|
||
| Editor Login | Register | ||
| > Bilgisayar > Linux |
|
|
| Mod_Security web uygulamalarının güvenliğinin sağlanması |
|
Mod_Security web uygulamalarının güvenliğinin sağlanmasında kullanılabilecek bir açık kaynak kodlu saldırı önleme sistemidir.Apache ye bir modül gibi eklenip çalıştırılabilir.Mod_security kullanımının amacı web uygulamalarını bilinen ve bilinmeyen saldırı yöntemlerine karşı korumaktır.Bu yönüyle ids sistemlerine benzemektedir http trafiğini izleyip bunu verilen kurallar doğrultusunda yorumlayabilmektedir.İds sistemelerinden farkı bu saldırıları önleyebilmektedir.Sunucu ile kişi arasında bir sunucu uygulamalarının güvenlliğini sağlayan firewall görevi üstlenir gelen istekleri belirlenen kurallar dahilinde yorumlayarak gerekli işlemi gerçekleştir. Mod_Security"nin Yetenekleri * Slash karakterleri url lerden silinir *Null-bytes (%00) lar silinir * URL şifreli karakter koruması * URL encoding onaylaması * Unicode encoding onaylaması * Shellcode koruması * Her siteye ayrı kural koyabilme imkanı sağlar * Headerların analiz eder * Cookieleri analiz eder * Çevre değişkenlerini analiz eder * Sunucu değişkenlerini analiz eder * Sayfa değişkenlerini analiz eder * Post isteklerini analiz eder * Script değişkenlerini analiz eder Yapılabileceği Eylemler * İsteğin 406 status kodu ile geri çevrilmesi * İsteğin yönlendirilerek geri çevirilmesi * İsteklerin loglanması * Kurallnrın değiştirilmesi * Kural atlama * Belirli bir süre istek dışı kalma * Sunucu tarafından dosya yüklenmesini engelliyebilme * Yüklenen dosyaların kontrolü * Antivirus-Firewall programlarına entegre edilebilme Diğerleri * Sunucunuzun tanımlanma bilgisini değiştirir. * Chroot kullanım kolaylığı getirir. * Kendi log dosyasını oluşturur . *Kendi kurallarınızı oluşturabilirsiniz. Dafa fazla bilgiyi kendi sitesinden alabilirsiniz . http://www.modsecurity.org/ ve 39 sayfalık kullanım klavuzu http://www.modsecurity.org/documentation/modsecurity-manual.pdf Kurulum Adımları 1.)Dosyayı sunucuya indiriyoruz Kod: wget http://www.modsecurity.org/download/modsecurity-1.8.7.tar.gz 2.)Sıkıştırılmış arşiv dosyasını açıyoruz. Kod: tar zxvf modsecurity-1.8.7.tar.gz 3.)Web sunucusu olarak Apache 1.x kullanıyorsanız Apache1 klasörüne giriyorsunuz. Kod: cd modsecurity-1.8.7/apache1 3.)Web sunucusu olarak Apache 2.x kullanıyorsanız Apache2 klasörüne giriyorsunuz. Kod: cd modsecurity-1.8.7/apache1 4.)Mod_security" yi bir modül olarak derliyoruz. Kod: /etc/httpd/bin/apxs -cia mod_security.c 5.)httpd.conf dosyamızı olabilecek aksaklıklara karşı yedekliyoruz. Kod: cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf-yedek 6.)Apache ayar dosyasını açıyoruz Kod: pico -w /etc/httpd/conf/httpd.conf 7.)Apache 1.x için AddModule mod_security.c yazan kısımı httpd.conf dosyası içinde buluyoruz altına aşağıdaki kural zincirini ekliyoruz Kod: <IfModule mod_security.c> # Turn the filtering engine On or Off SecFilterEngine On # Change Server: string SecServerSignature "" # Only allow bytes from this range SecFilterForceByteRange 1 255 # This setting should be set to On only if the Web site is # using the Unicode encoding. Otherwise it may interfere with # the normal Web site operation. SecFilterCheckUnicodeEncoding Off # The audit engine works independently and # can be turned On of Off on the per-server or # on the per-directory basis. "On" will log everything, # "DynamicOrRelevant" will log dynamic requests or violations, # and "RelevantOnly" will only log policy violations SecAuditEngine RelevantOnly # The name of the audit log file SecAuditLog logs/audit_log # Should mod_security inspect POST payloads SecFilterScanPOST On # Action to take by default SecFilterDefaultAction "deny,log,status:403" ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## # Require HTTP_USER_AGENT and HTTP_HOST in all requests # SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" # Require Content-Length to be provided with # every POST request SecFilterSelective REQUEST_METHOD "^POST$" chain SecFilterSelective HTTP_Content-Length "^$" # Don"t accept transfer encodings we know we don"t handle # (and you don"t need it anyway) SecFilterSelective HTTP_Transfer-Encoding "!^$" # Protecting from XSS attacks through the PHP session cookie SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$" SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$" SecFilter "viewtopic\.php\?" chain SecFilter "chr\(([0-9]{1,3})\)" "deny,log" ##########Eklenenler#################### #Directory traversal SecFilter "\.\./" # Weaker XSS protection but allows common HTML tags SecFilter "<[[:space:]]*script" # Very crude filters to prevent SQL injection attacks SecFilter "delete[[:space:]]+from" SecFilter "insert[[:space:]]+into" SecFilter "select.+from" # Block various methods of downloading files to a server SecFilterSelective THE_REQUEST "wget " SecFilterSelective THE_REQUEST "lynx " SecFilterSelective THE_REQUEST "scp " SecFilterSelective THE_REQUEST "ftp " SecFilterSelective THE_REQUEST "cvs " SecFilterSelective THE_REQUEST "rcp " SecFilterSelective THE_REQUEST "curl " SecFilterSelective THE_REQUEST "telnet " SecFilterSelective THE_REQUEST "ssh " SecFilterSelective THE_REQUEST "echo " SecFilterSelective THE_REQUEST "links -dump " SecFilterSelective THE_REQUEST "links -dump-charset " SecFilterSelective THE_REQUEST "links -dump-width " SecFilterSelective THE_REQUEST "links http:// " SecFilterSelective THE_REQUEST "links ftp:// " SecFilterSelective THE_REQUEST "links -source " SecFilterSelective THE_REQUEST "mkdir " SecFilterSelective THE_REQUEST "cd /tmp " SecFilterSelective THE_REQUEST "cd /var/tmp " SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy " </IfModule> 7.) Apache 2.x için LoadModule security_module modules/mod_security.so yazan kıısmı bulup Apache 1.x için eklediğimiz yukarıdaki kural serisini ekliyoruz. 8.)Http sunucumuzu yeniden başlatıyoruz herhangi bir sorunla karşılaşırsanız yukarıdkai adımları kontrol etmelisiniz. Kod: service httpd restart 9.)Eklediğiniz kuralların hehrangi bir soruna yol açıp açmadığını log dosyasına bakarak anlayabilirsiniz Kod: cat /etc/httpd/logs/audit_log 10.)Mod_security yi kapatmak isterseniz Apache 1.x için AddModule mod_security.c yazan kıısmın başına bir # işareti koyun ; Apache 2.x için LoadModule security_module modules/mod_security.so yazan kısımın başına # koyun. Bu makalede verilmiş olan kural ile hiç bir sorun yaşamayacaksınız ama istiyorsanız daha etkili kuralları deneyebilirsiniz.Fakat bu kurallar bir çok scriptin işleyişini bozabilir Kod: # Turn the filtering engine On or Off SecFilterEngine On # Change Server: string SecServerSignature "" # This setting should be set to On only if the Web site is # using the Unicode encoding. Otherwise it may interfere with # the normal Web site operation. SecFilterCheckUnicodeEncoding Off # The audit engine works independently and # can be turned On of Off on the per-server or # on the per-directory basis. "On" will log everything, # "DynamicOrRelevant" will log dynamic requests or violations, # and "RelevantOnly" will only log policy violations SecAuditEngine RelevantOnly # The name of the audit log file SecAuditLog logs/audit_log # Should mod_security inspect POST payloads SecFilterScanPOST On # Action to take by default SecFilterDefaultAction "deny,log,status:406" # Require HTTP_USER_AGENT and HTTP_HOST in all requests # SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" # Require Content-Length to be provided with # every POST request SecFilterSelective REQUEST_METHOD "^POST$" chain SecFilterSelective HTTP_Content-Length "^$" # Only allow bytes from this range SecFilterForceByteRange 1 255 # Prevent path traversal (..) attacks SecFilter "\.\./" # Weaker XSS protection but allows common HTML tags SecFilter "<[[:space:]]*script" # Phpmyadmin de insert yapılırken 406 veriyor sunucuda phpmyadmin varsa kapatın SecFilter "delete[[:space:]]+from" SecFilter "insert[[:space:]]+into" SecFilter "select.+from" # Son Eklenenler Başlangıç # WEB-CLIENT Javascript URL host spoofing attempt SecFilter "javascript\://" # WEB-MISC cross site scripting \(img src=javascript\) attempt SecFilter "img src=javascript" # WEB-MISC cd.. SecFilterSelective THE_REQUEST "cd\.\." # Son Eklenener Bitti # Dizin Erisim Engelleme SecFilter /boot/ # SecFilter /bin/ SecFilter /dev/ SecFilter /etc/ SecFilter /initrd/ SecFilter /lib/ SecFilter /lost+found/ # SecFilter /misc/ vbulletinin bir dizini o yüzden bütün vbulletin kullanıcılarına 406 veriyor SecFilter /mnt/ SecFilter /proc/ SecFilter /root/ SecFilter /sbin/ # SecFilter /scripts/ # SecFilter /tmp/ # SecFilter /usr/ SecFilter /usr/local/apache/ SecFilter /usr/local/cpanel/ SecFilter /usr/local/mysql/ SecFilter /var/ SecFilter /bin/cc SecFilter /bin/gcc # WEB-ATTACKS ps command attempt SecFilterSelective THE_REQUEST "/bin/ps" # WEB-ATTACKS /bin/ps command attempt SecFilterSelective THE_REQUEST "ps\x20" # WEB-ATTACKS wget command attempt SecFilter "wget" # WEB-ATTACKS uname -a command attempt SecFilter "uname\x20-a" # WEB-ATTACKS /usr/bin/id command attempt SecFilterSelective THE_REQUEST "/usr/bin/id" # WEB-ATTACKS id command attempt SecFilter "\;id" # WEB-ATTACKS kill command attempt SecFilterSelective THE_REQUEST "/bin/kill" # WEB-ATTACKS chsh command attempt SecFilterSelective THE_REQUEST "/usr/bin/chsh" # WEB-ATTACKS tftp command attempt SecFilter "tftp\x20" # WEB-ATTACKS /usr/bin/gcc command attempt SecFilterSelective THE_REQUEST "/usr/bin/gcc" # WEB-ATTACKS gcc command attempt SecFilter "gcc\x20-o" # WEB-ATTACKS bin/tclsh execution attempt SecFilter "bin/tclsh" # WEB-ATTACKS tclsh execution attempt SecFilter "tclsh8\x20" # WEB-ATTACKS bin/nasm command attempt SecFilterSelective THE_REQUEST "bin/nasm" # WEB-ATTACKS nasm command attempt SecFilter "nasm\x20" # WEB-ATTACKS perl execution attempt SecFilter "perl\x20" # WEB-ATTACKS traceroute command attempt SecFilter "traceroute\x20" # WEB-ATTACKS ping command attempt SecFilterSelective THE_REQUEST "/bin/ping" # WEB-ATTACKS netcat command attempt SecFilter "nc\x20" # WEB-ATTACKS nmap command attempt SecFilter "nmap\x20" # WEB-ATTACKS xterm command attempt SecFilterSelective THE_REQUEST "/usr/X11R6/bin/xterm" # WEB-ATTACKS X application to remote host attempt SecFilter "\x20-display\x20" # WEB-ATTACKS lsof command attempt SecFilter "lsof\x20" # WEB-ATTACKS rm command attempt SecFilter "rm\x20" # WEB-ATTACKS /bin/ls command attempt SecFilterSelective THE_REQUEST "/bin/ls" # WEB-ATTACKS /etc/shadow access SecFilter "/etc/shadow" # WEB-ATTACKS .htgroup access SecFilterSelective THE_REQUEST "\.htgroup" # WEB-CGI rksh access SecFilterSelective THE_REQUEST "/rksh" # WEB-CGI bash access SecFilterSelective THE_REQUEST "/bash" log,pass # WEB-CGI zsh access SecFilterSelective THE_REQUEST "/zsh" # WEB-CGI csh access SecFilterSelective THE_REQUEST "/csh" # WEB-CGI tcsh access SecFilterSelective THE_REQUEST "/tcsh" # WEB-CGI rsh access SecFilterSelective THE_REQUEST "/rsh" # WEB-CGI ksh access SecFilterSelective THE_REQUEST "/ksh" # WEB-MISC .history access SecFilterSelective THE_REQUEST "/\.history" # WEB-MISC .bash_history access SecFilterSelective THE_REQUEST "/\.bash_history" # Don"t accept transfer encodings we know we don"t handle # (and you don"t need it anyway) SecFilterSelective HTTP_Transfer-Encoding "!^$" # Protecting from XSS attacks through the PHP session cookie SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$" SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$" SecFilter "viewtopic\.php\?" chain SecFilter "chr\(([0-9]{1,3})\)" "deny,log" # Block various methods of downloading files to a server SecFilterSelective THE_REQUEST "wget " SecFilterSelective THE_REQUEST "lynx " SecFilterSelective THE_REQUEST "scp " SecFilterSelective THE_REQUEST "ftp " SecFilterSelective THE_REQUEST "cvs " SecFilterSelective THE_REQUEST "rcp " SecFilterSelective THE_REQUEST "curl " SecFilterSelective THE_REQUEST "telnet " SecFilterSelective THE_REQUEST "ssh " SecFilterSelective THE_REQUEST "echo " SecFilterSelective THE_REQUEST "links -dump " SecFilterSelective THE_REQUEST "links -dump-charset " SecFilterSelective THE_REQUEST "links -dump-width " SecFilterSelective THE_REQUEST "links http:// " SecFilterSelective THE_REQUEST "links ftp:// " SecFilterSelective THE_REQUEST "links -source " SecFilterSelective THE_REQUEST "mkdir " SecFilterSelective THE_REQUEST "cd /tmp " SecFilterSelective THE_REQUEST "cd /var/tmp " SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy " # Rule ID: 11 # Safety: Safe # # # phpBB: highlight vulnerability # # phpBB viewtopic.php fails to properly sanitize input passed to the "highlight" parameter # # References: # # http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513 # http://www.kb.cert.org/vuls/id/497400 # http://secunia.com/advisories/13239/ SecFilterSelective SCRIPT_FILENAME "viewtopic\.php$" chain SecFilterSelective ARG_highlight "%27" # Exploit phpBB Highlighting SQL Injection SecFilter "&highlight=\"\.mysql_query\(" # Exploit phpBB Highlighting Code Execution - Santy.A Worm SecFilter "&highlight=\"\.fwrite\(fopen\(" # Exploit phpBB Highlight Exploit Attempt SecFilter "&highlight=\x2527\x252Esystem\( # Rule ID: 36 # Safety: Safe # # # PHPNuke: Safe Rules #Nuke Bookmarks XSS SecFilterSelective THE_REQUEST "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)" #Nuke Bookmarks Marks.php SQL Injection Vulnerability SecFilterSelective THE_REQUEST "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)" #PHPNuke general XSS attempt #/modules.php?name=News&file=article&sid=1&optionbox= SecFilterSelective THE_REQUEST "/modules\.php\?*name=<[[:space:]]*script" # PHPNuke SQL injection attempt SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory=" #phpnuke sql insertion SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\"/" # phpBB: Safe rules # # WEB-PHP phpbb quick-reply.php arbitrary command attempt SecFilterSelective THE_REQUEST "/quick-reply\.php" chain SecFilter "phpbb_root_path=" #Topic Calendar Mod for phpBB Cross-Site Scripting Attack SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)" # phpMyAdmin: Safe #phpMyAdmin Export.PHP File Disclosure Vulnerability SecFilterSelective SCRIPT_FILENAME "export\.php$" chain SecFilterSelective ARG_what "\.\." #phpMyAdmin path vln SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc" # # Currently, there are no known upgrades, patches, or workarounds available to correct this issue. # # References: # # OSVDB: http://www.osvdb.org/displayvuln.php?osvdb_id=15408 # Vendor URL: http://phpnuke.org/ # Security Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0105.html # # Credit: # # * Maksymilian Arciemowicz - securityreason.com SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_email "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_ratenum "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_min "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_show "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_orderby "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_url "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)" ############################################################ ############################################################ ############################################################ ############################################################ # Rule ID: 42 # Safety: Safe # # # OSVDB ID: 6533 (http://www.osvdb.org/displayvuln.php?osvdb_id=6533) # Disclosure Date: May 29, 2004 # # Description: # # e107 contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "list" variable in the news.php script is not verified properly and will allow an attacker to inject or manipulate SQL queries. # # Technical Description: # # Two conditions must be met on victim server to be vulnerable: # 1. "register_globals" must be "on" # 2. mysql must be version 4.x with enabled UNION functionality. # # Through SQL injection a potential attacker can extract any information from the database, including admin"s username and password MD5 hash. # # Vulnerability Classification: # # * Remote/Network Access Required # * Information Disclosure Attack # * Input Manipulation # * Loss Of Confidentiality # * Loss Of Integrity # * Exploit Available # * Verified # * Web Related # # # Products: # # * e107.org e107 0.614 # * e107.org e107 0.615 # # # Solution: # # Upgrade to version 0.616 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. # # External References: # # * Related OSVDB ID: 6532 # * Related OSVDB ID: 6531 # * Related OSVDB ID: 6530 # * Related OSVDB ID: 6529 # * Related OSVDB ID: 6528 # * Related OSVDB ID: 6527 # * Related OSVDB ID: 6526 # * Related OSVDB ID: 6525 # * Secunia Advisory ID: 11740 # * Other Advisory URL: http://www.waraxe.us/index.php?modname=sa&id=31 # # # Credit: # # * Janek Vind "waraxe" SecFilterSelective SCRIPT_FILENAME "news\.php$" chain SecFilterSelective ARG_list "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)" |
|
| Bağlantılar: bilgininefendisi.net |
| Open Source Document Project | AUP&TOS |