# Enable ModSecurity, attaching it to every transaction. Use detection # only to start with, because that minimises the chances of post-installation # disruption. # SecRuleEngine On
# -- Request body handling ---------------------------------------------------
# Allow ModSecurity to access request bodies. If you don't, ModSecurity # won't be able to see any POST parameters, which opens a large security # hole for attackers to exploit. # SecRequestBodyAccess On
#Enable XML request body parser. # Initiate XML Processor in case of xml content-type # SecRule REQUEST_HEADERS:Content-Type "text/xml" \ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
# Maximum request body size we will accept for buffering. If you support # file uploads then the value given on the first line has to be as large # as the largest file you are willing to accept. The second value refers # to the size of data, with files excluded. You want to keep that value as # low as practical. # SecRequestBodyLimit 419430400 SecRequestBodyNoFilesLimit 131072
# Store up to 128 KB of request body data in memory. When the multipart # parser reachers this limit, it will start using your hard disk for # storage. That is slow, but unavoidable. # SecRequestBodyInMemoryLimit 131072
# What do do if the request body size is above our configured limit. # Keep in mind that this setting will automatically be set to ProcessPartial # when SecRuleEngine is set to DetectionOnly mode in order to minimize # disruptions when initially deploying ModSecurity. # SecRequestBodyLimitAction Reject
# Verify that we've correctly processed the request body. # As a rule of thumb, when failing to process a request body # you should reject the request (when deployed in blocking mode) # or log a high-severity alert (when deployed in detection-only mode). # SecRule REQBODY_ERROR "!@eq 0" \ "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
# By default be strict with what we accept in the multipart/form-data # request body. If the rule below proves to be too strict for your # environment consider changing it to detection-only. You are encouraged # _not_ to remove it altogether. # SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ "id:'200002',phase:2,t:none,log,deny,status:44, \ msg:'Multipart request body failed strict validation: \ PE %{REQBODY_PROCESSOR_ERROR}, \ BQ %{MULTIPART_BOUNDARY_QUOTED}, \ BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ DB %{MULTIPART_DATA_BEFORE}, \ DA %{MULTIPART_DATA_AFTER}, \ HF %{MULTIPART_HEADER_FOLDING}, \ LF %{MULTIPART_LF_LINE}, \ SM %{MULTIPART_MISSING_SEMICOLON}, \ IQ %{MULTIPART_INVALID_QUOTING}, \ IP %{MULTIPART_INVALID_PART}, \ IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
# Did we see anything that might be a boundary? # SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ "id:'200003',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
# PCRE Tuning # We want to avoid a potential RegEx DoS condition # SecPcreMatchLimit 1000 SecPcreMatchLimitRecursion 1000
# Some internal errors will set flags in TX and we will need to look for these. # All of these are prefixed with "MSC_". The following flags currently exist: # # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded. # SecRule TX:/^MSC_/ "!@streq 0" \ "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
# -- Response body handling --------------------------------------------------
# Allow ModSecurity to access response bodies. # You should have this directive enabled in order to identify errors # and data leakage issues. # # Do keep in mind that enabling this directive does increases both # memory consumption and response latency. # SecResponseBodyAccess Off
# Which response MIME types do you want to inspect? You should adjust the # configuration below to catch documents but avoid static files # (e.g., images and archives). # SecResponseBodyMimeType text/plain text/html text/xml
# Buffer response bodies of up to 512 KB in length. SecResponseBodyLimit 524288
# What happens when we encounter a response body larger than the configured # limit? By default, we process what we have and let the rest through. # That's somewhat less secure, but does not break any legitimate pages. # SecResponseBodyLimitAction ProcessPartial
# The location where ModSecurity stores temporary files (for example, when # it needs to handle a file upload that is larger than the configured limit). # # This default setting is chosen due to all systems have /tmp available however, # this is less than ideal. It is recommended that you specify a location that's private. # SecTmpDir /tmp/
# The location where ModSecurity will keep its persistent data. This default setting # is chosen due to all systems have /tmp available however, it # too should be updated to a place that other users can't access. # SecDataDir /tmp/
# The location where ModSecurity stores intercepted uploaded files. This # location must be private to ModSecurity. You don't want other users on # the server to access the files, do you? # #SecUploadDir /opt/modsecurity/var/upload/
# By default, only keep the files that were determined to be unusual # in some way (by an external inspection script). For this to work you # will also need at least one file inspection rule. # #SecUploadKeepFiles RelevantOnly
# Uploaded files are by default created with permissions that do not allow # any other user to access them. You may need to relax that if you want to # interface ModSecurity to an external program (e.g., an anti-virus). # #SecUploadFileMode 0600
# The default debug log configuration is to duplicate the error, warning # and notice messages from the error log. # #SecDebugLog /opt/modsecurity/var/log/debug.log #SecDebugLogLevel 3
# Log the transactions that are marked by a rule, as well as those that # trigger a server error (determined by a 5xx or 4xx, excluding 404, # level response status codes). # SecAuditEngine RelevantOnly SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Log everything we know about a transaction. SecAuditLogParts ABIJDEFHZ
# Use a single file for logging. This is much easier to look at, but # assumes that you will use the audit log only ocassionally. # SecAuditLogType Serial SecAuditLog /var/log/apache2/modsec_audit.log
# Specify the path for concurrent audit logging. #SecAuditLogStorageDir /opt/modsecurity/var/audit/
# Use the most commonly used application/x-www-form-urlencoded parameter # separator. There's probably only one application somewhere that uses # something else so don't expect to change this value. # SecArgumentSeparator &
# Settle on version 0 (zero) cookies, as that is what most applications # use. Using an incorrect cookie version may open your installation to # evasion attacks (against the rules that examine named cookies). # SecCookieFormat 0
# Specify your Unicode Code Point. # This mapping is used by the t:urlDecodeUni transformation function # to properly map encoded data to your language. Properly setting # these directives helps to reduce false positives and negatives. # SecUnicodeMapFile unicode.mapping 20127
제가사용하는 버전은 2.7.3 웹지기님이 사용하는 것은 2.7.7 버전 차이가 있을 수 있고. 제사이트는 거의 xe 순정 상태입니다.
사용하시는 프로그램이 많으면 해당 프로그램에서 걸리는 것이 있으므로 해당 id 제거해야 합니다.
일단 xe등 프로그램에서 해킹, 스팸 패턴을 사용하지 말아야 하는데 (패턴은 발표됩니다.) 그게 현실적으로 어렵고 사이트에 적용하려면 룰을 수정하거나 해야 하는데 많은 공부가 필요하니 이것도 현실적으로 어렵고 공기관에서 만들어 주면 좋은데 (예전에 인터넷진흥원에서 시도 했었죠. 하지만 모든 프로그래머의 프로그램 패턴을 적용할 수 없으므로 현재는 중단된 상태이고)
xe 순정에서는 위 id만 제거하면 문제 없습니다. 그런데 관리하는 사이트 중에 쪽지 에디터에서 사이트 글을 복붙하면 에러 발생하더군요. 게시판 글쓰기는 같은 상황에서 에러가 안나는데. 패턴을 정의할 수 없어 할 수 없이 modsecurity_crs_41_sql_injection_attacks.conf modsecurity_crs_41_xss_attacks.conf
댓글 38
SecRuleEngine Off
로 하니 로그인은 되었습니다.
뭘 제대로 못한건지 알수가 없네요.. XE에 사용할때 주의사항이 있을까요?
# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine On
# -- Request body handling ---------------------------------------------------
# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On
#Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
#
SecRequestBodyLimit 419430400
SecRequestBodyNoFilesLimit 131072
# Store up to 128 KB of request body data in memory. When the multipart
# parser reachers this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#
SecRequestBodyInMemoryLimit 131072
# What do do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
SecRequestBodyLimitAction Reject
# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
# Did we see anything that might be a boundary?
#
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
# -- Response body handling --------------------------------------------------
# Allow ModSecurity to access response bodies.
# You should have this directive enabled in order to identify errors
# and data leakage issues.
#
# Do keep in mind that enabling this directive does increases both
# memory consumption and response latency.
#
SecResponseBodyAccess Off
# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
# (e.g., images and archives).
#
SecResponseBodyMimeType text/plain text/html text/xml
# Buffer response bodies of up to 512 KB in length.
SecResponseBodyLimit 524288
# What happens when we encounter a response body larger than the configured
# limit? By default, we process what we have and let the rest through.
# That's somewhat less secure, but does not break any legitimate pages.
#
SecResponseBodyLimitAction ProcessPartial
# -- Filesystem configuration ------------------------------------------------
# The location where ModSecurity stores temporary files (for example, when
# it needs to handle a file upload that is larger than the configured limit).
#
# This default setting is chosen due to all systems have /tmp available however,
# this is less than ideal. It is recommended that you specify a location that's private.
#
SecTmpDir /tmp/
# The location where ModSecurity will keep its persistent data. This default setting
# is chosen due to all systems have /tmp available however, it
# too should be updated to a place that other users can't access.
#
SecDataDir /tmp/
# -- File uploads handling configuration -------------------------------------
# The location where ModSecurity stores intercepted uploaded files. This
# location must be private to ModSecurity. You don't want other users on
# the server to access the files, do you?
#
#SecUploadDir /opt/modsecurity/var/upload/
# By default, only keep the files that were determined to be unusual
# in some way (by an external inspection script). For this to work you
# will also need at least one file inspection rule.
#
#SecUploadKeepFiles RelevantOnly
# Uploaded files are by default created with permissions that do not allow
# any other user to access them. You may need to relax that if you want to
# interface ModSecurity to an external program (e.g., an anti-virus).
#
#SecUploadFileMode 0600
# -- Debug log configuration -------------------------------------------------
# The default debug log configuration is to duplicate the error, warning
# and notice messages from the error log.
#
#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3
# -- Audit log configuration -------------------------------------------------
# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ
# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir /opt/modsecurity/var/audit/
# -- Miscellaneous -----------------------------------------------------------
# Use the most commonly used application/x-www-form-urlencoded parameter
# separator. There's probably only one application somewhere that uses
# something else so don't expect to change this value.
#
SecArgumentSeparator &
# Settle on version 0 (zero) cookies, as that is what most applications
# use. Using an incorrect cookie version may open your installation to
# evasion attacks (against the rules that examine named cookies).
#
SecCookieFormat 0
# Specify your Unicode Code Point.
# This mapping is used by the t:urlDecodeUni transformation function
# to properly map encoded data to your language. Properly setting
# these directives helps to reduce false positives and negatives.
#
SecUnicodeMapFile unicode.mapping 20127
위 문서의 내용중
step-5 를 제외한 나머지 대부분을 해 준 상태입니다.
기타 문제가 생길뿐이라.=ㅅ=
Message: Rule 7f4acb225160 [id "981172"][file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null).
Apache-Handler: application/x-httpd-php
Stopwatch: 1468590880228387 127922 (- - -)
Stopwatch2: 1468590880228387 127922; combined=6013, p1=208, p2=5786, p3=4, p4=2, p5=10, sr=62, sw=3, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Server: Apache/2.4.20 (Ubuntu)
Engine-Mode: "DETECTION_ONLY"
--addcdf75-Z--
이런 내용이 보이는데요...
sql 인젝션 관련 룰 같은데 'SecRuleRemoveById 981172'로 제외시키면 될 거예요.
일단 아래 정도 적용하세요
SecRuleRemoveById 958030
SecRuleRemoveById 950109
SecRuleRemoveById 973304
SecRuleRemoveById 950120
SecRuleRemoveById 981257
SecRuleRemoveById 981242
SecRuleRemoveById 981248
SecRuleRemoveById 960014
SecRuleRemoveById 960018
SecRuleRemoveById 960913
SecRuleRemoveById 960010
SecRuleRemoveById 960015
SecRuleRemoveById 960024
SecRuleRemoveById 950911
SecRuleRemoveById 981318
SecRuleRemoveById 950901
SecRuleRemoveById 950007
SecRuleRemoveById 981173
SecRuleRemoveById 981245
SecRuleRemoveById 981247
SecRuleRemoveById 981243
SecRuleRemoveById 950020
SecRuleRemoveById 950103
SecRuleRemoveById 973338
SecRuleRemoveById 960915
SecRuleRemoveById 200003
SecRuleRemoveById 973306
서버 전체에 적용하려면
conf.d/mod_security.conf 맨밑에 복사해 넣으세요.
IncludeOptional "/usr/share/modsecurity-crs/activated_rules/*.conf"
이걸 빼버리면 어떻게 되나요? 설치 의미가 없어지나요?
접속 ip가 본인 것인지 확인하시구요.
제가사용하는 버전은 2.7.3 웹지기님이 사용하는 것은 2.7.7 버전 차이가 있을 수 있고.
제사이트는 거의 xe 순정 상태입니다.
사용하시는 프로그램이 많으면 해당 프로그램에서 걸리는 것이 있으므로 해당 id 제거해야 합니다.
일단 xe등 프로그램에서 해킹, 스팸 패턴을 사용하지 말아야 하는데 (패턴은 발표됩니다.)
그게 현실적으로 어렵고
사이트에 적용하려면 룰을 수정하거나 해야 하는데 많은 공부가 필요하니 이것도 현실적으로 어렵고
공기관에서 만들어 주면 좋은데 (예전에 인터넷진흥원에서 시도 했었죠. 하지만 모든 프로그래머의 프로그램 패턴을 적용할 수 없으므로 현재는 중단된 상태이고)
로그에 나오는 모든 id가 아니라 에러가 나는 id입니다.
modsecurity_crs_41_sql_injection_attacks.conf
modsecurity_crs_41_xss_attacks.conf
2개 정도는 제외 하세요
xe에서 방어하고 있을 테니
httpd restart 확인
로그에 계속 뜨는건 왜 그럴까요.. 흠.. 넣으라는건 넣었는데 로그에 계속 검출되서 남는거 같네요.
다른 브라우저로 접속해 보세요.
service apache2 reload
이 두가지 말고 다르게 명령어를 줘야 하나요?
On / Off 이런건 즉시 먹습니다.
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000
적용해보세요
구굴링한 것이고 저는 테스트 안해보았습니다.
이렇게 설정하고 쓰면 된다면 이렇게 써야겠습니다.
혹시 신디케이션 모듈을 사용중이신가요?
아니면 웹마스터도구에 등록만 하고 사용하고 계시나요?
신기하게 웹지기님사이트만 게시물 등록일자가 나타나더라구요
같은 서버라서 같은 IP인데 클플 적용되서 해외 IP쓰는 도메인은 같은 더미 사이트라
글 내용도 똑같은데 월등히 색인이 많이 되더라구요..
저도, IDC측에 IP변경 요청을 해봐야겠네요.
다만 IP바꿨다가:) 구글이나 기타 서비스 장애가 올까봐 조금 고민되네요..
한가지 더 여쭤보고싶은게 있는데 혹시
네이버 웹마스터도구에도 등록 안하고 계신가요.?
클라우드플레어 무료플랜 ssl 사용자분들은 사이트분석 안되고 있는지 꼭 확인해 보셔야 합니다.
그런데 관리하는 사이트 중에 쪽지 에디터에서 사이트 글을 복붙하면 에러 발생하더군요. 게시판 글쓰기는 같은 상황에서 에러가 안나는데.
패턴을 정의할 수 없어 할 수 없이
modsecurity_crs_41_sql_injection_attacks.conf
modsecurity_crs_41_xss_attacks.conf
두개 제외했습니다.