(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)"
%at ARGS:id. [file
%"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
%[line "64"] [id "981318"] [rev "2.2.5"] [msg "SQL Injection Attack: Common
%Injection Testing Detected"] [data "'"] [severity "CRITICAL"] [tag
%"WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"]
%[tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri
%"/"] [unique_id "UmtJKsCoAMoAABdCwPkAAAAD"] [Sat Oct 26 13:46:34.343310 2013]
%[:error] [pid 5954] [client 127.0.0.1] ModSecurity: Warning. Pattern match
%"(?i:(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?
(x?or|div|like|between|and)\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]?\\\\d)|
(?:\\\\\\\\x(?:23|27|3d))|(?:^.?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]$)|(?:
(?:^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\\\\\]*?(?:[\\\\
%..." at ARGS:id. [file
%"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
%[line "249"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"]
%[data "'"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname
%"localhost"] [uri "/"] [unique_id "UmtJKsCoAMoAABdCwPkAAAAD"] [Sat Oct 26
%13:46:34.346968 2013] [:error] [pid 5954] [client 127.0.0.1] ModSecurity:
%Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file
%"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"]
%[line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound
%Score: 15, SQLi=6, XSS=): 981242-Detects classic SQL injection probings 1/2"]
%[hostname "localhost"] [uri "/index.html"] [unique_id
%"UmtJKsCoAMoAABdCwPkAAAAD"]

SQL Injection と判定されています。

Inbound Anomaly Score Exceeded (Total Inbound Score: 15, SQLi=6, XSS=): 981242-Detects classic SQL injection probings 1/2

エラー

ModSecurity requires mod_unique_id to be installed

ModSecurity は、 mod_unique_id.so が必要です。

ModSecurity: ModSecurity requires mod_unique_id to be installed

Apache の設定ファイルで mod_unique_id.so を LoadModule します。

LoadModule unique_id_module libexec/apache24/mod_unique_id.so

ログファイル

SecAuditLog でログファイルを指定します。

SecAuditLog /var/log/modsec_audit.log

FreeBSD では、/var/log/modsec_audit.log がデフォルトです。

関連項目