- What a web application firewall is
web client  ------->  firewall  ----->  IPS (intrusion prevention system)  ---->  WAF (web application firewall)  --->  web server
(web browser)         (iptables)        (snort + prevent)                         (ModSecurity)
- Free web application firewalls
WebKnight
An open web application firewall for the IIS web server, developed by AQTRONIX; it blocks the main attacks against IIS web servers, such as SQL injection.
http://www.aqtronix.com/?PageID=99
ModSecurity
An open web application firewall for the Apache web server, developed by Ivan Ristic; it blocks the main attacks against Apache web servers, such as PHP injection.
http://www.modsecurity.org/
[Reference] KISA
https://www.krcert.or.kr/data/secNoticeList.do > search for "modsecurity"
- Installing a WAF
We install ModSecurity.
Rather than setting up a separate WAF server, it is configured on linux200 (CentOS 5.x, IP 192.168.27.200), the host that is already running the web service.
ModSecurity site - http://www.modsecurity.org/
> The site says to install it with yum.
> mod_security is not on the install CD, so an extra yum repository that provides mod_security has to be added.
> Import the repository's key, then add the .repo file.
(linux200)
# cd /etc/pki/rpm-gpg
# ls
RPM-GPG-KEY-CentOS-5  RPM-GPG-KEY-beta
# rpm --import http://yum.jasonlitka.com/RPM-GPG-KEY-jlitka
# cd /etc/yum.repos.d
# ls
CentOS-Base.repo  CentOS-Media.repo
# vi utterramblings.repo
[utterramblings]
name=Jason's Utter Ramblings Repo
baseurl=http://yum.jasonlitka.com/EL$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://yum.jasonlitka.com/RPM-GPG-KEY-jlitka
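The repo file above keeps gpgcheck=1 and points gpgkey at the key that was just imported with rpm --import; that pairing is what makes packages from a third-party repository verifiable at install time. The script below is an added example, not part of the original post: check_repo_file parses a .repo file and flags every enabled section that runs with gpgcheck=0 or without a gpgkey, and audit_repo_dir runs that check over a whole directory. The sample files it writes are constructed: utterramblings.repo is a copy of the file above, unsigned.repo is a made-up repository with signature checking switched off.

```shell
#!/bin/sh
# Added example (not from the original post): audit yum .repo files so that
# every enabled repository keeps gpgcheck=1 and names a gpgkey. A third-party
# repository is only as trustworthy as the signature check that stays on for it.

# check_repo_file FILE
# Prints one line per enabled [section] that lacks gpgcheck=1 or a gpgkey and
# returns 1; returns 0 when every enabled section passes.
check_repo_file() {
    awk '
        function flush() {
            if (section != "" && enabled != "0") {
                if (gpgcheck != "1") { print section ": gpgcheck is not 1"; bad = 1 }
                if (gpgkey == "")    { print section ": no gpgkey set";    bad = 1 }
            }
        }
        BEGIN { bad = 0; section = "" }
        /^[[:space:]]*\[.*\][[:space:]]*$/ {        # start of a new [section]
            flush()
            section = $0
            sub(/^[[:space:]]*\[/, "", section)
            sub(/\][[:space:]]*$/, "", section)
            enabled = "1"; gpgcheck = ""; gpgkey = ""   # yum defaults: enabled, unchecked
            next
        }
        /^[[:space:]]*[#;]/ { next }                 # comment line
        /^[[:space:]]*$/    { next }                 # blank line
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[[:space:]]/, "", key)
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            if (key == "enabled")  enabled  = val
            if (key == "gpgcheck") gpgcheck = val
            if (key == "gpgkey")   gpgkey   = val
        }
        END { flush(); exit bad }
    ' "$1"
}

# write_sample_repos DIR
# Constructed sample input: DIR/utterramblings.repo copies the repo file from
# the post; DIR/unsigned.repo is a made-up repository with gpgcheck turned off.
write_sample_repos() {
    cat > "$1/utterramblings.repo" <<'EOF'
[utterramblings]
name=Jason's Utter Ramblings Repo
baseurl=http://yum.jasonlitka.com/EL$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://yum.jasonlitka.com/RPM-GPG-KEY-jlitka
EOF
    cat > "$1/unsigned.repo" <<'EOF'
[unsigned]
name=Constructed example with signature checking disabled
baseurl=http://repo.example.invalid/EL5/i386/
enabled=1
gpgcheck=0
EOF
}

# audit_repo_dir [DIR]
# Runs check_repo_file over every .repo file in DIR (default /etc/yum.repos.d);
# returns 1 if any file fails.
audit_repo_dir() {
    rc=0
    for f in "${1:-/etc/yum.repos.d}"/*.repo; do
        [ -e "$f" ] || continue
        check_repo_file "$f" || rc=1
    done
    return "$rc"
}

# Demonstration on the constructed files in a throw-away directory.
dir=$(mktemp -d) && write_sample_repos "$dir" && audit_repo_dir "$dir"
rm -rf "$dir"
```

On the host itself, run audit_repo_dir /etc/yum.repos.d after adding a repository. Keys already imported into the RPM database can be listed with rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} %{summary}\n' to confirm that the jlitka key is among them.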
[Caution] Stop the web daemon before installing.
# chkconfig httpd off
# service httpd stop
# yum -y install mod_security
# uname -a    /* check the architecture: i686 here, so the 32bit line below applies */
Linux linux200.example.com 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:35 EDT 2010 i686 i686 i386 GNU/Linux
# yum -y install httpd httpd-devel    ( 32bit )
# yum -y install httpd.x86_64 httpd-devel.x86_64 httpd-manual.x86_64    ( 64bit )
# yum -y install pcre pcre-devel
- Downloading the rules
> The rules seem to be provided through GitHub. There is no git command on this box, so just open https://github.com/SpiderLabs/owasp-modsecurity-crs and download the archive; that works just as well.
/* move the archive to /etc/httpd/conf and extract it */
# cd /etc/httpd/conf
# ls
httpd.conf  httpd.conf.rpmnew  magic  owasp-modsecurity-crs-3.0-master.zip
# unzip owasp-modsecurity-crs-3.0-master.zip
# ln -s owasp-modsecurity-crs-3.0-master src    /* the directory name is too long, so link it as src for convenience */
# cd src
# cat INSTALL | more
.............
Installing on Apache
--------------------

1. Install ModSecurity for Apache

2. Ensure that ModSecurity is loading correctly by checking error.log at start up
   for lines indicating ModSecurity is installed. An example might appear as follows:
   ```ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/) configured.```

3. The most common method of deploying ModSecurity we have seen is to create a new
   folder underneath the Apache directory (typically /usr/local/apache/, /etc/httpd/,
   or /etc/apache2). Often this folder is called 'modsecurity.d'. Create this folder
   and cd into it.

4. Clone the repository into the modsecurity.d folder using:
   ```git clone https://github.com/SpiderLabs/owasp-modsecurity-crs .```
   This will create a new owasp-modsecurity-crs folder.

5. Move the crs-setup.conf.example file to crs-setup.conf. Please take the time to
   go through this file and customize the settings for your local environment.
   Failure to do so may result in false negatives and false positives. See the
   section entitled OWASP CRS Configuration for more detail.

6. Rename rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and
   rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the
   '.example' extension. This will allow you to add exclusions without updates
   overwriting them in the future.

7. Add the following line to your httpd.conf/apache2.conf (the following assumes
   you've cloned CRS into modsecurity.d/owasp-modsecurity-crs). You can
   alternatively place these in any config file included by Apache:
   ```
   <IfModule security2_module>
       Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
       Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
   </IfModule>
   ```

8. Restart web server and ensure it starts without errors

9. Make sure your web sites are still running fine.

10. Proceed to the section "Testing the Installation" below.
..........
# cd rules
# ls *.example
REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example  RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
# cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
# vi /etc/httpd/conf/httpd.conf    /* 210G jumps to line 210 */
#
# Load config files from the config directory "/etc/httpd/conf.d".
#
Include conf.d/*.conf
> Every .conf file in the /etc/httpd/conf.d directory is included.
# cd /etc/httpd/conf.d
# ls
README  manual.conf  mod_security.conf  perl.conf  php.conf  proxy_ajp.conf  python.conf  squid.conf  ssl.conf  webalizer.conf  welcome.conf
# cat mod_security.conf
# Example configuration file for the mod_security Apache module

LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so

<IfModule mod_security2.c>
    # This is the ModSecurity Core Rules Set.

    # Basic configuration goes in here
    Include modsecurity.d/modsecurity_crs_10_config.conf

    # Protocol violation and anomalies.
    Include modsecurity.d/modsecurity_crs_20_protocol_violations.conf
    Include modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf

    # HTTP policy rules
    Include modsecurity.d/modsecurity_crs_30_http_policy.conf

    # Here comes the Bad Stuff...
    Include modsecurity.d/modsecurity_crs_35_bad_robots.conf
    Include modsecurity.d/modsecurity_crs_40_generic_attacks.conf
    Include modsecurity.d/modsecurity_crs_45_trojans.conf
    Include modsecurity.d/modsecurity_crs_50_outbound.conf

    # Search engines and other crawlers. Only useful if you want to track
    # Google / Yahoo et. al.
    # Include modsecurity.d/modsecurity_crs_55_marketing.conf

    # Put your local rules in here.
    Include modsecurity.d/modsecurity_localrules.conf
</IfModule>
> What INSTALL described is already in there -> no separate configuration is needed.
# service httpd restart
# pgrep -lf httpd    /* check that the daemon came back up */
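After the restart, the checks below (an added example, not code from the original post or from the ModSecurity project) confirm what the INSTALL text asks for in steps 2, 7 and 8: modsec_banner_present looks for the ModSecurity start-up banner in error_log, crs_include_stanza prints the IfModule stanza from step 7 for a given CRS directory, and missing_includes walks every active Include line in a config file, resolves it against the server root, expands globs and reports any line that matches no file. That last check matters here because the packaged mod_security.conf shown above includes modsecurity.d/modsecurity_crs_*.conf files, whereas the CRS 3.0 tree unpacked under /etc/httpd/conf uses crs-setup.conf and rules/*.conf; resolving each Include makes that kind of mismatch visible before anything depends on the rules being loaded. The demonstration builds a throw-away server root from constructed files; the paths and the sample log line are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run after
# "service httpd restart" so that the ModSecurity setup is verified rather
# than assumed. All paths and sample files below are constructed.

# modsec_banner_present ERROR_LOG
# Returns 0 when the log contains the start-up banner that the CRS INSTALL
# text quotes, e.g. "ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/) configured."
modsec_banner_present() {
    grep -q 'ModSecurity for Apache/[0-9.]* (.*) configured\.' "$1"
}

# crs_include_stanza CRS_DIR
# Prints the httpd.conf stanza from CRS INSTALL step 7 for a CRS tree at
# CRS_DIR (relative to the server root, or absolute).
crs_include_stanza() {
    printf '<IfModule security2_module>\n'
    printf '    Include %s/crs-setup.conf\n' "$1"
    printf '    Include %s/rules/*.conf\n' "$1"
    printf '</IfModule>\n'
}

# missing_includes CONF SERVER_ROOT
# Reads every active "Include <path>" line in CONF (commented-out lines are
# skipped), resolves relative paths against SERVER_ROOT, expands globs, and
# prints each path that matches no file. Returns the number of such paths,
# so 0 means every Include resolves.
missing_includes() {
    inc_conf=$1; inc_root=$2; n_missing=0
    inc_list=$(sed -n 's/^[[:space:]]*Include[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$inc_conf")
    while read -r pattern; do
        [ -n "$pattern" ] || continue
        case $pattern in
            /*) ;;
            *)  pattern="$inc_root/$pattern" ;;
        esac
        found=0
        for f in $pattern; do           # unquoted on purpose: expands the glob
            if [ -e "$f" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "unresolved: $pattern"
            n_missing=$((n_missing + 1))
        fi
    done <<EOF
$inc_list
EOF
    return "$n_missing"
}

# Constructed demonstration: a throw-away server root laid out as the INSTALL
# text describes, plus one Include that uses the packaged CRS 2.x file name,
# which is exactly the kind of mismatch this check is meant to surface.
demo_modsec_checks() {
    root=$(mktemp -d) || return 1
    crs=modsecurity.d/owasp-modsecurity-crs
    mkdir -p "$root/$crs/rules"
    : > "$root/$crs/crs-setup.conf"
    : > "$root/$crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
    {
        crs_include_stanza "$crs"
        echo 'Include modsecurity.d/modsecurity_crs_10_config.conf'
        echo '# Include modsecurity.d/modsecurity_crs_55_marketing.conf'
    } > "$root/mod_security.conf"
    missing_includes "$root/mod_security.conf" "$root" \
        && echo "all Include lines resolve" \
        || echo "$? Include line(s) do not resolve"
    # Constructed error_log line in the format the CRS INSTALL text quotes.
    echo '[notice] ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/) configured.' > "$root/error_log"
    modsec_banner_present "$root/error_log" && echo "ModSecurity banner found in error_log"
    rm -rf "$root"
}

demo_modsec_checks
```

On the real host the same functions take the live files: missing_includes /etc/httpd/conf.d/mod_security.conf /etc/httpd and modsec_banner_present /var/log/httpd/error_log. httpd -M additionally lists security2_module once the module is loaded, which is a quicker confirmation than pgrep alone gives.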