WAF
Web Application Firewall
WAS + add-on module (mod_security)
Difference from a conventional firewall.
Conventional firewalls : selinux, iptables, firewalld(ufw), tcp wrapper
--> access control mainly by inspecting packet headers
WAF : detects attacks in front of the WAS. The detection target is the payload of web packets (web hacking)
Why a WAF is needed
- inspects the payload.
- web (http/https) protocol
- dynamic languages (PHP, ASP, JSP)
- system languages perl / cgi / fcgi / wcgi --> convenient to use, but able to execute system commands.
- DBMS integration rules
- no WAS --> a WAF cannot be used.
Installation
1. Confirm that Apache is running
[root@rocky-9 named]# systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
Drop-In: /etc/systemd/system/httpd.service.d
└─php-fpm.conf
Active: active (running) since Tue 2024-12-03 18:27:39 KST; 1 week 0 days ago
Docs: man:httpd.service(8)
Process: 1500533 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/S>
Main PID: 900837 (httpd)
Status: "Total requests: 11144; Idle/Busy workers 100/0;Requests/sec: 0.0168; Bytes serv>
Tasks: 230 (limit: 10754)
Memory: 16.6M
CPU: 4min 28.885s
CGroup: /system.slice/httpd.service
├─ 900837 /usr/sbin/httpd -DFOREGROUND
├─1500573 /usr/sbin/httpd -DFOREGROUND
├─1500574 /usr/sbin/httpd -DFOREGROUND
├─1500575 /usr/sbin/httpd -DFOREGROUND
├─1500580 /usr/sbin/httpd -DFOREGROUND
└─1500837 /usr/sbin/httpd -DFOREGROUND
2. Install mod_security
# Redhat
dnf -y install mod_security
# Debian (the package installs the module under the name security2)
apt-get install libapache2-mod-security2
a2enmod security2
3. Apply the official rule set
Url : https://github.com/coreruleset/coreruleset/archive/refs/heads/v3.4/dev.zip
Path : /etc/httpd/modsecurity.d
Default rule set
RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
Copy these default rule files into activated_rules
cp -ap RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example ../../activated_rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
cp -ap REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example ../../activated_rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Existing snort / mod_security --> detect payload values that match a SIG (signature). Install pcre so that regular expressions can be applied.
dnf -y install pcre-devel
4. Change the configuration file
# path : /etc/httpd/conf.d/mod_security.conf
SecAuditEngine RelevantOnly --> mod_security audit operation mode
Audit operation modes
- On : enable mod_security. (IPS mode)
- Off : disable mod_security.
- RelevantOnly : enabled, but only detects without blocking. (IDS mode)
5. Restart, then check the log files
/var/log/httpd/modsec_audit.log,
/var/log/httpd/modsec_debug.log
6. Detect the WAF with tools and check the logs
--67baae6f-B--
GET /9PF8pkrX.shm HTTP/1.1
Host: 172.16.20.6
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Connection: Keep-Alive
--67baae6f-F--
HTTP/1.1 500 Proxy Error
Content-Length: 264
Connection: close
Content-Type: text/html; charset=iso-8859-1
--67baae6f-E--
--67baae6f-H--
Apache-Error: [file "proxy_util.c"] [line 415] [level 3] [status 670002] AH00898: DNS lookup failure for: w4.tired.com returned by /9PF8pkrX.shm
Apache-Handler: proxy-server
Stopwatch: 1733884925756790 3304168 (- - -)
Stopwatch2: 1733884925756790 3304168; combined=14, p1=2, p2=8, p3=1, p4=1, p5=2, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/).
Server: Apache/2.4.62 (Rocky Linux) OpenSSL/3.2.2
Engine-Mode: "ENABLED"
--67baae6f-Z--
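As an added example (not code from the original post), a small Python parser for the serial-format audit log shown above: it splits the file on the `--<id>-<part>--` boundary lines and pulls the request line, Host header, response status and Engine-Mode out of one transaction. The sample log text, including its part A header, is constructed for this example.

```python
import re

# Constructed sample in ModSecurity 2.x serial audit-log format, modelled on the entry
# above; part A (the transaction header) is made up here, since the original omits it.
SAMPLE_AUDIT_LOG = """\
--67baae6f-A--
[11/Dec/2024:10:42:05 +0900] Z1kPxQoQAAAABJwDgAAAAAA 172.16.20.1 51234 172.16.20.6 80
--67baae6f-B--
GET /9PF8pkrX.shm HTTP/1.1
Host: 172.16.20.6
Connection: Keep-Alive

--67baae6f-F--
HTTP/1.1 500 Proxy Error
Content-Length: 264
Connection: close

--67baae6f-H--
Apache-Error: [file "proxy_util.c"] [line 415] [level 3] AH00898: DNS lookup failure
Engine-Mode: "ENABLED"

--67baae6f-Z--

"""

# Part boundary line: "--<transaction id>-<part letter>--"; part Z closes the transaction.
SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")

def parse_audit_log(text):
    """Split a serial-format audit log into {transaction_id: {part_letter: [lines]}}."""
    transactions = {}
    tx_id = part = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            tx_id, part = m.groups()
            transactions.setdefault(tx_id, {})[part] = []
        elif part is not None:
            transactions[tx_id][part].append(line)
    return transactions

def summarize(tx):
    """Pull out request line, Host header, response status and engine mode.
    Engine-Mode in part H reflects SecRuleEngine (ENABLED / DETECTION_ONLY / DISABLED)."""
    request_lines = tx.get("B") or [""]
    headers = dict(h.split(": ", 1) for h in request_lines[1:] if ": " in h)
    status_line = (tx.get("F") or [""])[0]
    status = int(status_line.split()[1]) if status_line.startswith("HTTP/") else None
    mode = next((l.split('"')[1] for l in tx.get("H", []) if l.startswith("Engine-Mode:")), None)
    return {"request": request_lines[0], "host": headers.get("Host"), "status": status, "engine_mode": mode}
```

Point `parse_audit_log` at the contents of /var/log/httpd/modsec_audit.log to get one dictionary per transaction; `summarize` is what you would run over each of them when triaging.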
Wafw00f
WAF detection tool
# With no WAF configured
┌──(root㉿kaya)-[~]
└─# wafw00f http://172.16.20.6
______
/ \
( W00f! )
\ ____/
,, __ 404 Hack Not Found
|`-.__ / / __ __
/" _/ /_/ \ \ / /
*===* / \ \_/ / 405 Not Allowed
/ )__// \ /
/| / /---` 403 Forbidden
\\/` \ | / _ \
`\ /_\\_ 502 Bad Gateway / / \ \ 500 Internal Error
`_____``-` /_/ \_\
~ WAFW00F : v2.2.0 ~
The Web Application Firewall Fingerprinting Toolkit
[*] Checking http://172.16.20.6
[+] Generic Detection results:
[-] No WAF detected by the generic detection
[~] Number of requests: 7
┌──(root㉿kaya)-[~]
└─# nmap -p 80,443 --script=http-waf-detect 172.16.20.6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-11 10:46 KST
Nmap scan report for 172.16.20.6
Host is up (0.00052s latency).
PORT STATE SERVICE
80/tcp open http
443/tcp open https
MAC Address: 00:50:56:2B:51:F3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 13.42 seconds