A small trial of setting up a WAF with ModSecurity

Source: 岁月联盟  Editor: 猪蛋儿  Date: 2020-03-16
To verify that nothing is broken, run /usr/local/nginx/sbin/nginx -t and make sure it reports everything OK. Then check whether ModSecurity is actually in effect:
curl http://localhost/adminaccess
403 Forbidden
403 Forbidden
nginx/1.17.8
and the /var/log/nginx/error.log file shows:
2020/02/07 16:04:08 [error] 17871#17871: *3 [client 127.0.0.1]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator
`BeginsWith' with parameter `/admin' against variable `REQUEST_URI'
(Value: `/adminaccess' ) [file "/usr/local/nginx/etc/modsec/main.conf"]
[line "7"] [id "2222"] [rev ""] [msg "block admin"] [data ""] [severity
"0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri
"/adminaccess"] [unique_id "158108784890.091254"] [ref
"o0,6v4,12t:lowercase"], client: 127.0.0.1, server: localhost, request:
"GET /adminaccess HTTP/1.1", host: "localhost"
Almost done
At this point ModSecurity is running on NGINX, so all that is still missing is the OWASP Core Rule Set (CRS). Once that is in place, the rest is straightforward.
cd /usr/local/nginx/etc
tar -xvf ~/owasp/CRS_v3.2.0.tar.gz
ln -s owasp-modsecurity-crs-3.2.0 owasp-crs
cp -p /usr/local/nginx/etc/owasp-crs/crs-setup.conf.example /usr/local/nginx/etc/owasp-crs/crs-setup.conf
Add these lines to /usr/local/nginx/etc/modsec/main.conf:
Include "/usr/local/nginx/etc/owasp-crs/crs-setup.conf"
Include "/usr/local/nginx/etc/owasp-crs/rules/*.conf"
Also make sure the file /usr/local/nginx/etc/owasp-crs/crs-setup.conf contains the following lines:
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
If curl makes a normal request, for example curl http://localhost/trololo_singer.html, no security rule is triggered and a plain 404 error is shown:
404 Not Found
404 Not Found
nginx/1.17.8
However, if the curl command requests a protected file (such as the .htaccess file), the Core Rule Set is triggered and an access-denied error is returned:
403 Forbidden
403 Forbidden
nginx/1.17.8
and the /var/log/nginx/error.log file shows:
2020/02/07 16:17:28 [error] 2724#2724: *8 [client 127.0.0.1]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator
`PmFromFile' with parameter `restricted-files.data' against variable
`REQUEST_FILENAME' (Value: `/.htaccess' ) [file
"/usr/local/nginx/etc/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"]
[line "104"] [id "930130"] [rev ""] [msg "Restricted File Access
Attempt"] [data "Matched Data: .htaccess found within REQUEST_FILENAME:
/.htaccess"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"]
[accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag
"platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS"] [tag
"OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag
"OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "127.0.0.1"] [uri
"/.htaccess"] [unique_id "15813292242.837003"] [ref
"o1,9v4,10t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase"],
client: 127.0.0.1, server: localhost, request: "GET /.htaccess
HTTP/1.1", host: "localhost"
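As an added example (not part of the original post), here is a small Python parser for the ModSecurity error.log entries shown above: it turns the bracketed fields into a record that a log pipeline or triage script can act on, collecting the CRS tags into a list and mapping the numeric severity to its name. The sample entry is the CRS .htaccess block from the excerpt above, re-wrapped; the function and variable names are my own.

```python
import re

# Bracketed fields ModSecurity v3 writes into nginx's error.log, e.g. [id "930130"] [tag "attack-lfi"].
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DENIED_RE = re.compile(r"Access denied with code (\d+) \(phase (\d+)\)")
# nginx request context appended after the ModSecurity message.
CTX_RE = re.compile(r'client: (?P<client>\S+), server: (?P<server>\S+), '
                    r'request: "(?P<request>[^"]*)", host: "(?P<host>[^"]*)"')
# Numeric severity levels used by ModSecurity and the CRS (0 = most severe).
SEVERITY = {"0": "EMERGENCY", "1": "ALERT", "2": "CRITICAL", "3": "ERROR",
            "4": "WARNING", "5": "NOTICE", "6": "INFO", "7": "DEBUG"}

def parse_modsec_entry(entry: str) -> dict:
    """Parse one 'Access denied' entry (it may be wrapped over several lines, as in
    the excerpts above) into a flat dict; repeated [tag "..."] go into rec["tags"]."""
    line = " ".join(entry.split())  # undo any line wrapping first
    m = DENIED_RE.search(line)
    if m is None:
        raise ValueError("not a ModSecurity access-denied entry")
    rec = {"tags": [], "status": int(m.group(1)), "phase": int(m.group(2))}
    for key, val in FIELD_RE.findall(line):
        if key == "tag":
            rec["tags"].append(val)
        else:
            rec[key] = val
    ctx = CTX_RE.search(line)
    if ctx:
        rec.update(ctx.groupdict())
    rec["severity_name"] = SEVERITY.get(rec.get("severity", ""), "UNKNOWN")
    return rec

def triage_line(rec: dict) -> str:
    """One-line summary for an alert title or SOC dashboard."""
    return (f'{rec.get("client", "?")} {rec.get("request", "?")} -> {rec["status"]} '
            f'by rule {rec.get("id")} "{rec.get("msg")}" [{rec["severity_name"]}] '
            f'tags={",".join(rec["tags"]) or "-"}')

# Sample entry copied from the error.log excerpt on this page (re-wrapped).
SAMPLE_LFI = '''2020/02/07 16:17:28 [error] 2724#2724: *8 [client 127.0.0.1]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `PmFromFile' with
parameter `restricted-files.data' against variable `REQUEST_FILENAME' (Value: `/.htaccess' )
[file "/usr/local/nginx/etc/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"]
[line "104"] [id "930130"] [rev ""] [msg "Restricted File Access
Attempt"] [data "Matched Data: .htaccess found within REQUEST_FILENAME: /.htaccess"]
[severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"]
[tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS"]
[tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"]
[tag "PCI/6.5.4"] [hostname "127.0.0.1"] [uri "/.htaccess"] [unique_id "15813292242.837003"]
[ref "o1,9v4,10t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase"],
client: 127.0.0.1, server: localhost, request: "GET /.htaccess HTTP/1.1", host: "localhost"'''
```

Calling triage_line(parse_modsec_entry(SAMPLE_LFI)) gives a single line naming the client, request, rule id 930130, the CRITICAL severity and all nine CRS tags.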