ModSec Rules - Update
From HS Syswiki
Version as of 23 May 2017, 10:09
Changelog
Used version in prod: 1.123 (09.05.2017/DNA)
Download
Download the rule set from https://waf.comodo.com/user/cwaf_revisions on your workstation. Credentials:
<pre>
jezejisy-8475@yopmail.com:testor1234
</pre>
Copy the downloaded files to bkp001.
Prepare Rules
All of this is done on bkp001.
1. Go to a temporary (or your own) directory and unpack the archive:
<pre>
mkdir cwaf_rules_<ver>
cd cwaf_rules_<ver>
tar xvzf ../cwaf_rules-<ver>.tgz
</pre>
2. Comment out the rules with the following IDs in the named files. Which list applies depends on the CWAF rule-set version:
List for versions before 1.114:
<pre>
01_Global_Generic.conf:         210480 210481
02_Global_Agents.conf:          210830 210831
07_XSS_XSS.conf:                212660 212510 212540 212750 213020 212800
26_Apps_Joomla.conf:            220240
32_Apps_OtherApps.conf:         222131 242380
20_Outgoing_FilterInFrame.conf: 214530 214540
21_Outgoing_FiltersEnd.conf:    214940
16_Outgoing_FilterPHP.conf:     214420
29_Apps_WPPlugin.conf:          226680
28_Apps_WordPress.conf:         225030 225031 225110
</pre>
Reworked list, since 1.114:
<pre>
01_Global_Generic.conf:         210480 210481
12_HTTP_Protocol.conf:          217250 217270
02_Global_Agents.conf:          210831
20_Outgoing_FilterInFrame.conf: 214530
24_SQL_SQLi.conf:               218540 218550
26_Apps_Joomla.conf:            220240 218550
28_Apps_WordPress.conf:         225030 225031
32_Apps_OtherApps.conf:         222131 242380 220795
08_Global_Other.conf:           210580 215090
</pre>
Reworked list, since 1.124 (note that the file numbering changed with this version):
<pre>
02_Global_Generic.conf:         210480 210481 210681 210682 210685 210686 210687 210688
                                210691 210692 210693 210695 210696 210698 210760 210761
                                210762 210763 210765 210767 210771 210772 210773 210775
                                210776 210777 210778 210779
03_Global_Agents.conf:          210831
21_Outgoing_FilterInFrame.conf: 214530
26_Apps_Joomla.conf:            220240
28_Apps_WordPress.conf:         225030 225031
32_Apps_OtherApps.conf:         222131 242380 220795
08_XSS_XSS.conf:                212000
09_Global_Other.conf:           210580 215090
</pre>
Attention: always comment out a chained block as a whole, including its continuation lines and an enclosing LocationMatch. ModSecurity requires an id on every rule that is not a chained continuation, so if only the first rule of a chain is commented out, the remaining "chain" rules are left without an id and the configuration test fails. Like this:
<pre>
#<LocationMatch "/index\.php$">
#SecRule REQUEST_METHOD "@streq POST" \
#    "id:220240,chain,msg:'COMODO WAF: found CVE 2013-5576 attack',phase:2,deny,status:403,log"
#SecRule ARGS_GET:option "@streq com_media" \
#    "chain"
#SecRule ARGS_GET:task "@rx ^file\.upload$" \
#    "chain"
#SecRule ARGS_GET:tmpl "@streq component" \
#    "chain"
#SecRule FILES_NAMES "@rx ^Filedata\[\]$" \
#    "chain"
#SecRule MULTIPART_FILENAME "@rx \..+\.$"
#</LocationMatch>
</pre>
or
<pre>
#SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "\bbackground-image:" \
#    "id:212660,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack',phase:2,severity:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:'auditLogParts=+E',t:'none',t:'htmlEntityDecode',t:'compressWhiteSpace',t:'lowercase'"
</pre>
3. Change the default deny status code from 403 to 510 in all rule files (fail2ban's modsec action watches for this status code):
<pre>
sed -i 's|status:403|status:510|g' *
</pre>
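Commenting out thirty-odd rule IDs by hand, each with its chained followers, is where this procedure goes wrong in practice. The script below is an added example and not part of this wiki page or of the CWAF rule set: it performs steps 2 and 3 on an unpacked cwaf_rules_<ver> directory and then verifies that none of the listed IDs is still active. The function names (comment_rules, prepare_dir, check_disabled, active_ids), the awk-based parsing and the sample rule file in write_sample are my own assumptions; the sample is constructed from the two rules quoted above plus one invented rule (id 999001) that must stay active. It assumes ModSecurity 2.x syntax with the id on the statement that opens a chain, which is the CWAF layout.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: disable CWAF rules by ID
# as step 2 requires (always the whole chained block), apply the status-code
# change of step 3 and verify the result before the files go to a server.
# Assumes ModSecurity 2.x "SecRule ... \" syntax with "id:NNN" on the statement
# that opens a chain; the rule file in write_sample is constructed for the demo.

# comment_rules "ID ID ..." < in.conf > out.conf
# A SecRule/SecAction whose id is listed is commented out together with its
# backslash-continued lines and, if its actions contain "chain", with every
# following statement up to and including the first one without "chain".
# Comments, blank lines and container tags such as <LocationMatch> pass through
# unchanged (an emptied <LocationMatch> is still valid Apache configuration).
comment_rules() {
    awk -v ids="$1" '
    function emit(   i, prefix, hit, chained, idstr) {
        prefix = ""
        if (stmt ~ /^[ \t]*Sec(Rule|Action)[ \t]/) {
            hit = 0
            if (match(stmt, /[",]id:[0-9]+/)) {
                idstr = substr(stmt, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", idstr)
                if (idstr in want) hit = 1
            }
            chained = (stmt ~ /[",]chain[",]/) ? 1 : 0
            if (in_chain || hit) {
                prefix = "#"
                in_chain = chained   # stay in the chain while this rule says "chain"
            }
        }
        for (i = 1; i <= nb; i++) print prefix buf[i]
        nb = 0; stmt = ""
    }
    BEGIN {
        n = split(ids, a, " ")
        for (i = 1; i <= n; i++) want[a[i]] = 1
        in_chain = 0; nb = 0; stmt = ""
    }
    {
        buf[++nb] = $0                  # physical lines of the current statement
        stmt = stmt " " $0
        if ($0 !~ /\\[ \t]*$/) emit()   # no trailing backslash: statement complete
    }
    END { if (nb > 0) emit() }'
}

# Step 3: the fail2ban action matches on 510, so every status:403 becomes 510.
set_deny_status() { sed 's|status:403|status:510|g'; }

# prepare_file "ID ID ..." in.conf out.conf
prepare_file() { comment_rules "$1" < "$2" | set_deny_status > "$3"; }

# prepare_dir "ID ID ..." dir : rewrite every *.conf in dir in place.
# Rule IDs are unique across the rule set, so one combined list is enough.
prepare_dir() {
    for f in "$2"/*.conf; do
        prepare_file "$1" "$f" "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# active_ids < rules.conf : ids of rules that are still active (not commented)
active_ids() {
    grep -v '^[[:space:]]*#' | grep -o '[",]id:[0-9]*' | tr -dc '0-9\n' | sort -u
}

# check_disabled "ID ID ..." rules.conf : fail if any listed id is still active
check_disabled() {
    for id in $1; do
        if active_ids < "$2" | grep -qx "$id"; then
            echo "rule $id is still active in $2" >&2
            return 1
        fi
    done
}

# Constructed sample in the CWAF layout: the chained Joomla rule from the page
# inside <LocationMatch>, the XSS rule id 212660, and an invented rule (999001).
write_sample() {
    cat > "$1" <<'EOF'
<LocationMatch "/index\.php$">
SecRule REQUEST_METHOD "@streq POST" \
    "id:220240,chain,msg:'COMODO WAF: found CVE 2013-5576 attack',phase:2,deny,status:403,log"
SecRule ARGS_GET:option "@streq com_media" \
    "chain"
SecRule ARGS_GET:task "@rx ^file\.upload$" \
    "chain"
SecRule MULTIPART_FILENAME "@rx \..+\.$"
</LocationMatch>

SecRule ARGS "\bbackground-image:" \
    "id:212660,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack',phase:2,deny,status:403,log"
SecRule ARGS "@rx select.*from" \
    "id:999001,msg:'constructed rule that must stay active',phase:2,deny,status:403,log"
EOF
}

# Usage: sh prepare_rules.sh demo  (for real use: prepare_dir "<ids>" cwaf_rules_<ver>)
if [ "${1-}" = demo ]; then
    dir=$(mktemp -d)
    write_sample "$dir/26_Apps_Joomla.conf"
    prepare_dir "220240 212660" "$dir"
    check_disabled "220240 212660" "$dir/26_Apps_Joomla.conf"
    cat "$dir/26_Apps_Joomla.conf"
    rm -rf "$dir"
fi
```

The parser works on logical statements rather than physical lines, which is what makes the chain handling reliable: a rule's id may sit on a continuation line, and the decision to comment the next statement depends on whether the current one carries "chain". Run check_disabled on every file after prepare_dir and only then continue with the configuration test on tux3.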
Test
Test on one server (e.g. tux3):
- back up the current rule files on the server:
<pre>
cp -a /usr/local/apache2/conf/mod_security2/cwaf-rules /usr/local/apache2/conf/mod_security2/cwaf-rules_`date -I`
</pre>
- copy the (modified) cwaf files to the server:
<pre>
scp * tux3:/usr/local/apache2/conf/mod_security2/cwaf-rules/
</pre>
- test the configuration:
<pre>
/usr/local/apache2/sbin/apache2ctl -t
</pre>
If the configuration test reports an error (typically a half-commented chain), restore the dated backup directory before restarting; do not restart with a broken configuration.
- restart the Apache web server:
<pre>
/etc/init.d/apache2 restart
</pre>
- watch the default error log for ModSecurity messages:
<pre>
tail -fF /var/log/httpd/error_log | grep -i modsec
</pre>
Deploy
If all went fine, do the same on the other servers using dscp and dssh:
<pre>
dssh cp -a /usr/local/apache2/conf/mod_security2/cwaf-rules /usr/local/apache2/conf/mod_security2/cwaf-rules_`date -I`
dscp * []:/usr/local/apache2/conf/mod_security2/cwaf-rules/
dssh /etc/init.d/apache2 reload
</pre>