Rocky_Linux_8
Apache httpd : Configure mod_security (2021/08/03)

 
Enable [mod_security] module to configure Web Application Firewall (WAF).
[1] Install [mod_security].
[root@www ~]#
dnf -y install mod_security
[2] After installation, the configuration file below is placed under [/etc/httpd/conf.d] and the module is already enabled. It contains default settings, and you can also add your own rules.
[root@www ~]#
cat /etc/httpd/conf.d/mod_security.conf

<IfModule mod_security2.c>
    # Default recommended configuration
    SecRuleEngine On
    SecRequestBodyAccess On
    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
         "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyInMemoryLimit 131072
    SecRequestBodyLimitAction Reject
    SecRule REQBODY_ERROR "!@eq 0" \
.....
.....

# if you do not want to block requests that match rules,
# change the parameter to [SecRuleEngine DetectionOnly]
[3] A rule is written in the following form.
    ⇒ SecRule VARIABLES OPERATOR [ACTIONS]
Each parameter takes many kinds of values; refer to the official documentation below.
https://github.com/SpiderLabs/ModSecurity/wiki
[4] For example, set some rules and verify that they work as expected.
[root@www ~]#
vi /etc/httpd/modsecurity.d/local_rules/modsecurity_localrules.conf
# default action when a rule matches
SecDefaultAction "phase:2,deny,log,status:406"
# [etc/passwd] is included in the request URI
SecRule REQUEST_URI "etc/passwd" "id:'500001'"
# [../] is included in the request URI
SecRule REQUEST_URI "\.\./" "id:'500002'"
# [<SCRIPT] is included in arguments (case-insensitive)
SecRule ARGS "<[Ss][Cc][Rr][Ii][Pp][Tt]" "id:'500003'"
# [SELECT FROM] is included in arguments (case-insensitive)
SecRule ARGS "[Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+[Ff][Rr][Oo][Mm]" "id:'500004'"
[root@www ~]#
systemctl restart httpd
[5] Access a URI that contains one of the strings you set and verify that the request is blocked.
[6] The [mod_security] audit log is written to the file below.
[root@www ~]#
cat /var/log/httpd/modsec_audit.log

--672fc27b-A--
[03/Aug/2021:11:23:18 +0900] YQiolifSa3q4gR@WWuGuKgAAQCQ 10.0.0.205 54575 10.0.0.31 443
--672fc27b-B--
GET /?q=%3Cscript%3E HTTP/2.0
Sec-Ch-Ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,ja;q=0.8
Host: www.srv.world

--672fc27b-F--
HTTP/1.1 406 Not Acceptable
Content-Length: 249
Connection: close
Content-Type: text/html; charset=iso-8859-1

--672fc27b-E--

--672fc27b-H--
Message: Access denied with code 406 (phase 2). Pattern match "<[Ss][Cc][Rr][Ii][Pp][Tt]" at ARGS:q. [file "/etc/httpd/modsecurity.d/local_rules/modsecurity_localrules.conf"] [line "15"] [id "500003"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 10.0.0.205] ModSecurity: Access denied with code 406 (phase 2). Pattern match "<[Ss][Cc][Rr][Ii][Pp][Tt]" at ARGS:q. [file "/etc/httpd/modsecurity.d/local_rules/modsecurity_localrules.conf"] [line "15"] [id "500003"] [hostname "www.srv.world"] [uri "/"] [unique_id "YQiolifSa3q4gR@WWuGuKgAAQCQ"]
Action: Intercepted (phase 2)
Stopwatch: 1627957398013045 1145 (- - -)
Stopwatch2: 1627957398013045 1145; combined=62, p1=18, p2=34, p3=0, p4=0, p5=10, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

.....
.....
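To make the audit log from step [6] usable beyond reading it by eye, here is an added example (not part of the original page or of ModSecurity itself) that parses the serial audit log format shown above into per-transaction records and counts which rule ids fired. It assumes the default serial (single-file) audit log layout with `--<id>-<section>--` boundaries and a closing Z section; the sample input is built from the entry above.

```python
import re
from collections import Counter
# Constructed sample: the audit log entry shown above, trimmed; a real entry ends with a "-Z--" boundary.
SAMPLE_AUDIT_LOG = """--672fc27b-A--
[03/Aug/2021:11:23:18 +0900] YQiolifSa3q4gR@WWuGuKgAAQCQ 10.0.0.205 54575 10.0.0.31 443
--672fc27b-B--
GET /?q=%3Cscript%3E HTTP/2.0
Host: www.srv.world
--672fc27b-F--
HTTP/1.1 406 Not Acceptable
--672fc27b-H--
Message: Access denied with code 406 (phase 2). Pattern match "<[Ss][Cc][Rr][Ii][Pp][Tt]" at ARGS:q. [file "/etc/httpd/modsecurity.d/local_rules/modsecurity_localrules.conf"] [line "15"] [id "500003"]
Action: Intercepted (phase 2)
--672fc27b-Z--
"""
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")             # --<transaction id>-<section letter>--
SECTION_A = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src>\S+) \d+ (?P<dst>\S+) \d+$")
MATCH_AT = re.compile(r'Pattern match "(?P<pattern>.*?)" at (?P<target>.+?)\. \[')
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')                           # [id "500003"], [file "..."], ...

def parse_audit_log(text):
    """Split a serial-format audit log into {transaction_id: {section_letter: section_text}}."""
    txns, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = m.groups()                      # (transaction id, section letter)
            txns.setdefault(current[0], {})[current[1]] = []
        elif current:
            txns[current[0]][current[1]].append(line)
    return {t: {s: "\n".join(v).strip() for s, v in secs.items()} for t, secs in txns.items()}

def summarize(txn):
    """Reduce one transaction to what an analyst triages: client, request, verdict, rules that fired."""
    a = SECTION_A.match(txn.get("A", ""))
    first = lambda s: txn.get(s, "").split("\n", 1)[0]   # request line of B, status line of F
    action, rules = None, []
    for line in txn.get("H", "").splitlines():
        if line.startswith("Message:"):               # one Message: line per rule that matched
            tags, hit = dict(TAG.findall(line)), MATCH_AT.search(line)
            rules.append({"id": tags.get("id"), "line": tags.get("line"),
                          "target": hit.group("target") if hit else None})
        elif line.startswith("Action:"):
            action = line.split(":", 1)[1].strip()
    return {"time": a.group("ts") if a else None, "client": a.group("src") if a else None,
            "request": first("B"), "status": first("F"), "action": action, "rules": rules}

def count_by_rule(text):
    """Rule ids by number of transactions they fired in: the first thing to check when tuning."""
    return Counter(r["id"] for txn in parse_audit_log(text).values() for r in summarize(txn)["rules"])
```

Running `count_by_rule` over a day of [/var/log/httpd/modsec_audit.log] shows which rules block the most requests, which is where to start when tuning the rule set against legitimate traffic.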
[7] A general rule set (the OWASP ModSecurity Core Rule Set, CRS) is provided by the official repository and is easy to apply as follows. You may need to customize it for your own web sites so that legitimate requests are not blocked.
[root@www ~]#
dnf -y install mod_security_crs
# rules are placed as follows
# and are linked into the directory [/etc/httpd/modsecurity.d/activated_rules]
[root@www ~]#
ll /usr/share/mod_modsecurity_crs/rules

total 544
-rw-r--r--. 1 root root   659 Apr 12 13:54 crawlers-user-agents.data
-rw-r--r--. 1 root root   551 Apr 12 13:54 iis-errors.data
-rw-r--r--. 1 root root   264 Apr 12 13:54 java-code-leakages.data
-rw-r--r--. 1 root root   240 Apr 12 13:54 java-errors.data
-rw-r--r--. 1 root root 30167 Apr 12 13:54 lfi-os-files.data
-rw-r--r--. 1 root root  5409 Apr 12 13:54 php-config-directives.data
-rw-r--r--. 1 root root  9144 Apr 12 13:54 php-errors.data
-rw-r--r--. 1 root root   589 Apr 12 13:54 php-function-names-933150.data
-rw-r--r--. 1 root root 21376 Apr 12 13:54 php-function-names-933151.data
-rw-r--r--. 1 root root   224 Apr 12 13:54 php-variables.data
-rw-r--r--. 1 root root 10363 Apr 12 13:54 REQUEST-901-INITIALIZATION.conf
-rw-r--r--. 1 root root 13332 Apr 12 13:54 REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
-rw-r--r--. 1 root root 15476 Apr 12 13:54 REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
-rw-r--r--. 1 root root  1394 Apr 12 13:54 REQUEST-905-COMMON-EXCEPTIONS.conf
-rw-r--r--. 1 root root 10155 Apr 12 13:54 REQUEST-910-IP-REPUTATION.conf
-rw-r--r--. 1 root root  2679 Apr 12 13:54 REQUEST-911-METHOD-ENFORCEMENT.conf
-rw-r--r--. 1 root root  8582 Apr 12 13:54 REQUEST-912-DOS-PROTECTION.conf
-rw-r--r--. 1 root root  7590 Apr 12 13:54 REQUEST-913-SCANNER-DETECTION.conf
-rw-r--r--. 1 root root 47012 Apr 12 13:54 REQUEST-920-PROTOCOL-ENFORCEMENT.conf
-rw-r--r--. 1 root root 12577 Apr 12 13:54 REQUEST-921-PROTOCOL-ATTACK.conf
-rw-r--r--. 1 root root  6362 Apr 12 13:54 REQUEST-930-APPLICATION-ATTACK-LFI.conf
-rw-r--r--. 1 root root  5735 Apr 12 13:54 REQUEST-931-APPLICATION-ATTACK-RFI.conf
-rw-r--r--. 1 root root 47293 Apr 12 13:54 REQUEST-932-APPLICATION-ATTACK-RCE.conf
-rw-r--r--. 1 root root 30948 Apr 12 13:54 REQUEST-933-APPLICATION-ATTACK-PHP.conf
-rw-r--r--. 1 root root 40051 Apr 12 13:54 REQUEST-941-APPLICATION-ATTACK-XSS.conf
-rw-r--r--. 1 root root 57035 Apr 12 13:54 REQUEST-942-APPLICATION-ATTACK-SQLI.conf
-rw-r--r--. 1 root root  5459 Apr 12 13:54 REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
-rw-r--r--. 1 root root  3190 Apr 12 13:54 REQUEST-949-BLOCKING-EVALUATION.conf
-rw-r--r--. 1 root root  3812 Apr 12 13:54 RESPONSE-950-DATA-LEAKAGES.conf
-rw-r--r--. 1 root root 19941 Apr 12 13:54 RESPONSE-951-DATA-LEAKAGES-SQL.conf
-rw-r--r--. 1 root root  3792 Apr 12 13:54 RESPONSE-952-DATA-LEAKAGES-JAVA.conf
-rw-r--r--. 1 root root  5154 Apr 12 13:54 RESPONSE-953-DATA-LEAKAGES-PHP.conf
-rw-r--r--. 1 root root  5994 Apr 12 13:54 RESPONSE-954-DATA-LEAKAGES-IIS.conf
-rw-r--r--. 1 root root  2843 Apr 12 13:54 RESPONSE-959-BLOCKING-EVALUATION.conf
-rw-r--r--. 1 root root  4410 Apr 12 13:54 RESPONSE-980-CORRELATION.conf
-rw-r--r--. 1 root root   713 Apr 12 13:54 restricted-files.data
-rw-r--r--. 1 root root   216 Apr 12 13:54 scanners-headers.data
-rw-r--r--. 1 root root   418 Apr 12 13:54 scanners-urls.data
-rw-r--r--. 1 root root  4075 Apr 12 13:54 scanners-user-agents.data
-rw-r--r--. 1 root root   717 Apr 12 13:54 scripting-user-agents.data
-rw-r--r--. 1 root root  1894 Apr 12 13:54 sql-errors.data
-rw-r--r--. 1 root root  1981 Apr 12 13:54 sql-function-names.data
-rw-r--r--. 1 root root   943 Apr 12 13:54 unix-shell.data
-rw-r--r--. 1 root root  3920 Apr 12 13:54 windows-powershell-commands.data