  • Configuring the OWASP ModSecurity Core Rule Set (CRS) rules

    1. Download the OWASP ModSecurity Core Rule Set

    cd /etc/httpd
    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
    mv owasp-modsecurity-crs modsecurity-crs
    cd modsecurity-crs
    mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

    Note: everything below assumes CRS 2.2.9 (the base_rules/ and activated_rules/ layout and the modsecurity_crs_10_setup.conf file). The master branch of that repository has since moved on to CRS 3.x, which uses a different layout (crs-setup.conf.example and a single rules/ directory), so check out the 2.2.9 release (git checkout v2.2.9) right after cloning if you want to follow these steps as written.

     2. Enable the rules in Apache

    vi /etc/httpd/conf/httpd.conf
    

     Append at the end of the file:

    <IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_setup.conf
    Include modsecurity-crs/base_rules/*.conf
    Include modsecurity-crs/activated_rules/*.conf
    </IfModule>

    The order matters: the setup file defines the SecDefaultAction and the tx.* variables the rules rely on, and activated_rules/ (where the custom.conf below lives) is loaded last so that its SecRuleRemoveById directives refer to rules that already exist. Do not also symlink base_rules/*.conf into activated_rules/ as the CRS INSTALL file suggests; with both Include lines every rule ID would be defined twice and httpd would refuse to start. The Include paths are relative to ServerRoot (/etc/httpd); run httpd -t before restarting.

     3. Create the whitelist (engine configuration) file

    vi /etc/httpd/modsecurity.d/whitelist.conf

    The original post spelled the directory "modsecuirty.d". The directory picked up by the CentOS mod_security package is modsecurity.d (check the Include lines in /etc/httpd/conf.d/mod_security.conf); a file under the misspelled name is never loaded.
    
    #Whitelist file to control ModSec
    
    <IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    
    # Persistent collections (IP/session data) must not live in a world-writable
    # directory; the package default is used instead of /tmp
    SecDataDir /var/lib/mod_security
    
    </IfModule>

    Despite its name this file is the engine configuration, not a whitelist. SecRuleEngine On enforces immediately; while tuning a freshly installed rule set, set it to DetectionOnly so that hits are logged but nothing is blocked. SecResponseBodyAccess On is required by the outbound (response) rules but costs CPU on every response. The original used SecDataDir /tmp; the data directory holds persistent collections and should be owned by the httpd user and not shared with other local users, so the package default /var/lib/mod_security is used here (the directory must exist and be writable by the apache user).
    

     4. Custom rules

    vi /etc/httpd/modsecurity-crs/activated_rules/custom.conf
    

     Here you can write rules of your own or remove existing ones.

    IP whitelist

    SecRule REMOTE_ADDR "@ipMatch 192.168.1.11" "phase:1,id:100001,log,allow,ctl:ruleEngine=off"

    The original post used the regex "^192.168.1.11" here. Unescaped dots and a missing end anchor make it match far more than that one host (192.168.1.110 through 192.168.1.119, 192.168.1.111, and so on), so the whitelist silently widens; @ipMatch compares addresses (and accepts CIDR ranges such as 192.168.1.0/24) without that problem, and the action list is quoted as the ModSecurity manual does. Because the rule runs in phase 1 and switches the engine off for the rest of the transaction, never substitute a spoofable source such as X-Forwarded-For for REMOTE_ADDR.
    

     Rule whitelist (remove a rule by ID)

    <LocationMatch .*>
            SecRuleRemoveById 960020
    </LocationMatch>

    <LocationMatch .*> matches every URL, so this disables the rule site-wide; a bare SecRuleRemoveById 960020 in custom.conf has the same effect with less ceremony. Either way the directive must be read after the rule it removes, which is why custom.conf lives in activated_rules/, included after base_rules/.
    

     Per-path rule whitelist

    <LocationMatch "/home/www/test/">
            SecRuleRemoveById 300015 300016 300017
    </LocationMatch>

    Two things to watch here. The original had typographic quotes around the path, which Apache would treat as part of the pattern; use plain ASCII quotes. More importantly, LocationMatch takes a regular expression over the request URL path, not a filesystem path: "/home/www/test/" only matches if that string appears in the URL, which it never will for a DocumentRoot under /home/www. Use a URL path (for example "^/test/") or the <Directory> form below for a filesystem directory. Also replace the IDs with those of the rules actually firing in your audit log; CRS 2.2.9 rule IDs are in the 9xxxxx range, and 300015-300017 are not CRS rules.
    

     Or:

    <Directory /path/to/dir>
        SecRuleEngine Off
    </Directory>

    This switches ModSecurity off entirely for everything served from that directory, not just one rule, so reserve it for paths already restricted by authentication or source IP, and prefer removing individual rule IDs wherever possible.
    

     5. Common problems

    When testing locally with the full rule set enabled, requests to the web directory are refused:

    Forbidden

    You don't have permission to access /bWAPP/ on this server.

    The ModSecurity audit log (section H of the transaction) shows why:

    Message: Access denied with code 403 (phase 2). Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.14.21"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"]
    Action: Intercepted (phase 2)
    Apache-Handler: php5-script
    Stopwatch: 1478141159604281 1340 (- - -)
    Stopwatch2: 1478141159604281 1340; combined=316, p1=207, p2=82, p3=0, p4=0, p5=27, sr=23, sw=0, l=0, gc=0
    Response-Body-Transformed: Dechunked
    Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
    Engine-Mode: "ENABLED"
    

    The rule with ID 960017 (in base_rules/modsecurity_crs_21_protocol_anomalies.conf):

    # Check that the host header is not an IP address 
    # This is not an HTTP RFC violation but it is indicative of automated client access.
    # Many web-based worms propagate by scanning IP address blocks.
    #
    # -=[ Rule Logic ]=-
    # This rule triggers if the Host header contains all digits (and possible port)
    #
    # -=[ References ]=-
    # http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx
    #
    
    SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,block,msg:'Host header is a numeric IP address',logdata:'%{matched_var}',severity:'4',id:'960017',tag:'OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"
    

    Add the following to /etc/httpd/modsecurity-crs/activated_rules/custom.conf:

    <LocationMatch .*>
        SecRuleRemoveById 960017
    </LocationMatch>

     This removes the check on whether the HTTP Host header is an IP address; by default a numeric Host header is blocked. Before disabling it globally, keep in mind that the rule exists to flag scanners and worms that walk IP ranges rather than requesting a host name, and users who reach the site by name never trigger it. For local testing it is usually better to keep the rule and have the client send a host name instead (an /etc/hosts entry for 192.168.14.21 is enough), or to run with SecRuleEngine DetectionOnly while tuning and review the audit log for what would have been blocked. If the rule must go, restrict the removal to the affected paths rather than using <LocationMatch .*>, check the configuration with httpd -t and restart httpd.
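     Working out which rule blocked a request, how often, and on which paths is the recurring task behind every entry in this section. The following Python script is an added example, not code from the original post or from the CRS project: it parses a ModSecurity 2.x serial-format audit log (the same format as the section H excerpt above; it assumes SecAuditLogType Serial with the default section letters), aggregates hits per rule ID together with the paths, client IPs and Host values involved, and drafts SecRuleRemoveById exclusions scoped to exactly those paths instead of <LocationMatch .*>. The sample log embedded in it is constructed (addresses, host name, unique IDs and line numbers are made up); the 960017 entries mirror the hit above, and a 981318 SQL injection hit is included to show a rule that should stay on. All function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample in ModSecurity serial audit-log format (IPs, host name, unique ids and
# line numbers are made up). 960017 mirrors the hit in the post; 981318 is a made-up SQLi hit.
SAMPLE_AUDIT_LOG = r"""--7f0a1b2c-A--
[03/Nov/2016:11:25:59 +0800] WBrpOn8AAQEAAEbJbmIAAAAA 192.168.14.21 54321 192.168.14.21 80
--7f0a1b2c-B--
GET /bWAPP/ HTTP/1.1
Host: 192.168.14.21
--7f0a1b2c-H--
Message: Access denied with code 403 (phase 2). Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [msg "Host header is a numeric IP address"] [data "192.168.14.21"] [severity "WARNING"]
--7f0a1b2c-Z--
--7f0a1b2d-A--
[03/Nov/2016:11:26:10 +0800] WBrpQn8AAQEAAEbJbmMAAAAB 192.168.14.21 54322 192.168.14.21 80
--7f0a1b2d-B--
GET /bWAPP/login.php HTTP/1.1
Host: 192.168.14.21
--7f0a1b2d-H--
Message: Access denied with code 403 (phase 2). Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [msg "Host header is a numeric IP address"] [data "192.168.14.21"] [severity "WARNING"]
--7f0a1b2d-Z--
--7f0a1b2e-A--
[03/Nov/2016:11:27:42 +0800] WBrpan8AAQEAAEbJbmQAAAAC 192.168.14.50 40012 192.168.14.21 80
--7f0a1b2e-B--
GET /bWAPP/sqli_1.php?title=a%27%20or%201%3D1-- HTTP/1.1
Host: bwapp.example.test
--7f0a1b2e-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:title. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "' or 1=1--"] [severity "CRITICAL"]
--7f0a1b2e-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")  # section boundary, e.g. --7f0a1b2c-H--
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs in a Message line

def split_transactions(text):
    """Group audit-log lines per transaction, keyed by section letter (A, B, H, ...)."""
    transactions, current, section = [], None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(2)
            if section == "A":
                current = {}
                transactions.append(current)
            continue
        if current is not None and section not in (None, "Z"):
            current.setdefault(section, []).append(line)
    return transactions

def parse_transaction(tx):
    """Extract client IP, request path, Host header and rule hits from one transaction."""
    a_fields = tx.get("A", [""])[0].split()  # "[ts] unique_id client_ip client_port server_ip server_port"
    client_ip = a_fields[-4] if len(a_fields) >= 6 else "?"
    b_lines = tx.get("B", [])
    request = b_lines[0].split() if b_lines else []
    uri = request[1] if len(request) > 1 else "?"
    host = next((l.split(":", 1)[1].strip() for l in b_lines if l.lower().startswith("host:")), "?")
    # In traditional (non-anomaly) mode a blocking rule logs "Access denied"; warnings do not.
    hits = [dict(TAG_RE.findall(l), intercepted=l.startswith("Message: Access denied"))
            for l in tx.get("H", []) if l.startswith("Message:")]
    return {"client_ip": client_ip, "path": uri.split("?", 1)[0], "host": host,
            "hits": [h for h in hits if "id" in h]}

def summarise(text):
    """Aggregate hits per rule id: count, how many blocked, and the paths, clients and Hosts seen."""
    summary = {}
    for tx in split_transactions(text):
        info = parse_transaction(tx)
        for hit in info["hits"]:
            e = summary.setdefault(hit["id"], {"msg": hit.get("msg", ""), "count": 0, "blocked": 0,
                                               "paths": set(), "clients": set(), "hosts": set()})
            e["count"] += 1
            e["blocked"] += int(hit["intercepted"])
            e["paths"].add(info["path"])
            e["clients"].add(info["client_ip"])
            e["hosts"].add(info["host"])
    return summary

def report(summary):
    """One line per rule, busiest first, to separate tuning noise from real attacks."""
    return [f'{rid} x{e["count"]} (blocked {e["blocked"]}): {e["msg"]} | paths={sorted(e["paths"])} '
            f'clients={sorted(e["clients"])} hosts={sorted(e["hosts"])}'
            for rid, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"])]

def exclusion_config(summary, rule_ids):
    """SecRuleRemoveById blocks limited to the exact URL paths each rule fired on. LocationMatch
    takes a regex, so the path is anchored and escaped (narrower than <LocationMatch .*>)."""
    by_path = defaultdict(set)
    for rid in rule_ids:
        for path in summary[rid]["paths"]:
            by_path[path].add(rid)
    out = []
    for path in sorted(by_path):
        out += [f'<LocationMatch "^{re.escape(path)}$">',
                "    SecRuleRemoveById " + " ".join(sorted(by_path[path])), "</LocationMatch>"]
    return "\n".join(out)

if __name__ == "__main__":
    s = summarise(SAMPLE_AUDIT_LOG)
    print("\n".join(report(s)))
    print(exclusion_config(s, ["960017"]))  # only the benign IP-as-Host hits, scoped per path
```

     Run it against the real log with summarise(open(path).read()), where path is the file named by SecAuditLog in your configuration. In the sample, 960017 fires only from the local test client that sends the IP as the Host header, so it is a tuning candidate; 981318 fires from another client on an injection payload and must not be excluded. The generated blocks anchor each path exactly; collapse them by hand when a whole directory tree is affected.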

    Copyright © 2021 Primzahl. All rights reserved.

  • Original URL: https://www.cnblogs.com/Primzahl/p/6025853.html