Apache security protection with a WAF: installing and configuring the mod_security module
Preventing SQL injection without changing any code in the existing system
Consider this scenario: a server inevitably hosts some programs with weak security, or a program whose SQL handling does not use parameterised queries but concatenates strings directly, with no type checking either. In such cases a WAF (Web Application Firewall) is worth considering.
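To make the scenario concrete, here is an added example in Python (not code from the original post) with an in-memory SQLite table constructed for the purpose: the concatenating lookup the paragraph describes beside the parameterised, type-checked form. The table and function names are invented. A WAF in front of the first function is a compensating control; the second function is the fix the WAF stands in for.

```python
import sqlite3


# Constructed stand-in for the legacy application's data (not from the original post).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def find_user_concat(conn: sqlite3.Connection, user_id: str) -> list:
    # The weak pattern the paragraph describes: the request value is spliced into
    # the SQL text, so a quote inside it changes the statement's meaning.
    sql = "SELECT name FROM users WHERE id = '" + user_id + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn: sqlite3.Connection, user_id: str) -> list:
    # Hardened form: reject anything that is not a plain integer, then bind the
    # value as a parameter so the database never parses it as SQL.
    if not user_id.isdecimal():
        return []
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (int(user_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "1' OR '1'='1"  # classic injection probe used to confirm the fix
    print(find_user_concat(db, "1"), find_user_concat(db, probe))
    print(find_user_param(db, "1"), find_user_param(db, probe))
```

The concatenating version returns every row for the probe value; the parameterised version returns nothing, because the value never reaches the SQL parser.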
Installation and configuration
http://www.apachelounge.com/download/
First install Apache 2.4 and the matching version of mod_security.
After unpacking there are two folders, mod_security and mlogc; the readme.txt in each describes the installation steps.
Installing Security2
- Copy mod_security2.so to the apache24/modules directory
- Copy yajl.dll to the apache24/bin folder
Configuring mod_security
Edit httpd.conf
# Add to your httpd.conf
LoadModule security2_module modules/mod_security2.so
# Enable the module unique_id by uncommenting:
LoadModule unique_id_module modules/mod_unique_id.so
# Configuration: see the included documentation
# Rules and documentation : http://www.modsecurity.org/
# A very quick start:
SecRuleEngine On
SecDefaultAction "deny,phase:2,status:403"
## -- rule --
# t:none must come first: it clears the transformation list, so anything listed before it is ignored
SecRule ARGS "\.\./" "id:50904,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:normalizePathWin,msg:'Drive Access'"
Verifying mod_security
Restart: httpd.exe -k restart
Visit: http://localhost/?abc=../../
If the installation succeeded, the response is 403:
Forbidden
You don't have permission to access this resource.
Security protection
Installing modsecurity-crs
For adding rules refer to: http://www.modsecurity.org/rules.html
Officially recommended: https://github.com/SpiderLabs/owasp-modsecurity-crs
Reference documentation: https://coreruleset.org/documentation/
Download the rules and unpack them
Copy rules to apache24\conf\modsecurity-crs
Copy crs-setup.conf.example to modsecurity-crs/crs-setup.conf
Configure crs-setup.conf so that PUT, DELETE and PATCH requests are allowed. Find "HTTP Policy Settings"; it reads as follows:
#
# -- [[ HTTP Policy Settings ]] ------------------------------------------------
#
# This section defines your policies for the HTTP protocol, such as:
# - allowed HTTP versions, HTTP methods, allowed request Content-Types
# - forbidden file extensions (e.g. .bak, .sql) and request headers (e.g. Proxy)
#
# These variables are used in the following rule files:
# - REQUEST-911-METHOD-ENFORCEMENT.conf
# - REQUEST-912-DOS-PROTECTION.conf
# - REQUEST-920-PROTOCOL-ENFORCEMENT.conf
# HTTP methods that a client is allowed to use.
# Default: GET HEAD POST OPTIONS
# Example: for RESTful APIs, add the following methods: PUT PATCH DELETE
# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK
# MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK
# Uncomment this rule to change the default.
#SecAction \
# "id:900200,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
By default only the GET, HEAD, POST and OPTIONS methods are allowed, but our project exposes RESTful APIs that use PUT, PATCH and DELETE, so change the configuration as below and remove the comment markers:
SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
Configuring httpd.conf
<IfModule security2_module>
Include conf/modsecurity-crs/crs-setup.conf
Include conf/modsecurity-crs/rules/*.conf
</IfModule>
Verifying mod_security
Restart: httpd.exe -k restart
Visit: http://localhost/?abc=alert(1)
If the installation succeeded, the response is 403:
Forbidden
You don't have permission to access this resource.
Security protection logs
mlogc can record every request blocked by the rules; refer to ReadMe.txt.
Copy mlogc.exe to apache24/bin
Copy mlogc-default.conf to apache24/conf/mlogc.conf
Adjust CollectorRoot in mlogc.conf to point into the apache24 directory:
CollectorRoot "E:/Apache/Apache24/log/mlogc"
Edit httpd.conf and add mlogc:
<IfModule security2_module>
Include conf/modsecurity-crs/crs-setup.conf
Include conf/modsecurity-crs/rules/*.conf
# mlogc.exe configuration
SecDataDir logs
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4\d[^4])"
SecAuditLogType Concurrent
SecAuditLogParts ABCDEFGHZ
SecAuditLogStorageDir logs/mod_security/
# The leading "|" pipes the audit log to mlogc instead of writing to a file; mlogc takes its config path as argument
SecAuditLog "|${SRVROOT}/bin/mlogc.exe ${SRVROOT}/conf/mlogc.conf"
</IfModule>
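As an added example (not from the original post), this Python shows what the audit settings above select and how blocked requests appear in the Apache error log: the SecAuditLogRelevantStatus expression decides which responses get an audit entry, and a small parser pulls client, rule id, message and status out of error-log lines so blocked requests can be counted per rule. The log lines are constructed to look like ModSecurity 2.x output and are not real server data; the rule ids 942100 and 949110 are Core Rule Set ids, and the file paths follow the E:/Apache/Apache24 layout used above.

```python
import re
from collections import Counter

# The expression from SecAuditLogRelevantStatus above: any 5xx, and any 4xx
# whose third digit is not 4 (so 404 is skipped, but so are 414, 424, ...).
RELEVANT_STATUS = re.compile(r"^(?:5|4\d[^4])")


def is_relevant(status: int) -> bool:
    """True when ModSecurity would write a Concurrent audit entry for this status."""
    return RELEVANT_STATUS.match(str(status)) is not None


# Constructed sample lines in the shape ModSecurity 2.x writes to the Apache 2.4
# error log; they are not copied from a real server.
SAMPLE_ERROR_LOG = [
    r'[Mon Jan 01 10:00:00.000000 2024] [:error] [pid 100:tid 200] [client 127.0.0.1:50000] '
    r'[client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). '
    r'Pattern match "\\.\\./" at ARGS:abc. [file "E:/Apache/Apache24/conf/httpd.conf"] '
    r'[line "540"] [id "50904"] [msg "Drive Access"] [severity "WARNING"] '
    r'[hostname "localhost"] [uri "/"] [unique_id "CONSTRUCTED-ID-1"]',
    r'[Mon Jan 01 10:00:01.000000 2024] [:error] [pid 100:tid 200] [client 127.0.0.1:50001] '
    r'[client 127.0.0.1] ModSecurity: Warning. detected SQLi using libinjection. '
    r'[file "E:/Apache/Apache24/conf/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
    r'[line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] '
    r'[severity "CRITICAL"] [hostname "localhost"] [uri "/"] [unique_id "CONSTRUCTED-ID-2"]',
    r'[Mon Jan 01 10:00:01.000000 2024] [:error] [pid 100:tid 200] [client 127.0.0.1:50001] '
    r'[client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). '
    r'Operator GE matched 5 at TX:anomaly_score. '
    r'[file "E:/Apache/Apache24/conf/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    r'[line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] '
    r'[severity "CRITICAL"] [hostname "localhost"] [uri "/"] [unique_id "CONSTRUCTED-ID-2"]',
    r'[Mon Jan 01 10:00:02.000000 2024] [mpm_winnt:notice] [pid 100:tid 200] '
    r'AH00455: Apache/2.4 configured -- resuming normal operations',
]

# One [name "value"] tag; the value may contain escaped quotes.
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The verdict: a denied request carries the status code, a warning does not.
VERDICT = re.compile(r"\[client ([^\]]+)\] ModSecurity: (Access denied with code (\d+)|Warning)")


def parse_modsec_line(line: str):
    """Return a dict for a ModSecurity event line, or None for any other line."""
    verdict = VERDICT.search(line)
    if verdict is None:
        return None
    tags = dict(TAG.findall(line[verdict.end():]))
    status = int(verdict.group(3)) if verdict.group(3) else None
    return {
        "client": verdict.group(1),
        "action": "deny" if status is not None else "warn",
        "status": status,
        "id": tags.get("id"),
        "msg": tags.get("msg"),
        "uri": tags.get("uri"),
        "unique_id": tags.get("unique_id"),
    }


def denied_by_rule(lines) -> Counter:
    """Count blocked requests per rule id, the first thing to review after enabling CRS."""
    counts = Counter()
    for line in lines:
        event = parse_modsec_line(line)
        if event is not None and event["action"] == "deny":
            counts[event["id"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_ERROR_LOG:
        event = parse_modsec_line(line)
        if event is None:
            continue
        audited = event["status"] is not None and is_relevant(event["status"])
        print(event["action"], event["status"], event["id"], event["msg"], "audited:", audited)
    print(denied_by_rule(SAMPLE_ERROR_LOG))
```

The warning line (a rule that scored but did not block on its own) shares its unique_id with the 949110 blocking line; with SecAuditLogParts including H, the audit entry for that request lists both, which is how you trace an anomaly-score block back to the rules that contributed.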
Main protection rules
REQUEST-910-IP-REPUTATION.conf (suspicious IP matching)
REQUEST-912-DOS-PROTECTION.conf (DDoS attacks)
REQUEST-913-SCANNER-DETECTION.conf (scanner detection)
REQUEST-920-PROTOCOL-ENFORCEMENT.conf (HTTP protocol compliance rules)
REQUEST-921-PROTOCOL-ATTACK.conf (protocol attacks)
REQUEST-930-APPLICATION-ATTACK-LFI.conf (application attacks: path traversal)
REQUEST-931-APPLICATION-ATTACK-RFI.conf (remote file inclusion)
REQUEST-932-APPLICATION-ATTACK-RCE.conf (remote command execution)
REQUEST-933-APPLICATION-ATTACK-PHP.conf (PHP injection attacks)
REQUEST-941-APPLICATION-ATTACK-XSS.conf (XSS)
REQUEST-942-APPLICATION-ATTACK-SQLI.conf (SQL injection)
REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf (session fixation)
REQUEST-949-BLOCKING-EVALUATION.conf
RESPONSE-950-DATA-LEAKAGES.conf (information leakage)
RESPONSE-951-DATA-LEAKAGES-SQL.conf (SQL information leakage)
RESPONSE-952-DATA-LEAKAGES-JAVA.conf (Java source code leakage)
RESPONSE-953-DATA-LEAKAGES-PHP.conf (PHP information leakage)
RESPONSE-954-DATA-LEAKAGES-IIS.conf (IIS information leakage)