
์•…์˜์  ์ธ Apache ์—ฐ๊ฒฐ์„ ๋Š๋Š” ๊ทœ์น™์ด ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค -m string โ€“string โ€œcgiโ€ โ€“algo bm

์›น ์„œ๋ฒ„์˜ 80์„ ์ œ์™ธํ•œ ํฌํŠธ์˜ ๋ชจ๋“  ํŠธ๋ž˜ํ”ฝ์„ ์‚ญ์ œํ•ฉ๋‹ˆ๋‹ค.

iptables์— ์ด์™€ ๊ฐ™์€ ๊ทœ์น™์ด ์žˆ์Šต๋‹ˆ๋‹ค.

iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "cgi" --algo bm --to 1000 -j DROP

๋” ๋งŽ์€ ์‚ฌ๋žŒ์ด ๊ณต์œ  ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๊นŒ? ๋‚˜๋Š” ํ•ญ์ƒ ๋‚˜์œ ํ•ด์ปค๋“ค์ด ์—ฌ์ „ํžˆ ์—…๋ฐ์ดํŠธํ•˜๊ณ  ์žˆ๋‹ค๋Š” ๊ฒƒ์„ ์•Œ๊ณ  ์žˆ์ง€๋งŒ ๊ทธ๋“ค ์ค‘ ์ผ๋ถ€๋Š” ํ•ญ์ƒ ๊ฐ™์€ ์ฝ”๋“œ๋กœ ์‹œ์ž‘ํ•ฉ๋‹ˆ๋‹ค. ์ผ๋ถ€ ๊ธฐ์ค€์— ๋”ฐ๋ผ ์—ฐ๊ฒฐ์„ ๋Š์–ด์•ผํ•ฉ๋‹ˆ๋‹ค. ๋‹ค์Œ์€ ์ผ๋ถ€ Apache ๋กœ๊ทธ์ž…๋‹ˆ๋‹ค (ips๋Š” ์ œ๊ฑฐํ•˜์ง€๋งŒ ๊ฐ ๊ณต๊ฒฉ์€ ๋™์ผํ•ฉ๋‹ˆ๋‹ค).

๊ณต๊ฒฉ 1 : ์ด๊ฒƒ์€ ๋ฌด์—‡์„ํ•˜๋ ค๊ณ ํ•˜๋Š”์ง€ ๋ชจ๋ฅด๊ฒ ์ง€๋งŒ ๊ฐ™์€ IP์—์„œ 50 ๋ฒˆ ๋งŒ๋“ญ๋‹ˆ๋‹ค.

GET / HTTP/1.1  301 224 -   Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22
GET / HTTP/1.1  302 3387    -   Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22

Attack 2: Only trying to get information about the server.

GET / HTTP/1.1  301 224 http://myip:80/ Go-http-client/1.1
GET / HTTP/1.1  302 3228    http mywebsite  Go-http-client/1.1
GET /es/ HTTP/1.1   200 40947   https mywebsite Go-http-client/1.1

Attack 3: Trying to access a login page vulnerability.

GET /userlogin/login.aspx HTTP/1.1  302 186 -   -

Attack 4: Tries to access cgi in the first request (see the first iptables rule to drop these).

GET /hndUnblock.cgi HTTP/1.0    302 186 -   Wget(linux)
GET /tmUnblock.cgi HTTP/1.0 302 186 -   Wget(linux)

๋‚˜๋Š”์ด ์ƒˆ๋กœ์šด ๊ณต๊ฒฉ์ด ์ง€๋‚œ 12 ์‹œ๊ฐ„ ๋™์•ˆ ๋งŒ ์ด๋ฃจ์–ด์ง„ ์„œ๋ฒ„์— ๋Œ€ํ•ด ๋งค์šฐ ์ƒˆ๋กญ๋‹ค.



Answer

์—…๋ฐ์ดํŠธ : ํ˜„์žฌ ๋‹ต๋ณ€์ด ์™„์ „ํžˆ ์—…๋ฐ์ดํŠธ๋˜์—ˆ์Šต๋‹ˆ๋‹ค.

์ด ํ† ๋ก  ์— ๋”ฐ๋ฅด๋ฉด WWW Security Assistant ๋ผ๋Š” GitHub ๋ฆฌํฌ์ง€ํ† ๋ฆฌ๋ฅผ ๋งŒ๋“ค์—ˆ์Šต๋‹ˆ๋‹ค . ask_ubuntu์ด ๋‹ต๋ณ€์— ์ „๋… ํ•˜๋Š” ์ง€์  ์ด ์žˆ์Šต๋‹ˆ๋‹ค. ์ด์ „์— ์—ฌ๊ธฐ์„œ ์‚ฌ์šฉ ๊ฐ€๋Šฅํ–ˆ๋˜ ๋ชจ๋“  ์ฐธ์กฐ ๋Š” ๋ฌธ์ž ์ œํ•œ์œผ๋กœ ์ธํ•ด ์ œ๊ฑฐ๋ฉ๋‹ˆ๋‹ค. GitHub์—์„œ ์‚ฌ์šฉ ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค.

๋‹ค์Œ์€ Ubuntu 16.04 ๋‚ด์—์„œ Apache2 ๋ณด์•ˆ์„ ๊ฐ•ํ™”ํ•˜๋Š” ๋ฐฉ๋ฒ• ์ธ ์™„์ „ํ•œ ๋ฉ”์ปค๋‹ˆ์ฆ˜๊ณผ ๊ด€๋ จ๋œ ๋ช‡ ๊ฐ€์ง€ ๋ฐฉ๋ฒ•์„ ๊ฐ„๊ณผ ํ•œ ๊ฒƒ์ž…๋‹ˆ๋‹ค.

๋‚ด์šฉ์˜ ํ…Œ์ด๋ธ”:

  • WWAS (WWW Security Assistant Script) โ–บ IP ํ…Œ์ด๋ธ”
  • IPtables โ€“ ๊ธฐ๋ณธ ๊ตฌ์„ฑ โ€“ ์ €์žฅ ๋ฐ ๋ณต์›
  • Apache2 ์šฉ ModEvasive
  • ModEvasive โ–บ WSAS โ–บ IP ํ…Œ์ด๋ธ”
  • Apache2 ์šฉ ModSecurity 2.9
  • ModSecurity OWASP ํ•ต์‹ฌ ๊ทœ์น™ ์„ธํŠธ 3.x
  • ModSecurity ๊ทœ์น™ ํ—ˆ์šฉ ๋ชฉ๋ก
  • ModSecurity ๊ทœ์น™ โ–บ WSAS โ–บ IP ํ…Œ์ด๋ธ”
  • ModSecurity ๋ฐ Apache ๋กœ๊ทธ ํŒŒ์ผ
  • ModSecurity ๋กœ๊ทธ ํŒŒ์ผ โ–บ Fail2Ban โ–บ Iptables
  • ModSecurity GuardianLog โ–บ HTTPD Guardian โ–บ WSAS โ–บ IP ํ…Œ์ด๋ธ”
  • ModSecurity GuardianLog โ–บ HTTPD ์‚ฌ์šฉ์ž ์ •์˜ ๋ถ„์„ โ–บ WSAS โ–บ IP ํ…Œ์ด๋ธ”

๋˜ํ•œ ํ•ญ์ƒ HTTPS๋ฅผ ์‚ฌ์šฉํ•˜๋Š” ๊ฒƒ์ด ์ข‹๋‹ค๊ณ  ๊ฐ€์ • ํ•ด ๋ด…์‹œ๋‹ค.

WWW Security Assistant Script ► IPtables

Here is the script www-security-assistant.bash. It can help you handle malicious IP addresses. The script has two modes.

Automatic mode

Used when an external program, such as Apache's mod_security, supplies a malicious $IP address. In this case the syntax that invokes the script should be:

www-security-assistant.bash <ip-address> Guardian
www-security-assistant.bash <ip-address> ModSecurity
www-security-assistant.bash <ip-address> ModEvasive
www-security-assistant.bash <ip-address> a2Analyst

์ด ๋ชจ๋“œ์—์„œ ์Šคํฌ๋ฆฝํŠธ๋Š” ๋‘ ๊ฐ€์ง€ ์ž‘์—… ๋‹จ๊ณ„๋ฅผ ์ œ๊ณต ํ•˜๋ฉฐ ๋ชจ๋“  ์ž‘์—… ์— ๋Œ€ํ•ด ๊ด€๋ฆฌ์ž ์—๊ฒŒ ์ „์ž ๋ฉ”์ผ ์„ ๋ณด๋ƒ…๋‹ˆ๋‹ค .

  • ์ฒซ ๋ฒˆ์งธ ๋‹จ๊ณ„ : ์ฒ˜์Œ ๋ช‡ ๊ฐœ์˜ โ€˜๋ฒ”์ฃ„โ€™์— ๋Œ€ํ•ด ์†Œ์Šค ์˜ ๊ฐ’๊ณผ ๋™์ผํ•œ ๊ธฐ๊ฐ„ ๋™์•ˆ ์†Œ์Šค $IP๊ฐ€ ์ฐจ๋‹จ๋ฉ๋‹ˆ๋‹ค$BAN_TIME . ์ด ๋ชจ๋“œ๋Š” ๋ช…๋ น์„ ์‚ฌ์šฉํ•ฉ๋‹ˆ๋‹ค at.

  • ๋‘ ๋ฒˆ์งธ ๋‹จ๊ณ„ : ํŠน์ • ๋ฒ”์ฃ„์˜ ์ˆซ์ž $IP๊ฐ€์˜ ๊ฐ’๊ณผ ๊ฐ™์„ $LIMIT๋•Œ์ด $IP์ฃผ์†Œ๋Š” IP ํ…Œ์ด๋ธ”์„ ํ†ตํ•ด ์˜๊ตฌ์  ์œผ๋กœ ๊ธˆ์ง€ ๋˜๋ฉฐ์— ์ถ”๊ฐ€๋ฉ๋‹ˆ๋‹ค $BAN_LIST.

์ˆ˜๋™ ๋ชจ๋“œ

์ด ๋ชจ๋“œ๋Š” ๋‹ค์Œ ์˜ต์…˜์„ ํ—ˆ์šฉํ•ฉ๋‹ˆ๋‹ค.

  • www-security-assistant.bash <ip-address> --DROP "log notes"

    ํŒŒ์ผ์— ํ•ญ๋ชฉ์„ ์ž‘์„ฑ /var/www-security-assistant/iptables-DROP.listํ•˜๊ณ  ๋‹ค์Œ๊ณผ ๊ฐ™์€ ๊ทœ์น™์„ ์ƒ์„ฑํ•ฉ๋‹ˆ๋‹ค.

    iptables -A GUARDIAN -s $IP -j DROP
    
  • www-security-assistant.bash <ip-address> --DROP-CLEAR "log notes"

    ํŒŒ์ผ์— ํ•ญ๋ชฉ์„ ์ž‘์„ฑํ•˜๊ณ  /var/www-security-assistant/iptables-DROP-CLEAR.list, ํŠน์ • Iptables ๊ทœ์น™์„ ์ œ๊ฑฐํ•˜๊ณ  $IP, ๊ธฐ๋ก์—์„œ ๋‹ค์Œ์„ ์ œ๊ฑฐ ํ•ฉ๋‹ˆ๋‹ค $BAN_LIST.

    iptables -D GUARDIAN -s $IP -j DROP
    
  • www-security-assistant.bash <ip-address> --ACCEPT "log notes"

    ํŒŒ์ผ์— ํ•ญ๋ชฉ ๋งŒ ์ž‘์„ฑํ•ฉ๋‹ˆ๋‹ค /var/www-security-assistant/iptables-ACCEPT.list.

  • www-security-assistant.bash <ip-address> --ACCEPT-CHAIN "log notes"

    ํŒŒ์ผ์— ํ•ญ๋ชฉ์„ ์ž‘์„ฑ /var/www-security-assistant/iptables-ACCEPT.listํ•˜๊ณ  ๋‹ค์Œ๊ณผ ๊ฐ™์€ ๊ทœ์น™์„ ์ƒ์„ฑํ•ฉ๋‹ˆ๋‹ค.

    iptables -A GUARDIAN -s $IP -j ACCEPT
    

Dependencies

The script uses the iptables chain GUARDIAN and the script iptables-save.sh, both described in the next section. It creates and maintains a few files inside $WORK_DIR:

  • www-security-assistant.history – contains data about the previous transgressions of the IPs.
  • www-security-assistant.mail – the content of the last email sent by the script.
  • iptables-ACCEPT.list; iptables-DROP.list and iptables-DROP-CLEAR.list.

To be able to send emails the script needs at least this minimal configuration:

sudo apt install s-nail mutt mailutils postfix
sudo dpkg-reconfigure postfix  # For General type: Internet Site
echo 'Test passed.' | mail -s Test-Email email@example.com

๊ตฌ์„ฑ๋œ HTTPS ์„œ๋น„์Šค๊ฐ€ ์žˆ์œผ๋ฉด Postfix ์„œ๋น„์Šค ๋‚ด์—์„œ TLS ์ธ์ฆ์„œ๋ฅผ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

๋˜ํ•œ ์Šคํฌ๋ฆฝํŠธ๋Š” at๋‹ค์Œ์„ ์‚ฌ์šฉํ•ฉ๋‹ˆ๋‹ค sudo apt install at.

์„ค์น˜

  • ์ž‘์—… ๋””๋ ‰ํ† ๋ฆฌ๋ฅผ ๋งŒ๋“ค๊ณ  ํ˜ธ์ถœํ•˜์ž /var/www-security-assistant. ๋‹ค์šด๋กœ๋“œ www-security-assistant.bashํ•˜์—ฌ ์‹คํ–‰ ๊ฐ€๋Šฅํ•˜๊ฒŒํ•˜์‹ญ์‹œ์˜ค.

    sudo mkdir /var/www-security-assistant
    sudo wget https://raw.githubusercontent.com/pa4080/www-security-assistant/ask_ubuntu/www-security-assistant.bash -O /var/www-security-assistant/www-security-assistant.bash
    sudo chmod +x /var/www-security-assistant/www-security-assistant.bash
  • ํ™•์ธ www-security-assistant.bash์‚ฌ์šฉ์ž ์ •์˜ ๋ช…๋ น์œผ๋กœ ์‚ฌ์šฉํ•  ์ˆ˜ :

    sudo ln -s /var/www-security-assistant/www-security-assistant.bash /usr/local/bin/
  • Grant www-data permission to run www-security-assistant.bash via sudo without a password. Use the following command to safely create and edit a new file containing the additional sudoers rule:

    sudo visudo -f /etc/sudoers.d/www-security-assistant

    ํŒŒ์ผ ์•ˆ์— ๋‹ค์Œ ์ค„์„ ์ถ”๊ฐ€ํ•˜์‹ญ์‹œ์˜ค-ํŒŒ์ผ์„ ์ €์žฅํ•˜๊ณ  ์ข…๋ฃŒํ•˜์‹ญ์‹œ์˜ค :

    www-data ALL=(ALL) NOPASSWD: /var/www-security-assistant/www-security-assistant.bash
  • Tweak www-security-assistant.bash. At least change the value of the variable $EMAIL_TO.

Health check

  • Pretend you are an $AGENT and check whether the automatic mode works properly:

    www-security-assistant.bash 192.168.1.177 Guardian

    ๊ทธ๋Ÿฐ ๋‹ค์Œ ์ „์ž ๋ฉ”์ผ์„ ํ™•์ธํ•˜๊ณ ์„ ์ž…๋ ฅ ํ•œ iptables -L GUARDIAN -n๋‹ค์Œ ํŒŒ์ผ์„ ๊ฒ€ํ†  www-security-assistant.historyํ•˜๊ณ  www-security-assistant.mail. ์œ„์˜ ๋ช…๋ น 5 ๋ฒˆ ์‹คํ–‰ํ•˜๊ณ  ํŒŒ์ผ์„ ๊ฒ€ํ†  iptables-DROP.listํ•˜๊ณ  iptables-CURRENT.conf.

  • ์ˆ˜๋™ ๋ชจ๋“œ๊ฐ€ ์ œ๋Œ€๋กœ ์ž‘๋™ํ•˜๋Š”์ง€ ํ™•์ธํ•˜์‹ญ์‹œ์˜ค. ํ™”์ดํŠธ๋ฆฌ์ŠคํŠธ์— ๋กœ์ปฌ ํ˜ธ์ŠคํŠธ๋ฅผ ์ถ”๊ฐ€ํ•˜์‹ญ์‹œ์˜ค.

    www-security-assistant.bash 127.0.0.1 --ACCEPT "Server's localhost IP"

    ๊ทธ๋Ÿฐ ๋‹ค์Œ ํŒŒ์ผ์„ ํ™•์ธํ•˜์‹ญ์‹œ์˜ค iptables-ACCEPT.list.

์ด ํ•™์Šต์„œ์˜ ๋‚˜๋จธ์ง€ ๋ถ€๋ถ„์€ www-security-assistant์‹œ์Šคํ…œ๊ณผ ํ†ตํ•ฉํ•˜๋Š” ๋ฐฉ๋ฒ• ์ž…๋‹ˆ๋‹ค.

IPtables โ€“ ๊ธฐ๋ณธ ๊ตฌ์„ฑ โ€“ ์ €์žฅ ๋ฐ ๋ณต์›

๊ธฐ๋ณธ ๊ตฌ์„ฑ

๋‹ค์Œ ๊ทœ์น™์„ ์ถ”๊ฐ€ํ•˜๊ธฐ ์ „์—์ด ์„ค๋ช…์„œ ๋ฅผ ์ฝ์œผ์‹ญ์‹œ์˜ค .

sudo iptables -F

sudo iptables -I INPUT 1 -i lo -j ACCEPT
sudo iptables -I INPUT 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# This rule may lock you out of the system!
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT ACCEPT

๋‹ค์Œ ์ž‘์—…์„ ์ˆ˜ํ–‰ํ•˜๊ธฐ ์ „์— ์ƒˆ SSH ์—ฐ๊ฒฐ์„ ์—ด๊ณ  ์‹œ์Šคํ…œ์— ๋กœ๊ทธ์ธํ•˜์—ฌ ๋ชจ๋“  ๊ฒƒ์ด ์ œ๋Œ€๋กœ ์ž‘๋™ํ•˜๋Š”์ง€ ํ™•์ธํ•˜์‹ญ์‹œ์˜ค!

์ €์žฅ ๋ฐ ๋ณต์›

์ด๊ฒƒ์€ iptables์‹œ์Šคํ…œ์˜ ์ •์ง€-์‹œ์ž‘ (๋˜๋Š” ์žฌ๋ถ€ํŒ…) ๊ณผ์ • ์—์„œ coning์„ ์ €์žฅํ•˜๊ณ  ๋ณต์›ํ•˜๋Š” ์‚ฌ์šฉ์ž ์ง€์ • ์Šคํฌ๋ฆฝํŠธ๋ฅผ ํ†ตํ•ด ๋‹ฌ์„ฑ ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค . (UFW๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ IPtables ๊ทœ์น™์„ ์„ค์ •ํ•˜๋Š” ๊ฒฝ์šฐ์ด ๋‹จ๊ณ„๋Š” ํ•„์š”ํ•˜์ง€ ์•Š์Šต๋‹ˆ๋‹ค.)

printf '#!/bin/sh\n/sbin/iptables-save > /var/www-security-assistant/iptables-CURRENT.conf\nexit 0\n' | sudo tee /var/www-security-assistant/iptables-save.sh
printf '#!/bin/sh\n/sbin/iptables-restore < /var/www-security-assistant/iptables-CURRENT.conf\nexit 0\n' | sudo tee /var/www-security-assistant/iptables-restore.sh
sudo chmod +x /var/www-security-assistant/iptables-restore.sh /var/www-security-assistant/iptables-save.sh
sudo ln -s /var/www-security-assistant/iptables-save.sh /etc/network/if-post-down.d/iptables-save
sudo ln -s /var/www-security-assistant/iptables-restore.sh /etc/network/if-pre-up.d/iptables-restore

์ƒˆ๋กœ์šด ์ฒด์ธ ๋งŒ๋“ค๊ธฐ

ํ˜ธ์ถœ ๋œ ์ƒˆ ์ฒด์ธ์„ ์ž‘์„ฑํ•˜๊ณ  ์ฒด์ธ์— GUARDIAN๋ฒˆํ˜ธ 3์œผ๋กœ ์‚ฝ์ž…ํ•˜์‹ญ์‹œ์˜ค INPUT.

sudo iptables -N GUARDIAN
sudo iptables -I INPUT 3 -j GUARDIAN

Health check

Reboot the system and check the configuration. It is recommended to use sudo systemctl reboot (do not use the forced option reboot -f). When the system is online again, you can check whether the newly created chain exists:

sudo iptables -L GUARDIAN -n

ModEvasive for Apache2

ModEvasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS or DDoS attack or a brute force attack. Read more…

Installation

  • Install and enable the module:

    sudo apt install libapache2-mod-evasive
    sudo a2enmod evasive
  • Create the log directory and make it accessible to www-data:

    sudo mkdir -p /var/log/apache2_mod_evasive
    sudo chown www-data /var/log/apache2_mod_evasive
  • ๊ธฐ๋ณธ ๊ตฌ์„ฑ์„ ์กฐ์ • โ€“ ๊ตฌ์„ฑ ํŒŒ์ผ์—์„œ ํŠน์ • ์ง€์‹œ๋ฌธ์„ ์ฃผ์„ ํ•ด์ œํ•˜๊ณ  ํŽธ์ง‘ํ•˜์‹ญ์‹œ์˜ค.

    /etc/apache2/mods-enabled/evasive.conf
  • Restart Apache: sudo systemctl restart apache2.service.

Health check

  • Open a web page from the server and refresh the browser window intensively a few times (press F5). You should get a 403 Forbidden error message. A new lock file is created in the log directory. This file must be deleted in order to detect further violations from this IP address.

ModEvasive ► WSAS ► IPtables

Here we will configure mod_evasive to talk to iptables through www-security-assistant.bash, created in the section above.

  • Edit /etc/apache2/mods-available/evasive.conf in this way:

    <IfModule mod_evasive20.c>
        DOSHashTableSize    3097
        DOSPageCount        9
        DOSSiteCount        70
        DOSPageInterval     2
        DOSSiteInterval     2
        DOSBlockingPeriod   10
    
        #DOSEmailNotify     your@email.foo
        DOSLogDir           "/var/log/apache2_mod_evasive"
        DOSSystemCommand    "sudo /var/www-security-assistant/www-security-assistant.bash %s 'ModEvasive' 'AutoMode' >> /var/www-security-assistant/www-security-assistant.execlog 2>&1"
    </IfModule>
  • ๋กœ๊ทธ ํŒŒ์ผ์„ ์ž‘์„ฑํ•˜๊ณ  Apache๋ฅผ ๋‹ค์‹œ ์‹œ์ž‘ํ•˜์‹ญ์‹œ์˜ค.

    sudo touch /var/www-security-assistant/www-security-assistant.execlog && sudo chown www-data /var/www-security-assistant/www-security-assistant.execlog

์šฐ๋ฆฌ๋Š”์„ ํ†ตํ•ด DDoS ๊ณต๊ฒฉ์„ ์‹œ๋ฎฌ๋ ˆ์ด์…˜ ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค์ด ๊ตฌ์„ฑ์„ ํ…Œ์ŠคํŠธํ•˜๊ธฐ ์œ„ํ•ด F5๋ฐฉ๋ฒ•์„, ์œ„์—์„œ ์–ธ๊ธ‰ ํ•œ, ๋˜๋Š” ์šฐ๋ฆฌ๋Š” ๊ฐ™์€ ๋ช…๋ น์„ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค ab, hping3๋“ฑ

์ฃผ์˜ :iptables WSAS์—์„œ ์‚ฌ์šฉ๋˜๋Š” ๊ทœ์น™์€ SSH ์—ฐ๊ฒฐ์„ ํฌํ•จํ•˜์—ฌ ์†Œ์Šค์˜ ๋ชจ๋“  ์ƒˆ ์—ฐ๊ฒฐ์„ ์‚ญ์ œ ํ•˜๋ฏ€๋กœ ์ฃผ์˜ ํ•˜์‹ญ์‹œ์˜ค $IP. ํ…Œ์ŠคํŠธํ•˜๋Š” ๋™์•ˆ ์„œ๋ฒ„์— ์—ฐ๊ฒฐํ•˜๋Š” ๋ฐฑ์—… ๋ฐฉ๋ฒ•์ด ์ข‹์Šต๋‹ˆ๋‹ค. HTTP / HTTPS ํฌํŠธ์—์„œ๋งŒ ์ž‘๋™ํ•˜๋„๋ก์ด ๊ทœ์น™์„ ๋ณ€๊ฒฝํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Apache2 ์šฉ ModSecurity 2.9

ModSecurity ๋Š” ์ž์ฒด์ ์œผ๋กœ ๊ฑฐ์˜ ๋ณดํ˜ธ ๊ธฐ๋Šฅ์„ ์ œ๊ณตํ•˜์ง€ ์•Š๋Š” ์›น ์‘์šฉ ํ”„๋กœ๊ทธ๋žจ ๋ฐฉํ™”๋ฒฝ ์—”์ง„์ž…๋‹ˆ๋‹ค. ์œ ์šฉํ•˜๊ฒŒ ์‚ฌ์šฉํ•˜๋ ค๋ฉด ModSecurity๋ฅผ โ€‹โ€‹๊ทœ์น™์œผ๋กœ ๊ตฌ์„ฑํ•ด์•ผํ•ฉ๋‹ˆ๋‹ค. Trustwave์˜ Spider Labs๋Š” ์‚ฌ์šฉ์ž๊ฐ€ ์ฆ‰์‹œ ModSecurity๋ฅผ โ€‹โ€‹์ตœ๋Œ€ํ•œ ํ™œ์šฉํ•  ์ˆ˜ ์žˆ๋„๋ก ๋ฌด๋ฃŒ๋กœ ์ธ์ฆ ๋œ ๊ทœ์น™ ์„ธํŠธ๋ฅผ ์ œ๊ณตํ•ฉ๋‹ˆ๋‹ค .

์„ค์น˜

  • ๋ชจ๋“ˆ์„ ์„ค์น˜ํ•˜๊ณ  ํ™œ์„ฑํ™”ํ•˜์‹ญ์‹œ์˜ค :

    sudo apt install libapache2-mod-security2
    sudo a2enmod security2
  • ๊ตฌ์„ฑ ํŒŒ์ผ์„ ์ž‘์„ฑํ•˜์‹ญ์‹œ์˜ค.

    sudo cp /etc/modsecurity/modsecurity.conf ๊ถŒ์žฅ /etc/modsecurity/modsecurity.conf

    /etc/modsecurity/modsecurity.conf์ฃผ์˜ ๊นŠ๊ฒŒ ์ฝ๊ณ  ํŽธ์ง‘ํ•˜์‹ญ์‹œ์˜ค ! ์ตœ์†Œํ•œ ๋‹ค์Œ ์ง€์‹œ๋ฌธ์„ ์ถ”๊ฐ€ํ•˜๊ฑฐ๋‚˜ ๋ณ€๊ฒฝํ•˜์‹ญ์‹œ์˜ค.

    # -- Rule engine initialization ----------------------------------------------
    SecRuleEngine On
    
    # -- Debug log configuration -------------------------------------------------
    SecDebugLogLevel 2
    SecDebugLog "/var/log/apache2_mod_security/modsec_debug.log"
    
    # -- Audit log configuration -------------------------------------------------
    SecAuditLog "/var/log/apache2_mod_security/modsec_audit.log"
    
    # -- Guardian log configuration -------------------------------------------------
    SecGuardianLog /var/log/apache2_mod_security/modsec_guardian.log
  • ์ด ํŒŒ์ผ /etc/apache2/mods-enabled/security2.conf์€ /etc/modsecurity/modsecurity.confApache ๊ตฌ์„ฑ๊ณผ ๊ด€๋ จ ์ด ์žˆ์Šต๋‹ˆ๋‹ค. ์ด ๋‹จ๊ณ„์—์„œ security2.conf๋‹ค์Œ๊ณผ ๊ฐ™์ด ๋ณด์ผ ๊ฒƒ์ž…๋‹ˆ๋‹ค :

    <IfModule security2_module>
        SecDataDir /var/cache/modsecurity
        IncludeOptional /etc/modsecurity/*.conf
    </IfModule>
  • Create the log directory:

    sudo mkdir -p /var/log/apache2_mod_security
  • Set up log rotation. First create the configuration file:

    sudo cp /etc/logrotate.d/apache2 /etc/logrotate.d/apache2-modsec

    ๊ทธ๋Ÿฐ ๋‹ค์Œ์ด ๋ฐฉ๋ฒ•์œผ๋กœ ์ƒˆ โ€‹โ€‹ํŒŒ์ผ์„ ํŽธ์ง‘ํ•˜์‹ญ์‹œ์˜ค.

    /var/log/apache2_mod_security/*.log { โ€ฆ }
  • Restart Apache.

Health check

  • Create an additional configuration file in /etc/modsecurity, called for example z-customrules.conf, and add the following rule as its content:

    # Directory traversal attacks
    SecRule REQUEST_URI "../" "t:urlDecodeUni, deny, log, id:109"

    Restart the server: sudo systemctl restart apache2.service. Open a browser and type https://example.com/?abc=../. Result: 403 Forbidden. Check the log files in /var/log/apache2_mod_security for details.

  • To make things more interesting, place the script issues.php in an appropriate location within your DocumentRoot (here we assume this is /var/www/html):

    sudo wget https://raw.githubusercontent.com/pa4080/www-security-assistant/ask_ubuntu/appendix/var/www/html/issues.php -O /var/www/html/issues.php

    ๊ทธ๋Ÿฐ ๋‹ค์Œ ๋‹ค์Œ ๋ฐฉ๋ฒ•์œผ๋กœ ์œ„ ๊ทœ์น™์„ ์ˆ˜์ •ํ•˜์‹ญ์‹œ์˜ค.

    # Directory traversal attacks with redirection (or use URL instead of URI: redirect:'https://example.com/issues.php')
    SecRule REQUEST_URI "../" "t:urlDecodeUni, deny, log, id:109, redirect:'/issues.php'"

    Restart Apache, then open a browser and type https://example.com/?abc=../ ;-) The idea is borrowed from the script BotLovin.cs on SE.

  • Edit /etc/modsecurity/z-customrules.conf once more and comment out (disable) the rule. It is only a test example and is covered by the OWASP CRS, described in the next section.

  • Here is another example that redirects all wp-admin page requests, except requests from certain IP addresses (note chain):

    # Block wp-admin access
    SecRule REQUEST_URI "^/wp-admin" "id:108, log, deny, status:403, t:lowercase, chain, redirect:'/issues.php'"
        SecRule REMOTE_ADDR "!@ipMatch 192.168.1.11,99.77.66.12"

    ์—ฌ๊ธฐ์—๋Š” (1) deny, status:403๊ณผ (2)์˜ ๋‘ ๊ฐ€์ง€ ํŒŒ๊ดด์ ์ธ ํ–‰๋™์ด redirect:'/issues.php'์žˆ์Šต๋‹ˆ๋‹ค. ์‹ค์ œ๋กœ deny์กฐ์น˜์— ์˜ํ•ด ๋Œ€์ฒด๋˜๋ฏ€๋กœ ์กฐ์น˜ ๊ฐ€ ํ•„์š”ํ•˜์ง€ ์•Š์Šต๋‹ˆ๋‹ค redirect.

ModSecurity OWASP ํ•ต์‹ฌ ๊ทœ์น™ ์„ธํŠธ 3.x

Ubuntu 16.04์—์„œ๋Š” CSR 2.x๋ฅผ ์„ค์น˜ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค apt install modsecurity-crs. ์—ฌ๊ธฐ์„œ๋Š” CSR 3.x ๋ฅผ ์„ค์น˜ํ•ฉ๋‹ˆ๋‹ค . ์ž์„ธํ•œ ์ง€์นจ์€ ์„ค์น˜ ์„ค๋ช…์„œ์— ๋‚˜์™€ ์žˆ์Šต๋‹ˆ๋‹ค ( gitํ•„์ˆ˜).

์„ค์น˜

  • ํด๋”์—์„œ CSR์„ ๋ณต์ œํ•˜์‹ญ์‹œ์˜ค /usr/share/modsecurity-crs.3.

    sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs /usr/share/modsecurity-crs.3
  • Upgrade and auto-renew the GeoIP database. (The GeoIP DB is no longer included in the CRS. Instead it is recommended to download it regularly.) The script util/upgrade.py provides this functionality. You can use it in cron, via sudo crontab -e:

    0 2 * * * /usr/share/modsecurity-crs.3/util/upgrade.py --geoip --crs --cron >> /var/log/apache2_mod_security/owasp-crs-upgrade.log 2>&1
  • ๊ตฌ์„ฑ ํŒŒ์ผ์„ ์ž‘์„ฑํ•˜์‹ญ์‹œ์˜ค.

    sudo cp /usr/share/modsecurity-crs.3/crs-setup.conf{.example,}
    sudo cp /usr/share/modsecurity-crs.3/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf{.example,}
    sudo cp /usr/share/modsecurity-crs.3/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf{.example,}

    ์ด ํŒŒ์ผ๋“ค์„์ฃผ์˜ ๊นŠ๊ฒŒ ์ฝ๊ณ  ํŽธ์ง‘ํ•˜์‹ญ์‹œ์˜ค! ์ตœ์†Œํ•œ SecGeoLookupDB์ง€์‹œ๋ฌธ์˜ ์ฃผ์„์„ ํ•ด์ œํ•˜์‹ญ์‹œ์˜ค .

    SecGeoLookupDB util/geo-location/GeoIP.dat
  • Apache์˜ ๊ตฌ์„ฑ์„ ์ ์šฉํ•˜์‹ญ์‹œ์˜ค. /etc/apache2/mods-available/security2.conf์ด ๋ฐฉ๋ฒ•์œผ๋กœ ํŽธ์ง‘ํ•˜์‹ญ์‹œ์˜ค :

    <IfModule security2_module>
        SecDataDir /var/cache/modsecurity
        IncludeOptional /etc/modsecurity/*.conf
        IncludeOptional /usr/share/modsecurity-crs.3/crs-setup.conf
        IncludeOptional /usr/share/modsecurity-crs.3/rules/*.conf
    </IfModule>

    ํŒŒ์ผ์„ ์ €์žฅ ํ•œ ๋‹ค์Œ Apache๋ฅผ ๋‹ค์‹œ ์‹œ์ž‘ํ•˜์‹ญ์‹œ์˜ค.

ModSecurity ๊ทœ์น™ ํ—ˆ์šฉ ๋ชฉ๋ก

ModSecurity ๊ทœ์น™์˜ ํ™”์ดํŠธ๋ฆฌ์ŠคํŠธ๋Š” ๋‹ค์Œ ModSec ์ง€์‹œ๋ฌธ์„ ํ†ตํ•ด ์ˆ˜ํ–‰ ํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ, ์‹œ์Šคํ…œ ์ „์ฒด ๋˜๋Š” ๊ฐ€์ƒ ํ˜ธ์ŠคํŠธ ๊ตฌ์„ฑ ๋‚ด์—์„œ ํŠน์ • ๋””๋ ‰ํ† ๋ฆฌ ๋˜๋Š” ์œ„์น˜ ์ผ์น˜๋ฅผ ์œ„ํ•ด ์ „์ฒด์ ์œผ๋กœ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

SecRuleRemoveById
SecRuleRemoveByMsg
SecRuleRemoveByTag
SecRuleUpdateTargetById
SecRuleUpdateTargetByMsg
SecRuleUpdateTargetByTag
SecRuleUpdateActionById

Disable mod_security2 for PhpMyAdmin. Change /etc/phpmyadmin/apache.conf in this way:

<Directory /usr/share/phpmyadmin>
    <IfModule security2_module>
        SecRuleEngine Off
    </IfModule>
</Directory>

Disable certain rules for a certain directory:

<Directory /var/www/html>
    <IfModule security2_module>
        SecRuleRemoveById 973301
    </IfModule>
</Directory>

์ „์—ญ ์ ์œผ๋กœ ๊ทœ์น™์„ ๋น„ํ™œ์„ฑํ™”ํ•ฉ๋‹ˆ๋‹ค. ์ด๋ฅผ ์œ„ํ•ด Apache ๊ตฌ์„ฑ ํŒŒ์ผ ์–ด๋”˜๊ฐ€์— ์ง€์‹œ๋ฌธ์„ ์ถ”๊ฐ€ํ•ด์•ผํ•ฉ๋‹ˆ๋‹ค /etc/modsecurity/z-customrules.conf.

  • ์ „์ฒด Apache ๊ตฌ์„ฑ ๋‚ด์—์„œ ๊ทœ์น™์„ ๋น„ํ™œ์„ฑํ™”ํ•˜์‹ญ์‹œ์˜ค.

    SecRuleRemoveById 973301 950907
  • Whitelist an IP address so it can pass through ModSecurity:

    SecRule REMOTE_ADDR "@ipMatch 192.168.110.1" "phase:1,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
  • ๋””๋ ‰ํ† ๋ฆฌ ์ผ์น˜ ๋‚ด ๊ทœ์น™์„ ์‚ฌ์šฉ ์ค‘์ง€ํ•ฉ๋‹ˆ๋‹ค.

    <Directory /var/www/mediawiki/core>
        SecRuleRemoveById 973301 950907
    </Directory>
  • ์œ„์น˜ ์ผ์น˜ ๋‚ด์—์„œ ID๋ณ„๋กœ ๊ทœ์น™ ๋™์ž‘ ์—…๋ฐ์ดํŠธ :

    <LocationMatch "/index.php.*">
        SecRuleUpdateActionById 973301 "pass"
        SecRuleUpdateActionById 950907 "pass"
    </LocationMatch>

์œ„์˜ ์˜ˆ์—์„œ ์šฐ๋ฆฌ๋Š” ๊ฐ€์ • 973301๋ฐ 950907์šฐ๋ฆฌ์˜ ์›น ์‘์šฉ ํ”„๋กœ๊ทธ๋žจ์˜ ์ •์ƒ ์ž‘๋™์„ ๋ฐฉํ•ด ๊ทœ์น™ ID๊ฐ€ ์žˆ์Šต๋‹ˆ๋‹ค. ์˜ ๋ถ„์„์„ ํ†ตํ•ด ์ด์™€ ๊ฐ™์€ ๊ทœ์น™์„ ์ฐพ์„ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค modsec_audit.log.

ModSecurity ๊ทœ์น™ โ–บ WSAS โ–บ IP ํ…Œ์ด๋ธ”

๋‹ค์Œ์€ ์‚ฌ์šฉ์ž ์ •์˜ SecRules๋ฅผ ์ž‘์„ฑํ•˜๋Š” ๋ฐฉ๋ฒ•๊ณผ WWAS (WWW Security Assistant Script)๋ฅผ ํ˜ธ์ถœํ•˜๋Š” ๋ฐฉ๋ฒ•์— ๋Œ€ํ•œ ๋ช‡ ๊ฐ€์ง€ ์˜ˆ์ž…๋‹ˆ๋‹ค.

์ดˆ๊ธฐ ์„ค์ •

์ถ”๊ฐ€ ์‹œ์ž‘ ์Šคํฌ๋ฆฝํŒ…์ด ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค modsecurity-assistant.sh. ๊ทธ ์ด์œ ๋Š” ModSecurity์˜ exec๋™์ž‘์ด ๋„ˆ๋ฌด ๋‹จ์ˆœํ•˜๊ณ  ์ œํ•œ์ ์ธ ๊ตฌ๋ฌธ์„ ๊ฐ€์ง€๊ณ  ์žˆ๊ธฐ ๋•Œ๋ฌธ์ž…๋‹ˆ๋‹ค .

sudo wget https://raw.githubusercontent.com/pa4080/www-security-assistant/ask_ubuntu/modsecurity-assistant.sh -O /var/www-security-assistant/modsecurity-assistant.sh
sudo chmod +x /var/www-security-assistant/modsecurity-assistant.sh

์Šคํฌ๋ฆฝํŠธ ๋‚ด๋ถ€๋ฅผ ๋ณด๋ฉด ModSecurity์—์„œ ๋‚ด ๋ณด๋‚ธ ๋ณ€์ˆ˜๊ฐ€ ๊ฑฐ์˜ ์—†์Šต๋‹ˆ๋‹ค. ์ด๋“ค์€ : $REQUEST_URI, $ARGS, $SERVER_NAME, $REMOTE_ADDR, $REMOTE_HOST์™€ $UNIQUE_ID. ๋‹ค๋ฅธ ๋ณ€์ˆ˜๋Š” ์Šคํฌ๋ฆฝํŠธ ๋‚ด๋ถ€์— ์„ค๋ช…๋˜์–ด ์žˆ์Šต๋‹ˆ๋‹ค.

์‚ฌ์šฉ์ž ์ •์˜ ๊ทœ์น™์„ ์ž‘์„ฑํ•˜๊ณ ์ด๋ฅผ ํ†ตํ•ด ์Šคํฌ๋ฆฝํŠธ๋ฅผ ํ˜ธ์ถœํ•˜์‹ญ์‹œ์˜ค.

๋จผ์ € ์š”์ฒญ URI์— ๋ธ”๋ž™๋ฆฌ์ŠคํŠธ์— ํฌํ•จ ๋œ ๋‹จ์–ด๊ฐ€ ํฌํ•จ๋˜์–ด์žˆ์„ ๋•Œ ์‹คํ–‰๋  modsecurity-assistant.sh(๋ฐ ํ˜ธ์ถœ www-security-assistant.bash) ๊ทœ์น™์„ ์ž‘์„ฑํ•ด ๋ณด๊ฒ ์Šต๋‹ˆ๋‹ค . /etc/modsecurity/z-customrules.conf์•„๋ž˜ ์ค„์„ ์—ด๊ณ  ์•„๋ž˜์— ์ถ”๊ฐ€ํ•˜์‹ญ์‹œ์˜ค.

# REQUEST_URI words blacklist
#
SecRule REQUEST_URI "@pmFromFile /var/www-security-assistant/modsecurity-uri-black.list" \
    "id:150, log, t:lowercase, chain, \
    drop, deny, status:403, redirect:'/issues.php'"
    SecRule REMOTE_ADDR "!@ipMatchFromFile /var/www-security-assistant/modsecurity-ip-white.list" \
        "setenv:REMOTE_HOST=%{REMOTE_HOST}, \
         setenv:ARGS=%{ARGS}, \
         exec:/var/www-security-assistant/modsecurity-assistant.sh"
  • REQUEST_URI – this variable contains the full URI of the current request. The rule could be broader: SecRule REQUEST_URI|ARGS|REQUEST_BODY ...

  • @pmFromFile reads the file modsecurity-uri-black.list, which contains a list of phrases, each specific phrase or word placed on a new line. You can collect interesting words and phrases from the log files. If there is a match between REQUEST_URI and a pattern in the list, the rule will be applied. The file can be empty, but it must be created (touch).

  • The log action will create a log entry for this rule, id:150, in the log files.

  • The drop, deny (together with status) and redirect actions belong to the group of disruptive actions and must be in the leading rule of the chain (when there is a chain). The second action supersedes the first and the third supersedes the second, so you can choose which one to perform and delete the others.

  • The chain action calls the next rule in the chain. The second rule has no id.

  • REMOTE_ADDR contains the IP address of the request.

  • @ipMatchFromFile reads the file modsecurity-ip-white.list, which contains a whitelist of IP addresses, separated by new lines. CIDR entries are also allowed. The disruptive actions are always applied because they are located in the leading rule of the chain, but when a certain IP is in the whitelist the exec action is not applied. The file can be empty, but it must be created (touch).

  • The exec action calls an external script. This action is non-disruptive and will be executed when the current rule returns true. When this action is applied, the remote IP will be processed through the script.

  • The setenv action exports certain internal variables =%{...} as environment variables; the exported name can differ from the internal one. Some variables must be exported manually, others are exported automatically. There may be a small bug: a manual export with the same name (e.g. setenv:REQUEST_URI=%{REQUEST_URI}) can lead to an empty value of the exported variable.

Health check

Assuming there is no Joomla on your server, edit the file modsecurity-uri-black.list and add a line with the content /joomla. Then type https://example.com/joomla in your browser. You should be redirected and blocked through iptables. Clear the history with sudo www-security-assistant.bash <your-ip> --DROP-CLEAR 'some note', add your IP to modsecurity-ip-white.list and exercise again. Now you should be redirected but not blocked.

Connect the script with OWASP Core Rule Set 3.x

For this purpose we will update the default actions of the Anomaly Mode rules (949110 and 959100). Edit the file /usr/share/modsecurity-crs.3/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf and add the following lines at the bottom:

# -- Anomaly Mode - Update actions by ID -----
#

SecRuleUpdateActionById 949110 "t:none, drop, deny, status:403, redirect:'/issues.php', \
     setenv:REMOTE_HOST=%{REMOTE_HOST}, setenv:ARGS=%{ARGS}, \
     exec:/var/www-security-assistant/modsecurity-assistant.sh"

SecRuleUpdateActionById 959100 "t:none, drop, deny, status:403, redirect:'/issues.php', \
     setenv:REMOTE_HOST=%{REMOTE_HOST}, setenv:ARGS=%{ARGS}, \
     exec:/var/www-security-assistant/modsecurity-assistant.sh"

# -- Anomaly Mode - Whitelist some URI and IP addresses -----
#

SecRule REQUEST_URI "^/wp-admin/admin-ajax.php*|^/index\.php\?title=.*&action=(submit|raw&ctype=text/javascript|raw&ctype=text/css)$" \
    "id:'999010', t:none, phase:1, pass, \
     ctl:ruleRemoveById=949110, \
     ctl:ruleRemoveById=959100"

SecRule REMOTE_ADDR "@ipMatchFromFile /var/www-security-assistant/modsecurity-ip-white.list" \
    "id:'999020', t:none, phase:1, pass, \
     ctl:ruleRemoveById=949110, \
     ctl:ruleRemoveById=959100"

Health check

Don't forget to restart or reload Apache to apply the configuration changes. While testing, don't forget to clear the history regularly, otherwise you may get permanently blocked :)

Simulate a directory traversal attack:

https://example.com/?abc=../../../                         # This should be redirected and blocked
https://example.com/wp-admin/admin-ajax.php?abc=../../../  # This should pass because of the whitelist rule

SQL ์ธ์ ์…˜ ๊ณต๊ฒฉ ์‹œ๋ฎฌ๋ ˆ์ด์…˜ :

https://example.com/?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1
https://example.com/index.php?username=1'%20or%20'1'%20=%20'1'))/*&password=foo

ModSecurity and Apache log files

The Apache web server can be configured to give the server administrator important information about how it is functioning. The main avenue for providing feedback to the administrator is through the use of log files. Read more…

ModSecurity has a powerful logging mechanism. Through the SecGuardianLog directive it provides a log feed specially designed to work with external scripts.

Currently the only tool known to work with guardian logging is httpd-guardian, which is part of the Apache httpd tools project. The httpd-guardian tool is designed to defend against denial of service attacks. It uses the blacklist tool to interact with an iptables-based firewall, dynamically blacklisting the offending IP addresses. Read more…

ModSecurity log files ► Fail2Ban ► IPtables

Fail2Ban can be set up to parse the data in the Apache log files. modsec_audit.log is probably the best choice, but see also the section about SecGuardianLog.

Be careful to have SecAuditLogRelevantStatus in /etc/modsecurity/modsecurity.conf commented out. Otherwise everyone who receives a 404 error page will be banned by fail2ban.

SecAuditEngine RelevantOnly
#SecAuditLogRelevantStatus "^(?:5|4(?!04))"

Currently Fail2Ban is not implemented in this project.

ModSecGuardianLog ► HTTPD-Guardian ► WSAS ► IPtables

httpd-guardian – detect DoS attacks by monitoring requests. Apache Security, Copyright (C) 2005 Ivan Ristic – it is designed to monitor all web server requests through the piped logging mechanism. It keeps track of the number of requests sent from each IP address… httpd-guardian can either emit a warning or execute a script to block the IP address…

This script can be used with the Apache2 logging mechanism or with ModSecurity (better).

Installation and setup within the current circumstances

Download httpd-guardian and make it executable:

sudo wget https://raw.githubusercontent.com/pa4080/www-security-assistant/ask_ubuntu/httpd-guardian.pl -O /var/www-security-assistant/httpd-guardian.pl
sudo chmod +x /var/www-security-assistant/httpd-guardian.pl

Read lines 98-119 to see how the script is connected with the WSAS script.

Apply the following changes within the Apache configuration (/etc/modsecurity/modsecurity.conf) and then restart:

#SecGuardianLog /var/log/apache2_mod_security/modsec_guardian.log
SecGuardianLog "|/var/www-security-assistant/httpd-guardian.pl"

Health check

To test the script, disable ModEvasive (sudo a2dismod evasive; don't forget to enable it again later) and restart Apache. Then tail the exec log:

tail -F /var/www-security-assistant/www-security-assistant.execlog

And perform a DoS attack from another instance (use ab, for example, in the following way):

for i in {1..20}; do (ab -n 200 -c 10 https://example.com/ &); done

ModSecGuardianLog โ–บ ์‚ฌ์šฉ์ž ์ •์˜ ๋ถ„์„ โ–บ WSAS โ–บ IP ํ…Œ์ด๋ธ”

์—ฌ๊ธฐ์— httpd-custom-analyze.bashํŠน๋ณ„ํ•œ ์Šคํฌ๋ฆฝํŠธ ๋Š” ์•„๋‹ˆ์ง€๋งŒ ์ข‹์€ ์˜ˆ์ œ๊ฐ€ ๋  ์ˆ˜ ์žˆ๋Š” ๊ฐ„๋‹จํ•œ ์Šคํฌ๋ฆฝํŠธ ๊ฐ€ ์žˆ์Šต๋‹ˆ๋‹ค. ๊ทธ ๊ธฐ๋Šฅ์€ ์Šคํฌ๋ฆฝํŠธ ๋ณธ๋ฌธ์— ์„ค๋ช…๋˜์–ด ์žˆ์Šต๋‹ˆ๋‹ค.

์„ค์น˜ ๋ฐ ์„ค์ •

๋‹ค์šด๋กœ๋“œ httpd-custom-analyze.bashํ•˜์—ฌ ์‹คํ–‰ ๊ฐ€๋Šฅํ•˜๊ฒŒํ•˜์‹ญ์‹œ์˜ค.

sudo wget https://raw.githubusercontent.com/pa4080/www-security-assistant/ask_ubuntu/httpd-custom-analyze.bash -O /var/www-security-assistant/httpd-custom-analyze.bash
sudo chmod +x /var/www-security-assistant/httpd-custom-analyze.bash

Apply the following changes within the Apache configuration (/etc/modsecurity/modsecurity.conf) and restart:

#SecGuardianLog /var/log/apache2_mod_security/modsec_guardian.log
#SecGuardianLog "|/var/www-security-assistant/httpd-guardian.pl"
SecGuardianLog "|/var/www-security-assistant/httpd-custom-analyze.bash"
  • When the threshold is reached, the script calls WSAS (read lines 86 and 35).

  • To make both httpd- scripts work simultaneously, edit both scripts and pipe SecGuardianLog to them in modsecurity.conf.

  • To perform a test, follow the tips in the section above.
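As an added example, not code from pa4080's answer or from the www-security-assistant repository, the Python sketch below models the core of the pipeline the answer assembles: httpd-guardian-style per-IP request counting on the SecGuardianLog feed, escalated the way the WSAS script escalates (a timed DROP that at removes later, then a permanent DROP once $LIMIT offences are reached). The guardian-log line layout (combined format plus UNIQUE_ID), the thresholds, the chain name and the sample IPs are assumptions; commands are collected as strings rather than executed, so it can be tried without root.

```python
import re
import time
from collections import defaultdict, deque

# Assumed layout of the SecGuardianLog feed: Apache "combined" format with the
# request's UNIQUE_ID appended. If your feed differs, only this regex changes.
GUARDIAN_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


class RateGuardian:
    """Per-IP request counting in a sliding window, as httpd-guardian does,
    combined with the two-stage escalation the WSAS script applies: the
    first offences get a timed DROP that `at` removes later, and from the
    `limit`-th offence on the source is dropped permanently. Commands are
    collected as strings instead of being executed."""

    def __init__(self, max_requests=100, window=60, limit=3,
                 ban_minutes=10, chain="GUARDIAN", whitelist=()):
        self.max_requests = max_requests   # requests allowed per window
        self.window = window               # window length in seconds
        self.limit = limit                 # offences before a permanent ban ($LIMIT)
        self.ban_minutes = ban_minutes     # temporary ban length ($BAN_TIME)
        self.chain = chain
        self.whitelist = set(whitelist)
        self.hits = defaultdict(deque)     # ip -> timestamps inside the window
        self.offences = defaultdict(int)   # ip -> offence count (the "history")
        self.permanent = set()             # permanently banned IPs ($BAN_LIST)
        self.actions = []                  # commands that would have been run

    def feed(self, line, now=None):
        """Process one log line; return the command it triggered, if any."""
        now = time.time() if now is None else now
        m = GUARDIAN_RE.match(line)
        if not m:
            return None
        ip = m["ip"]
        if ip in self.whitelist or ip in self.permanent:
            return None
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                    # forget requests older than the window
        if len(q) > self.max_requests:
            q.clear()                      # one burst counts as one offence
            return self._punish(ip)
        return None

    def _punish(self, ip):
        self.offences[ip] += 1
        if self.offences[ip] >= self.limit:
            self.permanent.add(ip)
            cmd = f"iptables -A {self.chain} -s {ip} -j DROP"
        else:
            # insert the drop now and schedule its removal, like the script's
            # first stage that relies on the at daemon
            cmd = (f"iptables -I {self.chain} -s {ip} -j DROP && "
                   f"echo 'iptables -D {self.chain} -s {ip} -j DROP' "
                   f"| at now + {self.ban_minutes} minutes")
        self.actions.append(cmd)
        return cmd


def make_line(ip, path="/", status=200):
    """Constructed guardian-log line; the timestamp field is not used for timing."""
    return (f'{ip} - - [10/Feb/2018:12:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "ApacheBench/2.3" WoZ9sH8AAQEAAAu3Ay8AAAAA')


def simulate():
    """Replay constructed traffic with an explicit clock so the run is deterministic."""
    g = RateGuardian(max_requests=100, window=60, limit=3, whitelist={"127.0.0.1"})
    t = 0.0
    for _ in range(3):                     # three ab-style bursts from one attacker
        for _ in range(120):
            g.feed(make_line("203.0.113.5"), now=t)
            t += 0.1
        t += 120                           # quiet period between bursts
    for _ in range(50):                    # a busy but legitimate visitor
        g.feed(make_line("198.51.100.9", "/index.html"), now=t)
        t += 1.0
    for _ in range(200):                   # localhost is whitelisted, never punished
        g.feed(make_line("127.0.0.1"), now=t)
        t += 0.1
    return g


if __name__ == "__main__":
    for cmd in simulate().actions:
        print(cmd)
```

In a real deployment the loop would read lines from stdin, fed by SecGuardianLog "|/path/to/script", and let feed() take the wall clock. As with WSAS, a DROP on the source address cuts every new connection from it, SSH included, so keep a second way into the host while tuning the thresholds.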


Answer

I know pa4080 gives a detailed and useful answer that helps you manage all of this yourself. It feels good to solve the problem on your own, but it can take a long time.

  1. Get familiar with Cloudflare, since it offers free DDoS protection.
  2. If you currently use only Apache, learn how to load balance with NGINX. NGINX is useful for load balancing Apache, as shown here and here.
  3. Review Apache's security tips documentation.
