투덜이 개발자

Applying modsecurity-crs on CentOS Linux 7

엠투 2025. 5. 9. 16:29

# Download and unpack OWASP CRS 3.3.4
sudo wget https://github.com/coreruleset/coreruleset/archive/v3.3.4.tar.gz
tar xvfzp v3.3.4.tar.gz

# Move the rule set under the Apache configuration directory
mkdir /etc/httpd/modsecurity-crs
mv coreruleset-3.3.4 /etc/httpd/modsecurity-crs/.

# Activate the CRS setup file
cd /etc/httpd/modsecurity-crs/coreruleset-3.3.4
mv crs-setup.conf.example crs-setup.conf

# OWASP CRS (Core Rule Set) 3.3.4 is used, and
# &MULTIPART_PART_HEADERS is not recognised by ModSecurity v2,
# so the rule file that uses it is disabled by renaming it
mv /etc/httpd/modsecurity-crs/coreruleset-3.3.4/rules/REQUEST-922-MULTIPART-ATTACK.conf \
   /etc/httpd/modsecurity-crs/coreruleset-3.3.4/rules/REQUEST-922-MULTIPART-ATTACK.conf.disabled


vi /etc/httpd/modsecurity-crs/coreruleset-3.3.4/rules/REQUEST-949-BLOCKING-EVALUATION.conf

#SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
#    "id:949110,\
#    phase:2,\
#    deny,\
#    t:none,\
#    log,\
#    msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\
#    tag:'application-multi',\
#    tag:'language-multi',\
#    tag:'platform-multi',\
#    tag:'attack-generic',\
#    ver:'OWASP_CRS/3.3.4',\
#    severity:'CRITICAL',\
#    setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"


# Rule that increments the anomaly score (using setvar)
SecAction "id:949110, phase:2, t:none, pass, nolog, setvar:tx.anomaly_score=+0.5"

# Rule that blocks when the anomaly score exceeds the threshold
SecRule TX:ANOMALY_SCORE "@ge 30" \
    "id:949111,\
    phase:2,\
    deny,\
    t:none,\
    log,\
    msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-generic',\
    ver:'OWASP_CRS/3.3.4',\
    severity:'CRITICAL',\
    setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
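The edit above keeps the original 949110 as a comment and reuses its id for a new SecAction, which is only valid because a commented-out rule is never loaded; two active rules with the same id make Apache refuse to start. The following Python script is an added example (not from the original post or from the CRS project) that checks a set of rule files for duplicate ids, joining backslash-continued lines and skipping comments the way ModSecurity does. The sample text is a constructed, abbreviated copy of the edited REQUEST-949-BLOCKING-EVALUATION.conf and the file names passed to `duplicate_ids` are placeholders. One further caveat on the SecAction: the ModSecurity reference manual documents `setvar` increments with integer values (for example `setvar:tx.anomaly_score=+5`), so check on your build that the fractional `+0.5` increment actually changes the score before relying on it.

```python
"""Check ModSecurity rule files for duplicate rule ids.

Added example, not part of the original post. A commented-out rule is
inactive, so the commented original 949110 and the new SecAction 949110
do not collide; two active rules with the same id make Apache refuse
to start with "Found another rule with the same id".
"""
import re
import sys
from collections import defaultdict
from pathlib import Path

# Matches the id action inside a SecRule / SecAction action list.
ID_RE = re.compile(r"\bid:'?(\d+)'?")


def logical_lines(text):
    """Join backslash-continued lines into the single directive ModSecurity sees."""
    out, buf = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        out.append(" ".join(buf))
        buf = []
    if buf:  # file ended inside a continuation
        out.append(" ".join(buf))
    return out


def rule_ids(text):
    """Return {rule id: occurrences} for active (uncommented) SecRule/SecAction directives."""
    counts = defaultdict(int)
    for line in logical_lines(text):
        stripped = line.lstrip()
        if stripped.startswith("#"):
            continue  # comments, including commented-out rules, are not loaded
        if not stripped.startswith(("SecRule", "SecAction")):
            continue
        m = ID_RE.search(stripped)
        if m:
            counts[int(m.group(1))] += 1
    return dict(counts)


def duplicate_ids(files):
    """files: {path: text}. Return {rule id: [paths]} for ids defined more than once."""
    seen = defaultdict(list)
    for path, text in files.items():
        for rid, n in rule_ids(text).items():
            seen[rid].extend([path] * n)
    return {rid: paths for rid, paths in seen.items() if len(paths) > 1}


# Constructed, abbreviated copy of the edited REQUEST-949-BLOCKING-EVALUATION.conf.
SAMPLE_949 = r"""
#SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
#    "id:949110,\
#    phase:2,\
#    deny,\
#    log,\
#    setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"

SecAction "id:949110, phase:2, t:none, pass, nolog, setvar:tx.anomaly_score=+0.5"

SecRule TX:ANOMALY_SCORE "@ge 30" \
    "id:949111,\
    phase:2,\
    deny,\
    log,\
    msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\
    setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
"""

# Same file with a second active rule reusing 949111: the mistake the check catches.
SAMPLE_COLLISION = SAMPLE_949 + '\nSecAction "id:949111,phase:1,pass,nolog"\n'


if __name__ == "__main__":
    # Usage: python check_rule_ids.py /etc/httpd/modsecurity-crs/coreruleset-3.3.4/rules/*.conf
    if len(sys.argv) > 1:
        files = {p: Path(p).read_text(encoding="utf-8", errors="replace") for p in sys.argv[1:]}
    else:  # no paths given: run against the constructed samples (placeholder names)
        files = {"sample/REQUEST-949-BLOCKING-EVALUATION.conf": SAMPLE_949,
                 "sample/collision.conf": SAMPLE_COLLISION}
    dups = duplicate_ids(files)
    for rid, paths in sorted(dups.items()):
        print(f"duplicate id {rid}: {', '.join(paths)}")
    sys.exit(1 if dups else 0)
```

Run it over the whole rules directory plus custom_exceptions.conf after every edit; a non-zero exit means `apachectl configtest` would also fail on the same ids.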

 

vi /etc/httpd/conf.d/mod_security.conf

<IfModule mod_security2.c>
	# ModSecurity Core Rules Set configuration
	IncludeOptional modsecurity.d/*.conf
	IncludeOptional modsecurity.d/activated_rules/*.conf

	# coreruleset-3.3.4 exceptions; included before the CRS rules so that the
	# runtime ctl:ruleRemove* exclusions are evaluated ahead of the rules they modify
	IncludeOptional /etc/httpd/modsecurity-crs/custom_exceptions.conf

	# coreruleset-3.3.4 setup and rules
	IncludeOptional /etc/httpd/modsecurity-crs/coreruleset-3.3.4/crs-setup.conf
	IncludeOptional /etc/httpd/modsecurity-crs/coreruleset-3.3.4/rules/*.conf
</IfModule>

 

# Add exception settings

vi /etc/httpd/modsecurity-crs/custom_exceptions.conf

# 110001 runs in phase 1 (ARGS_NAMES from the query string only) and 110002 in
# phase 2 (after the request body has been parsed); each removes the named
# argument from the listed CRS rule instead of disabling the rule outright
SecRule ARGS_NAMES "@rx ^(contents|cf_footer|irs_info|address_email_info|ksc_time|staff_info)$" \
  "id:110001,phase:1,pass,nolog,\
  ctl:ruleRemoveTargetById=941310;ARGS:contents,\
  ctl:ruleRemoveTargetById=941310;ARGS:cf_footer,\
  ctl:ruleRemoveTargetById=941310;ARGS:irs_info,\
  ctl:ruleRemoveTargetById=941310;ARGS:address_email_info,\
  ctl:ruleRemoveTargetById=932130;ARGS:cf_footer"

SecRule ARGS_NAMES "@rx ^(contents|cf_footer|irs_info|address_email_info|ksc_time|staff_info)$" \
  "id:110002,phase:2,pass,nolog,\
  ctl:ruleRemoveTargetById=941310;ARGS:contents,\
  ctl:ruleRemoveTargetById=941310;ARGS:cf_footer,\
  ctl:ruleRemoveTargetById=941310;ARGS:irs_info,\
  ctl:ruleRemoveTargetById=941310;ARGS:address_email_info,\
  ctl:ruleRemoveTargetById=932130;ARGS:cf_footer,\
  ctl:ruleRemoveTargetById=932130;ARGS:address_email_info,\
  ctl:ruleRemoveTargetById=932130;ARGS:contents,\
  ctl:ruleRemoveTargetById=932115;ARGS:contents,\
  ctl:ruleRemoveTargetById=941180;ARGS:contents,\
  ctl:ruleRemoveTargetById=941310;ARGS:ksc_time,\
  ctl:ruleRemoveTargetById=941310;ARGS:staff_info"
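Deciding which rule id to exclude for which argument is normally done from the ModSecurity log rather than by guesswork. The script below is an added example (not the post's or the CRS project's code) that parses ModSecurity 2.x entries from the Apache error log, counts (rule id, ARGS:name) pairs with the URIs they fired on, and renders the frequent ones as a `ctl:ruleRemoveTargetById` rule in the same shape as 110002 above. The log lines are constructed for the example (hostnames, URIs, line numbers, unique ids and the abbreviated pattern text are made up; only the rule ids are the ones discussed on this page), the rule id 110003 is a placeholder in the local id range, and `min_hits` is an assumed tuning knob: a pair that fired once may be a real attack rather than a false positive, so it is not excluded by default.

```python
"""Summarise ModSecurity 2.x rule hits and draft per-argument exclusions.

Added example, not from the original post. Input: Apache error-log lines
written by mod_security2. Output: ctl:ruleRemoveTargetById actions of the
kind used in custom_exceptions.conf above.
"""
import re
import sys
from collections import Counter, defaultdict

ID_RE = re.compile(r'\[id "(\d+)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')
# "... at ARGS:contents. [file ..." -> the variable the rule matched against
TARGET_RE = re.compile(r' at (?P<target>[A-Z_]+:[^\s\]]+?)\. \[file ')

# Constructed sample entries: hostnames, URIs, line numbers, unique ids and the
# abbreviated "Pattern match" text are made up for this example.
CRS = "/etc/httpd/modsecurity-crs/coreruleset-3.3.4/rules"
SAMPLE_LOG = [
    f'[Fri May 09 16:29:01.000001 2025] [:error] [pid 2048] [client 203.0.113.10:51234] ModSecurity: Warning. Pattern match "(?i)<[^>]*>" at ARGS:contents. [file "{CRS}/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "183"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected."] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/board/write"] [unique_id "constructed-01"]',
    f'[Fri May 09 16:29:02.000001 2025] [:error] [pid 2048] [client 203.0.113.11:51235] ModSecurity: Warning. Pattern match "(?i)<[^>]*>" at ARGS:contents. [file "{CRS}/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "183"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected."] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/board/write"] [unique_id "constructed-02"]',
    f'[Fri May 09 16:29:03.000001 2025] [:error] [pid 2049] [client 203.0.113.12:51236] ModSecurity: Warning. Pattern match "(?i)<[^>]*>" at ARGS:cf_footer. [file "{CRS}/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "183"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected."] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/admin/config"] [unique_id "constructed-03"]',
    f'[Fri May 09 16:29:03.000002 2025] [:error] [pid 2049] [client 203.0.113.12:51236] ModSecurity: Warning. Pattern match "(?i)\\$\\(" at ARGS:cf_footer. [file "{CRS}/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "210"] [id "932130"] [msg "Remote Command Execution: Unix Shell Expression Found"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/admin/config"] [unique_id "constructed-03"]',
    f'[Fri May 09 16:29:04.000001 2025] [:error] [pid 2049] [client 203.0.113.12:51237] ModSecurity: Warning. Pattern match "(?i)\\$\\(" at ARGS:cf_footer. [file "{CRS}/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "210"] [id "932130"] [msg "Remote Command Execution: Unix Shell Expression Found"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/admin/config"] [unique_id "constructed-04"]',
    f'[Fri May 09 16:29:05.000001 2025] [:error] [pid 2050] [client 198.51.100.7:40001] ModSecurity: Warning. Pattern match "(?i)\\bonload\\b" at ARGS:q. [file "{CRS}/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "95"] [id "941180"] [msg "Node-Validator Blacklist Keywords"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "constructed-05"]',
    f'[Fri May 09 16:29:05.000002 2025] [:error] [pid 2050] [client 198.51.100.7:40001] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 30 at TX:anomaly_score. [file "{CRS}/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "55"] [id "949111"] [msg "Inbound Anomaly Score Exceeded (Total Score: 35)"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "constructed-05"]',
    "[Fri May 09 16:29:09.000001 2025] [core:notice] [pid 2048] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'",
]


def parse_line(line):
    """Extract rule id, matched variable, URI and message from one log line, or None."""
    if "ModSecurity:" not in line:
        return None
    m = ID_RE.search(line)
    if m is None:
        return None
    t, u, g = TARGET_RE.search(line), URI_RE.search(line), MSG_RE.search(line)
    return {
        "id": int(m.group(1)),
        "target": t.group("target") if t else None,
        "uri": u.group(1) if u else None,
        "msg": g.group(1) if g else "",
    }


def arg_hits(lines):
    """Count (rule id, ARGS:name) pairs and remember the URIs each pair fired on.

    Entries without an ARGS target (e.g. the 949111 TX:anomaly_score denial,
    which only reports the total) are skipped: an exclusion must name the
    contributing rule, not the blocking rule.
    """
    counts, uris = Counter(), defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e is None or not (e["target"] or "").startswith("ARGS:"):
            continue
        key = (e["id"], e["target"])
        counts[key] += 1
        uris[key].add(e["uri"])
    return counts, uris


def exclusion_directives(counts, min_hits=2):
    """ctl actions for pairs seen at least min_hits times (a single hit may be a real attack)."""
    return [f"ctl:ruleRemoveTargetById={rid};{target}"
            for (rid, target), n in sorted(counts.items()) if n >= min_hits]


def render_rule(rule_id, directives):
    """Assemble a SecRule ARGS_NAMES exclusion rule shaped like 110002 above."""
    names = sorted({d.split(";ARGS:")[1] for d in directives})
    alternation = "|".join(names)
    body = ",\\\n  ".join(directives)
    return (f'SecRule ARGS_NAMES "@rx ^({alternation})$" \\\n'
            f'  "id:{rule_id},phase:2,pass,nolog,\\\n  {body}"')


if __name__ == "__main__":
    # Usage: python crs_exclusions.py /var/log/httpd/error_log   (no argument: built-in sample)
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    counts, uris = arg_hits(lines)
    for (rid, target), n in sorted(counts.items()):
        print(f"{rid} {target:<30} hits={n:<3} uris={sorted(uris[(rid, target)])}")
    print(render_rule(110003, exclusion_directives(counts)))  # 110003: placeholder local id
```

Review the URI column before pasting the rendered rule into custom_exceptions.conf: a pair that only fires on the editor's own form is a candidate for exclusion, while the same pair firing from many unrelated URIs or client addresses is the rule doing its job.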


vi /etc/httpd/modsecurity-crs/coreruleset-3.3.4/rules/999-whitelist-summernote.conf

# Exceptions for content uploaded from the web editor (Summernote)
# Note: "@beginsWith /" matches every request, so these six rules disable the
# listed 941xxx XSS rules site-wide; narrow the prefix to the editor's upload
# path if only that endpoint needs the exception
SecRule REQUEST_URI "@beginsWith /" "id:1001,phase:1,nolog,pass,ctl:ruleRemoveById=941100"
SecRule REQUEST_URI "@beginsWith /" "id:1002,phase:1,nolog,pass,ctl:ruleRemoveById=941130"
SecRule REQUEST_URI "@beginsWith /" "id:1003,phase:1,nolog,pass,ctl:ruleRemoveById=941140"
SecRule REQUEST_URI "@beginsWith /" "id:1004,phase:1,nolog,pass,ctl:ruleRemoveById=941160"
SecRule REQUEST_URI "@beginsWith /" "id:1005,phase:1,nolog,pass,ctl:ruleRemoveById=941170"
SecRule REQUEST_URI "@beginsWith /" "id:1006,phase:1,nolog,pass,ctl:ruleRemoveById=941200"