

Protecting the Apache web server from DoS attacks !!!   04-02-2010 12:54


CentOS 5.2 ModSecurity Installation

Saturday, October 25th, 2008 

While this guide is CentOS specific, it contains enough detail to be adaptable to most other distributions.

ModSecurity is essentially a web application firewall for Apache: it checks all traffic against a set of rules that detect and prevent potentially malicious activity. There are three parts to this ModSecurity installation.

1. ModSecurity
2. mlogc
3. ModSecurity Console

ModSecurity is the ‘firewall’; mlogc is the log collector that ships ModSecurity's audit log entries to the management console.

The console can be downloaded from BREACH; I used the Windows version for simplicity. Each console installation can support multiple sensors (ModSecurity installations), so it provides centralised monitoring. The console installation isn't covered here; there's nothing to it: download, install, create sensors, done. Just make sure to install a valid license (BREACH offers a free 3-sensor license).

Versions used:

Apache: 2.2.3
ModSecurity: 2.5.7

Install Dependencies:

yum install httpd-devel libxml2 libxml2-devel curl-devel pcre-devel gcc-c++

note: curl-devel is only required for mlogc

Download and Installation

wget http://www.modsecurity.org/download/modsecurity-apache_2.5.7.tar.gz

or, get the latest from http://www.modsecurity.org/download/direct.html

Stop Apache

service httpd stop

Untar it and install:

tar -xvzf modsecurity-apache_2.5.7.tar.gz
 
cd modsecurity-apache_2.5.7/apache2/
 
./configure
make
make mlogc
make install

Configuration

Configure mlogc:

Copy the binary from mlogc-src/ to /usr/local/bin/

cp mlogc-src/mlogc /usr/local/bin/

Copy the default config to /etc/

cp mlogc-src/mlogc-default.conf /etc/mlogc.conf

Edit the configuration file: /etc/mlogc.conf:

Change the following:

#URL TO CONSOLE LOG RECEIVER
ConsoleURI          https://CONSOLE_IP_ADDRESS:8886/rpc/auditLogReceiver
 
#SENSOR CREDENTIALS
SensorUsername      "SENSOR_USERNAME"
SensorPassword      "SENSOR_PASSWORD"

The above values need to reflect the Console installation and the sensor you created in it; also make sure the port matches the console's log receiver (it should be either 8886 or 8888). Note that the file holds the sensor password in clear text, so keep it readable only by root and the account that runs mlogc. Save and exit.

Configure ModSecurity:

Edit httpd.conf and add the following. Load the module before including the rules, so that any <IfModule mod_security2.c> block inside the rule files is evaluated after the module has been loaded (IfModule is evaluated at the point where Apache reads it). On x86_64 the library lives in /usr/lib64/libxml2.so rather than /usr/lib/libxml2.so.

# ModSecurity
 
LoadFile /usr/lib/libxml2.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf

Still in httpd.conf, go down to the main server configuration section and add the block below. Note that the SecFilter* directive family (SecFilterEngine, SecFilterScanPOST, SecFilterDefaultAction, SecFilterDebugLog, ...) is ModSecurity 1.x syntax: 2.5.7 rejects those directives, and when they are wrapped in <IfModule mod_security.c> (the 1.x module name) Apache silently skips the whole block, because the 2.x module is called mod_security2.c. The 1.x URL-encoding, Unicode and byte-range checks have no directive equivalent in 2.x; the Core Rule Set implements them as rules.

# ModSecurity Configuration
 
<IfModule mod_security2.c>
    # Turn the rule engine On or Off
    SecRuleEngine On
 
    # Should ModSecurity inspect request bodies (POST payloads)
    SecRequestBodyAccess On
 
    # Debug level set to a minimum
    SecDebugLog logs/modsec_debug_log
    SecDebugLogLevel 0
 
    # By default log and deny suspicious requests
    # with HTTP status 500
    SecDefaultAction "phase:2,deny,log,status:500"
 
    # Only log relevant (blocked or flagged) transactions
    SecAuditEngine RelevantOnly
 
    # mlogc requires concurrent logging (one file per transaction)
    SecAuditLogType Concurrent
 
    # Send all audit log parts
    SecAuditLogParts ABIDEFGHZ
 
    # Use the same /CollectorRoot/LogStorageDir as in mlogc.conf
    SecAuditLogStorageDir /var/log/mlogc/data
 
    # Pipe the audit log index to mlogc with your configuration
    SecAuditLog "|/usr/local/bin/mlogc /etc/mlogc.conf"
</IfModule>
 
Save and Exit.

Copy the rules to the Apache configuration directory:

mkdir /etc/httpd/conf/modsecurity

then, from the rules/ directory of the extracted tarball (../rules relative to apache2/):

cp *.conf /etc/httpd/conf/modsecurity

Make the necessary changes to modsecurity_crs_10_config.conf, mainly its logging section, so that it carries the same audit settings as httpd.conf:

# Log files structure
 
SecAuditLogType Concurrent
SecAuditLog "|/usr/local/bin/mlogc /etc/mlogc.conf"
SecAuditLogStorageDir /var/log/mlogc/data
 
SecAuditLogParts "ABIDEFGHZ"

Create the mlogc log directories and give the apache group write access. The httpd children, running as the apache user, write the per-transaction audit entries here, and the path must be the one named by SecAuditLogStorageDir and by CollectorRoot/LogStorageDir in mlogc.conf:

mkdir -p /var/log/mlogc/data
 
chown -R :apache /var/log/mlogc
chmod -R g+w /var/log/mlogc
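Before starting Apache it is worth checking that the two configuration files agree with each other, since mlogc can only upload what ModSecurity writes to the directory mlogc reads. The POSIX shell functions below are an added example, not part of the original guide and not shipped with ModSecurity or mlogc: they read single-token directives out of httpd.conf (or modsecurity_crs_10_config.conf) and mlogc.conf, confirm that SecAuditLogStorageDir equals mlogc's CollectorRoot/LogStorageDir, and confirm that ConsoleURI points at port 8886 or 8888 over HTTPS and that the sensor credentials are no longer the SENSOR_USERNAME / SENSOR_PASSWORD placeholders. The key names CollectorRoot and LogStorageDir are assumed to be the ones mlogc-default.conf uses for the "/CollectorRoot/LogStorageDir" path mentioned above; every path, host and credential in the block is constructed for the example.

```sh
#!/bin/sh
# Added example: cross-check httpd.conf against mlogc.conf before starting
# Apache. Not part of the original guide or of ModSecurity/mlogc.
# Assumption: mlogc.conf uses the keys CollectorRoot, LogStorageDir,
# ConsoleURI, SensorUsername and SensorPassword (as mlogc-default.conf does).

# Print the value of a "Key value" directive (single-token values only),
# with surrounding double quotes removed; print nothing if the key is absent.
# Leading whitespace and commented-out lines (#Key ...) are handled by awk's
# field splitting: "#SensorUsername" is not equal to "SensorUsername".
conf_value() {  # conf_value FILE KEY
    awk -v key="$2" '
        $1 == key { v = $2; gsub(/^"|"$/, "", v); print v; exit }
    ' "$1"
}

# Return 0 when SecAuditLogStorageDir in the Apache-side file equals
# CollectorRoot/LogStorageDir from mlogc.conf (LogStorageDir may be absolute).
storage_dirs_match() {  # storage_dirs_match HTTPD_CONF MLOGC_CONF
    sec_dir=$(conf_value "$1" SecAuditLogStorageDir)
    root=$(conf_value "$2" CollectorRoot)
    subdir=$(conf_value "$2" LogStorageDir)
    case "$subdir" in
        /*) mlogc_dir=$subdir ;;
        *)  mlogc_dir="${root%/}/$subdir" ;;
    esac
    [ -n "$sec_dir" ] && [ "${sec_dir%/}" = "${mlogc_dir%/}" ]
}

# Return 0 when ConsoleURI is HTTPS on port 8886 or 8888 (the two ports the
# console's log receiver can use) and the credentials are no longer the
# placeholders from mlogc-default.conf.
console_settings_ok() {  # console_settings_ok MLOGC_CONF
    uri=$(conf_value "$1" ConsoleURI)
    user=$(conf_value "$1" SensorUsername)
    pass=$(conf_value "$1" SensorPassword)
    case "$uri" in
        https://*:8886/*|https://*:8888/*) ;;
        *) return 1 ;;
    esac
    [ -n "$user" ] && [ "$user" != SENSOR_USERNAME ] &&
    [ -n "$pass" ] && [ "$pass" != SENSOR_PASSWORD ]
}

# Run both checks and report what is wrong; exit status 0 only if all pass.
# Usage: check_mlogc_setup /etc/httpd/conf/httpd.conf /etc/mlogc.conf
check_mlogc_setup() {  # check_mlogc_setup HTTPD_CONF MLOGC_CONF
    rc=0
    storage_dirs_match "$1" "$2" ||
        { echo "SecAuditLogStorageDir in $1 != CollectorRoot/LogStorageDir in $2"; rc=1; }
    console_settings_ok "$2" ||
        { echo "ConsoleURI or sensor credentials in $2 are not set for the console"; rc=1; }
    return $rc
}
```

Run `check_mlogc_setup /etc/httpd/conf/httpd.conf /etc/mlogc.conf` and, if you moved the audit settings into the CRS file, run it again against /etc/httpd/conf/modsecurity/modsecurity_crs_10_config.conf: whichever file Apache reads last wins, so both copies must name the same directory.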

Start Apache (it was stopped before the build):

service httpd start

Confirm ModSecurity is running:

tail /var/log/httpd/error_log
 
[Wed Oct 22 21:37:45 2008] [notice] ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/) configured.
[Wed Oct 22 21:37:45 2008] [notice] Digest: generating secret for digest authentication ...
[Wed Oct 22 21:37:45 2008] [notice] Digest: done
[Wed Oct 22 21:37:46 2008] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations

Done! Generate some suspicious traffic, e.g. an nmap version scan (-sV) against port 80, which actually sends HTTP requests (a plain port scan never reaches Apache as a request, so ModSecurity does not see it), or a request carrying an obvious attack string, and check the console for alerts.

Files to check if things don’t work:

/var/log/httpd/error_log
/var/log/mlogc/mlogc-error.log
/var/log/messages

Also check the Administrative Events in the Console.
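If the console stays empty, the quickest way to tell whether ModSecurity is producing alerts at all is to read the per-transaction files it writes under /var/log/mlogc/data before mlogc uploads them. The shell functions below are an added example, not from the original guide and not part of ModSecurity or mlogc: they walk the concurrent audit log format (parts delimited by --<id>-A-- ... --<id>-Z--, the client address in part A, and "Message:" lines carrying [id ".."] [msg ".."] in part H), print one line per alert, and count alerts per rule id across a whole storage directory. The embedded audit entry, including its rule ids, messages and IP addresses, is constructed for the example.

```sh
#!/bin/sh
# Added example: summarise ModSecurity 2.x concurrent audit log entries
# without the console. Not part of the original guide or of ModSecurity.

# Print one line per alert in the given audit log file(s) (or stdin for "-"):
# client IP, rule id and rule message, tab separated.
# Part A:  [date] unique_id client_ip client_port server_ip server_port
# Part H:  Message: ... [id "950001"] [msg "SQL Injection Attack"] ...
audit_summary() {  # audit_summary FILE...
    awk '
        # boundary line, e.g. --3f8c2a1e-H--: the part letter sits 2 chars from the end
        /^--[0-9a-f]+-[A-Z]--$/ { part = substr($0, length($0) - 2, 1); next }
        part == "A" && NF >= 7 { client = $4 }
        part == "H" && /^Message: / {
            id = ""; msg = ""
            if (match($0, /\[id "[^"]*"]/))  id  = substr($0, RSTART + 5, RLENGTH - 7)
            if (match($0, /\[msg "[^"]*"]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
            print client "\t" id "\t" msg
        }
    ' "$@"
}

# Alerts per rule id across every entry below a storage directory,
# most frequent first. Usage: top_rules /var/log/mlogc/data
top_rules() {  # top_rules DIR
    find "$1" -type f -exec cat {} + | audit_summary - |
        cut -f2 | sort | uniq -c | sort -rn
}

# A constructed audit entry in the concurrent format (not a real capture):
# a blocked "union select" request that also tripped a protocol-anomaly rule.
sample_audit_entry() {
    cat <<'EOF'
--3f8c2a1e-A--
[22/Oct/2008:21:40:12 +0100] SQ9lXX8AAAEAAAeMKlQAAAAA 192.0.2.10 51234 192.0.2.20 80
--3f8c2a1e-B--
GET /index.php?id=1%20union%20select%201,2,3 HTTP/1.1
Host: www.example.com
User-Agent: curl/7.15.5

--3f8c2a1e-F--
HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=iso-8859-1

--3f8c2a1e-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "29"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"]
Message: Access denied with code 500 (phase 2). Pattern match "union\s+select" at ARGS:id. [file "/etc/httpd/conf/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/).
Server: Apache/2.2.3 (CentOS)

--3f8c2a1e-Z--
EOF
}

# Stand-alone demo on the constructed entry; on a sensor run
# audit_summary /var/log/mlogc/data/*/*/* or top_rules /var/log/mlogc/data.
case "${1:-}" in --demo) sample_audit_entry | audit_summary - ;; esac
```

Entries that are still present under the storage directory long after the request were never confirmed by the console; that, together with /var/log/mlogc/mlogc-error.log, is the first thing to look at when alerts show up locally but not in the console.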

