
Security: ModSecurity configuration

Posted: 2024-09-05 10:47:27
Tags: multi, configuration, modsecurity, OWASP, ---, security, tag, id

1. Where are the logs?

# -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only occasionally.
#
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log

# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir /opt/modsecurity/var/audit/

The configuration file answers the question:

SecAuditLog names the file, so the audit log is at /var/log/modsec_audit.log. With SecAuditEngine RelevantOnly, a transaction is written only if a rule marked it relevant or its status matches SecAuditLogRelevantStatus (any 5xx, or any 4xx other than 404); the blocked request below returned 403 and therefore appears.

Viewing it:

[root@localhost modsecurity]# more /var/log/modsec_audit.log
---HwxpvSzz---A--
[04/Sep/2024:16:50:45 +0800] 172543984560.438043 192.168.219.1 53408 192.168.219.14 80
---HwxpvSzz---B--
GET /index.html?param=%22%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1
Host: 192.168.219.14
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ja;q=0.6
If-None-Match: "66d81282-2c"
If-Modified-Since: Wed, 04 Sep 2024 07:55:46 GMT

---HwxpvSzz---D--

---HwxpvSzz---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx/1.26.1</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a

---HwxpvSzz---F--
HTTP/1.1 403
Server: nginx/1.26.1
Date: Wed, 04 Sep 2024 08:50:45 GMT
Content-Length: 555
Content-Type: text/html
Connection: keep-alive

---HwxpvSzz---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$)' against variable `REQUEST_HEADERS:Host' (Value: `192.168.219.14' ) [file "/opt/soft/nginx-1.26.1/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "772"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "192.168.219.14"] [severity "4"] [ver "OWASP_CRS/4.7.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "192.168.219.14"] [uri "/index.html"] [unique_id "172543984560.438043"] [ref "o0,14o0,14v75,14"]
ModSecurity: Warning. detected XSS using libinjection. [file "/opt/soft/nginx-1.26.1/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "82"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:param: \x22<script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/4.7.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "192.168.219.14"] [uri "/index.html"] [unique_id "172543984560.438043"] [ref "v22,27t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<script[^>]*>[\s\S]*?' against variable `ARGS:param' (Value: `"<script>alert(1);</script>' ) [file "/opt/soft/nginx-1.26.1/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "108"] [id "941110"] [rev ""] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:param: \x22<script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/4.7.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "192.168.219.14"] [uri "/index.html"] [unique_id "172543984560.438043"] [ref "o1,8v22,27t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<[^0-9<>A-Z_a-z]*(?:[^\s\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A (4341 characters omitted)' against variable `ARGS:param' (Value: `"<script>alert(1);</script>' ) [file "/opt/soft/nginx-1.26.1/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "200"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:param: \x22<script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/4.7.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "192.168.219.14"] [uri "/index.html"] [unique_id "172543984560.438043"] [ref "o1,7v22,27t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:eval|set(?:timeout|interval)|new[\s\x0b]+Function|a(?:lert|tob)|btoa|prompt|confirm)[\s\x0b]*\(' against variable `ARGS:param' (Value: `"<script>alert(1);</script>' ) [file "/opt/soft/nginx-1.26.1/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "713"] [id "941390"] [rev ""] [msg "Javascript method detected"] [data "Matched Data: alert( found within ARGS:param: \x22<script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/4.7.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "192.168.219.14"] [uri "/index.html"] [unique_id "172543984560.438043"] [ref "o9,6v22,27t:htmlEntityDecode,t:jsDecode"]
ModSecurity: Warning. detected SQLi using libinjection. [file "/opt/soft/nginx-1.26.1/modsecurity/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: son(1 found within ARGS:param: \x22<script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/4.7.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "192.168.219.14"] [uri "/index.html"] [unique_id "172543984560.438043"] [ref "v22,27"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `28' ) [file "/opt/soft/nginx-1.26.1/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 28)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.7.0-dev"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "192.168.219.14"] [uri "/index.html"] [unique_id "172543984560.438043"] [ref ""]

---HwxpvSzz---I--

---HwxpvSzz---J--

---HwxpvSzz---Z--

---X0io3vO2---A-- 
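Reading the entry: part A carries the timestamp, the transaction's unique_id (172543984560.438043, repeated in every rule message so that matches can be correlated with the request) and the client and server addresses; B is the request, with the XSS probe in the param query argument; E and F are the response body and headers nginx actually sent (its 403 page); H lists every rule that matched. All six matches are recorded as Warning even though the request was blocked. Under the CRS anomaly-scoring model a match does not deny by itself: it adds its severity weight to TX:BLOCKING_INBOUND_ANOMALY_SCORE (critical = 5, warning = 3 with the CRS 4 defaults), and rule 949110 in REQUEST-949-BLOCKING-EVALUATION.conf denies once the total reaches the threshold, here 5. The arithmetic checks out: 920350 (severity 4, warning, 3 points) plus five critical matches (5 x 5) give the 28 that 949110 reports. Note also that 942100 flagged SQL injection in the very same XSS payload (libinjection fingerprint `son(1`): that is the kind of collateral match to handle with a targeted exclusion rather than by switching the rule off globally. The script below, an added example that is not code from the post or from the ModSecurity project, parses a serial audit log in this part format and rebuilds the score per transaction so that such entries can be triaged without reading them by hand. Its embedded sample is a shortened, constructed copy of the entry above (each rule message on one line, as it is in the file; the browser wrapped them here) plus a second, constructed 502 transaction that is in the log only because of SecAuditLogRelevantStatus.

```python
"""Summarise a ModSecurity v3 serial audit log per transaction.

Added example, not code from the original post or the ModSecurity project.
It reads the part format shown above and rebuilds the CRS anomaly score from
the severity of every rule match recorded in part H.
"""
import re
from dataclasses import dataclass, field

# CRS 4 default weights by severity: CRITICAL(2)=5, ERROR(3)=4, WARNING(4)=3, NOTICE(5)=2
SEVERITY_SCORE = {"2": 5, "3": 4, "4": 3, "5": 2}
PART_RE = re.compile(r"^---([A-Za-z0-9]+)---([A-Z])--\s*$")   # ---HwxpvSzz---A--
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')       # [id "941100"], [msg "..."], ...
DENIED_RE = re.compile(r"Access denied with code (\d+)")
TOTAL_RE = re.compile(r"Total Score: (\d+)")


@dataclass
class Transaction:
    unique_id: str = ""
    client_ip: str = ""
    request_line: str = ""
    status: str = ""
    rules: list = field(default_factory=list)  # (id, severity, msg) per matched rule
    score: int = 0                              # anomaly score rebuilt from severities
    reported_score: int = 0                     # total the blocking rule itself reports
    blocked_by: str = ""                        # id of the rule that denied, if any


def parse_audit_log(text):
    """Return one Transaction per audit entry, in file order."""
    txs, cur, part = [], None, None
    for line in text.splitlines():
        m = PART_RE.match(line)
        if m:
            part = m.group(2)
            if part == "A":                     # part A opens a new transaction
                cur = Transaction()
                txs.append(cur)
            continue
        if cur is None or not line.strip():
            continue
        if part == "A":                         # [time tz] unique_id client_ip client_port server_ip server_port
            f = line.split()
            cur.unique_id, cur.client_ip = f[2], f[3]
        elif part == "B" and not cur.request_line:
            cur.request_line = line             # first line of B is the request line
        elif part == "F" and not cur.status:
            cur.status = line.split()[1]        # "HTTP/1.1 403" -> "403"
        elif part == "H" and line.startswith("ModSecurity:"):
            fields = dict(FIELD_RE.findall(line))
            if DENIED_RE.search(line):          # the one message that actually blocked
                cur.blocked_by = fields.get("id", "")
                t = TOTAL_RE.search(fields.get("msg", ""))
                cur.reported_score = int(t.group(1)) if t else 0
            else:                               # an ordinary match: only adds to the score
                sev = fields.get("severity", "")
                cur.rules.append((fields.get("id", ""), sev, fields.get("msg", "")))
                cur.score += SEVERITY_SCORE.get(sev, 0)
    return txs


def summarize(tx):
    """One line: who, what, outcome, and whether the rebuilt score matches the reported one."""
    verdict = f"blocked by {tx.blocked_by}" if tx.blocked_by else "not blocked"
    check = "" if not tx.blocked_by or tx.score == tx.reported_score else " (score mismatch!)"
    return (f"{tx.unique_id} {tx.client_ip} {tx.request_line} -> {tx.status} "
            f"score={tx.score} {verdict}{check} rules={[r[0] for r in tx.rules]}")


# Constructed sample: the blocked entry from the post with most fields trimmed,
# plus a constructed 502 that is logged only because of SecAuditLogRelevantStatus.
SAMPLE_LOG = r"""
---HwxpvSzz---A--
[04/Sep/2024:16:50:45 +0800] 172543984560.438043 192.168.219.1 53408 192.168.219.14 80
---HwxpvSzz---B--
GET /index.html?param=%22%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1
Host: 192.168.219.14
---HwxpvSzz---F--
HTTP/1.1 403
Server: nginx/1.26.1
---HwxpvSzz---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `REQUEST_HEADERS:Host' (Value: `192.168.219.14' ) [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "772"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "192.168.219.14"] [severity "4"] [tag "paranoia-level/1"] [unique_id "172543984560.438043"]
ModSecurity: Warning. detected XSS using libinjection. [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "82"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:param: \x22<script>alert(1);</script>"] [severity "2"] [tag "attack-xss"] [unique_id "172543984560.438043"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<script[^>]*>[\s\S]*?' against variable `ARGS:param' (Value: `"<script>alert(1);</script>' ) [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "108"] [id "941110"] [rev ""] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "2"] [unique_id "172543984560.438043"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `ARGS:param' (Value: `"<script>alert(1);</script>' ) [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "200"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [severity "2"] [unique_id "172543984560.438043"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `ARGS:param' (Value: `"<script>alert(1);</script>' ) [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "713"] [id "941390"] [rev ""] [msg "Javascript method detected"] [severity "2"] [unique_id "172543984560.438043"]
ModSecurity: Warning. detected SQLi using libinjection. [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: son(1 found within ARGS:param: \x22<script>alert(1);</script>"] [severity "2"] [unique_id "172543984560.438043"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `28' ) [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 28)"] [data ""] [severity "0"] [tag "anomaly-evaluation"] [unique_id "172543984560.438043"]
---HwxpvSzz---Z--
---Ab12Cd34---A--
[04/Sep/2024:16:52:10 +0800] 172543993010.118203 192.168.219.1 53412 192.168.219.14 80
---Ab12Cd34---B--
GET /api/health HTTP/1.1
---Ab12Cd34---F--
HTTP/1.1 502
---Ab12Cd34---H--
---Ab12Cd34---Z--
"""

if __name__ == "__main__":
    for tx in parse_audit_log(SAMPLE_LOG):
        print(summarize(tx))
```

Run it on the real file with parse_audit_log(open("/var/log/modsec_audit.log").read()). A "(score mismatch!)" marker means the severity weights were changed in crs-setup.conf or a rule's severity was overridden (SecRuleUpdateActionById), so the default table at the top no longer describes the deployment; a transaction with rules but no blocked_by is one that stayed under the threshold, which is exactly what you want to review when tuning paranoia level or exclusions.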

2. How to add a custom rule?

1) Create the rule file

[root@localhost modsecurity]# mkdir custom_rules
[root@localhost modsecurity]# cd custom_rules/
[root@localhost custom_rules]# vi custom_rule1.conf 

Contents:

# Deny when the query/body parameter "param" contains laowang
SecRule ARGS:param "@contains laowang" "id:1235,phase:2,deny,log,status:403,msg:'custom: laowang in param'"
# Deny when any request argument contains laoliu
SecRule ARGS "@contains laoliu" "id:1236,phase:2,deny,log,status:403,msg:'custom: laoliu in any argument'"

Explanation:

The first rule fires when the parameter param contains laowang; the second fires when any argument contains laoliu. Both deny the request with HTTP 403 and write an audit log entry (deny is a direct disruptive action, so unlike the CRS rules these do not go through anomaly scoring). phase:2 makes ModSecurity evaluate them after the request body has been read, so body arguments are inspected as well as the query string, and the msg is what you will see in part H of the audit log. The ids 1235 and 1236 are in the range reserved for local rules and must not collide with any other loaded rule, or ModSecurity refuses to start.

2) Include the custom rules file from the main configuration file:

[root@localhost nginx-1.26.1]# cd modsecurity/
[root@localhost modsecurity]# vi modsecurity.conf 

Add one line:

include /opt/soft/nginx-1.26.1/modsecurity/custom_rules/*.conf

3) Restart nginx. Check the configuration first (nginx -t), because a syntax error in a rule file otherwise takes the server down on restart:

[root@localhost conf]# systemctl restart nginx 

3. How to disable a rule?

Name the rules to disable by id. The directive can go in modsecurity.conf or in a separate .conf that you Include, but in either case it must come after the rules it names have been loaded (after the CRS Include): SecRuleRemoveById only removes rules that are already defined at the point where it appears, and placed earlier it silently removes nothing. If the real problem is a single false positive on one parameter (as with 942100 matching the XSS probe in the audit log above), a targeted exclusion such as SecRuleUpdateTargetById 942100 "!ARGS:param" keeps the rule active for everything else.

# Disable the rule with id 942100
SecRuleRemoveById 942100

# Disable the two rules 942100 and 942101
SecRuleRemoveById 942100 942101

# Disable every rule whose id is in the range 941000-942000 (both ends inclusive)
SecRuleRemoveById 941000-942000
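The procedures in sections 2 and 3 both hinge on the order in which modsecurity.conf loads things, and nginx -t will not catch an exclusion that sits above the CRS Include or an engine still in DetectionOnly, because both are valid configuration. The script below is an added example, not code from the post or from ModSecurity/CRS: it walks a modsecurity.conf in load order, following Include globs, and reports SecRuleRemoveById lines that name no rule loaded above them, duplicate rule ids across custom files, and SecRuleEngine not set to On. All file contents are constructed in-memory stand-ins; the CRS stubs hold three rules in place of the real files' hundreds, and the two layouts show the mistakes beside the corrected arrangement.

```python
"""Lint the Include layout of a ModSecurity configuration.

Added example, not code from the original post or from ModSecurity/CRS.
Findings: exclusions placed before the rules they name, duplicate rule ids,
and SecRuleEngine left at anything other than On. Files are given as an
in-memory {path: text} mapping so the check runs without a server.
"""
import fnmatch
import re

RULE_ID_RE = re.compile(r"\bid:(\d+)")
INCLUDE_RE = re.compile(r"^Include\s+(\S+)", re.I)
REMOVE_BY_ID_RE = re.compile(r"^SecRuleRemoveById\s+(.*)", re.I)
ENGINE_RE = re.compile(r"^SecRuleEngine\s+(\S+)", re.I)


def iter_directives(files, path):
    """Yield (path, lineno, stripped line) in load order, descending into Includes."""
    for n, raw in enumerate(files[path].splitlines(), 1):
        line = raw.strip()
        m = INCLUDE_RE.match(line)
        if m:
            targets = sorted(p for p in files if fnmatch.fnmatch(p, m.group(1)))
            if not targets:
                yield path, n, line          # dangling Include; lint() reports it
            for target in targets:
                yield from iter_directives(files, target)
            continue
        yield path, n, line


def lint(files, entry="modsecurity.conf"):
    """Return a list of findings; an empty list means the layout is sound."""
    findings, loaded, engine = [], {}, None   # loaded: rule id -> "file:line"
    for path, n, line in iter_directives(files, entry):
        where = f"{path}:{n}"
        if not line or line.startswith("#"):
            continue
        if INCLUDE_RE.match(line):
            findings.append(f"{where}: Include matched no file: {line}")
            continue
        m = ENGINE_RE.match(line)
        if m:
            engine = m.group(1)
            continue
        m = REMOVE_BY_ID_RE.match(line)
        if m:
            for tok in m.group(1).split():     # single ids and lo-hi ranges
                r = re.fullmatch(r"(\d+)(?:-(\d+))?", tok)
                if not r:
                    continue
                lo, hi = int(r.group(1)), int(r.group(2) or r.group(1))
                if not any(lo <= rid <= hi for rid in loaded):
                    findings.append(f"{where}: SecRuleRemoveById {tok} removes nothing: "
                                    "no such rule is loaded above this line (move it after the CRS Include)")
            continue
        for rid in map(int, RULE_ID_RE.findall(line)):
            if rid in loaded:
                findings.append(f"{where}: rule id {rid} already defined at {loaded[rid]}")
            else:
                loaded[rid] = where
    if engine != "On":
        findings.append(f"{entry}: SecRuleEngine is {engine}; rules are logged but never enforced")
    return findings


CRS_STUB = {  # constructed stand-ins for the CRS rule files
    "rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf":
        'SecRule ARGS "@detectXSS" "id:941100,phase:2,block,msg:\'XSS Attack Detected via libinjection\'"\n'
        'SecRule ARGS "@rx (?i)<script[^>]*>" "id:941110,phase:2,block"\n',
    "rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf":
        'SecRule ARGS "@detectSQLi" "id:942100,phase:2,block"\n',
    "custom_rules/custom_rule1.conf":
        'SecRule ARGS:param "@contains laowang" "id:1235,phase:2,deny,log,status:403"\n'
        'SecRule ARGS "@contains laoliu" "id:1236,phase:2,deny,log,status:403"\n',
}

# Layout with three mistakes: exclusion above the CRS Include, engine still in
# DetectionOnly, and a second custom file that reuses id 1235.
BAD = {**CRS_STUB,
       "modsecurity.conf": "SecRuleEngine DetectionOnly\n"
                           "SecRuleRemoveById 942100\n"
                           "Include rules/*.conf\n"
                           "Include custom_rules/*.conf\n",
       "custom_rules/custom_rule2.conf":
           'SecRule ARGS "@contains laozhang" "id:1235,phase:2,deny,log,status:403"\n'}

# Corrected layout: engine On; custom rules and exclusions loaded after the CRS.
GOOD = {**CRS_STUB,
        "modsecurity.conf": "SecRuleEngine On\n"
                            "Include rules/*.conf\n"
                            "Include custom_rules/*.conf\n"
                            "Include exclusions/*.conf\n",
        "exclusions/disable.conf": "SecRuleRemoveById 942100 941000-942000\n"}

if __name__ == "__main__":
    for name, files in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, lint(files) or ["ok"])
```

To use it on a real deployment, read modsecurity.conf and every file its Includes can reach into the mapping with paths relative to the same base directory; the check is a static pre-flight only, and nginx -t followed by a curl against the custom rule (for example a request with ?param=laowang expecting 403) still has the final say.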


Source: https://www.cnblogs.com/architectforest/p/18397945
