我试图使用 OWASP 规则和 ModSecurity 来保护我的 Ubuntu 22.04 服务器上的 Apache2 安装,但是当我安装 v3.3.4 规则并激活 modsecurity 时,Apache2 将无法启动。
安装的软件包:
apache2 2.4.52-1ubuntu4.3
apache2-bin 2.4.52-1ubuntu4.3
apache2-data 2.4.52-1ubuntu4.3
apache2-dev 2.4.52-1ubuntu4.3
apache2-utils 2.4.52-1ubuntu4.3
apachetop 0.19.7-3
libapache2-mod-perl2 2.0.12-1build1
libapache2-mod-php 2:8.2+93+ubuntu22.04.1+deb.sury.org+2
libapache2-mod-php8.1 8.1.16+repack-1+ubuntu22.04.1+deb.sury.org+1
libapache2-mod-php8.2 8.2.3-1+ubuntu22.04.1+deb.sury.org+1
libapache2-mod-security2 2.9.5-1
libapache2-mod-wsgi 4.6.8-1ubuntu3.1
libapache2-reload-perl 0.13-3
python3-certbot-apache 1.21.0-1
libpcre16-3:amd64 2:8.39-13ubuntu0.22.04.1
libpcre2-16-0:amd64 10.40-1+ubuntu22.04.1+deb.sury.org+1
libpcre2-8-0:amd64 10.40-1+ubuntu22.04.1+deb.sury.org+1
libpcre3:amd64 2:8.39-13ubuntu0.22.04.1
libpcre3-dev:amd64 2:8.39-13ubuntu0.22.04.1
libpcre32-3:amd64 2:8.39-13ubuntu0.22.04.1
libpcrecpp0v5:amd64 2:8.39-13ubuntu0.22.04.1
安装规则:
https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.4.tar.gz
我在 apache 错误日志中得到了这个:
systemd[1]: Starting The Apache HTTP Server...
apachectl[632035]: AH00526: Syntax error on line 43 of /etc/modsecurity/rules/REQUEST-922-MULTIPART-ATTACK.conf:
apachectl[632035]: Error creating rule: Unknown variable: &MULTIPART_PART_HEADERS
apachectl[632032]: Action 'start' failed.
apachectl[632032]: The Apache error log may have more information.
systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
systemd[1]: apache2.service: Failed with result 'exit-code'.
Feb 17 14:33:40 belleville systemd[1]: Failed to start The Apache HTTP Server.
这是有问题的文件和行:
1 # ------------------------------------------------------------------------
2 # OWASP ModSecurity Core Rule Set ver.3.3.4
3 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
4 # Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
5 #
6 # The OWASP ModSecurity Core Rule Set is distributed under
7 # Apache Software License (ASL) version 2
8 # Please see the enclosed LICENSE file for full details.
9 # ------------------------------------------------------------------------
10
11 #
12 # -= Paranoia Level 0 (empty) =- (apply unconditionally)
13 #
14
15 # This file is to address the 3UWMWA6W vulnerability.
16 # It requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports
17 # of the security fixes in these versions) or a compatible engine supporting these changes.
18 #
19 # If you cannot upgrade ModSecurity, this file will cause ModSecurity to fail to start.
20 # In that case, you can temporarily delete this file. However, you will be missing
21 # protection from these rules. Therefore, we recommend upgrading your engine instead.
22
23 # The rules in this file will be part of the 920 / 921 in the future.
24
25 # Only allow specific charsets when using "_charset_"
26 # Note: this is in phase:2 because these are headers that come in the body
27 SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
28 "id:922100,\
29 phase:2,\
30 block,\
31 t:none,\
32 msg:'Multipart content type global _charset_ definition is not allowed by policy',\
33 logdata:'Matched Data: %{ARGS._charset_}',\
34 tag:'application-multi',\
35 tag:'language-multi',\
36 tag:'platform-multi',\
37 tag:'attack-multipart-header',\
38 tag:'OWASP_CRS',\
39 tag:'capec/1000/255/153',\
40 tag:'paranoia-level/1',\
41 ver:'OWASP_CRS/3.3.4',\
42 severity:'CRITICAL',\
43 chain"
44 SecRule ARGS:_charset_ "!@within |%{tx.allowed_request_content_type_charset}|" \
45 "t:lowercase,\
46 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
47
答案1
简而言之,问题在于即使在最新的 Ubuntu 版本(当时为 22.04)中,mod 安全包也已经过时。
我在这里发现了一个已关闭的问题: https://github.com/coreruleset/coreruleset/issues/3129
这建议使用这个仓库https://modsecurity.digitalwave.hu/升级/安装软件包libapache2-mod-security2和libmodsecurity3.modsecurity-crs
答案2
正如您可以在配置文件中读到的那样:
它需要 ModSecurity 版本 2.9.6 或 3.0.8
你有
libapache2-mod-security2 2.9.5-1
所以你可以尝试升级这个库