Hallo,
bin nun weitergekommen. Habe die modsecurity_crs_10_config.conf gelöscht und stattdessen die modsecurity.conf-minimal in das Verzeichnis gepackt und in modsecurity-minimal.conf umbenannt.
Die sieht jetzt so aus:
Code:
server:/etc/modsecurity2# cat modsecurity-minimal.conf
# Basic configuration options
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecDataDir /etc/modsecurity2/logs
# PCRE Tuning
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
# Handling of file uploads
# TODO Choose a folder private to Apache.
# SecUploadDir /opt/apache-frontend/tmp/
SecUploadKeepFiles Off
SecUploadFileLimit 10
# Debug log
SecDebugLog /etc/modsecurity2/logs/modsec_debug.log
SecDebugLogLevel 0
# Serial audit log
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHZ
SecAuditLogType Serial
SecAuditLog /etc/modsecurity2/logs/modsec_audit.log
# Maximum request body size we will
# accept for buffering
SecRequestBodyLimit 131072
# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072
# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyLimit 524288
# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
# Did we see anything that might be a boundary?
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
"phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
server:/etc/modsecurity2#
Wenn ich nun auf meiner Homepage auf eine .php Datei mit ?page=/etc/passwd zugreife, sagt die Debug Log mit Loglevel 5 folgendes:
Code:
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Initialising transaction (txid S3wot1jGtk0AAEjUCqkAAAAA).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Adding request argument (QUERY_STRING): name "page", value "/etc/passwd"
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Transaction context created (dcfg 16b8708).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase REQUEST_HEADERS.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] PdfProtect: Not enabled here.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Second phase starting (dcfg 16b8708).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Input filter: This request does not have a body.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Time #1: 393
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase REQUEST_BODY.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Recipe: Invoking rule 17e0090; [file "/etc/modsecurity2/modsecurity-minimal.conf"] [line "45"].
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Rule 17e0090: SecRule "REQBODY_PROCESSOR_ERROR" "!@eq 0" "phase:2,auditlog,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Transformation completed in 1 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Executing operator "!eq" with param "0" against REQBODY_PROCESSOR_ERROR.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Operator completed in 9 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Rule returned 0.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Recipe: Invoking rule 17daac0; [file "/etc/modsecurity2/modsecurity-minimal.conf"] [line "64"].
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Rule 17daac0: SecRule "MULTIPART_STRICT_ERROR" "!@eq 0" "phase:2,auditlog,t:none,log,deny,msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_SEMICOLON_MISSING}, IQ %{MULTIPART_INVALID_QUOTING}, IH %{MULTIPART_INVALID_HEADER_FOLDING}, IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Transformation completed in 1 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Executing operator "!eq" with param "0" against MULTIPART_STRICT_ERROR.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Operator completed in 1 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Rule returned 0.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Recipe: Invoking rule 17e2708; [file "/etc/modsecurity2/modsecurity-minimal.conf"] [line "68"].
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Rule 17e2708: SecRule "MULTIPART_UNMATCHED_BOUNDARY" "!@eq 0" "phase:2,auditlog,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Transformation completed in 0 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Executing operator "!eq" with param "0" against MULTIPART_UNMATCHED_BOUNDARY.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Operator completed in 2 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Rule returned 0.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Recipe: Invoking rule 17e31b8; [file "/etc/modsecurity2/modsecurity-minimal.conf"] [line "76"].
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Rule 17e31b8: SecRule "TX:/^MSC_/" "!@streq 0" "phase:2,log,auditlog,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Rule returned 0.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Time #2: 629
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Hook insert_filter: Adding PDF XSS protection output filter (r 184d3f8).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Hook insert_filter: Adding output filter (r 184d3f8).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase RESPONSE_HEADERS.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Output filter: Response body buffering is not enabled.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Output filter: Completed receiving response body (non-buffering).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase RESPONSE_BODY.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Output filter: Output forwarding complete.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Initialising logging.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase LOGGING.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Audit log: Ignoring a non-relevant request.
Da frage ich mich nur:
0) Läuft es nun wirklich richtig? (Kann es garnicht glauben)
1) Warum fehlten die Einstellungen (SecDataDir, SecAuditLog, SecDebugLog in der modsecurity_crs_10_config.conf? In der minimal waren sie ja enthalten...
2) Warum gibt er dem möglichen Angreifer keinen Fehler aus oder leitet ihn auf eine Fehlerseite? Also bei dem Aufruf der php mit phpinfo.php?page=/etc/passwd ?
3) Reicht die minimal für die meisten Angriffe aus? Habe gehört die ganzen anderen .conf Dateien können schnell für Probleme sorgen..
Vielen Dank!