Installing Apache 2.2.22 with ModSecurity (standard)

In this article I will show how to set up Apache 2.2.22 with the ModSecurity web application firewall.

ModSecurity is an intrusion detection and prevention engine for web applications. Running as an Apache module, it aims to raise the security of web applications by protecting them against known and unknown attacks.

Note: this howto uses ModSecurity's default rule set. Keep in mind that ideally you should enable only the rules your environment actually needs, since ModSecurity consumes a considerable amount of memory.

Lab environment used:

Red Hat EL 5.7 X64
Apache 2.2.22
modsecurity-2.6.7
modsecurity-crs_2.2.5

Prerequisites:

curl
curl-devel
libxml
libxml-devel
expat
expat-devel
pcre
pcre-devel
lua
lua-devel
lua-static

  1. Installing Apache.

    tar xzvf httpd-2.2.22.tar.gz
    ./configure --prefix=/app/apache/httpd-2.2.22 --with-mpm=worker --enable-so --enable-proxy --enable-proxy-connect --enable-proxy-ftp --enable-proxy-http --enable-headers --enable-rewrite --enable-status --enable-info --enable-deflate --enable-mem-cache --enable-cache --enable-ssl --with-ssl=/app/ssl/openssl/bin/ --with-pcre=/usr/bin/pcre-config --enable-unique-id --enable-mods-shared=all
    make
    make install

  2. Compiling ModSecurity

    tar xzvf modsecurity-apache_2.6.7.tar.gz
    ./configure --prefix=/app/modsecurity-2.6.7 --with-apxs=/app/apache/httpd-2.2.22/bin/apxs --with-apr=/app/apache/httpd-2.2.22/bin/apr-1-config --with-apu=/app/apache/httpd-2.2.22/bin/apu-1-config --with-lua --with-pcre=/usr/bin/pcre-config --with-curl=/usr/bin/curl-config
    make
    make install

Copying the module into Apache:

cp -prf /app/modsecurity-2.6.7/lib/mod_security2.so /app/apache/httpd-2.2.22/modules/

  3. Configuring modsecurity-crs:

Creating the modsecurity-crs directory structure:

tar xzvf modsecurity-crs_2.2.5.tar.gz
mkdir -p /app/apache/httpd-2.2.22/conf/modsecurity/crs
cp -prf /app/packages/modsecurity-crs_2.2.5/* /app/apache/httpd-2.2.22/conf/modsecurity/crs/

Creating the ACL whitelist:

touch /app/apache/httpd-2.2.22/conf/modsecurity/whitelist.conf

  4. Configuring ModSecurity:

    cp -prf /app/packages/modsecurity-apache_2.6.7/modsecurity.conf-recommended /app/apache/httpd-2.2.22/conf/modsecurity/modsecurity.conf
    cp -prf /app/apache/httpd-2.2.22/conf/modsecurity/crs/modsecurity_crs_10_setup.conf.example /app/apache/httpd-2.2.22/conf/modsecurity/crs/modsecurity_crs_10_setup.conf

Configuring the ACLs (rules):

cd /app/apache/httpd-2.2.22/conf/modsecurity/crs/
for f in base_rules/* ; do ln -s ../$f activated_rules/ ; done
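
Once the symlinks are in place it is worth knowing exactly which rules you have just activated, especially given the note above about enabling only what your environment needs. The script below is an added example and is not part of the original howto or of the CRS: it walks an activated_rules/ directory, follows the symlinks, extracts the id and msg of every SecRule/SecAction, and reports ids that appear in more than one file. The rule text it runs against in demo() is a constructed sample, not the real CRS 2.2.5 content.

```python
import re
import tempfile
from pathlib import Path

# id and msg actions inside a SecRule/SecAction action string.
# CRS 2.x writes them as id:'960035' and msg:'...'; an unquoted id:960035 is accepted too.
ID_RE = re.compile(r"\bid:'?(\d+)'?")
MSG_RE = re.compile(r"\bmsg:'([^']*)'")
DIRECTIVE_RE = re.compile(r"^[ \t]*Sec(?:Rule|Action)\b.*$", re.MULTILINE)


def rule_ids(text):
    """Return the (id, msg) pairs found in one rules file.

    Continuation lines (trailing backslash) are joined first so that a rule's
    id and msg always end up in the same logical directive. Commented-out
    directives are skipped because DIRECTIVE_RE anchors at the line start."""
    joined = re.sub(r"\\\n\s*", " ", text)
    rules = []
    for directive in DIRECTIVE_RE.finditer(joined):
        line = directive.group(0)
        m_id = ID_RE.search(line)
        if not m_id:
            continue  # rule without an id: nothing to inventory
        m_msg = MSG_RE.search(line)
        rules.append((m_id.group(1), m_msg.group(1) if m_msg else ""))
    return rules


def inventory(activated_dir):
    """Map every *.conf in activated_rules/ to its rule ids (symlinks are followed)."""
    return {conf.name: rule_ids(conf.read_text())
            for conf in sorted(Path(activated_dir).glob("*.conf"))}


def duplicate_ids(inv):
    """Ids defined in more than one activated file, with the files that define them."""
    seen = {}
    for fname, rules in inv.items():
        for rid, _ in rules:
            seen.setdefault(rid, set()).add(fname)
    return {rid: sorted(files) for rid, files in seen.items() if len(files) > 1}


def demo():
    """Build a constructed CRS-like tree in a temp dir, link it like the howto does, inventory it."""
    # Constructed sample rules: shape of CRS 2.x, not its real content.
    sample_policy = '''
# HTTP policy (constructed sample)
SecRule REQUEST_METHOD "!^(?:GET|HEAD|POST)$" \\
    "phase:2,t:none,block,msg:'Method is not allowed by policy',id:'960032',severity:'2'"
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \\
    "phase:2,t:none,block,msg:'URL file extension is restricted by policy',id:'960035',severity:'2'"
'''
    # A second constructed file that (wrongly) reuses id 960035.
    sample_local = '''
SecAction "phase:1,pass,nolog,id:'960035'"
'''
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "base_rules"
        act = Path(tmp) / "activated_rules"
        base.mkdir()
        act.mkdir()
        (base / "modsecurity_crs_30_http_policy.conf").write_text(sample_policy)
        (base / "modsecurity_crs_99_local.conf").write_text(sample_local)
        # Same step as the shell loop in the howto: one relative symlink per file.
        for f in base.iterdir():
            (act / f.name).symlink_to(Path("..") / "base_rules" / f.name)
        inv = inventory(act)
        return inv, duplicate_ids(inv)


if __name__ == "__main__":
    inv, dups = demo()
    for fname, rules in inv.items():
        print(f"{fname}: {len(rules)} rule(s)")
        for rid, msg in rules:
            print(f"  {rid}  {msg}")
    print("duplicate ids:", dups)
```

Point inventory() at the real /app/apache/httpd-2.2.22/conf/modsecurity/crs/activated_rules directory to get the same report for your installation.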

Creating the file to be loaded by Apache:

touch /app/apache/httpd-2.2.22/conf/modsecurity/modsecurity.load

Insert the following content:

# Load the modules and libraries ModSecurity needs to run
LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua-5.1.so
LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
Include conf/modsecurity/modsecurity.conf
Include conf/modsecurity/whitelist.conf
Include conf/modsecurity/crs/modsecurity_crs_10_setup.conf
Include conf/modsecurity/crs/activated_rules/*.conf
</IfModule>

Insert the following entries in httpd.conf:

# Include modsecurity
Include conf/modsecurity/modsecurity.load

Configuring the file /app/apache/httpd-2.2.22/conf/modsecurity/modsecurity.conf:

Change the parameters below:

FROM:

SecRuleEngine DetectionOnly

TO:

SecRuleEngine On

FROM:

SecAuditLog /var/log/modsec_audit.log

TO:

SecAuditLog /logs/apache/modsecurity/modsec_audit.log

  5. Testing / Starting Apache.

    apachectl -t
    apachectl start

Logs:

[Fri Aug 24 15:49:03 2012] [notice] ModSecurity for Apache/2.6.7 (http://www.modsecurity.org/) configured.
[Fri Aug 24 15:49:03 2012] [notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
[Fri Aug 24 15:49:03 2012] [notice] ModSecurity: PCRE compiled version="6.6 "; loaded version="6.6 06-Feb-2006"
[Fri Aug 24 15:49:03 2012] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Fri Aug 24 15:49:03 2012] [notice] ModSecurity: LIBXML compiled version="2.6.26"

  6. How to run a test:

Create a file named teste.cfg in the vhost's htdocs:

Content of teste.cfg:

<p>TESTE</p>

Open http://site/teste.cfg in a browser; something like this should appear:

Forbidden
You don’t have permission to access /teste.cfg on this server.

Analyzing the logs:

more /logs/apache/modsecurity/modsec_audit.log

Message: Access denied with code 403 (phase 2). String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/app/apache/httpd-2.2.22/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "88"] [id "960035"] [msg "URL file extension is restricted by policy"] [data ".cfg"] [severity "CRITICAL"] [tag "POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Action: Intercepted (phase 2)
Stopwatch: 1345833422962130 1764 (- - -)
Stopwatch2: 1345833422962130 1764; combined=832, p1=412, p2=365, p3=0, p4=0, p5=55, sr=106, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.

Server: Apache

As we can see, it worked! The *.cfg extension is blocked according to the ACL described above.
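
Reading modsec_audit.log with more is fine for a single test, but in production you will want the Message lines turned into fields you can count and alert on. The parser below is an added example, not code from the howto or from ModSecurity: it splits each "Message:" line of an audit entry's trailer into its free text and its [key "value"] fields (collecting the repeated [tag "..."] fields into a list), ties an "Action: Intercepted" line to the rule that fired right before it, and summarizes hits per rule id and severity. The sample lines are constructed: the first Message/Action pair is the one shown above (extension list shortened), the second Message line is an invented warning whose id, file name and pattern are placeholders rather than real CRS values.

```python
import re
from collections import Counter

# Constructed sample of the trailer section of ModSecurity 2.x audit log entries.
# First Message/Action pair: the entry quoted in the howto (extension list shortened).
# Second Message line: constructed warning; id 999999 and its file/pattern are placeholders.
SAMPLE_AUDIT_LINES = [
    'Message: Access denied with code 403 (phase 2). String match within ".asa/ .asax/ .cfg/ .conf/" at TX:extension. '
    '[file "/app/apache/httpd-2.2.22/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] '
    '[line "88"] [id "960035"] [msg "URL file extension is restricted by policy"] [data ".cfg"] '
    '[severity "CRITICAL"] [tag "POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]',
    'Action: Intercepted (phase 2)',
    'Stopwatch: 1345833422962130 1764 (- - -)',
    'Producer: ModSecurity for Apache/2.6.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.',
    'Server: Apache',
    'Message: Warning. Pattern match "(?i:example)" at ARGS:q. '
    '[file "/app/apache/httpd-2.2.22/conf/modsecurity/crs/activated_rules/modsecurity_crs_99_constructed_sample.conf"] '
    '[line "1"] [id "999999"] [msg "Constructed sample warning"] [severity "WARNING"] [tag "CONSTRUCTED/SAMPLE"]',
]

# One [key "value"] field; the value may contain backslash-escaped quotes.
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Free text runs up to the first [key " field; everything after that is fields.
MESSAGE_RE = re.compile(r'^Message:\s*(.*?)\s*(\[\w+ ".*)$')
ACTION_RE = re.compile(r'^Action:\s*(\w+)\s*\(phase (\d)\)')


def parse_message(line):
    """Split one 'Message:' line into free text plus a dict of its fields.

    Returns None for any other line. Repeated [tag "..."] fields become the
    'tags' list; every other key (file, line, id, msg, data, severity, ...) is
    stored once under its own name."""
    m = MESSAGE_RE.match(line)
    if not m:
        return None
    text, fields = m.groups()
    event = {"text": text, "tags": [], "intercepted": False}
    for key, value in KV_RE.findall(fields):
        if key == "tag":
            event["tags"].append(value)
        else:
            event[key] = value
    return event


def parse_entries(lines):
    """Turn the lines of one or more audit entries into a list of rule events.

    ModSecurity writes the Message lines of an entry and then, if the request
    was blocked, 'Action: Intercepted (phase N)'; the intercepting rule is the
    last Message before that line, so only that event is marked as blocking."""
    events = []
    for line in lines:
        ev = parse_message(line)
        if ev is not None:
            events.append(ev)
            continue
        a = ACTION_RE.match(line)
        if a and events and a.group(1) == "Intercepted":
            events[-1]["intercepted"] = True
            events[-1]["phase"] = a.group(2)
    return events


def summarize(events):
    """Counts an analyst pivots on: hits per rule id, per severity, and how many blocked."""
    return {
        "by_id": Counter(ev.get("id", "?") for ev in events),
        "by_severity": Counter(ev.get("severity", "?") for ev in events),
        "blocked": sum(1 for ev in events if ev["intercepted"]),
    }


if __name__ == "__main__":
    evs = parse_entries(SAMPLE_AUDIT_LINES)
    for ev in evs:
        state = "BLOCKED" if ev["intercepted"] else "logged"
        print(f'{ev.get("id")}  {ev.get("severity")}  {ev.get("msg")}  [{state}]')
    print(summarize(evs))
```

Feed it the real file with parse_entries(open("/logs/apache/modsecurity/modsec_audit.log")) and the by_id counter tells you which CRS rules are firing most, which is the starting point for deciding what belongs in whitelist.conf.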
