Apache2 won't start: AH00526: Syntax error on line 43 of /etc/modsecurity/rules/REQUEST-922-MULTIPART-ATTACK.conf
I'm trying to protect an Apache2 installation on an Ubuntu 22.04 server with ModSecurity and the OWASP rules, but once the v3.3.4 rules are installed and modsecurity is enabled, Apache2 will not start.

Installed packages:

```
apache2 2.4.52-1ubuntu4.3
apache2-bin 2.4.52-1ubuntu4.3
apache2-data 2.4.52-1ubuntu4.3
apache2-dev 2.4.52-1ubuntu4.3
apache2-utils 2.4.52-1ubuntu4.3
apachetop 0.19.7-3
libapache2-mod-perl2 2.0.12-1build1
libapache2-mod-php 2:8.2+93+ubuntu22.04.1+deb.sury.org+2
libapache2-mod-php8.1 8.1.16+repack-1+ubuntu22.04.1+deb.sury.org+1
libapache2-mod-php8.2 8.2.3-1+ubuntu22.04.1+deb.sury.org+1
libapache2-mod-security2 2.9.5-1
libapache2-mod-wsgi 4.6.8-1ubuntu3.1
libapache2-reload-perl 0.13-3
python3-certbot-apache 1.21.0-1
libpcre16-3:amd64 2:8.39-13ubuntu0.22.04.1
libpcre2-16-0:amd64 10.40-1+ubuntu22.04.1+deb.sury.org+1
libpcre2-8-0:amd64 10.40-1+ubuntu22.04.1+deb.sury.org+1
libpcre3:amd64 2:8.39-13ubuntu0.22.04.1
libpcre3-dev:amd64 2:8.39-13ubuntu0.22.04.1
libpcre32-3:amd64 2:8.39-13ubuntu0.22.04.1
libpcrecpp0v5:amd64 2:8.39-13ubuntu0.22.04.1
```

Installed rules:

https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.4.tar.gz
The Apache error log shows the following:

```
systemd[1]: Starting The Apache HTTP Server...
apachectl[632035]: AH00526: Syntax error on line 43 of /etc/modsecurity/rules/REQUEST-922-MULTIPART-ATTACK.conf:
apachectl[632035]: Error creating rule: Unknown variable: &MULTIPART_PART_HEADERS
apachectl[632032]: Action 'start' failed.
apachectl[632032]: The Apache error log may have more information.
systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
systemd[1]: apache2.service: Failed with result 'exit-code'.
Feb 17 14:33:40 belleville systemd[1]: Failed to start The Apache HTTP Server.
```
The file and line in question (line numbers shown because the error refers to line 43, the last line of the continued SecRule directive):

```
1 # ------------------------------------------------------------------------
2 # OWASP ModSecurity Core Rule Set ver.3.3.4
3 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
4 # Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
5 #
6 # The OWASP ModSecurity Core Rule Set is distributed under
7 # Apache Software License (ASL) version 2
8 # Please see the enclosed LICENSE file for full details.
9 # ------------------------------------------------------------------------
10
11 #
12 # -= Paranoia Level 0 (empty) =- (apply unconditionally)
13 #
14
15 # This file is to address the 3UWMWA6W vulnerability.
16 # It requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports
17 # of the security fixes in these versions) or a compatible engine supporting these changes.
18 #
19 # If you cannot upgrade ModSecurity, this file will cause ModSecurity to fail to start.
20 # In that case, you can temporarily delete this file. However, you will be missing
21 # protection from these rules. Therefore, we recommend upgrading your engine instead.
22
23 # The rules in this file will be part of the 920 / 921 in the future.
24
25 # Only allow specific charsets when using "_charset_"
26 # Note: this is in phase:2 because these are headers that come in the body
27 SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
28 "id:922100,\
29 phase:2,\
30 block,\
31 t:none,\
32 msg:'Multipart content type global _charset_ definition is not allowed by policy',\
33 logdata:'Matched Data: %{ARGS._charset_}',\
34 tag:'application-multi',\
35 tag:'language-multi',\
36 tag:'platform-multi',\
37 tag:'attack-multipart-header',\
38 tag:'OWASP_CRS',\
39 tag:'capec/1000/255/153',\
40 tag:'paranoia-level/1',\
41 ver:'OWASP_CRS/3.3.4',\
42 severity:'CRITICAL',\
43 chain"
44 SecRule ARGS:_charset_ "!@within |%{tx.allowed_request_content_type_charset}|" \
45 "t:lowercase,\
46 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
47
```
Answer 1

In short, the problem is that even on the latest Ubuntu release (22.04 at the time) the mod-security package is outdated.

I found a closed issue about it here: https://github.com/coreruleset/coreruleset/issues/3129

It recommends using this repository, https://modsecurity.digitalwave.hu/, for the packages libapache2-mod-security2, libmodsecurity3 and modsecurity-crs.
Answer 2

As you can read in the configuration file:

It requires ModSecurity version 2.9.6 or 3.0.8.

You have

libapache2-mod-security2 2.9.5-1

so you can try upgrading this library.
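As an added example (not part of the question or of either answer), here is a POSIX shell script that checks whether the installed libapache2-mod-security2 meets the requirement stated in the rule file's header (2.9.6 on the 2.x line, 3.0.8 on the 3.x line), and then validates the Apache configuration with `apachectl configtest` so a rule the engine cannot parse is caught before a restart takes the service down. The function names are my own; `dpkg-query -W -f='${Version}'` and `apachectl configtest` are the standard commands, and the Debian version strings used for illustration are copied from the package list above.

```shell
#!/bin/sh
# Added example: verify the ModSecurity engine is new enough for
# REQUEST-922-MULTIPART-ATTACK.conf before enabling CRS 3.3.4.

# Reduce a Debian package version ("2:8.39-13ubuntu0.22.04.1", "2.9.5-1")
# to its upstream dotted part: drop the epoch, the revision and any "+" suffix.
strip_debian_version() {
    v="$1"
    v="${v#*:}"      # epoch
    v="${v%%-*}"     # Debian revision
    v="${v%%+*}"     # e.g. +repack / +deb.sury.org suffixes
    printf '%s\n' "$v"
}

# version_ge A B: exit 0 if dotted version A >= B, comparing numerically
# component by component (pure POSIX; no dpkg --compare-versions needed).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        ah="${ah%%[!0-9]*}"; bh="${bh%%[!0-9]*}"   # keep leading digits only
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# The 922 multipart rules need ModSecurity >= 2.9.6 (2.x line) or
# >= 3.0.8 (3.x line), as the rule file's header comment states.
crs_922_supported() {
    v=$(strip_debian_version "$1")
    case "$v" in
        2.*) version_ge "$v" 2.9.6 ;;
        3.*) version_ge "$v" 3.0.8 ;;
        *)   return 1 ;;
    esac
}

# Look up the installed package and report; return 1 when the engine is too
# old, 2 when it is not installed (or dpkg is unavailable on this host).
check_installed_modsecurity() {
    ver=""
    if command -v dpkg-query >/dev/null 2>&1; then
        ver=$(dpkg-query -W -f='${Version}' libapache2-mod-security2 2>/dev/null) || ver=""
    fi
    if [ -z "$ver" ]; then
        echo "libapache2-mod-security2 is not installed (or dpkg-query is unavailable)"
        return 2
    fi
    if crs_922_supported "$ver"; then
        echo "ModSecurity $ver supports REQUEST-922-MULTIPART-ATTACK.conf"
    else
        echo "ModSecurity $ver is too old for REQUEST-922-MULTIPART-ATTACK.conf (needs 2.9.6+ or 3.0.8+)"
        echo "Upgrade the engine; moving the file out of the rules directory only removes that protection."
        return 1
    fi
    # Validate the whole Apache configuration before a restart so that an
    # unparsable rule fails here instead of in 'systemctl restart apache2'.
    if command -v apachectl >/dev/null 2>&1; then
        apachectl configtest
    fi
}

# Run the live check only when invoked explicitly: sh check_modsec.sh --check
if [ "${1:-}" = "--check" ]; then
    check_installed_modsecurity
fi
```

With the package list from the question, `crs_922_supported 2.9.5-1` fails and the script reports that the engine is too old, which is exactly what the AH00526 error says in a less direct way; after upgrading to a 2.9.6 or newer package, the same check passes and `apachectl configtest` confirms the rule file now parses.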