ModSec Rules - Update



Changelog

https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/rules-updates-changelog-t101377.30.html

Used version in prod: 1.143 (09.10.2017/dna)

Download

Download the rule set from https://waf.comodo.com/user/cwaf_revisions to your workstation, using these credentials:

jezejisy-8475@yopmail.com:testor1234

Copy the downloaded files to bkp001.

Prepare Rules

All of the following is done on bkp001.

1. Go to a temporary (or your own) directory:

mkdir cwaf_rules_<ver>
cd cwaf_rules_<ver>
tar xvzf ../cwaf_rules-<ver>.tgz

2. Comment out the rules with the following IDs in these files:

01_Global_Generic.conf:
210480
210481

02_Global_Agents.conf:
210830
210831

07_XSS_XSS.conf:
212660
212510
212540
212750
213020
212800

26_Apps_Joomla.conf:
220240

32_Apps_OtherApps.conf:
222131
242380

20_Outgoing_FilterInFrame.conf:
214530
214540

21_Outgoing_FiltersEnd.conf:
214940

16_Outgoing_FilterPHP.conf:
214420

29_Apps_WPPlugin.conf:
226680

28_Apps_WordPress.conf:
225030
225031
225110

2. Comment out the rules with the following IDs in these files (revised list, valid from version 1.114):

01_Global_Generic.conf
210480
210481

12_HTTP_Protocol.conf
217250
217270

02_Global_Agents.conf
210831

20_Outgoing_FilterInFrame.conf
214530

24_SQL_SQLi.conf
218540
218550

26_Apps_Joomla.conf
220240
218550

28_Apps_WordPress.conf
225030
225031

32_Apps_OtherApps.conf
222131
242380
220795

08_Global_Other.conf
210580
215090

2. Comment out the rules with the following IDs in these files (revised list, valid from version 1.123):

01_Init_AppsInitialization.conf
209500
209501
209502
209503
209510
209520
209530
219000

02_Global_Generic.conf
210480
210481
210484
210681
210682
210685
210686
210687
210688
210691
210692
210693
210695
210696
210698
210760
210761
210762
210763
210764
210765
210767
210771
210772
210773
210775
210776
210777
210778
210779

03_Global_Agents.conf
210831

12_HTTP_HTTPDoS.conf
217110
217120
217160
217170

21_Outgoing_FilterInFrame.conf
214530

26_Apps_Joomla.conf
220240

28_Apps_WordPress.conf
225030
225031

32_Apps_OtherApps.conf
222131
242380
220795

08_XSS_XSS.conf
212000

09_Global_Other.conf
210580
215090

Attention: a rule ID refers to the whole block it belongs to. Comment out the complete block, i.e. every chained SecRule and any enclosing LocationMatch, like this:

#<LocationMatch "/index\.php$">
#SecRule REQUEST_METHOD "@streq POST" \
#   "id:220240,chain,msg:'COMODO WAF: found CVE 2013-5576 attack',phase:2,deny,status:403,log"
#SecRule ARGS_GET:option "@streq com_media" \
#   "chain"
#SecRule ARGS_GET:task "@rx ^file\.upload$" \
#   "chain"
#SecRule ARGS_GET:tmpl "@streq component" \
#   "chain"
#SecRule FILES_NAMES "@rx ^Filedata\[\]$" \
#   "chain"
#SecRule MULTIPART_FILENAME "@rx \..+\.$"
#</LocationMatch>

or

#SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "\bbackground-image:" \
#   "id:212660,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack',phase:2,severity:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:'auditLogParts=+E',t:'none',t:'htmlEntityDecode',t:'compressWhiteSpace',t:'lowercase'"

3. Change the standard error code from 403 to 510 in all rule files (fail2ban identifies ModSecurity blocks by this status code):

sed -i 's|status:403|status:510|g' *
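The following helper is an added example, not part of this wiki page or of the Comodo rule set. It implements step 2 the way the attention note requires: given a rule ID it comments out every physical line of that rule, follows each `chain` action into the next SecRule, and also comments out an immediately enclosing LocationMatch block. SAMPLE is a constructed rule file modelled on the 220240 block shown above; applying it to the real .conf files (one file at a time, with the ID list for the version in use) is an assumption about how it would be used here.

```python
import re

# Constructed sample input: a chained rule inside <LocationMatch> (the shape
# of rule 220240 above) followed by an unrelated single rule that must stay.
SAMPLE = """\
<LocationMatch "/index\\.php$">
SecRule REQUEST_METHOD "@streq POST" \\
   "id:220240,chain,msg:'demo',phase:2,deny,status:403,log"
SecRule ARGS_GET:option "@streq com_media" \\
   "chain"
SecRule MULTIPART_FILENAME "@rx \\..+\\.$"
</LocationMatch>
SecRule ARGS "@rx foo" "id:999999,phase:2,deny,status:403"
"""


def _statements(lines):
    """Group physical line indexes into logical statements (backslash continuations)."""
    stmts, cur = [], []
    for i, line in enumerate(lines):
        cur.append(i)
        if not line.rstrip().endswith("\\"):
            stmts.append(cur)
            cur = []
    if cur:
        stmts.append(cur)
    return stmts


def comment_out_rules(text, ids):
    """Return text with every rule in ids (and its chain / LocationMatch) commented out."""
    lines = text.splitlines()
    stmts = _statements(lines)
    texts = [" ".join(lines[i] for i in s) for s in stmts]  # one string per statement
    to_comment = set()
    for rid in ids:
        id_re = re.compile(r"\bid:'?%s\b" % re.escape(str(rid)))
        for n, body in enumerate(texts):
            if not id_re.search(body):
                continue
            start = end = n
            # a 'chain' action pulls the following SecRule into the same block
            while end + 1 < len(texts) and re.search(r"[,\"']chain\b", texts[end]):
                end += 1
            # swallow a LocationMatch wrapper that directly encloses the chain
            if (start > 0 and texts[start - 1].lstrip().startswith("<LocationMatch")
                    and end + 1 < len(texts) and texts[end + 1].strip() == "</LocationMatch>"):
                start, end = start - 1, end + 1
            for s in stmts[start:end + 1]:
                to_comment.update(s)
    return "\n".join("#" + l if i in to_comment else l for i, l in enumerate(lines)) + "\n"


if __name__ == "__main__":
    print(comment_out_rules(SAMPLE, ["220240"]))
```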

Test

Test on one server (e.g. tux3) by

  • backing up the current rule files: cp -a /usr/local/apache2/conf/mod_security2/cwaf-rules /usr/local/apache2/conf/mod_security2/cwaf-rules_`date -I`
  • copying the (modified) cwaf files to the test servers: scp * tux3:/usr/local/apache2/conf/mod_security2/cwaf-rules/
  • copying the (modified) cwaf files to the test servers: scp * tux339:/usr/local/apache2/conf/mod_security2/cwaf-rules/
  • copying the (modified) cwaf files to the test servers: scp * tux259:/usr/local/apache2/conf/mod_security2/cwaf-rules/
  • checking the following files: ssh tux{3,339,259} hslsof
  • testing the configuration with /usr/local/apache2/sbin/apache2ctl -t
  • restarting the Apache web server with /etc/init.d/apache2 restart
  • checking the default error log with tail -fF /var/log/httpd/error_log | grep -i modsec

Deploy

If all went fine, do the same using dscp and dssh:

dssh cp -a /usr/local/apache2/conf/mod_security2/cwaf-rules /usr/local/apache2/conf/mod_security2/cwaf-rules_`date -I`
dssh "rm /usr/local/apache2/conf/mod_security2/cwaf-rules/*"
dscp * []:/usr/local/apache2/conf/mod_security2/cwaf-rules/
dssh /etc/init.d/apache2 reload