ModSec Rules - Update
From HS Syswiki
https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/rules-updates-changelog-t101377.30.html
Current version as of 21 March 2018, 11:36
== Changelog ==
Used version in prod: 1.159 (21.03.2018/dna)
== Download ==
Download from https://waf.comodo.com/user/cwaf_revisions on your workstation; credentials:
jezejisy-8475@yopmail.com:testor1234
Copy downloaded files to bkp001
NOTE: https://github.com/SpiderLabs/owasp-modsecurity-crs
== Prepare Rules ==
All of this is done on bkp001.
1. Go to a temporary (or your own) directory and unpack the downloaded archive:
<pre>
mkdir cwaf_rules_<ver>
cd cwaf_rules_<ver>
tar xvzf ../cwaf_rules-<ver>.tgz
</pre>
2. Comment out the rules with the following IDs within the named files (list reworked since version 1.123):
<pre>
Rules with counters

00_Init_Initialization.conf
210030

10_Bruteforce_Bruteforce.conf
230000
230001
230005
230006
230007
230011
230021
230031

12_HTTP_HTTPDoS.conf
230040
217100
217130
217140
217160
217170

32_Apps_OtherApps.conf
240332
240333
240335
240336
</pre>

<pre>
Rule to disable for the PostFinance payment module

03_Global_Agents.conf
210831
</pre>

<pre>
OLD disabled rules

01_Init_AppsInitialization.conf
209500
209501
209502
209503
209510
209520
209530
219000

02_Global_Generic.conf
210480
210481
210484
210681
210682
210685
210686
210687
210688
210691
210692
210693
210695
210696
210698
210760
210761
210762
210763
210764
210765
210767
210771
210772
210773
210775
210776
210777
210778
210779

03_Global_Agents.conf
210831

12_HTTP_HTTPDoS.conf
217110
217120
217160
217170

21_Outgoing_FilterInFrame.conf
214530

26_Apps_Joomla.conf
220240

28_Apps_WordPress.conf
225030
225031

32_Apps_OtherApps.conf
222131
242380
220795

08_XSS_XSS.conf
212000

09_Global_Other.conf
210580
215090
</pre>
'''Attention:''' Comment out the whole block as one unit (a chained rule and its enclosing LocationMatch belong together), like this:
<pre>
#<LocationMatch "/index\.php$">
#SecRule REQUEST_METHOD "@streq POST" \
#    "id:220240,chain,msg:'COMODO WAF: found CVE 2013-5576 attack',phase:2,deny,status:403,log"
#SecRule ARGS_GET:option "@streq com_media" \
#    "chain"
#SecRule ARGS_GET:task "@rx ^file\.upload$" \
#    "chain"
#SecRule ARGS_GET:tmpl "@streq component" \
#    "chain"
#SecRule FILES_NAMES "@rx ^Filedata\[\]$" \
#    "chain"
#SecRule MULTIPART_FILENAME "@rx \..+\.$"
#</LocationMatch>
</pre>
or
<pre>
#SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "\bbackground-image:" \
#    "id:212660,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack',phase:2,severity:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:'auditLogParts=+E',t:'none',t:'htmlEntityDecode',t:'compressWhiteSpace',t:'lowercase'"
</pre>
3. Change the standard deny status code (fail2ban watches for this status code to trigger its modsec action):
<pre>
sed -i 's|status:403|status:510|g' *
</pre>
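Commenting out blocks by hand is where half-disabled chains come from. As an added helper that is not part of this wiki page or of the CWAF rule set, the script below disables rules by id as whole blocks: it follows every chain member and also comments an enclosing <LocationMatch> wrapper, exactly like the hand-edited example above. It assumes the CWAF layout of one directive per line with backslash continuations; the sample rules are constructed from the Joomla block quoted above.

```python
import re
# Added helper, not from the wiki page; assumes one directive per line, "\" continuations.
_RULE_ID = re.compile(r"\bid:'?(\d+)")
_CHAIN = re.compile(r"[,\"']chain(?:[,\"']|$)")  # 'chain' as an action token
# Constructed sample, modelled on the Joomla block quoted on the page.
SAMPLE = r'''SecRule REQUEST_HEADERS:User-Agent "@rx foo" \
    "id:999999,phase:1,deny,status:403,log"
<LocationMatch "/index\.php$">
SecRule REQUEST_METHOD "@streq POST" \
    "id:220240,chain,msg:'COMODO WAF: found CVE 2013-5576 attack',phase:2,deny,status:403,log"
SecRule ARGS_GET:option "@streq com_media" \
    "chain"
SecRule MULTIPART_FILENAME "@rx \..+\.$"
</LocationMatch>
'''

def _statements(lines):
    """Join '\\' continuation lines into logical statements."""
    stmts, cur = [], []
    for line in lines:
        cur.append(line)
        if not line.rstrip().endswith("\\"):
            stmts.append(cur); cur = []
    return stmts + ([cur] if cur else [])

def comment_out_rules(text, ids):
    """Comment out rules with ids in `ids` as whole blocks (chain + <LocationMatch> wrapper)."""
    ids = {str(i) for i in ids}
    stmts = _statements(text.splitlines())
    out, i, loc_open, loc_hit = [], 0, None, False
    while i < len(stmts):
        stmt, head = list(stmts[i]), stmts[i][0].lstrip()
        if head.startswith("<LocationMatch"):
            loc_open, loc_hit = len(out), False
        elif head.startswith("</LocationMatch"):
            if loc_hit and loc_open is not None:  # a member was hit: wrap it too
                out[loc_open] = "#" + out[loc_open]
                stmt = ["#" + l for l in stmt]
            loc_open, loc_hit = None, False
        elif head.startswith(("SecRule", "SecAction")):
            while _CHAIN.search(" ".join(stmts[i])) and i + 1 < len(stmts):
                i += 1                      # 'chain' pulls the next rule in
                stmt.extend(stmts[i])
            m = _RULE_ID.search(" ".join(stmt))
            if m and m.group(1) in ids:
                stmt = ["#" + l for l in stmt]
                loc_hit = True
        out.extend(stmt)
        i += 1
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")
```

Already-commented lines never match, so running it twice over the same file is harmless; run `apache2ctl -t` afterwards as in the Test section.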
== Test ==
Test on one server (e.g. tux3) by
* backing up the current rule files: <code>cp -a /usr/local/apache2/conf/mod_security2/cwaf-rules /usr/local/apache2/conf/mod_security2/cwaf-rules_`date -I`</code>
* copying the (modified) cwaf files to the test server tux3: <code>scp * tux3:/usr/local/apache2/conf/mod_security2/cwaf-rules/</code>
* copying the (modified) cwaf files to the test server tux339: <code>scp * tux339:/usr/local/apache2/conf/mod_security2/cwaf-rules/</code>
* copying the (modified) cwaf files to the test server tux259: <code>scp * tux259:/usr/local/apache2/conf/mod_security2/cwaf-rules/</code>
* checking the following files: <code>ssh tux{3,339,259} hslsof</code>
* testing the configuration with <code>/usr/local/apache2/sbin/apache2ctl -t</code>
* restarting the Apache web server with <code>/etc/init.d/apache2 restart</code>
* checking the default error log with <code>tail -fF /var/log/httpd/error_log | grep -i modsec</code>
== Deploy ==
If all went fine, do the same on all servers using dscp and dssh:
<pre>
dssh cp -a /usr/local/apache2/conf/mod_security2/cwaf-rules /usr/local/apache2/conf/mod_security2/cwaf-rules_`date -I`
dssh "rm /usr/local/apache2/conf/mod_security2/cwaf-rules/*"
dscp * []:/usr/local/apache2/conf/mod_security2/cwaf-rules/
dssh " > /var/asl/data/msa/default_SESSION.pag && service apache2 restart "
</pre>