[ Reference : https://www.manualfactory.net/ / http://sysadmin-notepad.blogspot.com/ ]
- Installation
# yum install mod_security mod_security_crs
# systemctl restart httpd
- After installation, webmail message bodies no longer display and an "access denied" message is shown instead.
Find the rule ID in the audit log, then remove that one rule in the Apache config for the affected directory only.
# tail -f /var/log/httpd/modsec_audit.log
Message: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:_caps. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within ARGS:_caps: pdf=1,flash=1,tiff=0,webp=0"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client xx.xxx.xx.xx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\\\\\~\\\\\\\\!\\\\\\\\@\\\\\\\\#\\\\\\\\$\\\\\\\\%\\\\\\\\^\\\\\\\\&\\\\\\\\*\\\\\\\\(\\\\\\\\)\\\\\\\\-\\\\\\\\+\\\\\\\\=\\\\\\\\{\\\\\\\\}\\\\\\\\[\\\\\\\\]\\\\\\\\|\\\\\\\\:\\\\\\\\;\\\\"\\\\\\\\'\\\\\\\\\\\\xc2\\\\xb4\\\\\\\\\\\\xe2\\\\x80\\\\x99\\\\\\\\\\\\xe2\\\\x80\\\\x98\\\\\\\\`\\\\\\\\<\\\\\\\\>].*?){4,}" at ARGS:_caps. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within ARGS:_caps: pdf=1,flash=1,tiff=0,webp=0"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "mail.qnct.cn"] [uri "/mail/"] [unique_id "W336PvEeYo-Q4P55eh7fCAAAABE"]
Action: Intercepted (phase 2)
Stopwatch: 1534982718653074 2421 (- - -)
Stopwatch2: 1534982718653074 2421; combined=1768, p1=215, p2=1521, p3=0, p4=0, p5=32, sr=74, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_wsgi/3.4 Python/2.7.5
Engine-Mode: "ENABLED"
# vi /etc/httpd/conf/httpd.conf
<Directory /var/www/webmail/>
<IfModule mod_security2.c>
# SecRuleEngine Off
SecRuleRemoveById 981173
</IfModule>
</Directory>
SecRuleEngine Off : turns ModSecurity off entirely for that Directory (no rules run, nothing is audited), so keep it commented out unless nothing else works.
SecRuleRemoveById 981173 : disables only that one rule under the Directory; the rest of the CRS stays active there.
Why this is a false positive: the webmail client's _caps parameter (pdf=1,flash=1,tiff=0,webp=0) contains four "=" characters, which is exactly the {4,} threshold the rule's regex counts, so it is flagged as an SQL-injection anomaly. Rule IDs are specific to OWASP CRS 2.2.9; after upgrading the rule set, re-read the audit log for the new ID before copying the exclusion over.
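The two steps above (read the denial out of the audit log, then scope the exclusion to one directory) as an added shell example; this is not code from the original post. The log lines inside it are constructed to mimic the "Apache-Error:" line of modsec_audit.log (the same text also appears in httpd's error_log), the client addresses, hostname and second rule ID 981231 are illustrative assumptions, and the SecRuleUpdateTargetById alternative is a ModSecurity 2.6+ directive that only works if the CRS rule has already been loaded when the directive is read (place it after the CRS Include, not before it).

```shell
#!/bin/sh
# Added example: triage ModSecurity 2.x denials and emit a scoped exclusion.
# SAMPLE_LOG is CONSTRUCTED test data in the shape of modsec_audit.log lines.
# The plain "Message:" line carries no [uri], so keying on lines that have both
# [id] and [uri] avoids counting one transaction twice.
SAMPLE_LOG='Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:_caps. [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within ARGS:_caps: pdf=1,flash=1,tiff=0,webp=0"] [hostname "mail.example.com"] [uri "/mail/"]
Message: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:_caps. [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:_caps. [id "981173"] [hostname "mail.example.com"] [uri "/mail/"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.0.2.12] ModSecurity: Warning. Pattern match "..." at ARGS:_caps. [id "981173"] [hostname "mail.example.com"] [uri "/mail/"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.0.2.13] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:msg. [id "981231"] [hostname "mail.example.com"] [uri "/mail/compose"]'

# Read audit-log text on stdin; print "id<TAB>uri<TAB>count", most frequent first.
# Only blocking events ("Access denied") count; plain Warnings are ignored.
denied_rules() {
  tab=$(printf '\t')
  awk '
    /Access denied/ {
      id = ""; uri = ""
      if (match($0, /\[id "[0-9]+"\]/))  id  = substr($0, RSTART + 5, RLENGTH - 7)
      if (match($0, /\[uri "[^"]*"\]/))  uri = substr($0, RSTART + 6, RLENGTH - 8)
      if (id != "" && uri != "") n[id "\t" uri]++
    }
    END { for (k in n) print k "\t" n[k] }
  ' | sort -t "$tab" -k3,3nr -k1,1
}

# The fix from the post: disable the given rule ids only under one directory.
exclusion_stanza() {
  dir=$1; shift
  printf '<Directory %s>\n  <IfModule mod_security2.c>\n' "$dir"
  for id in "$@"; do printf '    SecRuleRemoveById %s\n' "$id"; done
  printf '  </IfModule>\n</Directory>\n'
}

# Tighter alternative (ModSecurity 2.6+): keep the rule, but stop it inspecting
# one named parameter. Must come after the CRS rule has been loaded.
target_exclusion() {
  printf 'SecRuleUpdateTargetById %s "!ARGS:%s"\n' "$1" "$2"
}

# Stand-alone run: triage a real log passed as $1, or the constructed sample.
if [ -n "${1:-}" ]; then denied_rules < "$1"; else printf '%s\n' "$SAMPLE_LOG" | denied_rules; fi
exclusion_stanza /var/www/webmail/ 981173
target_exclusion 981173 _caps
```

Run it against the live file with `sh triage.sh /var/log/httpd/modsec_audit.log` and start with the top row: that is the rule and path to exclude. Prefer the SecRuleUpdateTargetById form when the false positive is confined to one parameter, since the rule then still protects every other argument on the same page.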