Threaded Mode | Linear Mode

nex89 · 02-18-2010 02:18 AM

Hallo,

bin nun weitergekommen. Habe die modsecurity_crs_10_config.conf gelöscht und stattdessen die modsecurity.conf-minimal in das Verzeichnis gepackt und in modsecurity-minimal.conf umbenannt.

Die sieht jetzt so aus:

Code:

server:/etc/modsecurity2# cat modsecurity-minimal.conf 

# Basic configuration options

SecRuleEngine On

SecRequestBodyAccess On

SecResponseBodyAccess Off

SecDataDir /etc/modsecurity2/logs

# PCRE Tuning

SecPcreMatchLimit 1000

SecPcreMatchLimitRecursion 1000

# Handling of file uploads

# TODO Choose a folder private to Apache.

# SecUploadDir /opt/apache-frontend/tmp/

SecUploadKeepFiles Off

SecUploadFileLimit 10

# Debug log

SecDebugLog /etc/modsecurity2/logs/modsec_debug.log

SecDebugLogLevel 0

# Serial audit log

SecAuditEngine RelevantOnly

SecAuditLogRelevantStatus ^5

SecAuditLogParts ABIFHZ

SecAuditLogType Serial

SecAuditLog /etc/modsecurity2/logs/modsec_audit.log

# Maximum request body size we will

# accept for buffering

SecRequestBodyLimit 131072

# Store up to 128 KB in memory

SecRequestBodyInMemoryLimit 131072

# Buffer response bodies of up to

# 512 KB in length

SecResponseBodyLimit 524288

# Verify that we've correctly processed the request body.

# As a rule of thumb, when failing to process a request body

# you should reject the request (when deployed in blocking mode)

# or log a high-severity alert (when deployed in detection-only mode).

SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \

"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"

# By default be strict with what we accept in the multipart/form-data

# request body. If the rule below proves to be too strict for your

# environment consider changing it to detection-only. You are encouraged

# _not_ to remove it altogether.

SecRule MULTIPART_STRICT_ERROR "!@eq 0" \

"phase:2,t:none,log,deny,msg:'Multipart request body \

failed strict validation: \

PE %{REQBODY_PROCESSOR_ERROR}, \

BQ %{MULTIPART_BOUNDARY_QUOTED}, \

BW %{MULTIPART_BOUNDARY_WHITESPACE}, \

DB %{MULTIPART_DATA_BEFORE}, \

DA %{MULTIPART_DATA_AFTER}, \

HF %{MULTIPART_HEADER_FOLDING}, \

LF %{MULTIPART_LF_LINE}, \

SM %{MULTIPART_SEMICOLON_MISSING}, \

IQ %{MULTIPART_INVALID_QUOTING}, \

IH %{MULTIPART_INVALID_HEADER_FOLDING}, \

IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

# Did we see anything that might be a boundary?

SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \

"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

# Some internal errors will set flags in TX and we will need to look for these.

# All of these are prefixed with "MSC_".  The following flags currently exist:

#

# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.

#

SecRule TX:/^MSC_/ "!@streq 0" \

        "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

server:/etc/modsecurity2#

Wenn ich nun auf meiner Homepage auf eine .php Datei mit ?page=/etc/passwd zugreife, sagt die Debug Log mit Loglevel 5 folgendes:

Code:

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Initialising transaction (txid S3wot1jGtk0AAEjUCqkAAAAA).

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Adding request argument (QUERY_STRING): name "page", value "/etc/passwd"

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Transaction context created (dcfg 16b8708).

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase REQUEST_HEADERS.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] PdfProtect: Not enabled here.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Second phase starting (dcfg 16b8708).

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Input filter: This request does not have a body.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Time #1: 393

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase REQUEST_BODY.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Recipe: Invoking rule 17e0090; [file "/etc/modsecurity2/modsecurity-minimal.conf"] [line "45"].

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Rule 17e0090: SecRule "REQBODY_PROCESSOR_ERROR" "!@eq 0" "phase:2,auditlog,t:none,log,deny,msg:'Failed to parse request body.',severity:2"

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Transformation completed in 1 usec.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Executing operator "!eq" with param "0" against REQBODY_PROCESSOR_ERROR.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Operator completed in 9 usec.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Rule returned 0.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Recipe: Invoking rule 17daac0; [file "/etc/modsecurity2/modsecurity-minimal.conf"] [line "64"].

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Rule 17daac0: SecRule "MULTIPART_STRICT_ERROR" "!@eq 0" "phase:2,auditlog,t:none,log,deny,msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_SEMICOLON_MISSING}, IQ %{MULTIPART_INVALID_QUOTING}, IH %{MULTIPART_INVALID_HEADER_FOLDING}, IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Transformation completed in 1 usec.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Executing operator "!eq" with param "0" against MULTIPART_STRICT_ERROR.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Operator completed in 1 usec.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Rule returned 0.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Recipe: Invoking rule 17e2708; [file "/etc/modsecurity2/modsecurity-minimal.conf"] [line "68"].

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Rule 17e2708: SecRule "MULTIPART_UNMATCHED_BOUNDARY" "!@eq 0" "phase:2,auditlog,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Transformation completed in 0 usec.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Executing operator "!eq" with param "0" against MULTIPART_UNMATCHED_BOUNDARY.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Operator completed in 2 usec.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Rule returned 0.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Recipe: Invoking rule 17e31b8; [file "/etc/modsecurity2/modsecurity-minimal.conf"] [line "76"].

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Rule 17e31b8: SecRule "TX:/^MSC_/" "!@streq 0" "phase:2,log,auditlog,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Rule returned 0.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Time #2: 629

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Hook insert_filter: Adding PDF XSS protection output filter (r 184d3f8).

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Hook insert_filter: Adding output filter (r 184d3f8).

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase RESPONSE_HEADERS.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Output filter: Response body buffering is not enabled.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Output filter: Completed receiving response body (non-buffering).

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase RESPONSE_BODY.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Output filter: Output forwarding complete.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Initialising logging.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase LOGGING.

[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Audit log: Ignoring a non-relevant request.

Da frage ich mich nur:

0) Läuft es nun wirklich richtig? (Kann es garnicht glauben)
1) Warum fehlten die Einstellungen (SecDataDir, SecAuditLog, SecDebugLog in der modsecurity_crs_10_config.conf? In der minimal waren sie ja enthalten...
2) Warum gibt er dem möglichen Angreifer keinen Fehler aus oder leitet ihn auf eine Fehlerseite? Also bei dem Aufruf der php mit phpinfo.php?page=/etc/passwd ?
3) Reicht die minimal für die meisten Angriffe aus? Habe gehört die ganzen anderen .conf Dateien können schnell für Probleme sorgen..

Vielen Dank!

Threaded Mode \| Linear Mode Installation mod_security
Author	Message