Difference between revisions of "ModSecurity: OWASP CRS3 menambahkan"

From OnnoWiki
Jump to navigation Jump to search
 
(19 intermediate revisions by the same user not shown)
Line 18: Line 18:
 
==Install ModSecurity==
 
==Install ModSecurity==
  
  apt-get install libapache2-modsecurity
+
sudo su
 +
apt update
 +
  apt -y install libapache2-modsecurity
 +
 
 +
Ubuntu 20.04
 +
 
 +
apt -y install libapache2-mod-security2
 +
 
 
cek
 
cek
  
 
  apachectl -M | grep --color security
 
  apachectl -M | grep --color security
 
  
 
==Install ModSecurity Core Rule Set (CRS)==
 
==Install ModSecurity Core Rule Set (CRS)==
  
 
Instalasi dari Github
 
Instalasi dari Github
 +
 +
Ubuntui 20.04
 +
 +
cd ~
 +
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
 +
 +
cd ~/owasp-modsecurity-crs
 +
sudo mv crs-setup.conf.example /etc/modsecurity/crs-setup.conf
 +
sudo mv rules/ /etc/modsecurity/
 +
 +
Versi lama
  
 
  rm -rf /usr/share/modsecurity-crs
 
  rm -rf /usr/share/modsecurity-crs
 
  apt-get install -y git
 
  apt-get install -y git
 
  git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
 
  git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
 +
cp /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
  
rename .conf extension.
 
  
cp /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf.example /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf
+
Silahkan baca2 file crs-setup.conf kalau mau mengerti cara / proses deteksi. Ada bagian PARANOID :) ..
  
 
==Setup ModSecurity CRS==
 
==Setup ModSecurity CRS==
  
 +
 +
mkdir -p /usr/share/modsecurity-crs/activated_rules/
 
  cd /usr/share/modsecurity-crs
 
  cd /usr/share/modsecurity-crs
 +
for f in `ls rules`; do sudo ln -s ../rules/$f activated_rules/$f; done
  
Activate rules
+
==Konfigurasi==
  
$ sudo ln -s ../modsecurity_crs_10_setup.conf activated_rules/modsecurity_crs_10_setup.conf
+
Edit modsecurity.conf agar
 
 
masukan base_rules,
 
 
 
$ for f in `ls base_rules`; do sudo ln -s ../base_rules/$f activated_rules/$f; done
 
 
 
Now you're activated_rules directory should look something like this:
 
 
 
$ ll activated_rules/
 
total 20
 
drwxr-xr-x 2 root root 4096 Jun 26 14:15 ./
 
drwxr-xr-x 9 root root 4096 Jun 26 13:56 ../
 
lrwxrwxrwx 1 root root  44 Jun 26 14:07 modsecurity_35_bad_robots.data -> ../base_rules/modsecurity_35_bad_robots.data
 
lrwxrwxrwx 1 root root  42 Jun 26 14:07 modsecurity_35_scanners.data -> ../base_rules/modsecurity_35_scanners.data
 
lrwxrwxrwx 1 root root  49 Jun 26 14:07 modsecurity_40_generic_attacks.data -> ../base_rules/modsecurity_40_generic_attacks.data
 
lrwxrwxrwx 1 root root  42 Jun 26 14:07 modsecurity_50_outbound.data -> ../base_rules/modsecurity_50_outbound.data
 
lrwxrwxrwx 1 root root  50 Jun 26 14:07 modsecurity_50_outbound_malware.data -> ../base_rules/modsecurity_50_outbound_malware.data
 
lrwxrwxrwx 1 root root  32 Jun 26 14:15 modsecurity_crs_10_setup.conf -> ../modsecurity_crs_10_setup.conf
 
lrwxrwxrwx 1 root root  57 Jun 26 14:07 modsecurity_crs_20_protocol_violations.conf -> ../base_rules/modsecurity_crs_20_protocol_violations.conf
 
lrwxrwxrwx 1 root root  56 Jun 26 14:07 modsecurity_crs_21_protocol_anomalies.conf -> ../base_rules/modsecurity_crs_21_protocol_anomalies.conf
 
lrwxrwxrwx 1 root root  52 Jun 26 14:07 modsecurity_crs_23_request_limits.conf -> ../base_rules/modsecurity_crs_23_request_limits.conf
 
lrwxrwxrwx 1 root root  49 Jun 26 14:07 modsecurity_crs_30_http_policy.conf -> ../base_rules/modsecurity_crs_30_http_policy.conf
 
lrwxrwxrwx 1 root root  48 Jun 26 14:07 modsecurity_crs_35_bad_robots.conf -> ../base_rules/modsecurity_crs_35_bad_robots.conf
 
lrwxrwxrwx 1 root root  53 Jun 26 14:07 modsecurity_crs_40_generic_attacks.conf -> ../base_rules /modsecurity_crs_40_generic_attacks.conf
 
lrwxrwxrwx 1 root root  59 Jun 26 14:07 modsecurity_crs_41_sql_injection_attacks.conf -> ../base_rules/modsecurity_crs_41_sql_injection_attacks.conf
 
lrwxrwxrwx 1 root root  49 Jun 26 14:07 modsecurity_crs_41_xss_attacks.conf -> ../base_rules/modsecurity_crs_41_xss_attacks.conf
 
lrwxrwxrwx 1 root root  52 Jun 26 14:07 modsecurity_crs_42_tight_security.conf -> ../base_rules/modsecurity_crs_42_tight_security.conf
 
lrwxrwxrwx 1 root root  45 Jun 26 14:07 modsecurity_crs_45_trojans.conf -> ../base_rules/modsecurity_crs_45_trojans.conf
 
lrwxrwxrwx 1 root root  55 Jun 26 14:07 modsecurity_crs_47_common_exceptions.conf -> ../base_rules/modsecurity_crs_47_common_exceptions.conf
 
lrwxrwxrwx 1 root root  62 Jun 26 14:07 modsecurity_crs_48_local_exceptions.conf.example -> ../base_rules/modsecurity_crs_48_local_exceptions.conf.example
 
lrwxrwxrwx 1 root root  54 Jun 26 14:07 modsecurity_crs_49_inbound_blocking.conf -> ../base_rules/modsecurity_crs_49_inbound_blocking.conf
 
lrwxrwxrwx 1 root root  46 Jun 26 14:07 modsecurity_crs_50_outbound.conf -> ../base_rules/modsecurity_crs_50_outbound.conf
 
lrwxrwxrwx 1 root root  55 Jun 26 14:07 modsecurity_crs_59_outbound_blocking.conf -> ../base_rules/modsecurity_crs_59_outbound_blocking.conf
 
lrwxrwxrwx 1 root root  49 Jun 26 14:07 modsecurity_crs_60_correlation.conf -> ../base_rules/modsecurity_crs_60_correlation.conf
 
-rw-r--r-- 1 root root 5720 Jul 12  2013 README
 
 
 
 
 
==Konfigurasi==
 
  
  cd /etc/modsecurity
+
  mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
cp modsecurity.conf-recommended modsecurity.conf
+
vi /etc/modsecurity/modsecurity.conf
  
Edit modsecurity.conf agar
+
Ubah
  
 
  SecRuleEngine DetectionOnly
 
  SecRuleEngine DetectionOnly
Line 93: Line 76:
  
  
Edit /etc/apache2/mods-available/security2.conf . Tambahkan IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf
+
Edit security2.conf
 +
 
 +
vi /etc/apache2/mods-available/security2.conf
 +
 
 +
Tambahkan IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf
  
 
  <IfModule security2_module>
 
  <IfModule security2_module>
Line 103: Line 90:
 
         # will allow for an easy upgrade of THIS file and
 
         # will allow for an easy upgrade of THIS file and
 
         # make your life easier
 
         # make your life easier
         IncludeOptional /etc/modsecurity/*.conf
+
         '''IncludeOptional /etc/modsecurity/*.conf'''
         IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf
+
         '''Include "/usr/share/modsecurity-crs/*.conf"'''
 +
        '''Include "/usr/share/modsecurity-crs/activated_rules/*.conf"'''
 
  </IfModule>
 
  </IfModule>
  
Reload apache
+
==Reload Apache==
 +
 
 +
Enable module
  
  $ sudo service apache2 reload
+
  a2enmod headers
 +
a2enmod security2
 +
service apache2 reload
  
  
==Test==
+
Cara Disable module
  
  ## XSS
+
  a2dismod headers
  $ curl 'http://localhost/?q="><script>alert(1)</script>'
+
  a2dismod security2
 +
service apache2 reload
  
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+
==Test==
<html><head>
 
<title>403 Forbidden</title>
 
</head><body>
 
<h1>Forbidden</h1>
 
<p>You don't have permission to access /
 
on this server.</p>
 
<hr>
 
<address>Apache/2.4.7 (Ubuntu) Server at localhost Port 80</address>
 
</body></html>
 
  
## SQLi
+
Jika anda menginstalasi [[DVWA]], bisa di lakukan test ke [[DVWA]] dengan kondisi module di enable / disable.
$ curl "http://localhost/?q='1 OR 1=1"
 
  
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+
===XSS===
<html><head>
 
<title>403 Forbidden</title>
 
</head><body>
 
<h1>Forbidden</h1>
 
<p>You don't have permission to access /
 
on this server.</p>
 
<hr>
 
<address>Apache/2.4.7 (Ubuntu) Server at localhost Port 80</address>
 
</body></html>
 
  
Bisa juga di cek di
+
curl 'http://localhost/?q="><script>alert(1)</script>'
  
/var/log/apache2/modsec_audit.log
+
===SQLi===
  
 +
curl "http://localhost/?q='1 OR 1=1"
  
 +
===Responds===
  
 +
Harusnya akan dapat kode kira-kira
  
 +
403 Forbidden
  
 +
===Cek Log===
  
 +
watch -n 2 "tail /var/log/apache2/modsec_audit.log"
  
 +
atau
  
 +
tail -f /var/log/apache2/modsec_audit.log
  
 
==Referensi==
 
==Referensi==
  
 
* https://2buntu.com/articles/1571/installing-lamp-modsecurity-modsecurity-crs-on-ubuntu-1604/
 
* https://2buntu.com/articles/1571/installing-lamp-modsecurity-modsecurity-crs-on-ubuntu-1604/

Latest revision as of 20:46, 15 January 2021

sumber: https://2buntu.com/articles/1571/installing-lamp-modsecurity-modsecurity-crs-on-ubuntu-1604/


Install Apache

sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
apt-get install apache2 php7.0 php7.0-xmlrpc php7.0-mysql php7.0-gd php7.0-cli \
php7.0-curl mysql-client mysql-server dovecot-common dovecot-imapd \
dovecot-pop3d postfix squirrelmail squirrelmail-decode php7.0 php5.6 \
php5.6-mysql php-gettext php5.6-mbstring php-mbstring php7.0-mbstring \
php-xdebug libapache2-mod-php5.6 libapache2-mod-php7.0
sudo apt-get install libxml2 libxml2-dev libxml2-utils \
libaprutil1 libaprutil1-dev

Install ModSecurity

sudo su
apt update
apt -y install libapache2-modsecurity

Ubuntu 20.04

apt -y install libapache2-mod-security2

cek

apachectl -M | grep --color security

Install ModSecurity Core Rule Set (CRS)

Instalasi dari Github

Ubuntui 20.04

cd ~
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd ~/owasp-modsecurity-crs
sudo mv crs-setup.conf.example /etc/modsecurity/crs-setup.conf
sudo mv rules/ /etc/modsecurity/

Versi lama

rm -rf /usr/share/modsecurity-crs
apt-get install -y git
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
cp /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf


Silahkan baca2 file crs-setup.conf kalau mau mengerti cara / proses deteksi. Ada bagian PARANOID :) ..

Setup ModSecurity CRS

mkdir -p /usr/share/modsecurity-crs/activated_rules/
cd /usr/share/modsecurity-crs
for f in `ls rules`; do sudo ln -s ../rules/$f activated_rules/$f; done

Konfigurasi

Edit modsecurity.conf agar

mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
vi /etc/modsecurity/modsecurity.conf

Ubah

SecRuleEngine DetectionOnly

menjadi

SecRuleEngine On


Edit security2.conf

vi /etc/apache2/mods-available/security2.conf

Tambahkan IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf

<IfModule security2_module>
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity

        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        IncludeOptional /etc/modsecurity/*.conf
        Include "/usr/share/modsecurity-crs/*.conf"
        Include "/usr/share/modsecurity-crs/activated_rules/*.conf"
</IfModule>

Reload Apache

Enable module

a2enmod headers
a2enmod security2
service apache2 reload


Cara Disable module

a2dismod headers
a2dismod security2
service apache2 reload

Test

Jika anda menginstalasi DVWA, bisa di lakukan test ke DVWA dengan kondisi module di enable / disable.

XSS

curl 'http://localhost/?q="><script>alert(1)</script>'

SQLi

curl "http://localhost/?q='1 OR 1=1"

Responds

Harusnya akan dapat kode kira-kira

403 Forbidden

Cek Log

watch -n 2 "tail /var/log/apache2/modsec_audit.log"

atau

tail -f /var/log/apache2/modsec_audit.log

Referensi