WAF

Apache+PHP+Waffle+Tomcat

Installation

The versions pinned below (httpd 2.2.18, Tomcat 7.0.50, PHP 5.4.23, ModSecurity 2.7.5, WAF-FLE 0.6.0) are the ones this page was written against; use current releases when reproducing it and verify every downloaded tarball against the project's published checksums or signatures.

====== Apache Tomcat Setting ======

Installing Apache

Install the required packages

]# sudo apt-get update

]# sudo aptitude install gcc make libapr0 libapr0-dev autoconf automake flex libtool

]# sudo apt-get install gcc build-essential

]# sudo aptitude install libapr1 libaprutil1 libpcre3 libpcre3-dev libxml2 libxml2-dev liblua5.1-0-dev libexpat1-dev

]# wget http://archive.apache.org/dist/httpd/httpd-2.2.18.tar.gz

]# tar -zxvf httpd-2.2.18.tar.gz

]# cd httpd-2.2.18

]# ./configure --prefix=/home/ubuntu/server/httpd-2.2.18 --enable-so --with-included-apr --with-mpm=prefork --enable-unique-id --enable-rewrite

]# make

]# sudo make install

=> --enable-unique-id is required later by ModSecurity (mod_unique_id) and --enable-rewrite by the WAF-FLE RewriteRule. If mod_rewrite was not built in, build and install it with apxs:

httpd-2.2.18/modules/mappers$ /home/ubuntu/server/httpd-2.2.18/bin/apxs -cia mod_rewrite.c

]# cd /home/ubuntu/server/httpd-2.2.18/bin

]# sudo ./apachectl -k start

Installing Tomcat

]# wget http://mirror.apache-kr.org/tomcat/tomcat-7/v7.0.50/bin/apache-tomcat-7.0.50.tar.gz

]# tar -zxvf apache-tomcat-7.0.50.tar.gz

]# mv apache-tomcat-7.0.50 /home/ubuntu/server

Installing mod_jk

]# wget http://apache.mirror.cdnetworks.com/tomcat/tomcat-connectors/jk/tomcat-connectors-1.2.37-src.tar.gz

]# tar -zxvf tomcat-connectors-1.2.37-src.tar.gz

]# cd tomcat-connectors-1.2.37-src/native/

]# ./configure --with-apxs=/home/ubuntu/server/httpd-2.2.18/bin/apxs

]# make

]# sudo make install

=> check that mod_jk.so now exists under modules/ in the Apache install directory

Configuring mod_jk

]# cd /home/ubuntu/server/httpd-2.2.18/conf

]# sudo vim workers.properties

————————————————————————-

worker.list=ajp13web

# host defaults to localhost; only uncomment if Tomcat runs on another machine
#worker.ajp13web.host=localhost

# must match the AJP connector port in Tomcat's conf/server.xml (Tomcat's default is 8009).
# AJP carries no authentication of its own, so keep that connector bound to 127.0.0.1.
worker.ajp13web.port=10009

worker.ajp13web.type=ajp13

————————————————————————-

Configuring Apache

]# cd /home/ubuntu/server/httpd-2.2.18/conf

]# sudo vim httpd.conf

=> add the line

Include conf/httpd.web.conf

]# sudo vim httpd.web.conf

————————————————————————-

NameVirtualHost *:80

LoadModule jk_module modules/mod_jk.so

<IfModule jk_module>
    JkLogFile logs/mod_jk.log
    JkLogLevel info
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
    JkWorkersFile conf/workers.properties
</IfModule>

<VirtualHost *:80>
    DocumentRoot "/home/ubuntu/server/web_root"
    # .html and .htm are handed to PHP as well, so any file with one of these
    # extensions that ends up under web_root (an upload, for example) runs server-side
    AddType application/x-httpd-php .html .htm .php

    <Directory "/home/ubuntu/server/web_root">
        DirectoryIndex index.php
        # MultiViews is not needed here, and FollowSymLinks lets a symlink planted
        # under web_root expose files outside it
        Options FollowSymLinks MultiViews
        #Deny from env=notaccept
        AllowOverride all
        Order allow,deny
        Allow from all
        AuthType None
        #Require all granted
    </Directory>

    <IfModule jk_module>
        # everything goes to Tomcat ...
        JkMount /* ajp13web
        # ... except the WAF-FLE console, the mlogc receiver and PHP files, which
        # Apache serves itself (no-jk). SetEnvIf patterns are regexes, so anchor them:
        # an unanchored "/waf-fle/*" also matched that string anywhere in the URI.
        SetEnvIf Request_URI "^/waf-fle(/|$)" no-jk
        SetEnvIf Request_URI "^/controller(/|$)" no-jk
        #SetEnvIf Request_URI "\.html$" no-jk
        SetEnvIf Request_URI "\.php$" no-jk
    </IfModule>

    # %{X-Forwarded-For}i is whatever the client sent unless a trusted proxy set it;
    # see the mod_rpaf section further down before relying on it
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined_ec2
    CustomLog "|/home/ubuntu/server/httpd-2.2.18/bin/rotatelogs /home/ubuntu/server/httpd-2.2.18/logs/ws_apache.access_log.%Y-%m-%d 86400" combined_ec2
    ErrorLog "|/home/ubuntu/server/httpd-2.2.18/bin/rotatelogs /home/ubuntu/server/httpd-2.2.18/logs/ws_apache.error_log.%Y-%m-%d 86400"

    # never let Apache serve Tomcat's WEB-INF (web.xml, classes, libraries)
    <Location /WEB-INF>
        Order deny,allow
        Deny from all
    </Location>
</VirtualHost>

————————————————————————-

Installing PHP

]# sudo aptitude install build-essential libtool

If that fails, check the permissions on /usr/bin/aptitude.

* Install php-pear (used to fetch the PHP extensions)

]# sudo aptitude install php-pear libssh2-php

* Install PHP (APC is not available for PHP 5.5 and later, and WAF-FLE's cache needs APC, so 5.4 is installed)

]# sudo aptitude install libpcre3-dev

]# wget http://www.php.net/get/php-5.4.23.tar.gz/from/this/mirror -O php-5.4.23.tar.gz

]# tar -zxvf php-5.4.23.tar.gz

]# cd php-5.4.23/ext

=> PHP APC: unpack the PECL source into ext/ so it is compiled into PHP

]# pecl download apc

]# gzip -d < APC-3.1.13.tgz | tar -xvf -

]# mv APC-3.1.13 apc

=> PHP geoip

]# sudo aptitude install libgeoip-dev

]# pecl download geoip

]# gzip -d < geoip-1.0.8.tgz | tar -xvf -

]# mv geoip-1.0.8 geoip

* Installing MySQL (5.1 or later)

– Install from the distribution package

]# sudo aptitude install mysql-server

=> set the root password at the prompt (choose a strong one and do not write it into this document)

Verify the installation

]# mysql -hlocalhost -uroot -p

Building PHP

]# cd ~/_download/php-5.4.23     (wherever php-5.4.23 was unpacked)

]# rm configure

]# ./buildconf --force

=> regenerating configure is what makes the apc and geoip directories dropped into ext/ available as --enable-apc and --with-geoip

]# ./configure --prefix=/home/ubuntu/server/php-5.4.23 --with-apxs2=/home/ubuntu/server/httpd-2.2.18/bin/apxs --with-mysql --with-pdo-mysql --with-mysql-sock=/var/run/mysqld/mysqld.sock --with-zlib --with-geoip --enable-apc

]# make

]# sudo make install

If configure fails on libxml2:

sudo apt-get update

sudo apt-get install libxml2-dev

If APC did not get built in:

sudo pecl install apc

]# cp php.ini-development /home/ubuntu/server/php-5.4.23/lib/php.ini

=> php.ini-development turns display_errors on; for a server that faces the internet start from php.ini-production instead, so PHP errors (paths, SQL fragments) are not echoed to clients

]# sudo vi /home/ubuntu/server/php-5.4.23/lib/php.ini

Add the following to php.ini (the GeoIP database directory; the databases themselves are downloaded in the next step)

————————————————————————-

[geoip]

geoip.custom_directory=/home/ubuntu/server/httpd-2.2.18/conf/geoip

————————————————————————-

]# cd /home/ubuntu/server/httpd-2.2.18/conf/

=> in httpd.conf, add index.php to the DirectoryIndex line inside <IfModule dir_module>

* Preparing GeoIP

– Install the PHP GeoIP extension

root]# aptitude install php5-geoip

(This package is the extension for the distribution's PHP. The PHP built above already has geoip compiled in through --with-geoip, so this step only matters if you run the packaged PHP.)

– Download the MaxMind GeoIP databases

root]# mkdir /home/ubuntu/server/httpd-2.2.18/conf/geoip

root]# cd /home/ubuntu/server/httpd-2.2.18/conf/geoip

root]# wget -N http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz

root]# wget -N http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz

root]# wget -N http://geolite.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz

root]# gzip -d GeoIP.dat.gz

root]# gzip -d GeoLiteCity.dat.gz

root]# gzip -d GeoIPASNum.dat.gz

root]# mv GeoLiteCity.dat GeoIPCity.dat

root]# cp GeoIPASNum.dat GeoIPISP.dat

(the extension looks the databases up under the fixed names GeoIPCity.dat and GeoIPISP.dat, hence the renames)

Installing and configuring ModSecurity

– Check for / install mod_unique_id

=> already present if Apache was compiled with ./configure --enable-unique-id

=> check for modules/mod_unique_id.so under the Apache install directory and for the line

LoadModule unique_id_module modules/mod_unique_id.so

in httpd.conf (ModSecurity needs it for the unique transaction IDs in the audit log)

: Installing mod_unique_id

Go to modules/metadata under the Apache source tree and install it with apxs

/tmp/httpd-2.2.18/modules/metadata$ sudo /home/ubuntu/server/httpd-2.2.18/bin/apxs -cia mod_unique_id.c

– Check for / install mod_headers

=> the SpiderLabs (OWASP) Core Rule Set needs mod_headers

Go to modules/metadata under the Apache source tree and install it with apxs

/tmp/httpd-2.2.18/modules/metadata$ sudo /home/ubuntu/server/httpd-2.2.18/bin/apxs -cia mod_headers.c

* Lua 5.1.x (optional)

]# wget http://www.lua.org/ftp/lua-5.1.5.tar.gz

]# tar -zxvf lua-5.1.5.tar.gz

]# cd lua-5.1.5

]# make linux

]# sudo make install

* libcurl 7.15.1 or later (optional; needed only for mlogc, which ships audit logs to WAF-FLE)

]# wget http://curl.haxx.se/download/curl-7.33.0.tar.gz

]# tar -zxvf curl-7.33.0.tar.gz

]# cd curl-7.33.0/

]# ./configure

]# make

]# sudo make install

]# sudo ln -s /usr/local/lib/libcurl.so.4 /usr/lib/libcurl.so.4 (only if curl does not run correctly afterwards)

– Installing the stable version

]# sudo apt-get install libcurl4-openssl-dev

]# wget https://www.modsecurity.org/tarball/2.7.5/modsecurity-apache_2.7.5.tar.gz

Do not add --no-check-certificate to this download: if it fails on certificate validation, fix the CA bundle (ca-certificates) rather than disabling verification for the WAF's own source, and compare the tarball with the published hash.

]# tar -zxvf modsecurity-apache_2.7.5.tar.gz

]# cd modsecurity-apache_2.7.5/

]# ./configure --with-apxs=/home/ubuntu/server/httpd-2.2.18/bin/apxs --with-apr=/home/ubuntu/server/httpd-2.2.18 --with-apu=/home/ubuntu/server/httpd-2.2.18

]# make

If make fails with a curl error:

]# make clean

and run make again.

]# sudo make install

]# sudo cp modsecurity.conf-recommended /home/ubuntu/server/httpd-2.2.18/conf/modsecurity.conf

root]# wget -O crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master

root]# tar -zxvf crs.tar.gz

root]# mv SpiderLabs-owasp-modsecurity-crs-0f07cbb/ /home/ubuntu/server/httpd-2.2.18/conf/crs

(the unpacked directory name carries the commit hash of master at download time, so it will differ)

root]# cd /home/ubuntu/server/httpd-2.2.18/conf/crs

root]# mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

Defining the ModSecurity rules (symlink only the rule files you need into activated_rules; the links below are relative, so run them from conf/crs as above)

————————————————————————-

## phrase data for the bad-robots rule

root]# sudo ln -s /home/ubuntu/server/httpd-2.2.18/conf/crs/base_rules/modsecurity_35_bad_robots.data activated_rules/modsecurity_35_bad_robots.data

## phrase data for the web-scanner rule

root]# sudo ln -s /home/ubuntu/server/httpd-2.2.18/conf/crs/base_rules/modsecurity_35_scanners.data activated_rules/modsecurity_35_scanners.data

## phrase data for the OWASP generic web attack rules

root]# sudo ln -s /home/ubuntu/server/httpd-2.2.18/conf/crs/base_rules/modsecurity_40_generic_attacks.data activated_rules/modsecurity_40_generic_attacks.data

## SecRules for robots and scanners

root]# sudo ln -s /home/ubuntu/server/httpd-2.2.18/conf/crs/base_rules/modsecurity_crs_35_bad_robots.conf activated_rules/modsecurity_crs_35_bad_robots.conf

## OWASP generic web attack SecRules

root]# sudo ln -s /home/ubuntu/server/httpd-2.2.18/conf/crs/base_rules/modsecurity_crs_40_generic_attacks.conf activated_rules/modsecurity_crs_40_generic_attacks.conf

## SQL injection SecRules

root]# sudo ln -s /home/ubuntu/server/httpd-2.2.18/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf activated_rules/modsecurity_crs_41_sql_injection_attacks.conf

## XSS SecRules

root]# sudo ln -s /home/ubuntu/server/httpd-2.2.18/conf/crs/base_rules/modsecurity_crs_41_xss_attacks.conf activated_rules/modsecurity_crs_41_xss_attacks.conf

## trojan / web shell SecRules (these partly inspect the response body, so keep SecResponseBodyAccess On in modsecurity.conf)

root]# sudo ln -s /home/ubuntu/server/httpd-2.2.18/conf/crs/base_rules/modsecurity_crs_45_trojans.conf activated_rules/modsecurity_crs_45_trojans.conf

## inbound/outbound correlation SecRules

root]# sudo ln -s /home/ubuntu/server/httpd-2.2.18/conf/crs/base_rules/modsecurity_crs_60_correlation.conf activated_rules/modsecurity_crs_60_correlation.conf

————————————————————————-

– Editing httpd.web.conf

Blacklist IP setup (any address listed in the file below gets a 403)

root]# vi /home/ubuntu/server/httpd-2.2.18/conf/crs/blacklist.data

=========================================================================

0.0.0.0

1.1.1.1

2.2.2.2

(the addresses above are only examples)

=========================================================================

Setting up modsecurity_crs_custom.conf (user-defined SecRules)

root]# vi /home/ubuntu/server/httpd-2.2.18/conf/crs/modsecurity_crs_custom.conf

=========================================================================

## Block every address listed in blacklist.data.
## @pmFromFile is a substring match, so an entry "1.1.1.1" would also block 11.1.1.10;
## @ipMatchFromFile (ModSecurity 2.7 and later) compares addresses and accepts CIDR entries.
## "block" takes the disruptive action from SecDefaultAction (deny, status:403 as set below).
SecRule REMOTE_ADDR "@ipMatchFromFile blacklist.data" \
    "id:'800001', \
    rev:'2', \
    phase:1, \
    block, \
    log, \
    t:none, \
    setvar:'tx.msg=%{rule.msg}', \
    setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/IP_BLOCKING-%{matched_var_name}=%{tx.0}, \
    setvar:tx.real_ip=%{remote_addr}, \
    logdata:'IP Address Blocking', \
    tag:'OWASP_CRS/WEB_ATTACK/IP_BLOCKING', \
    msg:'IP Address Blocking'"

## Block SQL injection of the form "drop ... index"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "drop.+index" \
    "id:'800002',phase:2,capture,block,t:none,t:urlDecodeUni,msg:'SQL injection attack'"

## Block the create / drop / delete keywords.
## This is a bare, case-sensitive substring match: a parameter named "deleteComment" or a
## value such as "created" trips it too, so expect false positives on a real application.
## (no "chain" here: nothing follows this rule, and a trailing chain is an error)
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(create|drop|delete)" \
    "id:'800003',phase:2,capture,block,t:none,t:urlDecodeUni,msg:'SQL injection attack'"

=========================================================================
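The operator chosen for rule 800001 decides what an entry in blacklist.data means. The block below is an added example, not code from this page or from ModSecurity: it models the two operators in Python against a constructed blacklist (the CIDR line is mine, the three addresses are the page's examples) and shows why @pmFromFile, a substring match, blocks addresses that merely contain a listed one, while @ipMatchFromFile compares addresses and understands prefixes. `blocked`, `load_entries` and the `*_hits` helpers are hypothetical names.

```python
import ipaddress

# Constructed blacklist in the one-entry-per-line shape of conf/crs/blacklist.data.
# The CIDR line is added to show what @ipMatchFromFile accepts and @pmFromFile cannot.
BLACKLIST_DATA = """\
# addresses are examples only
0.0.0.0
1.1.1.1
2.2.2.2
198.51.100.0/24
"""


def load_entries(text):
    """Non-empty, non-comment lines, the way both operators read the file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def pm_from_file_hits(remote_addr, entries):
    """Model of @pmFromFile: every phrase in the file is searched as a
    case-insensitive substring of REMOTE_ADDR. The address is just text here."""
    hay = remote_addr.lower()
    return [e for e in entries if e.lower() in hay]


def ip_match_from_file_hits(remote_addr, entries):
    """Model of @ipMatchFromFile: entries are addresses or CIDR blocks and
    REMOTE_ADDR is compared as an address. Malformed entries are skipped in
    this model; the real operator rejects the file when Apache starts."""
    addr = ipaddress.ip_address(remote_addr)
    hits = []
    for e in entries:
        try:
            net = ipaddress.ip_network(e, strict=False)
        except ValueError:
            continue
        if addr in net:
            hits.append(e)
    return hits


def blocked(remote_addr, operator="ipMatchFromFile", data=BLACKLIST_DATA):
    """True when rule 800001 would fire for this REMOTE_ADDR with the given operator."""
    entries = load_entries(data)
    if operator == "pmFromFile":
        return bool(pm_from_file_hits(remote_addr, entries))
    if operator == "ipMatchFromFile":
        return bool(ip_match_from_file_hits(remote_addr, entries))
    raise ValueError(operator)


if __name__ == "__main__":
    # 11.1.1.11 and 21.1.1.10 contain the text "1.1.1.1" and are wrongly blocked by @pm;
    # 198.51.100.7 is inside the listed /24 but its text never occurs in the file.
    for ip in ("1.1.1.1", "11.1.1.11", "21.1.1.10", "198.51.100.7"):
        print(ip, "pmFromFile:", blocked(ip, "pmFromFile"),
              "ipMatchFromFile:", blocked(ip))
```

Running it prints one line per address; the two middle addresses are blocked only under @pmFromFile and the last one only under @ipMatchFromFile, which is the whole case for switching the operator in rule 800001.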

Adding the ModSecurity section to httpd.web.conf

————————————————————————-

LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
    # engine settings first, rules second: modsecurity.conf-recommended ships with
    # "SecRuleEngine DetectionOnly", and a later directive overrides an earlier one,
    # so including it after the CRS would silently turn the "SecRuleEngine On" from
    # modsecurity_crs_10_setup.conf back into detection-only mode
    Include conf/modsecurity.conf
    Include conf/crs/modsecurity_crs_10_setup.conf
    Include conf/crs/activated_rules/*.conf
    Include conf/crs/modsecurity_crs_custom.conf
</IfModule>

————————————————————————

Configuring mlogc

]# sudo vi /home/ubuntu/server/httpd-2.2.18/conf/mlogc.conf

In the file below, put the id/password you registered for the sensor in WAF-FLE into the highlighted fields (SensorUsername / SensorPassword), and point ConsoleURI at the WAF-FLE host.

With load balancing, give each server its own sensor in turn: waffle1, waffle2, ...

————————————————————————-

# Points to the root of the installation. All relative
# paths will be resolved with the help of this path.
CollectorRoot "/var/log/mlogc"

# ModSecurity Console receiving URI. You can change the host
# and the port parts but leave everything else as is.
# The sensor credentials and every audit-log entry (full requests, including
# any passwords clients submitted) travel over this URI, so use https:// whenever
# the console is not on the same host.
ConsoleURI "http://ec2-54-200-118-132.us-west-2.compute.amazonaws.com/controller/"

# Sensor credentials: the pair registered under MANAGEMENT > Add New Sensor in WAF-FLE.
# Pick a real password rather than repeating the sensor name.
SensorUsername "waffle"
SensorPassword "waffle"

# Base directory where the audit logs are stored. This can be specified
# as a path relative to the CollectorRoot, or a full path.
LogStorageDir "data"

# Transaction log will contain the information on all log collector
# activities that happen between checkpoints. The transaction log
# is used to recover data in case of a crash (or if Apache kills
# the process).
TransactionLog "mlogc-transaction.log"

# The file where the pending audit log entry data is kept. This file
# is updated on every checkpoint.
QueuePath "mlogc-queue.log"

# The location of the error log.
ErrorLog "mlogc-error.log"

# The location of the lock file.
LockFile "mlogc.lck"

# Keep audit log entries after sending? (0=false 1=true)
# NOTE: This is required to be set in SecAuditLog mlogc config if you
# are going to use a secondary console via SecAuditLog2.
KeepEntries 0

##########################################################################
# Optional configuration
##########################################################################

# The error log level controls how much detail there
# will be in the error log. The levels are as follows:
# 0 - NONE
# 1 - ERROR
# 2 - WARNING
# 3 - NOTICE
# 4 - DEBUG
# 5 - DEBUG2
#
ErrorLogLevel 3

# How many concurrent connections to the server
# are we allowed to open at the same time? Log collector uses
# multiple connections in order to speed up audit log transfer.
# This is especially needed when the communication takes place
# over a slow link (e.g. not over a LAN).
MaxConnections 10

# How many requests a worker will process before recycling itself.
# This is to help prevent problems due to any memory leaks that may
# exist. If this is set to 0, then no maximum is imposed. The default
# is 1000 requests per worker (the number of workers is controlled by the
# MaxConnections limit).
MaxWorkerRequests 1000

# The time each connection will sit idle before being reused,
# in milliseconds. Increase if you don't want ModSecurity Console
# to be hit with too many log collector requests.
TransactionDelay 50

# The time to wait before initialization on startup in milliseconds.
# Increase if mlogc is starting faster than termination when the
# sensor is reloaded.
StartupDelay 5000

# How often is the pending audit log entry data going to be written
# to a file. The default is 15 seconds.
CheckpointInterval 15

# If the server fails all threads will back down until the
# problem is sorted. The management thread will periodically
# launch a thread to test the server. The default is to test
# once in 60 seconds.
ServerErrorTimeout 60

# The following two parameters are not used yet, but
# reserved for future expansion.
# KeepAlive 150
# KeepAliveTimeout 300

————————————————————————-

Editing modsecurity.conf

]# sudo vi /home/ubuntu/server/httpd-2.2.18/conf/modsecurity.conf

While in this file, also change the shipped "SecRuleEngine DetectionOnly" to "SecRuleEngine On"; the audit-log section is changed as follows.

————————————————————————-

# ...
# -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction. Part C is the request body, so
# the audit log (and the WAF-FLE database it is shipped to) will contain any
# credentials clients POST; restrict access to both accordingly.
SecAuditLogParts ABIDEFGHZ

SecAuditLogType Concurrent

# pipe every entry to mlogc, which forwards it to the WAF-FLE controller
SecAuditLog "|/usr/local/modsecurity/bin/mlogc /home/ubuntu/server/httpd-2.2.18/conf/mlogc.conf"

# Specify the path for concurrent audit logging. The directory must exist and
# be writable by the user Apache runs as.
SecAuditLogStorageDir /var/log/mlogc/data
# ... continue with the rest of modsecurity.conf

————————————————————————-

* Apache log rotation

For Apache HTTPD 1.3 and 2.x alike, configure it in httpd.conf as follows

————————————————————————-

CustomLog "|/usr/apache/bin/rotatelogs /usr/apache/logs/access_log.%Y-%m-%d 86400+540" common

ErrorLog "|/usr/apache/bin/rotatelogs /usr/apache/logs/error_log.%Y-%m-%d 86400+540"

————————————————————————-

Restart Apache.

86400 means: rotate once every 24 hours into files named access_log.xxxxxxxxxx and error_log.xxxxxxxxxx, where xxxxxxxxxx is the year-month-day.

rotatelogs names and rotates the files on UTC boundaries. To switch to Korean time, append the offset between UTC and Korea (+9 hours) multiplied by 60 minutes, i.e. +540, to the interval; from then on the files roll over at Korean midnight and carry the Korean date. This works the same on every HTTPD version.
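How the +540 offset moves both the date in the file name and the moment of rotation, as an added example (a Python model of the interval+offset behaviour the rotatelogs manual describes, not rotatelogs' own code), run on a constructed timestamp; `rotatelogs_name` and `NOW` are names chosen for this block.

```python
from datetime import datetime, timezone

# Constructed "now": 2014-01-01 16:30 UTC, which is already 01:30 on 2014-01-02 in Korea (UTC+9)
NOW = int(datetime(2014, 1, 1, 16, 30, tzinfo=timezone.utc).timestamp())


def rotatelogs_name(template, now_epoch, interval_s, offset_min=0):
    """Model of rotatelogs "interval[+offset]": the clock is shifted by the offset
    (in minutes), floored to a multiple of the interval, and the shifted value is
    expanded through the strftime template as if it were UTC. Returns the file
    name and the real (UTC) time of the next rotation as an ISO string."""
    offset_s = offset_min * 60
    shifted_now = now_epoch + offset_s
    log_start = (shifted_now // interval_s) * interval_s
    name = datetime.fromtimestamp(log_start, tz=timezone.utc).strftime(template)
    # the next rotation happens when the shifted clock reaches log_start + interval,
    # which in real time is offset_s earlier
    next_rotation_utc = log_start + interval_s - offset_s
    return name, datetime.fromtimestamp(next_rotation_utc, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    # UTC naming: the file is still 2014-01-01 and rolls at 00:00 UTC (09:00 in Korea)
    print(rotatelogs_name("access_log.%Y-%m-%d", NOW, 86400))
    # +540: the file is already 2014-01-02 and rolls at 15:00 UTC, i.e. Korean midnight
    print(rotatelogs_name("access_log.%Y-%m-%d", NOW, 86400, 540))
```

The same arithmetic applies to any zone: a negative offset (for example -300 for UTC-5) shifts the boundary the other way.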

* DDoS test tools

: http://resources.infosecinstitute.com/dos-attacks-free-dos-attacking-tools/

Configuring WAF-FLE

* Installing WAF-FLE

]# wget http://www.waf-fle.org/wp-content/uploads/2013/04/waf-fle_0.6.0.tar.gz

]# tar -zxvf waf-fle_0.6.0.tar.gz

]# mv waf-fle /home/ubuntu/server/web_root/waf-fle     (the Alias lines below expect it here)

]# cd /home/ubuntu/server/web_root/waf-fle

]# cp extra/waf-fle.conf /home/ubuntu/server/httpd-2.2.18/conf/waf-fle.conf

]# sudo vi /home/ubuntu/server/httpd-2.2.18/conf/waf-fle.conf

Edit the highlighted (path) lines

————————————————————————-

# /controller/ is where mlogc on every sensor POSTs its audit-log entries
RewriteRule ^/controller$ /controller/ [R]
RedirectMatch ^/controller$ /controller/
Alias /controller/ /home/ubuntu/server/web_root/waf-fle/controller/
<Location /controller>
    # the receiver takes raw audit logs (full attack payloads) as input, so
    # ModSecurity must not inspect it or every upload would be blocked
    <IfModule mod_security2.c>
        SecRuleEngine Off
    </IfModule>
</Location>
<Directory /home/ubuntu/server/web_root/waf-fle/controller/>
    <IfModule mod_security2.c>
        SecRuleEngine Off
    </IfModule>

    DirectoryIndex index.php
    Options -Indexes
    # On some installations, such as FreeBSD, you need to adjust the 'Allow from' directive below
    #Order allow,deny
    #Allow from all
    AddType application/x-httpd-php .php
</Directory>

RedirectMatch ^/waf-fle$ /waf-fle/
RedirectMatch ^/dashboard$ /waf-fle/
Alias /waf-fle /home/ubuntu/server/web_root/waf-fle/dashboard/
<Location /waf-fle>
    # the dashboard is exempt from the WAF as well: limit who can reach it
    # (Allow from your admin networks, as done for /server-status in the full
    # httpd.web.conf) and serve it over TLS, since the admin login is a form POST
    <IfModule mod_security2.c>
        SecRuleEngine Off
    </IfModule>
</Location>

# must be the directory the Alias above points at
<Directory /home/ubuntu/server/web_root/waf-fle/dashboard/>
    <IfModule mod_security2.c>
        SecRuleEngine Off
    </IfModule>

    DirectoryIndex index.php
    Options -Indexes
    AllowOverride all

    # On some installations, such as FreeBSD, you need to adjust the 'Allow from' directive below
    #Order allow,deny
    #Allow from all
    AddType application/x-httpd-php .php
</Directory>

————————————————————————-

]# vim /home/ubuntu/server/httpd-2.2.18/conf/httpd.web.conf

=> add Include conf/waf-fle.conf inside the VirtualHost

* Creating the database

]# cd /home/ubuntu/server/web_root/waf-fle

]# mysql -hlocalhost -uroot -p

mysql> CREATE DATABASE waffle;

mysql> CREATE USER 'waffle'@'localhost' IDENTIFIED BY 'waffle!@#';

mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES ON waffle.* TO 'waffle'@'localhost';

mysql> use waffle;

mysql> source extra/waffle.mysql;

mysql> exit;

Use a password of your own instead of the example 'waffle!@#' and put the same value into config.php. The grant deliberately omits CREATE, ALTER and DROP: the schema is loaded as root here, and the application account can only read and write event rows.

Configuring WAF-FLE (config.php)

]# cd /home/ubuntu/server/web_root/waf-fle

]# cp config.php.example config.php

]# vi config.php

Edit the highlighted (database) lines

————————————————————————-

<?PHP
/** WAF-FLE configuration file
* Define the database parameters, cache and session timeout
*
*/
$DB_HOST = "localhost";
$DB_USER = "waffle";
$DB_PASS = "waffle!@#";   // the password given to CREATE USER above
$DATABASE = "waffle";

// To enable full events compression in database use 'TRUE', to disable compression use 'FALSE'
$COMPRESSION = true;

// Define the performance timing presentation, set 'mili' for milliseconds (1/1000 seconds), or 'micro' for microseconds (1/1000000 seconds).
$timePreference = 'mili';

// To enable APC cache use 'TRUE', to disable APC cache use 'FALSE' (this is why PHP 5.4 with APC was built above)
$APC_ON = true;

// Max events in events list
$max_event_number = "25";

// CACHE_TIMEOUT=30; // This is used to make data cache of frequent used data
$CACHE_TIMEOUT = 30;
$SESSION_TIMEOUT = 600;

// Debug enable/disable
$DEBUG = false;

// Enable setup for the initial run of WAF-FLE: it checks the prerequisites and configures the database schema. Upgrades of the version and database are available here too.
// While this is enabled, no events are received or shown; set it back to false once setup is done.
$SETUP = false;

// Probably you will not need to change anything after this point
//

?>

————————————————————————-

Basic ModSecurity edits

]# vi modsecurity_crs_10_setup.conf

————————————————————————-

Add the following at line 20 (SecDataDir must exist and be writable by the user Apache runs as; the CRS persists its IP and session collections there)

SecRuleEngine On
SecDataDir /home/ubuntu/server/httpd-2.2.18/logs/data

Find SecDefaultAction (around line 70) and change it to

SecDefaultAction "phase:2,deny,status:403,log"

This is the disruptive action that "block" in the custom rules and in the CRS rule files resolves to, so every match ends in a 403.

————————————————————————-

# Behind a load balancer the client would otherwise appear with the LB's address; install mod_rpaf so that REMOTE_ADDR (and with it the IP blacklist rule and the access log) sees the real client

]# wget https://github.com/ttkzw/mod_rpaf-0.6/archive/master.zip

]# unzip master.zip

]# rm master.zip

]# cd mod_rpaf-0.6-master

]# sudo /home/ubuntu/server/httpd-2.2.18/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c

]# vi /home/ubuntu/server/httpd-2.2.18/conf/httpd.web.conf

Add the following to httpd.web.conf

————————————————————————-

LoadModule rpaf_module modules/mod_rpaf-2.0.so

<IfModule rpaf_module>
    RPAFenable On
    RPAFsethostname On
    # Only the load balancer addresses belong here. A prefix as broad as "10."
    # trusts every host in 10/8 to set X-Forwarded-For, so any internal machine
    # (or a compromised one) can spoof the client address, evade the blacklist
    # rule and pollute the logs. List the LB addresses individually.
    RPAFproxy_ips 10.
    RPAFheader X-Forwarded-For
</IfModule>

————————————————————————-
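Why the RPAFproxy_ips list has to be exact, as an added example rather than mod_rpaf's own code: the Python below models the header handling described above (assumption: when the TCP peer is a listed proxy and the header is present, REMOTE_ADDR becomes the right-most X-Forwarded-For entry that is not itself a listed proxy; the page's "10." prefix is modelled as 10.0.0.0/8, and what happens on a malformed entry is this block's choice). The proxy lists and addresses are constructed; `effective_remote_addr` is a hypothetical name.

```python
import ipaddress

# Constructed RPAFproxy_ips lists: the page's "10." prefix modelled as 10.0.0.0/8,
# and the exact addresses of two load balancers, which is what a deployment should use.
BROAD_PROXIES = ["10.0.0.0/8"]
EXACT_PROXIES = ["10.0.0.5", "10.0.0.6"]


def is_proxy(addr, proxy_list):
    """True when addr falls inside any entry (address or CIDR) of the proxy list."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(p, strict=False) for p in proxy_list)


def effective_remote_addr(peer_addr, xff_header, proxy_list):
    """Model of mod_rpaf's rewrite: if the TCP peer is a listed proxy and the
    header is present, take the right-most X-Forwarded-For entry that is not a
    listed proxy (the one appended by the last trusted hop). Otherwise the peer
    address stands and the header is ignored, whatever the client wrote in it."""
    if not xff_header or not is_proxy(peer_addr, proxy_list):
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_proxy(hop, proxy_list):
                return hop
        except ValueError:
            return peer_addr   # garbage in the header: this model trusts none of it
    return hops[0]            # every hop is a proxy: fall back to the first entry


if __name__ == "__main__":
    # 1. normal: LB 10.0.0.5 forwards for client 198.51.100.7
    print(effective_remote_addr("10.0.0.5", "198.51.100.7", EXACT_PROXIES))
    # 2. the client sent a fake header; the LB appended the real address, and the
    #    right-most-untrusted rule picks the LB's view, not the client's claim
    print(effective_remote_addr("10.0.0.5", "203.0.113.9, 198.51.100.7", EXACT_PROXIES))
    # 3. a direct connection from a non-proxy: the header is ignored
    print(effective_remote_addr("198.51.100.7", "203.0.113.9", EXACT_PROXIES))
    # 4. the broad "10." list lets any internal host (10.20.30.40) impersonate 203.0.113.9;
    #    with the exact list the internal host is logged and blacklisted as itself
    print(effective_remote_addr("10.20.30.40", "203.0.113.9", BROAD_PROXIES))
    print(effective_remote_addr("10.20.30.40", "203.0.113.9", EXACT_PROXIES))
```

Case 4 is the one that matters for this page: the blacklist rule keys on REMOTE_ADDR, so whoever can make mod_rpaf rewrite it can either dodge the blacklist or get an innocent address blocked.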

* Restart Apache

]# /home/ubuntu/server/httpd-2.2.18/bin/apachectl -t     (syntax check first; a typo in any included file leaves the server down)

]# sudo /home/ubuntu/server/httpd-2.2.18/bin/apachectl restart

Full httpd.web.conf

————————————————————————-

NameVirtualHost *:80

LoadModule rpaf_module modules/mod_rpaf-2.0.so

<IfModule rpaf_module>
    RPAFenable On
    RPAFsethostname On
    # list only the load balancer addresses (see the mod_rpaf note above)
    RPAFproxy_ips 10.
    RPAFheader X-Forwarded-For
</IfModule>

LoadModule jk_module modules/mod_jk.so

#LoadFile /usr/lib/x86_64-linux-gnu/libxml2.so
#LoadFile /usr/lib/x86_64-linux-gnu/liblua5.1.so

LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
    # engine settings first, then the rules: a later SecRuleEngine in
    # modsecurity.conf would otherwise override the one set by the CRS setup file
    Include conf/modsecurity.conf
    Include conf/crs/modsecurity_crs_10_setup.conf
    Include conf/crs/activated_rules/*.conf
    Include conf/crs/modsecurity_crs_custom.conf
</IfModule>

<IfModule jk_module>
    JkLogFile logs/mod_jk.log
    JkLogLevel info
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
    JkWorkersFile conf/workers.properties
</IfModule>

<VirtualHost *:80>
    DocumentRoot "/home/ubuntu/server/web_root"
    AddType application/x-httpd-php .html .htm .php

    <Directory "/home/ubuntu/server/web_root">
        DirectoryIndex index.php
        Options FollowSymLinks MultiViews
        #Deny from env=notaccept
        AllowOverride all
        Order allow,deny
        Allow from all
        AuthType None
        #Require all granted
    </Directory>

    <IfModule jk_module>
        JkMount /* ajp13web
        SetEnvIf Request_URI "^/waf-fle(/|$)" no-jk
        SetEnvIf Request_URI "^/controller(/|$)" no-jk
        #SetEnvIf Request_URI "\.html$" no-jk
        SetEnvIf Request_URI "\.php$" no-jk
    </IfModule>

    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined_ec2
    CustomLog "|/home/ubuntu/server/httpd-2.2.18/bin/rotatelogs /home/ubuntu/server/httpd-2.2.18/logs/ws_apache.access_log.%Y-%m-%d 86400" combined_ec2
    ErrorLog "|/home/ubuntu/server/httpd-2.2.18/bin/rotatelogs /home/ubuntu/server/httpd-2.2.18/logs/ws_apache.error_log.%Y-%m-%d 86400"

    # commented-out alternative: per-address deny keyed on X-Forwarded-For
    # (the blacklist.data rule in modsecurity_crs_custom.conf covers this now)
    #CustomLog "/home/chaton/server/httpd-2.2.18/logs/DenyIP_access.log" combined_ec2 env=notaccept
    #<Location />
    #    SetEnvIf X-Forwarded-For "216.144.252.114" notaccept
    #    SetEnvIf X-Forwarded-For "208.115.226.250" notaccept
    #    SetEnvIf X-Forwarded-For "54.200.149.67" notaccept
    #    SetEnvIf X-Forwarded-For "209.141.9.0/24" notaccept
    #    SetEnvIf X-Forwarded-For "216.245.200.122" notaccept
    #    SetEnvIf X-Forwarded-For "203.244.212.25" notaccept
    #    SetEnvIf X-Forwarded-For "107.21.199.144" notaccept
    #    SetEnvIf X-Forwarded-For "50.16.101.179" notaccept
    #    Order allow,deny
    #    Deny from env=notaccept
    #    Allow from all
    #</Location>

    <Location /WEB-INF>
        Order deny,allow
        Deny from all
    </Location>

    # server-status reveals request URIs and client addresses; keep it limited
    # to the admin networks below
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 210.94.41.89/32
        Allow from 203.244.218.0/24
        Allow from 203.244.197.0/24
        Allow from 203.244.212.0/24
    </Location>

    Include conf/waf-fle.conf
</VirtualHost>

* Logging in to WAF-FLE

http://url/waf-fle

Log in at the path above as admin/admin and set a new password right away (the dashboard is exempt from the WAF and, as configured here, served over plain HTTP).

Click MANAGEMENT in the top menu, then Add New Sensor

Sensor : waffle

Password : waffle

and Save. Use a real password rather than the sensor name; the same pair goes into mlogc.conf as SensorUsername / SensorPassword.

With load balancing, for example with an Apache (WAF-FLE sensor) server at 1.0.0.1:

Click Add New Sensor

Sensor : waffle1

Password : waffle1

and Save

Click Add New Sensor

Sensor : waffle2

Password : waffle2

and Save

and so on, one sensor per server.

]# sudo vi /home/ubuntu/server/httpd-2.2.18/conf/mlogc.conf

Put the sensor id/password added in the WAF-FLE console into the highlighted fields; with load balancing, waffle1, waffle2, ... in order, one per server

————————————————————————-

# Points to the root of the installation. All relative
# paths will be resolved with the help of this path.
CollectorRoot "/var/log/mlogc"

# ModSecurity Console receiving URI. You can change the host
# and the port parts but leave everything else as is.
ConsoleURI "http://ec2-54-200-118-132.us-west-2.compute.amazonaws.com/controller/"

# Sensor credentials
SensorUsername "waffle"
SensorPassword "waffle"

————————————————————————-

ModSecurity test URLs

Each request below should come back with a 403 once SecRuleEngine is On. Cases 1-x and 5-1 are caught by the custom rules 800002/800003; the others depend on the CRS files linked into activated_rules, so when one gets through, look up which rule fired (or did not) in the audit log or the WAF-FLE event rather than judging by the status code alone.

Case.1-1 : http://localhost/?sqlinjection=(create

Case.1-2 : http://localhost/?sqlinjection=(delete

Case.1-3 : http://localhost/?sqlinjection=|create

Case.1-4 : http://localhost/?sqlinjection=|delete

Case.1-5 : http://localhost/?sqlinjection=drop’

Case.1-6 : http://localhost/?sqlinjection=create’

Case.1-7 : http://localhost/?sqlinjection=drop’

Case.2-1 : http://localhost/?sqlinjection=(%27|;|%)

Case.2-2 : http://localhost/?sqlinjection=||

Case.2-3 : http://localhost/?sqlinjection=|;

Case.2-4 : http://localhost/?sqlinjection=(%27

Case.2-5 : http://localhost/?sqlinjection=|%%|

Case.2-6 : http://localhost/?sqlinjection=’%

Case.3-1 : http://localhost/?jsessionid=6B1043C6507BFFFE8A6E16B3F2F91C5A

Case.4-1 : http://localhost/?xss=%3Cscript

Case.4-2 : http://localhost/index.php?{SESSION_ID}&SESSION_ID=

Case.4-3 : http://localhost/index.php?../../../../../../../../etc/passwd

Case.4-4 : http://localhost/index.php?%3CIMG%20SRC=%22javascript:alert(%27XSS%27);%22%3E

Case.4-5 : http://localhost/index.php?%3CIFRAME%20SRC=javascript:alert(%27XSS%27)%3E%3C/IFRAME%3E

Case.5-1 : http://localhost/?sqlinjection=drop.+index

Case.6-1 : http://localhost/?sqlinjection=alter[[:%20:]]table
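To see which of the test URLs the two custom SQLi rules (800002, 800003) actually reach, and which are left to the CRS rule files, the added Python below models ARGS_NAMES|ARGS with t:none,t:urlDecodeUni and runs the page's test cases plus two constructed requests through the same regexes. It is not ModSecurity's code: cookies, XML and the IP rule are not modelled, the %uXXXX form of urlDecodeUni is omitted, and `matched_rules` / `args_after_url_decode_uni` are names chosen for this block.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# The two SQLi rules from modsecurity_crs_custom.conf, in file order.
CUSTOM_RULES = [
    ("800002", re.compile(r"drop.+index")),
    ("800003", re.compile(r"(create|drop|delete)")),
]


def args_after_url_decode_uni(url):
    """Model of ARGS_NAMES|ARGS with t:none,t:urlDecodeUni. The query string is
    decoded once when the request is parsed (parse_qsl does that, including
    '+' to space); urlDecodeUni then decodes it a second time, which is what
    catches double-encoded payloads. The %uXXXX form is not modelled."""
    query = urlsplit(url).query
    targets = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        targets.append(unquote(name))
        targets.append(unquote(value))
    return targets


def matched_rules(url):
    """IDs of every custom rule whose regex hits some argument name or value.
    In blocking mode the first hit already denies the request with 403 and
    later rules are never reached, so the list shows reach, not the outcome."""
    targets = args_after_url_decode_uni(url)
    return [rid for rid, rx in CUSTOM_RULES if any(rx.search(t) for t in targets)]


# The page's test URLs plus two constructed requests (the last two).
SAMPLE_URLS = [
    "http://localhost/?sqlinjection=(create",        # 1-1: 800003
    "http://localhost/?sqlinjection=drop'",          # 1-5: 800003
    "http://localhost/?sqlinjection=(%27|;|%)",      # 2-1: custom rules silent; CRS 41_sql_injection territory
    "http://localhost/?xss=%3Cscript",               # 4-1: custom rules silent; CRS 41_xss territory
    "http://localhost/?sqlinjection=drop.+index",    # 5-1: 800002 and 800003
    "http://localhost/?q=%2564rop%2527",             # double-encoded drop': caught only because of urlDecodeUni
    "http://localhost/?action=deleteComment&id=7",   # benign admin action: 800003 false positive
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(matched_rules(u) or "-", u)
```

The last two constructed requests show both sides of the custom rules: the second decode pass is what stops the `%25`-encoded evasion, and the same bare keyword match blocks an ordinary `deleteComment` action, which is why the CRS uses far longer, context-aware SQLi patterns instead of three keywords.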