HowTo - detect and hinder intrusions in Apache2
Posted: 30 Dec 2007, 17:27
If you have a web server and want to strengthen the protection of your web applications and databases against the Internet, ModSecurity is available. It can be seen as a firewall inside Apache. A hardened baseline is easy to install. If you want to adapt it to your specific applications and needs you have to read up a little more; for example, you can fine-tune it to protect your blog. You can also determine whether successful intrusions have occurred. More about ModSecurity at http://www.modsecurity.org/
Below is shown how to install ModSecurity and add a recommended configuration. Then, as an example, the configuration I have adjusted to my own wishes is shown; among other things it contains a simpler protection against SQL injection in MySQL.
I run the module on a Debian Etch server with Apache2 and am a little unsure whether the module is in the repositories for 7.10 server, but it should at least exist for 6.06 LTS server.
There is a Debian repository http://etc.inittab.org/~agi/debian/liba ... security2/ with the latest version of ModSecurity (2). One could possibly (at one's own risk) try mod-security2-common_2.1.2-1_all.deb on the later versions of Ubuntu.
Install ModSecurity on Apache2
sudo apt-get install libapache2-mod-security
sudo a2enmod mod-security
sudo /etc/init.d/apache2 force-reload
Configure
1. Open apache2.conf
sudo nano /etc/apache2/apache2.conf
2. Paste the recommended configuration below at the bottom of the file, above the line # Include the virtual host configurations: and save.
<IfModule mod_security.c>
# Turn ModSecurity On
SecFilterEngine On
# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:403"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
# SecServerSignature "Microsoft-IIS/5.0"
SecUploadDir /tmp
SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog /var/log/apache2/modsec_debug_log
# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type \
"!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't handle
SecFilterSelective HTTP_Transfer-Encoding "!^$"
</IfModule>
3. Restart Apache
sudo /etc/init.d/apache2 force-reload
4. Check in error.log that everything is OK:
sudo nano /var/log/apache2/error.log
There should be a line similar to:
........ [notice] ModSecurity for Apache 2.1.1 configured
Note that the directives in the block (SecFilterEngine, SecFilterSelective and so on) are ModSecurity 1.x syntax. ModSecurity 2.x identifies itself to Apache as mod_security2.c and replaced those directives with SecRuleEngine, SecRule and SecDefaultAction, so with a 2.x module the whole <IfModule mod_security.c> block is skipped silently while the notice above still appears. Do not rely on the notice alone: send a request the rules must reject, for example a POST whose Content-Type is text/plain, and confirm that the answer is 403 and that an entry appears in audit_log. If you get the normal page and no entry, the rules are not active.
5. Check the log now and then:
sudo nano /var/log/apache2/audit_log
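Reading audit_log in an editor stops scaling as soon as scanners start hitting the server. Here is an added example (not code from the original post) that parses a ModSecurity 1.x serial audit log of the kind the configuration above produces and lists which client triggered which rule and how often. The sample entries, the client addresses and the exact line layout are constructed for this example; compare them with a real entry from your own audit_log before relying on the parser.

```python
import re
from collections import Counter

# Constructed sample in the shape of a ModSecurity 1.x serial audit log as
# written with SecAuditEngine RelevantOnly: entries separated by a line of
# '=', a "Request:" line in combined-log form, the request headers and, for
# denied requests, a mod_security-message / mod_security-action pair. The
# layout, addresses and hostnames are assumptions made for this example.
SAMPLE_AUDIT_LOG = """\
========================================
UNIQUE_ID: constructed0001
Request: 203.0.113.7 - - [30/Dec/2007:17:40:01 +0100] "POST /login.php HTTP/1.1" 403 272 "-" "curl/7.15.5"
Handler: php5-script
----------------------------------------
POST /login.php HTTP/1.1
Host: www.example.org
User-Agent: curl/7.15.5
Content-Type: text/plain
Content-Length: 9
mod_security-message: Access denied with code 403. Pattern match "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at HEADER("Content-Type").
mod_security-action: 403

HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1

========================================
UNIQUE_ID: constructed0002
Request: 203.0.113.7 - - [30/Dec/2007:17:40:04 +0100] "GET /index.php HTTP/1.1" 403 272 "-" "curl/7.15.5"
Handler: php5-script
----------------------------------------
GET /index.php HTTP/1.1
Host: www.example.org
User-Agent: curl/7.15.5
Content-Length: 4
mod_security-message: Access denied with code 403. Pattern match "!^$" at HEADER("Content-Length").
mod_security-action: 403

HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1

========================================
UNIQUE_ID: constructed0003
Request: 198.51.100.4 - - [30/Dec/2007:18:02:17 +0100] "POST /upload.php HTTP/1.1" 403 272 "-" "Mozilla/5.0"
Handler: php5-script
----------------------------------------
POST /upload.php HTTP/1.1
Host: www.example.org
User-Agent: Mozilla/5.0
Transfer-Encoding: chunked
mod_security-message: Access denied with code 403. Pattern match "!^$" at HEADER("Transfer-Encoding").
mod_security-action: 403

HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1
"""

ENTRY_SEP = re.compile(r"^=+$", re.MULTILINE)
REQUEST_LINE = re.compile(
    r'^Request: (\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})', re.MULTILINE)
MESSAGE_LINE = re.compile(r"^mod_security-message: (.*)$", re.MULTILINE)
# pattern and location reported by the rule that fired
PATTERN_AT = re.compile(r'Pattern match "(.*)" at (.+?)\.?$')


def parse_audit_log(text):
    """Split the serial audit log into entries and extract the fields worth
    looking at: client IP, timestamp, request line, status and the rule hit."""
    entries = []
    for chunk in ENTRY_SEP.split(text):
        req = REQUEST_LINE.search(chunk)
        if req is None:          # leading fragment or an entry with no Request: line
            continue
        ip, when, request, status = req.groups()
        msg = MESSAGE_LINE.search(chunk)
        message = msg.group(1) if msg else ""
        hit = PATTERN_AT.search(message)
        entries.append({
            "ip": ip,
            "time": when,
            "request": request,
            "status": int(status),
            "message": message,
            "pattern": hit.group(1) if hit else None,
            "location": hit.group(2) if hit else None,
        })
    return entries


def denied(entries):
    """Entries ModSecurity actually blocked; RelevantOnly can also record
    requests that matched a rule whose action did not deny."""
    return [e for e in entries if e["message"].startswith("Access denied")]


def summarize(entries):
    """Count denials per client and per (location, pattern), so that one noisy
    scanner or one over-broad rule stands out at a glance."""
    blocked = denied(entries)
    per_ip = Counter(e["ip"] for e in blocked)
    per_rule = Counter((e["location"], e["pattern"]) for e in blocked)
    return per_ip, per_rule


if __name__ == "__main__":
    per_ip, per_rule = summarize(parse_audit_log(SAMPLE_AUDIT_LOG))
    for ip, n in per_ip.most_common():
        print(f"{n:4d} denials from {ip}")
    for (loc, pat), n in per_rule.most_common():
        print(f"{n:4d} x {loc}: {pat}")
```

To use it on a live server, call parse_audit_log with the contents of /var/log/apache2/audit_log instead of the sample. A rule that dominates the per-rule count, especially one of the header-sanity rules, is more often a legitimate client being rejected than an attack, and that is the first thing to check before tightening anything.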
A further configuration example
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Change Server: string (only takes effect when Apache's ServerTokens is Full)
SecServerSignature " "
# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 1 255
# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations.
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog /var/log/apache2/modsec_debug_log
# Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type \
"!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't handle
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# Maximum request body size we will accept for buffering (1 MB)
SecRequestBodyLimit 1048576
# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072
# Buffer response bodies of up to 512 KB in length
SecResponseBodyLimit 524288
# Command execution attacks
SecFilter /etc/passwd
SecFilter /bin/ls
# Directory traversal (..) attacks. The dots must be escaped: an
# unescaped "../" is a regex that matches any two characters before a slash
SecFilter "\.\./"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Prevent XSS attacks (HTML/Javascript injection). This denies any HTML
# tag at all, which makes the weaker rule above redundant and is too
# strict for a blog that accepts HTML in comments
SecFilter "<(.|\n)+>"
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
SecFilter "drop[[:space:]]table"
# MS SQL specific SQL injection attacks
SecFilter xp_enumdsn
SecFilter xp_filelist
SecFilter xp_availablemedia
SecFilter xp_cmdshell
SecFilter xp_regread
SecFilter xp_regwrite
SecFilter xp_regdeletekey
# Output filtering can also be used to detect successful intrusions.
# These rules will monitor output and detect typical keywords
# resulting from a command execution on the server.
# Output filtering is off by default and must be switched on first
SecFilterScanOutput On
SecFilterSelective OUTPUT "Volume Serial Number"
SecFilterSelective OUTPUT "Command completed"
SecFilterSelective OUTPUT "Bad command or filename"
SecFilterSelective OUTPUT "file(s) copied"
SecFilterSelective OUTPUT "Index of /cgi-bin/"
SecFilterSelective OUTPUT ".*uid\=\("
</IfModule>
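To see what the crude SQL injection, XSS and traversal filters in this example actually match, here is an added example (not part of the original post and not ModSecurity code) that evaluates the same regexes in Python against constructed attack and benign request fragments. It writes POSIX [[:space:]] as \s and assumes case-insensitive matching, which is an assumption about the engine rather than something the post states. It shows two things worth knowing before putting such rules in front of a blog: the unescaped ../ and the /etc/password spelling that turn up in many hand-written rule sets do not do what their comments promise, and the select.+from and catch-all tag rules deny ordinary text and HTML.

```python
import re

# Reimplementation of the SecFilter patterns from the example, built only to
# exercise them against sample input. [[:space:]] is written as \s because
# Python's re module has no POSIX classes; IGNORECASE is an assumption.
FILTERS = {
    "etc_password": r"/etc/password",   # common misspelling: never matches /etc/passwd
    "etc_passwd": r"/etc/passwd",       # the probe the rule is meant to catch
    "bin_ls": r"/bin/ls",
    "traversal_unescaped": r"../",      # as a regex: any two characters before a slash
    "traversal_escaped": r"\.\./",      # literal dot-dot-slash
    "xss_script": r"<\s*script",
    "xss_any_tag": r"<(.|\n)+>",        # every HTML tag, benign or not
    "sql_delete": r"delete\s+from",
    "sql_insert": r"insert\s+into",
    "sql_select": r"select.+from",
    "sql_drop": r"drop\stable",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in FILTERS.items()}

# Constructed request fragments, already URL-decoded as the engine would see them.
ATTACKS = {
    "lfi_probe": "page=../../../../etc/passwd",
    "cmd_probe": "cmd=/bin/ls -la",
    "sqli_union": "id=1 union select password from users",
    "sqli_tautology": "id=1 or 1=1",
    "xss_script": "q=<script>alert(1)</script>",
}
BENIGN = {
    "help_text": "body=Please select one item from the menu",
    "html_comment": "body=I <b>love</b> this post",
    "plain_path": "path=docs/readme",
}


def triggered(fragment):
    """Sorted names of the filters that would deny this request fragment."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(fragment))


def missed_attacks():
    """Attack samples that no filter catches at all."""
    return [name for name, frag in ATTACKS.items() if not triggered(frag)]


def false_positives():
    """Benign samples mapped to the filters that would wrongly deny them."""
    return {name: triggered(frag) for name, frag in BENIGN.items() if triggered(frag)}


if __name__ == "__main__":
    for name, frag in {**ATTACKS, **BENIGN}.items():
        print(f"{name:15s} -> {triggered(frag)}")
    print("missed attacks:", missed_attacks())
    print("false positives:", false_positives())
```

The output makes the trade-off concrete: the unescaped traversal rule fires on every fragment that contains a slash, the tag rule denies a comment with a single bold tag, the help text is rejected as SQL injection, and a tautology without any of the keywords passes untouched. Keyword filters of this kind are a tripwire for noisy scanners, not a substitute for parameterised queries and output encoding in the application.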