Current time: 11-23-2024, 06:10 AM Hello There, Guest! (LoginRegister)


Post Reply 
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Installation mod_security
Author Message
nex89 Offline
Junior Member
*

Posts: 30
Joined: Feb 2010
Reputation: 1
Post: #13
RE: Installation mod_security
Hallo,

bin nun weitergekommen. Habe die modsecurity_crs_10_config.conf gelöscht und stattdessen die modsecurity.conf-minimal in das Verzeichnis gepackt und in modsecurity-minimal.conf umbenannt.

Die sieht jetzt so aus:
Code:
server:/etc/modsecurity2# cat modsecurity-minimal.conf
# Basic configuration options
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecDataDir /etc/modsecurity2/logs

# PCRE Tuning
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# Handling of file uploads
# TODO Choose a folder private to Apache.
# SecUploadDir /opt/apache-frontend/tmp/
SecUploadKeepFiles Off
SecUploadFileLimit 10

# Debug log
SecDebugLog /etc/modsecurity2/logs/modsec_debug.log
SecDebugLogLevel 0

# Serial audit log
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHZ
SecAuditLogType Serial
SecAuditLog /etc/modsecurity2/logs/modsec_audit.log

# Maximum request body size we will
# accept for buffering
SecRequestBodyLimit 131072

# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072

# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyLimit 524288

# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"

# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

# Did we see anything that might be a boundary?
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_".  The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
        "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

server:/etc/modsecurity2#


Wenn ich nun auf meiner Homepage auf eine .php Datei mit ?page=/etc/passwd zugreife, sagt die Debug Log mit Loglevel 5 folgendes:
Code:
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Initialising transaction (txid S3wot1jGtk0AAEjUCqkAAAAA).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Adding request argument (QUERY_STRING): name "page", value "/etc/passwd"
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Transaction context created (dcfg 16b8708).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase REQUEST_HEADERS.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] PdfProtect: Not enabled here.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Second phase starting (dcfg 16b8708).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Input filter: This request does not have a body.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Time #1: 393
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase REQUEST_BODY.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Recipe: Invoking rule 17e0090; [file "/etc/modsecurity2/modsecurity-minimal.conf"] [line "45"].
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Rule 17e0090: SecRule "REQBODY_PROCESSOR_ERROR" "!@eq 0" "phase:2,auditlog,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Transformation completed in 1 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Executing operator "!eq" with param "0" against REQBODY_PROCESSOR_ERROR.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Operator completed in 9 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Rule returned 0.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Recipe: Invoking rule 17daac0; [file "/etc/modsecurity2/modsecurity-minimal.conf"] [line "64"].
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Rule 17daac0: SecRule "MULTIPART_STRICT_ERROR" "!@eq 0" "phase:2,auditlog,t:none,log,deny,msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_SEMICOLON_MISSING}, IQ %{MULTIPART_INVALID_QUOTING}, IH %{MULTIPART_INVALID_HEADER_FOLDING}, IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Transformation completed in 1 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Executing operator "!eq" with param "0" against MULTIPART_STRICT_ERROR.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Operator completed in 1 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Rule returned 0.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Recipe: Invoking rule 17e2708; [file "/etc/modsecurity2/modsecurity-minimal.conf"] [line "68"].
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Rule 17e2708: SecRule "MULTIPART_UNMATCHED_BOUNDARY" "!@eq 0" "phase:2,auditlog,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Transformation completed in 0 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Executing operator "!eq" with param "0" against MULTIPART_UNMATCHED_BOUNDARY.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Operator completed in 2 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Rule returned 0.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Recipe: Invoking rule 17e31b8; [file "/etc/modsecurity2/modsecurity-minimal.conf"] [line "76"].
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Rule 17e31b8: SecRule "TX:/^MSC_/" "!@streq 0" "phase:2,log,auditlog,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Rule returned 0.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Time #2: 629
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Hook insert_filter: Adding PDF XSS protection output filter (r 184d3f8).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Hook insert_filter: Adding output filter (r 184d3f8).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase RESPONSE_HEADERS.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Output filter: Response body buffering is not enabled.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Output filter: Completed receiving response body (non-buffering).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase RESPONSE_BODY.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Output filter: Output forwarding complete.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Initialising logging.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase LOGGING.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Audit log: Ignoring a non-relevant request.




Da frage ich mich nur:

0) Läuft es nun wirklich richtig? (Kann es garnicht glauben)
1) Warum fehlten die Einstellungen (SecDataDir, SecAuditLog, SecDebugLog in der modsecurity_crs_10_config.conf? In der minimal waren sie ja enthalten...
2) Warum gibt er dem möglichen Angreifer keinen Fehler aus oder leitet ihn auf eine Fehlerseite? Also bei dem Aufruf der php mit phpinfo.php?page=/etc/passwd ?
3) Reicht die minimal für die meisten Angriffe aus? Habe gehört die ganzen anderen .conf Dateien können schnell für Probleme sorgen..


Vielen Dank!
(This post was last modified: 02-18-2010 04:27 AM by nex89.)
02-18-2010 02:18 AM
Find all posts by this user Quote this message in a reply
Post Reply 


Messages In This Thread
Installation mod_security - nex89 - 02-17-2010, 02:44 AM
RE: Installation mod_security - ZooL - 02-17-2010, 02:59 AM
RE: Installation mod_security - nex89 - 02-17-2010, 03:06 AM
RE: Installation mod_security - menki - 02-17-2010, 03:55 AM
RE: Installation mod_security - ZooL - 02-17-2010, 05:20 AM
RE: Installation mod_security - nex89 - 02-17-2010, 06:07 AM
RE: Installation mod_security - gOOvER - 02-17-2010, 06:13 AM
RE: Installation mod_security - nex89 - 02-17-2010, 06:59 AM
RE: Installation mod_security - BeNe - 02-17-2010, 05:10 PM
RE: Installation mod_security - nex89 - 02-17-2010, 06:20 PM
RE: Installation mod_security - BeNe - 02-17-2010, 07:31 PM
RE: Installation mod_security - menki - 02-17-2010, 09:35 PM
RE: Installation mod_security - nex89 - 02-18-2010 02:18 AM
RE: Installation mod_security - menki - 02-18-2010, 05:18 AM
RE: Installation mod_security - ZooL - 02-18-2010, 05:38 AM
RE: Installation mod_security - nex89 - 02-18-2010, 06:28 AM
RE: Installation mod_security - tango - 02-18-2010, 07:07 AM
RE: Installation mod_security - nex89 - 02-18-2010, 08:01 AM
RE: Installation mod_security - tango - 02-18-2010, 05:15 PM
RE: Installation mod_security - nex89 - 02-18-2010, 06:41 PM
RE: Installation mod_security - nex89 - 02-19-2010, 12:28 AM

Forum Jump:


User(s) browsing this thread: 3 Guest(s)