
- Lab environment

Attacker ( KaliLinux )---------> Firewall ( CentOS ) ----------> WAF ( CentOS )

192.168.17.60         192.168.17.100     192.168.27.100        192.168.27.200

(The firewall bridges the two networks: 192.168.17.100 faces the attacker, 192.168.27.100 faces the WAF, and the WAF itself is 192.168.27.200.)


The WAF runs ModSecurity with only the default OWASP Core Rule Set (CRS) rules enabled.

From the Attacker, probe it with the wafw00f and paros tools.


- Lab exercise

(WAF)

# cd /etc/httpd/logs

# ls

access_log    error_log    error_log.3       modsec_debug.log  ssl_access_log.2  ssl_error_log.2  ssl_request_log
access_log.1  error_log.1  error_log.4       ssl_access_log    ssl_error_log     ssl_error_log.3  ssl_request_log.1
access_log.2  error_log.2  modsec_audit.log  ssl_access_log.1  ssl_error_log.1   ssl_error_log.4  ssl_request_log.2


 


[TERM1] # tail -0f access_log 

[TERM2] # tail -0f error_log 

[TERM3] # tail -0f modsec_audit.log

[TERM4] # tail -0f modsec_debug.log 



(Attacker)

# wafw00f http://192.168.27.200

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
                                <
                                 ...'

    WAFW00F - Web Application Firewall Detection Tool

    By Sandro Gauci && Wendel G. Henrique

Checking http://192.168.27.200
Generic Detection results:
No WAF detected by the generic detection
Number of requests: 13


> A WAF is installed, yet wafw00f reports none. The WAF-side logs below show why: the target was given as a bare IP address, so every request in the logs, the plain GET / included, was answered with the same 400 by CRS protocol rule 960017 ("Host header is a numeric IP address"). wafw00f's generic detection compares the response to a normal request with the responses to its attack payloads; when all of them come back identical there is no difference to detect. This is a false negative caused by the lab setup, not evidence that the WAF is invisible.


(WAF)

[TERM1] # tail -0f access_log

192.168.27.1 - - [28/Dec/2017:04:16:42 +0900] "GET / HTTP/1.1" 400 302 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b1) Gecko/20081007 Firefox/3.0"
192.168.27.1 - - [28/Dec/2017:04:16:42 +0900] "GET /cmd.exe HTTP/1.1" 400 302 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b1) Gecko/20081007 Firefox/3.0"
192.168.27.1 - - [28/Dec/2017:04:16:42 +0900] "GET /../../../../etc/passwd HTTP/1.1" 400 302 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b1) Gecko/20081007 Firefox/3.0"
192.168.27.1 - - [28/Dec/2017:04:16:42 +0900] "GET /<script>alert(1)</script>.html HTTP/1.1" 400 302 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b1) Gecko/20081007 Firefox/3.0"
192.168.27.1 - - [28/Dec/2017:04:16:42 +0900] "GET //Admin_Files/ HTTP/1.1" 400 302 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b1) Gecko/20081007 Firefox/3.0"
......

> The variety of probes wafw00f sends is visible here: a baseline GET /, cmd.exe, directory traversal, an XSS payload, an admin directory. Every one of them, the harmless baseline included, received a 400 with the same 302-byte error body.


[TERM2] # tail -0f error_log

[Thu Dec 28 04:16:42 2017] [error] [client 192.168.27.1] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.27.200"] [uri "/"] [unique_id "WkPxmsCoG8gAABMHLHQAAAAF"]
[Thu Dec 28 04:16:42 2017] [error] [client 192.168.27.1] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.27.200"] [uri "/cmd.exe"] [unique_id "WkPxmsCoG8gAABMILKUAAAAG"]
[Thu Dec 28 04:16:42 2017] [error] [client 192.168.27.1] Invalid URI in request GET /../../../../etc/passwd HTTP/1.1
[Thu Dec 28 04:16:42 2017] [error] [client 192.168.27.1] ModSecurity: Warning. Match of "rx ModSecurity" against "WEBSERVER_ERROR_LOG" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "65"] [id "960913"] [msg "Invalid request"] [severity "CRITICAL"] [hostname "192.168.27.200"] [uri "etc/passwd"] [unique_id "WkPxmsCoG8gAABMJLN8AAAAH"]

> The errors show ModSecurity denying the requests with a 400 in phase 2 (the request-body rule phase).

> The rule that matched is the one on line 60 of /etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf: id 960017, "Host header is a numeric IP address", pattern ^[\d\.]+$ applied to REQUEST_HEADERS:Host. It fires because the scanner addressed the server by IP, regardless of what the URI contains, so it is hit before any attack-specific rule runs.

> The /../../../../etc/passwd request is the odd one out: Apache rejected the URI itself ("Invalid URI in request"), and CRS rule 960913 ("Invalid request", line 65 of the same file) then logged a warning. That rule exists to record 400 responses that the web server produced on its own rather than ModSecurity, which is why its message refers to WEBSERVER_ERROR_LOG.


[TERM3] # tail -0f modsec_audit.log

--e6a28213-A--
[28/Dec/2017:04:16:42 +0900] WkPxmsCoG8gAABMDK5kAAAAB 192.168.27.1 52326 192.168.27.200 80
--e6a28213-B--
GET / HTTP/1.1
Accept-Encoding: identity
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Host: 631944
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b1) Gecko/20081007 Firefox/3.0

--e6a28213-F--
HTTP/1.1 400 Bad Request
Content-Length: 294
Connection: close
Content-Type: text/html; charset=iso-8859-1

> The audit log stores the whole transaction (part A: connection summary, part B: request line and headers, part F: response headers), so the same probes can be read here in full. Note the Host header of this transaction: 631944, a bare number, which is exactly what the ^[\d\.]+$ pattern of rule 960017 matches, and part F shows the resulting 400 Bad Request.


[TERM4] # tail -0f modsec_debug.log

[28/Dec/2017:04:16:42 +0900] [192.168.27.200/sid#86d5ad0][rid#89a00f8][/][1] Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
[28/Dec/2017:04:16:42 +0900] [192.168.27.200/sid#86d5ad0][rid#89a00f8][/cmd.exe][1] Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
[28/Dec/2017:04:16:42 +0900] [192.168.27.200/sid#86d5ad0][rid#89a00f8][etc/passwd][2] Warning. Match of "rx ModSecurity" against "WEBSERVER_ERROR_LOG" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "65"] [id "960913"] [msg "Invalid request"] [severity "CRITICAL"]
[28/Dec/2017:04:16:42 +0900] [192.168.27.200/sid#86d5ad0][rid#89a6110][/<script>alert(1)</script>.html][1] Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]

> The debug log is the most detailed of the four: each line carries the request URI, the rule file and line, the rule id and its message, so the URI-to-rule mapping can be read off directly. It also shows that the XSS probe /<script>alert(1)</script>.html was stopped by the same Host-header rule 960017 before any XSS rule got to look at it.
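Reading these four logs by eye works for a handful of lines, but the question a practitioner wants answered is "which rule fired for which request, and is one rule denying everything?". The script below is an added example, not code from the original post: it parses the `[key "value"]` field syntax that error_log and modsec_debug.log share, tallies hits per rule id and URI, and flags the condition seen above, a single protocol rule accounting for every denial. The sample lines are copied from the log excerpts in this post; the regexes and function names are my own.

```python
"""Triage helper for ModSecurity 2.x error_log and modsec_debug.log lines.

Added example; not code from the original post. Both logs share the same
[key "value"] field syntax, parsed here to tally which CRS rule fired for
which URI and to flag the situation the post ran into: one protocol rule
(960017) denying every request, benign or not, so a scanner sees identical
responses and reports "no WAF".
"""
import re
from collections import Counter, defaultdict

# One [key "value"] field. Values may contain escaped quotes and backslashes,
# e.g. the regex "^[\\d\\.]+$" quoted inside the error_log line.
FIELD_RE = re.compile(r'\[([a-z_]+) "((?:[^"\\]|\\.)*)"\]')
# What ModSecurity did: "Access denied with code 400 (phase 2)." or "Warning."
ACTION_RE = re.compile(r'(?:Access denied with code (\d+) \(phase \d+\)|(Warning))\.')
CLIENT_RE = re.compile(r'\[client ([\d.]+)\]')
# modsec_debug.log carries the URI positionally: [host/sid#..][rid#..][/uri][level]
DEBUG_URI_RE = re.compile(r'\]\[rid#[0-9a-f]+\]\[([^\]]*)\]\[\d\] ')


def parse_entry(line):
    """Parse one line from error_log or modsec_debug.log.

    Returns a dict, or None when the line is not a ModSecurity rule event
    (for example Apache's own "Invalid URI in request" message).
    """
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields:
        return None
    entry = {
        "rule_id": fields["id"],
        "msg": fields.get("msg", ""),
        "file": fields.get("file", ""),
        "line": fields.get("line", ""),
        "severity": fields.get("severity", ""),
        "uri": fields.get("uri", ""),   # error_log has [uri "..."]; debug log does not
        "client": None,
        "action": "other",
        "status": None,
    }
    m = ACTION_RE.search(line)
    if m:
        if m.group(1):
            entry["action"], entry["status"] = "deny", int(m.group(1))
        else:
            entry["action"] = "warn"
    m = CLIENT_RE.search(line)
    if m:
        entry["client"] = m.group(1)
    if not entry["uri"]:
        m = DEBUG_URI_RE.search(line)
        if m:
            entry["uri"] = m.group(1)
    return entry


def summarize(lines):
    """Tally rule hits and detect a single rule denying every request."""
    entries = [e for e in map(parse_entry, lines) if e]
    hits = Counter(e["rule_id"] for e in entries)
    uris_by_rule = defaultdict(set)
    for e in entries:
        uris_by_rule[e["rule_id"]].add(e["uri"])
    denied = [e for e in entries if e["action"] == "deny"]
    deny_rules = {e["rule_id"] for e in denied}
    # The wafw00f trap: all denials come from one protocol rule, so the
    # client cannot tell a clean request from an attack payload.
    blanket = next(iter(deny_rules)) if len(deny_rules) == 1 else None
    return {
        "hits": hits,
        "uris_by_rule": {k: sorted(v) for k, v in uris_by_rule.items()},
        "denied_count": len(denied),
        "blanket_deny_rule": blanket,
    }


# Sample lines copied from the log excerpts in the post (error_log first, then
# one modsec_debug.log line); in a real run read them from the files instead.
SAMPLE_ERROR_LOG = [
    r'[Thu Dec 28 04:16:42 2017] [error] [client 192.168.27.1] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.27.200"] [uri "/"] [unique_id "WkPxmsCoG8gAABMHLHQAAAAF"]',
    r'[Thu Dec 28 04:16:42 2017] [error] [client 192.168.27.1] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.27.200"] [uri "/cmd.exe"] [unique_id "WkPxmsCoG8gAABMILKUAAAAG"]',
    r'[Thu Dec 28 04:16:42 2017] [error] [client 192.168.27.1] Invalid URI in request GET /../../../../etc/passwd HTTP/1.1',
    r'[Thu Dec 28 04:16:42 2017] [error] [client 192.168.27.1] ModSecurity: Warning. Match of "rx ModSecurity" against "WEBSERVER_ERROR_LOG" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "65"] [id "960913"] [msg "Invalid request"] [severity "CRITICAL"] [hostname "192.168.27.200"] [uri "etc/passwd"] [unique_id "WkPxmsCoG8gAABMJLN8AAAAH"]',
]
SAMPLE_DEBUG_LOG = [
    r'[28/Dec/2017:04:16:42 +0900] [192.168.27.200/sid#86d5ad0][rid#89a6110][/<script>alert(1)</script>.html][1] Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]',
]

if __name__ == "__main__":
    s = summarize(SAMPLE_ERROR_LOG)
    for rule_id, n in s["hits"].most_common():
        print(f"rule {rule_id}: {n} hit(s) on {s['uris_by_rule'][rule_id]}")
    if s["blanket_deny_rule"]:
        print(f"every denial came from rule {s['blanket_deny_rule']}: "
              "a scanner sees identical responses and reports no WAF")
```

Run against the real files with something like `summarize(open('/etc/httpd/logs/error_log'))`; when `blanket_deny_rule` is set, the WAF is not being tested, a protocol rule is rejecting the scanner's traffic before the attack rules run.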



(Attacker)

# firefox &

# paros &    [Reference] Using paros: http://5log.tistory.com/194


> Browsing to the WAF through Paros shows "Bad Request", because the WAF blocked the request.


> For a simple test, enable only the SQL injection checks in Paros and run a SCAN.


(WAF)

[TERM1] # tail -0f access_log

192.168.27.1 - - [28/Dec/2017:04:21:58 +0900] "GET /2738444359075899938 HTTP/1.1" 400 302 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Paros/3.2.13"

> As before, the attempt lands in the access log: a Paros probe (note the Paros/3.2.13 suffix appended to the browser's User-Agent), answered with a 400.


[TERM2] # tail -0f error_log

[Thu Dec 28 04:21:58 2017] [error] [client 192.168.27.1] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.27.200"] [uri "/2738444359075899938"] [unique_id "WkPy1sCoG8gAABMILKcAAAAG"]
[Thu Dec 28 04:22:00 2017] [notice] SIGHUP received.  Attempting to restart
[Thu Dec 28 04:22:00 2017] [notice] Digest: generating secret for digest authentication ...
[Thu Dec 28 04:22:00 2017] [notice] Digest: done
[Thu Dec 28 04:22:01 2017] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Thu Dec 28 04:22:01 2017] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
[Thu Dec 28 04:22:01 2017] [notice] Apache/2.2.22 (Unix) DAV/2 PHP/5.1.6 mod_python/3.2.8 Python/2.4.3 mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 Apache/2.2.0 (Fedora) mod_perl/2.0.4 Perl/v5.8.8 configured -- resuming normal operations

> The Paros probe was denied by the same rule 960017, for the same reason: its Host header is the numeric 192.168.27.200, so the SQL injection rules never saw the request. The lines that follow are httpd being restarted (SIGHUP) in the middle of the scan. The SecServerSignature error is a configuration problem, not an attack: ModSecurity can only overwrite Apache's Server banner in place, so the replacement cannot be longer than the original, which is why it asks for ServerTokens Full. Until that is fixed the banner is not replaced, and the component versions listed in the last line are what a client will see.


[TERM3] # tail -0f modsec_audit.log

--e6a28213-A--
[28/Dec/2017:04:21:58 +0900] WkPy1sCoG8gAABMILKcAAAAG 192.168.27.1 52358 192.168.27.200 80
--e6a28213-B--
GET /2738444359075899938 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Content-length: 0
Host: 192.168.27.200

--e6a28213-C--

--e6a28213-F--
HTTP/1.1 400 Bad Request
Content-Length: 302
Connection: close
Content-Type: text/html; charset=iso-8859-1

 


[TERM4] # tail -0f modsec_debug.log

[28/Dec/2017:04:21:58 +0900] [192.168.27.200/sid#86d5ad0][rid#899e0f0][/2738444359075899938][1] Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]



- Disabling the WAF

# cd /etc/httpd/conf.d

# ls

README          mod_security.conf  php.conf        python.conf
ssl.conf        welcome.conf       manual.conf     perl.conf
proxy_ajp.conf  squid.conf         webalizer.conf


# mv mod_security.conf /etc/httpd

/* httpd.conf includes conf.d/*.conf; once mod_security.conf is out of that directory, the LoadModule line and the rule includes it carries are no longer read, so the module is not loaded at all. */

/* The file keeps its settings, so to turn the WAF back on just move mod_security.conf back into conf.d and restart httpd. */

# service httpd restart
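Moving the file out of conf.d switches the WAF off completely, which also stops the logging that made the exercise above useful. The fragment below is an added example, not configuration from the original post. It shows the setting the lab ran beside two alternatives, and a fix for the false positive that dominated the logs. The directives are ModSecurity 2.x (SecRuleEngine, SecRuleRemoveById, SecServerSignature) and Apache core (ServerTokens); the `Include modsecurity.d/*.conf` line and the IIS banner value are assumptions about this layout, not lines the post printed.

```apache
# ---- As run in the lab: blocking mode, stock CRS, server addressed by IP ----
# Rule 960017 in modsecurity_crs_21_protocol_anomalies.conf denies any request
# whose Host header is numeric, so every probe, benign or not, got a 400 and
# wafw00f reported "No WAF detected".
SecRuleEngine On
# Assumed: this is how the CRS files under /etc/httpd/modsecurity.d/ are loaded.
Include modsecurity.d/*.conf

# ---- Alternative A: keep the WAF loaded, log everything, block nothing ----
# Better than moving mod_security.conf away while tuning: rules still evaluate
# and still write to error_log and modsec_audit.log, nothing is denied.
# (Pick A or B; if both SecRuleEngine lines are present the later one wins.)
SecRuleEngine DetectionOnly

# ---- Alternative B: stay in blocking mode, drop only the rule that misfires ----
# Must come after the Include above, otherwise rule id 960017 does not exist yet.
# For a real deployment fix the cause instead (a proper hostname in the Host
# header and a matching ServerName/vhost) and leave the rule in place.
SecRuleRemoveById 960017

# ---- The SecServerSignature error seen after the restart ----
# ModSecurity overwrites Apache's Server banner in place, so the original must
# be at least as long as the replacement. Either allow the full banner so the
# overwrite fits (the replacement value below is an example):
ServerTokens Full
SecServerSignature "Microsoft-IIS/6.0"
# or remove SecServerSignature entirely and use ServerTokens Prod, which sends
# the short, unaltered "Apache" banner instead of the version list logged above.
```

Whichever option is used, re-run `wafw00f` afterwards with a hostname rather than a bare IP (for example by adding an entry to the attacker's /etc/hosts); with 960017 no longer rejecting every request, the generic detection has a normal response to compare against and the CRS attack rules actually get exercised.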