ModSec Rules - Update
Aus HS Syswiki
(Unterschied zwischen Versionen)
Mrh (Diskussion | Beiträge) (→Update of ModSec Rules) |
Mrh (Diskussion | Beiträge) (→Update of ModSec Rules) |
||
| Zeile 67: | Zeile 67: | ||
sed -i 's|status:403|status:510|g' * | sed -i 's|status:403|status:510|g' * | ||
</pre> | </pre> | ||
| + | |||
| + | 5. Test on one server (e.g. tux3) by | ||
| + | * coping the (modified) cwaf files to <code>/usr/local/apache2/conf/mod_security2/cwaf-rules</code> | ||
| + | * restarting apache web server with <code>/etc/init.d/apache2 restart</code> | ||
| + | * check default error log (<code>/var/log/httpd/error_log</code>) | ||
| + | |||
| + | 6. If all went fine, do the same using dscp and dssh | ||
| + | |||
| + | |||
| + | 6. | ||
Version vom 12. August 2015, 11:41 Uhr
Update of ModSec Rules
1. Download from https://waf.comodo.com/user/cwaf_revisions
2. Go to a temporary (or your own) directory:
mkdir cwaf_rules_<ver> cd cwaf_rules_<ver> tar xvzf ../tar xvzf ../cwaf_rules-<ver>.tgz
3. Comment out rules with mentioned IDs within those files:
02_Global_Agents.conf: 210830 07_XSS_XSS.conf: 212660 212510 212540 212750 213020 212800 25_Apps_Joomla.conf: 220240 31_Apps_OtherApps.conf: 222131 20_Outgoing_FilterInFrame.conf: 214530 21_Outgoing_FiltersEnd.conf: 214940 16_Outgoing_FilterPHP.conf: 214420 28_Apps_WPPlugin.conf: 226680
Attention: Comment our whole Block sticking together, like this:
#<LocationMatch "/index\.php$"> #SecRule REQUEST_METHOD "@streq POST" \ # "id:220240,chain,msg:'COMODO WAF: found CVE 2013-5576 attack',phase:2,deny,status:403,log" #SecRule ARGS_GET:option "@streq com_media" \ # "chain" #SecRule ARGS_GET:task "@rx ^file\.upload$" \ # "chain" #SecRule ARGS_GET:tmpl "@streq component" \ # "chain" #SecRule FILES_NAMES "@rx ^Filedata\[\]$" \ # "chain" #SecRule MULTIPART_FILENAME "@rx \..+\.$" #</LocationMatch>
or
#SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "\bbackground-image:" \
# "id:212660,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack',phase:2,severity:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:'auditLogParts=+E',t:'none',t:'htmlEntityDecode',t:'compressWhiteSpace',t:'lowercase'"
4. Change standard error code (because fail2ban watches for this status code for modsec action):
sed -i 's|status:403|status:510|g' *
5. Test on one server (e.g. tux3) by
- coping the (modified) cwaf files to
/usr/local/apache2/conf/mod_security2/cwaf-rules - restarting apache web server with
/etc/init.d/apache2 restart - check default error log (
/var/log/httpd/error_log)
6. If all went fine, do the same using dscp and dssh
6.
