Apache + mod_security: blocking attacks with a web application firewall (WAF)
Author: cross  Date: 2010-11-30 16:59
Quote: http://www.modsecurity.org/documentation/modsecurity-apache/2.5.12/html-multipage/introduction.html
ModSecurity is a web application firewall (WAF). With over 70% of attacks now carried out over the web application level, organisations need all the help they can get in making their systems secure. WAFs are deployed to establish an increased external security layer to detect and/or prevent attacks before they reach web applications. ModSecurity provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.
Installation--
Download the package: http://www.modsecurity.org/download/
Compile
tar zxvf modsecurity-apache_2.5.12.tar.gz
cd modsecurity-apache_2.5.12/apache2
./configure;make;make install
Configuration--
Copy the conf file
cd ..
cp -rp modsecurity.conf-minimal /etc/httpd/conf.d/modsecurity.conf
Edit the conf
vi /etc/httpd/conf.d/modsecurity.conf
# Add the following three lines at the beginning
LoadFile /usr/lib/libxml2.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
# Add the following line at the end
Include mod_security/*.conf
Create the directory
mkdir /etc/httpd/mod_security
Copy the rules
cp -rp rules/base_rules/* /etc/httpd/mod_security/
Check the configuration, then restart Apache
apachectl -t
service httpd restart
Rules explained
Reference: http://wiki.oss.org.tw/index.php/ModSecurity
Syntax: SecRule VARIABLES OPERATOR [ACTIONS]
1. VARIABLES: which request/response variables the rule inspects
2. OPERATOR: how those variables are tested (by default a regular expression, @rx)
3. ACTIONS (optional): what to do when the operator matches
Rule downloads
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Download
References
http://www.modsecurity.org/documentation/
http://wiki.oss.org.tw/index.php/ModSecurity
http://phorum.study-area.org/index.php?topic=39489.0
Examples
SecServerSignature "Cross/1.0"
SecRule REMOTE_ADDR "^10\.10\.10\.63$" "phase:1,deny,log,msg:'deny from 10.10.10.63'"
SQL injection test string: or 1=1
FAQ
Installing mod_security
Configuring mod_security
Hiding the Apache version
Blocking a source IP
Blocking SQL injection
How to redirect a page
How to show a custom msg in the browser
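The FAQ items above are listed without answers. The following configuration fragment is an added example (not from the original post and not part of the ModSecurity project) showing one way to handle each of them with ModSecurity 2.5-era directives. It is meant to be dropped into the directory the post includes with `Include mod_security/*.conf`, for instance as /etc/httpd/mod_security/99_local.conf (an assumed filename). The blocked address 10.10.10.63 comes from the post; the rule ids, the www.example.com redirect target and the message texts are assumptions.

```apache
# Added example, not part of the original post. Assumed values: rule ids
# 900001-900003, the redirect target www.example.com, the message texts.

# --- Hide the Apache version ---
# ModSecurity only rewrites the Server header when Apache emits its full
# signature, so ServerTokens must be Full; with Prod/Min the directive is
# silently ignored. ServerSignature Off keeps error pages from leaking it too.
ServerTokens Full
ServerSignature Off
SecServerSignature "Cross/1.0"

# --- Block a single source IP ---
# The default operator is @rx, so the dots must be escaped: an unescaped "."
# also matches "10a10b10c63". Phase 1 runs on the request headers, before
# the body is read, so the attacker's upload is never buffered.
SecRule REMOTE_ADDR "^10\.10\.10\.63$" \
    "phase:1,deny,status:403,log,id:900001,msg:'deny from 10.10.10.63'"

# --- Block a simple SQL injection probe (the "or 1=1" string) ---
# Inspect every query-string and body argument. Normalise before matching
# (URL-decode, lowercase, collapse whitespace) so "OR%201%3D1" and "or  1 = 1"
# both hit. Phase 2 is required: POST bodies are not available in phase 1.
SecRule ARGS "\bor\s+1\s*=\s*1\b" \
    "phase:2,t:none,t:urlDecodeUni,t:lowercase,t:compressWhitespace,deny,status:403,log,id:900002,msg:'SQL injection: or 1=1'"

# --- Redirect instead of returning a bare 403 ---
# 'redirect' is a disruptive action like 'deny'; the client receives a 302
# to the given URL and the original request is never passed to the application.
SecRule ARGS "\bunion\s+select\b" \
    "phase:2,t:none,t:urlDecodeUni,t:lowercase,t:compressWhitespace,redirect:http://www.example.com/blocked.html,log,id:900003,msg:'SQL injection: union select'"

# --- Show a message in the browser ---
# msg: is written only to error_log and the audit log; it is never sent to
# the client. What the browser shows for a 'deny' is Apache's error document
# for the status code, so define one for 403 (a quoted string or a local URL).
ErrorDocument 403 "Request blocked by the web application firewall"
```

Run `apachectl -t` after adding the file: a typo in an action list is reported at startup, not at request time. Test the SQL injection rule with a query such as `?id=1%20or%201%3D1` and confirm a 403 in access_log together with the matching `msg` in error_log; the IP rule can be verified from the blocked host with `curl -I`, which should return 403 without any application response.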