ispCP - Board - Support
Installation mod_security



RE: Installation mod_security - nex89 - 02-19-2010 12:28 AM

Hello,

It was apparently because I only had minimal.conf in the config directory, and that one does not block the request. I have now put all the modsecurity*.conf files into my config directory and restarted Apache.
Code:
-rw-r--r-- 1 root root   2133 18. Feb 15:18 modsecurity_35_bad_robots.data
-rw-r--r-- 1 root root    175 18. Feb 15:18 modsecurity_35_scanners.data
-rw-r--r-- 1 root root   2645 18. Feb 15:18 modsecurity_40_generic_attacks.data
-rw-r--r-- 1 root root   1328 18. Feb 15:18 modsecurity_41_sql_injection_attacks.data
-rw-r--r-- 1 root root    488 18. Feb 15:18 modsecurity_42_comment_spam.data
-rw-r--r-- 1 root root   6038 18. Feb 15:18 modsecurity_46_et_sql_injection.data
-rw-r--r-- 1 root root    917 18. Feb 15:18 modsecurity_46_et_web_rules.data
-rw-r--r-- 1 root root   2305 18. Feb 15:18 modsecurity_50_outbound.data
-rw-r--r-- 1 root root  56714 18. Feb 15:18 modsecurity_50_outbound_malware.data
-rw-r--r-- 1 root root  16786 18. Feb 15:17 modsecurity_crs_20_protocol_violations.conf
-rw-r--r-- 1 root root   7001 18. Feb 15:17 modsecurity_crs_21_protocol_anomalies.conf
-rw-r--r-- 1 root root   3509 18. Feb 15:17 modsecurity_crs_23_request_limits.conf
-rw-r--r-- 1 root root   6710 18. Feb 15:17 modsecurity_crs_30_http_policy.conf
-rw-r--r-- 1 root root   2884 18. Feb 15:17 modsecurity_crs_35_bad_robots.conf
-rw-r--r-- 1 root root 134391 18. Feb 15:17 modsecurity_crs_40_generic_attacks.conf
-rw-r--r-- 1 root root  11551 18. Feb 15:17 modsecurity_crs_41_phpids_converter.conf
-rw-r--r-- 1 root root  91728 18. Feb 15:17 modsecurity_crs_41_phpids_filters.conf
-rw-r--r-- 1 root root  74868 18. Feb 15:17 modsecurity_crs_41_sql_injection_attacks.conf
-rw-r--r-- 1 root root 113795 18. Feb 15:17 modsecurity_crs_41_xss_attacks.conf
-rw-r--r-- 1 root root   1467 18. Feb 15:17 modsecurity_crs_42_tight_security.conf
-rw-r--r-- 1 root root   3219 18. Feb 15:17 modsecurity_crs_45_trojans.conf
-rw-r--r-- 1 root root   1501 18. Feb 15:17 modsecurity_crs_47_common_exceptions.conf
-rw-r--r-- 1 root root   2763 18. Feb 15:17 modsecurity_crs_48_local_exceptions.conf
-rw-r--r-- 1 root root   1985 18. Feb 15:17 modsecurity_crs_49_enforcement.conf
-rw-r--r-- 1 root root   1187 18. Feb 15:17 modsecurity_crs_49_inbound_blocking.conf
-rw-r--r-- 1 root root  59859 18. Feb 15:17 modsecurity_crs_50_outbound.conf
-rw-r--r-- 1 root root   1278 18. Feb 15:17 modsecurity_crs_59_outbound_blocking.conf
-rw-r--r-- 1 root root   2553 18. Feb 15:17 modsecurity_crs_60_correlation.conf
-rw-r----- 1 root root   2512 18. Feb 15:21 modsecurity-minimal.conf

Now, for example, the request index.php?page=/etc/passwd violates several rules. I'm just wondering whether everything is really working when you look at the logs. Shouldn't it redirect the visitor to an error page or something? I mean, as a visitor, the request for index.php?page=/etc/passwd opens index.php perfectly normally.

Here is the modsec_audit.log:
Code:
--22d16a0d-A--
[18/Feb/2010:15:21:31 +0100] S31M61jGtk0AADs7DCwAAAAA 79.196.44.234 57725 88.198.182.77 80
--22d16a0d-B--
GET /index.php?page=/etc/passwd HTTP/1.1
Host: meine-seite.de
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; de-de) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de
Accept-Encoding: gzip, deflate
Connection: keep-alive

--22d16a0d-F--
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 567
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

--22d16a0d-E--

--22d16a0d-H--
Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/modsecurity2/modsecurity_crs_30_http_policy.conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
Message: Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/etc/modsecurity2/modsecurity_crs_30_http_policy.conf"] [line "77"] [id "960034"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [tag "POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"]
Message: Pattern match "\/etc\/" at ARGS:page. [file "/etc/modsecurity2/modsecurity_crs_40_generic_attacks.conf"] [line "220"] [id "958700"] [rev "2.0.5"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"]
Message: Pattern match "\/etc\/" at REQUEST_URI. [file "/etc/modsecurity2/modsecurity_crs_40_generic_attacks.conf"] [line "243"] [id "958710"] [rev "2.0.5"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"]
Message: Pattern match "(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))|(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)" at ARGS:page. [file "/etc/modsecurity2/modsecurity_crs_41_phpids_filters.conf"] [line "86"] [id "900011"] [msg "Detects specific directory and path traversal"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/DT"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
Message: Pattern match "(?:etc\/\W*passwd)" at ARGS:page. [file "/etc/modsecurity2/modsecurity_crs_41_phpids_filters.conf"] [line "131"] [id "900012"] [msg "Detects etc/passwd inclusion attempts"] [data "etc/passwd"] [severity "CRITICAL"] [tag "WEB_ATTACK/DT"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
Message: Operator GE matched 0 at TX:anomaly_score. [file "/etc/modsecurity2/modsecurity_crs_49_inbound_blocking.conf"] [line "18"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10, SQLi=, XSS=): 900012-Detects etc/passwd inclusion attempts"]
Message: Warning. Operator GE matched 0 at TX:inbound_anomaly_score. [file "/etc/modsecurity2/modsecurity_crs_60_correlation.conf"] [line "35"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10, SQLi=, XSS=): 900012-Detects etc/passwd inclusion attempts"]
Apache-Handler: fcgid-script
Stopwatch: 1266502891824070 26192 (853 7567 -)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).
Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g

--22d16a0d-Z--


Many thanks for your help!

------------- EDIT ---------------
The modsecurity_crs_10_config.conf was important after all; it also had to be in the folder where all the other configs are ;)

I have now loaded minimal.conf, modsecurity_crs_10_config.conf and all the basic rules. Now it works wonderfully, except that with ispcp there were errors in the audit log right away....
I then disabled modsecurity for ispcp in 00_master.conf, and after that it no longer wrote any errors to the audit log!

So everything should be fine now, right? I just have to check the audit log whenever I install something new, to see whether there are problems with other things too, right?

Many thanks to everyone for their help!
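A small audit-log checker, added here as an example (it is not from the post, from ispCP or from ModSecurity): it splits one serialised audit entry into its lettered sections, pulls out the matched rule ids, the inbound anomaly score and the response status, and flags exactly the situation in the log above, rules firing while the client still gets 200 OK, plus the "Operator GE matched 0" threshold that points at the missing modsecurity_crs_10_config.conf. The sample entry is a constructed, shortened copy of the log quoted in the post.

```python
import re

# Constructed sample: a shortened copy of the serialised audit entry quoted in the post.
SAMPLE_ENTRY = (
    "--22d16a0d-A--\n"
    "[18/Feb/2010:15:21:31 +0100] S31M61jGtk0AADs7DCwAAAAA 79.196.44.234 57725 88.198.182.77 80\n"
    "--22d16a0d-B--\n"
    "GET /index.php?page=/etc/passwd HTTP/1.1\nHost: meine-seite.de\n\n"
    "--22d16a0d-F--\n"
    "HTTP/1.1 200 OK\nContent-Type: text/html\n\n"
    "--22d16a0d-H--\n"
    'Message: Pattern match "\\/etc\\/" at ARGS:page. [file "/etc/modsecurity2/modsecurity_crs_40_generic_attacks.conf"] [line "220"] [id "958700"] [msg "Remote File Access Attempt"] [severity "CRITICAL"]\n'
    'Message: Pattern match "(?:etc\\/\\W*passwd)" at ARGS:page. [file "/etc/modsecurity2/modsecurity_crs_41_phpids_filters.conf"] [line "131"] [id "900012"] [msg "Detects etc/passwd inclusion attempts"] [severity "CRITICAL"]\n'
    'Message: Operator GE matched 0 at TX:anomaly_score. [file "/etc/modsecurity2/modsecurity_crs_49_inbound_blocking.conf"] [line "18"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10, SQLi=, XSS=): 900012-Detects etc/passwd inclusion attempts"]\n'
    "--22d16a0d-Z--\n"
)

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
SCORE_RE = re.compile(r"Total (?:Inbound )?Score: (\d+)")
THRESHOLD_RE = re.compile(r"Operator GE matched (\d+) at TX:anomaly_score")
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")

def split_sections(entry):
    """Map each lettered part (A, B, F, H, ...) of one audit entry to its body text."""
    parts = SECTION_RE.split(entry)  # [prefix, id, letter, body, id, letter, body, ...]
    return {parts[i + 1]: parts[i + 2].strip() for i in range(1, len(parts) - 2, 3)}

def analyse_entry(entry):
    """Summarise what the CRS matched and whether the request was actually stopped."""
    sec = split_sections(entry)
    h = sec.get("H", "")
    status_m = STATUS_RE.match(sec.get("F", ""))
    score_m = SCORE_RE.search(h)
    thr_m = THRESHOLD_RE.search(h)
    status = int(status_m.group(1)) if status_m else None
    score = int(score_m.group(1)) if score_m else 0
    threshold = int(thr_m.group(1)) if thr_m else None
    return {
        "request": sec.get("B", "").splitlines()[0] if sec.get("B") else "",
        "rule_ids": RULE_ID_RE.findall(h),
        "anomaly_score": score,
        "blocking_threshold": threshold,
        "status": status,
        # Rules fired and a score was summed, yet the client got a 2xx/3xx: detection without enforcement.
        "detected_not_blocked": score > 0 and status is not None and status < 400,
        # "matched 0" means tx.inbound_anomaly_score_level expanded to nothing, so the file setting it was not loaded.
        "threshold_unset": threshold == 0,
    }
```

Run it over each entry of a real modsec_audit.log (split on the `-Z--` marker) to spot requests that were scored but never denied.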