Apache下ModSecurity的安装启用与配置

（1）2.7版本

vim /etc/apache2/mods-available/security2.conf
修改

<IfModule security2_module>
# Default Debian dir for modsecurity's persistent data
SecDataDir /var/cache/modsecurity
# Include all the *.conf files in /etc/modsecurity.
# Keeping your local configuration in that directory
# will allow for an easy upgrade of THIS file and
# make your life easier
IncludeOptional /etc/modsecurity/*.conf
IncludeOptional /usr/share/modsecurity-crs/*.conf
IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf
</IfModule>

（2）2.6版本

‍‍vim /etc/apache2/mods-available/mod-security.conf‍‍
修改

Include /etc/modsecurity/*.conf
Include /usr/share/modsecurity-crs/*.conf
Include /usr/share/modsecurity-crs/activated_rules/*.conf

第四步：启用modsecurity模块

a2enmod headersa2enmod security2 (版本2.6： a2enmod mod-security)service apache2 restart

第五步：测试真实的攻击payload

看是否能拦截

http://www.tanjiti.com/?case=archive&act=orders&aid[typeid`%3D1%20and%20ord(mid((select/**/concat(username,0x3a,password)%20from%20cmseasy_user),1,1))%3C49%23]=1
我们发现请求包被403拦截了，

可以查看modsecurity日志文件看具体的拦截情况

tail /var/log/apache2/modsec_audit.log
message: Access denied with code 403 (phase 2). Pattern match "(/*!?|*/|[';]--|--[srnvf]|(?:--[^-]*?-)|([^-&])#.*?[srnvf]|;?x00)" at ARGS_NAMES:aid[typeid`=1 and ord(mid((select/**/concat(username,0x3a,password) from cmseasy_user),1,1))
<49#].
[file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [data "Matched Data: /* found within ARGS_NAMES:aid[typeid`=1 and ord(mid((select/**/concat(username,0x3a,password) from cmseasy_user),1,1))<49#]: aid[typeid`=1 and ord(mid((select/**/concat(username,0x3a,password) from cmseasy_user),1,1))<49#]"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]

可以看到是被base规则集的modsecurity_crs_41_sql_injection_attacks.conf文件的规则981231拦截，命中了SQL注释语句。
对于网站结构比较了解的站长们，完全可以自定义规则，特别是白名单规则来防护我们的网站。

第六步：自定义WAF规则

规则语法快速入门参考 ModSecurity SecRule cheatsheets

WAF规则实例1：上传文件名白名单，只允许上传图片文件

vim /usr/share/modsecurity-crs/activated_rules/MY.conf
添加规则

SecRule FILES "!.(?i:jpe?g|gif|png|bmp)$" "deny,tag:'WEB_ATTACK/FILEUPLOAD',msg:'upload no-picture file',id:0000001,phase:2"