ModSecurity is behaving oddly in apache2.4 on ubuntu 14.04


I am trying to set up modsecurity in apache 2.4.7 as a reverse proxy for a tomcat application. For a normal request, it generates many log entries about allowed methods even though the method used is GET.

[Wed Mar 11 10:35:33.187404 2015] [:error] [pid 26124:tid 140113409455872] [client 41.66.208.198] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "pentest.mydomain.com"] [uri "/favicon.ico"] [unique_id "VQAadQoAAGwAAGYM9ykAAABE"]
[Wed Mar 11 10:35:33.187627 2015] [:error] [pid 26124:tid 140113409455872] [client 41.66.208.198] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "78"] [id "960034"] [rev "2"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"] [hostname "pentest.mydomain.com"] [uri "/favicon.ico"] [unique_id "VQAadQoAAGwAAGYM9ykAAABE"]

But based on the security.stackexchange and serverfault posts I should not have run into that problem.

I have the following in /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf

#
# Set the following policy settings here and they will be propagated to the 30 rules
# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
# If you run into false positives, you can adjust the settings here.
#
SecAction \
   "id:'900012', \
    phase:1, \
    t:none, \
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
    setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
    setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
    setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
    setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
    nolog, \
    pass"

I used the libapache2-modsecurity package and here is what is in the file /etc/apache2/mods-enabled/security2.conf

 <IfModule security2_module>
    # Default Debian dir for modsecurity's persistent data
    SecDataDir /var/cache/modsecurity

    # Include all the *.conf files in /etc/modsecurity.
    # Keeping your local configuration in that directory
    # will allow for an easy upgrade of THIS file and
    # make your life easier
    IncludeOptional /etc/modsecurity/*.conf
    Include /usr/share/modsecurity-crs/activated_rules/*.conf
 </IfModule>

Is there something I am not doing right? I would appreciate it if someone could shed some light on this for me.

Thanks in advance

posted by black sensei 12.03.2015 - 10:30

2 answers


From what I can see in the answer you linked, the file name should be modsecurity_crs_10_config.conf. In your post, you say that yours is instead called modsecurity_crs_10_setup.conf.

Two other possible issues I see are that your setvar lines all have spaces in front of them, while the answer's do not (but I strongly doubt that could cause problems). Also, your tx.allowed_request_content_type is separated by | rather than .

Changing those would make your file:

#
# Set the following policy settings here and they will be propagated to the 30 rules
# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
# If you run into false positives, you can adjust the settings here.
#
SecAction \
"id:'900012', \
phase:1, \
t:none, \
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml application/x-amf application/json', \
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
nolog, \
pass"

If none of the above fixes the problem, I would simply suggest loading the snippet straight from the answer and seeing whether that works, for reassurance:

#
# -=[ HTTP Policy Settings ]=-
#
# Set the following policy settings here and they will be propagated to the 30 rules
# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
# If you run into false positives, you can adjust the settings here.
#
SecAction "phase:1,id:'981212',t:none,nolog,pass, \
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml application/x-amf', \
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'"
answered 12.03.2015 - 12:09

Sorry for everyone's wasted time, I caused it myself. I kept reading on the SpiderLabs github page, page 41, and the first thing that occurred to me was that I had to include the file with xx_10_setup.conf in mods-enabled/security2.conf or make a symbolic link to activated_rules.

So the file name does not matter.

Thanks for everything.

answered 12.03.2015 - 14:47
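Why the warnings fired on every request, modelled in Python as an added example (not code from the post or from ModSecurity itself): it follows the Include lines of a security2.conf, gathers the tx.* variables the way phase 1 would, and applies the @within test behind rules 960032 and 960034. The directory tree, the setup file contents and the two security2.conf variants are constructed stand-ins for the poster's files.

```python
import glob, os, re, tempfile

# Constructed stand-in for the poster's setup file: only the two variables that matter here.
SETUP_CONF = """SecAction \\
  "id:'900012',phase:1,t:none, \\
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \\
  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \\
  nolog,pass"
"""
# security2.conf as posted (setup file never included) and with the fix from the second answer.
BROKEN = ("IncludeOptional /etc/modsecurity/*.conf\n"
          "Include /usr/share/modsecurity-crs/activated_rules/*.conf\n")
FIXED = "Include /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf\n" + BROKEN

SETVAR_RE = re.compile(r"setvar:'(tx\.[a-z_]+)=([^']*)'")

def collect_tx_vars(apache_conf, root):
    """Follow Include/IncludeOptional globs (resolved under root) and gather every
    tx.* setvar in the included files, in include order. Missing files yield nothing."""
    tx = {}
    for m in re.finditer(r"^\s*Include(?:Optional)?\s+(\S+)", apache_conf, re.M):
        for path in sorted(glob.glob(os.path.join(root, m.group(1).lstrip("/")))):
            with open(path) as fh:
                tx.update(SETVAR_RE.findall(fh.read()))
    return tx

def within(needle, haystack):
    """@within is a plain substring test; the macro for an unset variable expands to ""
    and nothing is within an empty string, so the negated CRS rule fires every time."""
    return needle in haystack

def policy_check(method, version, tx):
    """Outcome of rules 960032 and 960034 for one request: True means allowed."""
    return (within(method, tx.get("tx.allowed_methods", "")),
            within(version, tx.get("tx.allowed_http_versions", "")))

def simulate(security2_conf, method="GET", version="HTTP/1.1"):
    """Build a throwaway copy of the relevant directory tree and evaluate the policy."""
    root = tempfile.mkdtemp()
    crs = os.path.join(root, "usr/share/modsecurity-crs")
    os.makedirs(os.path.join(crs, "activated_rules"))
    os.makedirs(os.path.join(root, "etc/modsecurity"))
    with open(os.path.join(crs, "modsecurity_crs_10_setup.conf"), "w") as fh:
        fh.write(SETUP_CONF)
    return policy_check(method, version, collect_tx_vars(security2_conf, root))

if __name__ == "__main__":
    print("as posted:", simulate(BROKEN))   # (False, False): both warnings fire
    print("with fix: ", simulate(FIXED))    # (True, True)
```

The same model shows why symlinking the setup file into activated_rules works: any glob that reaches the file before the 30 rules run populates the variables.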
