星期三, 2月 18, 2009

Apache內新增security模組

可於Apache內新增了一個模組,以保護系統不受到攻擊。
可以用來抵擋知名及不知名的攻擊如 SQL injection attacks
、cross-site scripting、path traversal attacks。
但網頁部分仍須注意是否有漏洞。

以下說明安裝過程:

1.
wget http://www.modsecurity.org/download/modsecurity-apache_1.9.5.tar.gz

2.
tar zxvf modsecurity-apache_1.9.5.tar.gz


3.
cd modsecurity-apache_1.9.5

4.
cd apache2

5.請先進行httpd-devel*.rpm的安裝,接著才能編譯模組。
(這部分很多部落格都遺漏了..)
[root@xxx apache2]# yum install httpd-devel
Loading "fastestmirror" plugin
Loading mirror speeds from cached hostfile
* base: ftp2.tnc.edu.tw
* updates: ftp2.riken.jp
* addons: ftp2.tnc.edu.tw
* extras: ftp.cs.pu.edu.tw
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package httpd-devel.i386 0:2.2.3-11.el5_1.centos.3 set to be updated
--> Processing Dependency: apr-devel for package: httpd-devel
--> Processing Dependency: apr-util-devel for package: httpd-devel
---> Package httpd-devel.x86_64 0:2.2.3-11.el5_1.centos.3 set to be updated
--> Running transaction check
---> Package apr-devel.i386 0:1.2.7-11 set to be updated
---> Package apr-util-devel.i386 0:1.2.7-7.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
httpd-devel i386 2.2.3-11.el5_1.centos.3 base 146 k
httpd-devel x86_64 2.2.3-11.el5_1.centos.3 base 147 k
Installing for dependencies:
apr-devel i386 1.2.7-11 base 237 k
apr-util-devel i386 1.2.7-7.el5 base 54 k

Transaction Summary
=============================================================================
Install 4 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 584 k
Is this ok [y/N]: y
Downloading Packages:
(1/4): httpd-devel-2.2.3- 100% |=========================| 147 kB 00:00
(2/4): apr-util-devel-1.2 100% |=========================| 54 kB 00:00
(3/4): apr-devel-1.2.7-11 100% |=========================| 237 kB 00:00
(4/4): httpd-devel-2.2.3- 100% |=========================| 146 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: apr-devel ######################### [1/4]
Installing: apr-util-devel ######################### [2/4]
Installing: httpd-devel ######################### [3/4]
Installing: httpd-devel ######################### [4/4]

Installed: httpd-devel.i386 0:2.2.3-11.el5_1.centos.3 httpd-devel.x86_64 0:2.2.3-11.el5_1.centos.3
Dependency Installed: apr-devel.i386 0:1.2.7-11 apr-util-devel.i386 0:1.2.7-7.el5
Complete!
[root@xxx apache2]#

6.
/usr/sbin/apxs -cia mod_security.c


編譯完成後,/usr/lib/httpd/modules/ 下會生成一個 mod_security.so 模組檔
安裝時會自動在 /etc/httpd/conf/httpd.conf 內加入以下內容:
LoadModule security_module /usr/lib/httpd/modules/ mod_security.so


以下為設定 mod_security 模組,在 /etc/httpd/conf/httpd.conf 內加入以下內容:
#開頭的是註解,建議將註解刪除後再拷貝至httpd.conf內

# 打開過濾引擎開關。如果是Off,那麼下面這些都不起作用了。
SecFilterEngine On
# 把設置傳遞給字目錄
SecFilterInheritance Off
# 檢查url編碼
SecFilterCheckURLEncoding On
# 檢測內容長度以避免堆溢出攻擊
#SecFilterForceByteRange 32 126
# 日誌的文件和位置。一定要先建立好目錄,否則apache重新啟動的時候會報錯。
SecAuditLog /var/log/httpd/mod_security_audit_log
# debug的設置
SecFilterDebugLog /var/log/httpd/mod_security_debug_log
SecFilterDebugLevel 9
#當匹配chmod,wget等命令的時候,重新定向到一個特殊的頁面,讓攻擊者知難而退
SecFilter chmod redirect:http://www.google.com
SecFilter wget redirect:http://www.google.com
# 預設的動作
SecFilterDefaultAction "deny,log,status:406"
# 防止操作系統關鍵詞攻擊
SecFilter /etc/*passwd
SecFilter /bin/*sh
# 防止double dot攻擊
SecFilter "\.\./"
# 防止跨站腳本(CSS)攻擊
SecFilter "<( |\n)*script" # Prevent XSS atacks (HTML/Javascript injection) SecFilter "<(.|\n)+>"
# 防止sql注入式攻擊
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
#偽裝服務器標識
SecServerSignature "Microsoft-IIS/6.0"



完成之後, restart httpd 即可
service httpd restart



參考網站:
http://www.xspace.idv.tw/bo_blog/post/139.htm
http://calos-tw.blogspot.com/2008/07/apache-modsecurity.html

官方首頁:
http://www.modsecurity.org/index.php

簡介:
http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html

你也可以使用專家寫好的規則:
http://www.gotroot.com/tiki-index.php?page=mod_security+rules

沒有留言:

張貼留言