
modsecurity

  1. mod_security is an Apache module that provides intrusion detection and prevention. It acts as a firewall for web applications and is used to block attacks such as SQL injection, cross-site scripting and path traversal.
  2. Without the mod_security module installed, injection.php has a SQL injection vulnerability.
    [root@kvm3 src]# curl -s http://kvm3/injection.php?"user='a'%20or%201" \
     | sed 's/<br> */\n/g'
    HOST: 127.0.0.1
    User: root
    --------------------------------
    HOST: 192.168.122.1
    User: hosttest
    --------------------------------
    HOST: 192.168.122.1
    User: user2
    --------------------------------
    HOST: ::1
    User: root
    --------------------------------
    HOST: kvm3.deyu.wang
    User: root
    --------------------------------
    HOST: localhost
    User: dywang
    --------------------------------
    HOST: localhost
    User: root
    --------------------------------
    HOST: localhost
    User: user1
    --------------------------------
    HOST: localhost
    User: user3
    --------------------------------
    Fetched data successfully
    
  3. Install the mod_security module.
    [root@kvm3 src]# yum install mod_security
    Complete!
    
  4. Check the mod_security module information; the version is 2.9.2.
    [root@kvm3 src]# yum info mod_security
    Repository AppStream is listed more than once in the configuration
    Repository BaseOS is listed more than once in the configuration
    Last metadata expiration check: 0:08:40 ago on Tue 28 Apr 2020 03:14:41 PM CST.
    Installed Packages
    Name         : mod_security
    Version      : 2.9.2
    Release      : 8.el8
    Arch         : x86_64
    Size         : 1.0 M
    Source       : mod_security-2.9.2-8.el8.src.rpm
    Repo         : @System
    From repo    : AppStream
    Summary      : Security module for the Apache HTTP Server
    URL          : http://www.modsecurity.org/
    License      : ASL 2.0
    Description  : ModSecurity is an open source intrusion detection and prevention
                 : engine for web applications. It operates embedded into the web
                 : server, acting as a powerful umbrella - shielding web
                 : applications from attacks.
    
  5. List the files installed by the mod_security rpm.
    [root@kvm3 src]# rpm -ql mod_security
    /etc/httpd/conf.d/mod_security.conf
    /etc/httpd/conf.modules.d/10-mod_security.conf
    /etc/httpd/modsecurity.d
    /etc/httpd/modsecurity.d/activated_rules
    /etc/httpd/modsecurity.d/local_rules
    /etc/httpd/modsecurity.d/local_rules/modsecurity_localrules.conf
    /usr/lib/.build-id
    /usr/lib/.build-id/c1
    /usr/lib/.build-id/c1/678c921f1523a225ddb40d90c86efeb1106371
    /usr/lib64/httpd/modules/mod_security2.so
    /usr/share/doc/mod_security
    /usr/share/doc/mod_security/CHANGES
    /usr/share/doc/mod_security/LICENSE
    /usr/share/doc/mod_security/NOTICE
    /usr/share/doc/mod_security/README.TXT
    /var/lib/mod_security
    
  6. Install git.
    [root@kvm3 src]# yum install git
    
  7. Download the OWASP ModSecurity Core Rule Set with git.
    [root@kvm3 src]# git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
    Cloning into 'owasp-modsecurity-crs'...
    remote: Enumerating objects: 10292, done.
    remote: Total 10292 (delta 0), reused 0 (delta 0), pack-reused 10292
    Receiving objects: 100% (10292/10292), 3.29 MiB | 1.17 MiB/s, done.
    Resolving deltas: 100% (7547/7547), done.
    
  8. Copy crs-setup.conf.example to /etc/httpd/conf.d/crs-setup.conf.
    [root@kvm3 src]# cd owasp-modsecurity-crs/
    [root@kvm3 owasp-modsecurity-crs]# cp crs-setup.conf.example \
    /etc/httpd/conf.d/crs-setup.conf
    
  9. Copy the rules directory, which contains all the rules, to /etc/httpd/modsecurity.d/.
    [root@kvm3 owasp-modsecurity-crs]# cp -a rules /etc/httpd/modsecurity.d/
    
  10. Edit /etc/httpd/conf.d/mod_security.conf so that all *.conf rule files in the rule directory modsecurity.d/rules/ are included by the module.
    [root@kvm3 owasp-modsecurity-crs]# vim /etc/httpd/conf.d/mod_security.conf
    [root@kvm3 owasp-modsecurity-crs]# vim /etc/httpd/conf.d/mod_security.conf
    [root@kvm3 owasp-modsecurity-crs]# grep rules -A3 /etc/httpd/conf.d/mod_security.conf
    	IncludeOptional modsecurity.d/activated_rules/*.conf
    	IncludeOptional modsecurity.d/local_rules/*.conf
    	IncludeOptional modsecurity.d/rules/*.conf
        
    </IfModule>
    
  11. Because rules was copied from the download directory into /etc/httpd, its SELinux file context must be restored.
    [root@kvm3 owasp-modsecurity-crs]# restorecon -Rv /etc/httpd/mod_security.conf
    
  12. Restart the httpd service.
    [root@kvm3 owasp-modsecurity-crs]# systemctl restart httpd.service
    
  13. Connecting again to the SQL-injection-vulnerable injection.php, the response is now 403 Forbidden.
    [root@kvm3 owasp-modsecurity-crs]# curl -s \
    http://kvm3/injection.php?"user='a'%20or%201" | sed 's/<br> */\n/g'
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access /injection.php
    on this server.<br />
    </p>
    </body></html>
    
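When the request above is refused, the next question an operator has is which CRS rule did it. The following script is an added example, not part of the original page: it parses the "ModSecurity:" lines that mod_security 2.x writes to Apache's error_log and summarises the rule IDs, denial count and transaction IDs. It assumes the 2.x error-log field order (the [id "..."] field precedes [uri "..."] on the same line) and runs on constructed sample lines; the CRS file names and rule IDs 942100 and 949110 are those of the CRS 3.x libinjection SQLi rule and the inbound anomaly-score blocking rule.

```shell
#!/bin/sh
# Added example (not from the page): find out which CRS rules fired when
# mod_security returned 403, by parsing the "ModSecurity:" lines that
# mod_security 2.x writes to Apache's error_log. Assumes the 2.x field
# order, where [id "..."] precedes [uri "..."] on the same line.

# Constructed sample log lines modelled on the test request from the page.
# Rule IDs and file names are the CRS 3.x SQLi and anomaly-blocking rules;
# timestamps, pids and unique_ids are made up. The last line is an ordinary
# Apache error, included to show that it is ignored.
SAMPLE_LOG='[Tue Apr 28 15:20:01.123456 2020] [:error] [pid 4321] [client 192.168.122.1:51234] [client 192.168.122.1] ModSecurity: Warning. detected SQLi using libinjection [file "/etc/httpd/modsecurity.d/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "kvm3"] [uri "/injection.php"] [unique_id "XqfQAbcd0001"]
[Tue Apr 28 15:20:01.123999 2020] [:error] [pid 4321] [client 192.168.122.1:51234] [client 192.168.122.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "kvm3"] [uri "/injection.php"] [unique_id "XqfQAbcd0001"]
[Tue Apr 28 15:21:30.000001 2020] [:error] [pid 4322] [client 127.0.0.1:40000] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "kvm3"] [uri "/injection.php"] [unique_id "XqfQEfgh0002"]
[Tue Apr 28 15:22:00.000001 2020] [:error] [pid 4322] [client 127.0.0.1:40001] AH01630: client denied by server configuration: /var/www/html/.htaccess'

# Print "<count> <rule id> <uri>" for every rule that matched, most frequent
# first. Reads log text from stdin; lines without "ModSecurity:" are ignored.
crs_hits() {
  grep 'ModSecurity:' |
    sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \2/p' |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Count requests actually denied with 403. Individual CRS rules only raise
# the anomaly score (logged as "Warning"); the blocking rule issues the denial.
denied_count() {
  awk '/ModSecurity: Access denied with code 403/ { n++ } END { print n + 0 }'
}

# Print the unique_id of each denied transaction, one per line, so the full
# request can be looked up in modsec_audit.log under the same id.
denied_unique_ids() {
  grep 'ModSecurity: Access denied' |
    sed -n 's/.*\[unique_id "\([^"]*\)"\].*/\1/p'
}

# Against a live server (root needed to read the log):
#   tail -n 1000 /var/log/httpd/error_log | crs_hits
printf '%s\n' "$SAMPLE_LOG" | crs_hits
```

On the sample input the summary shows two denials by 949110 and one match of 942100, all for /injection.php, which is how a 403 from the CRS is traced back to the SQLi rule that scored it.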



De-Yu Wang 2020-09-18