在浏览本文前,先简单体味下甚么是ModSecurity,ModSecurity是一个进侵探测与禁止的引擎。它主如果用于Web利用法度所以也能够叫做Web利用法度防火墙,相信良多商业WAF的签名开辟同窗也参考了ModSecurity的法则吧。
布景:
上周Wordpress网站蒙受了大年夜范围的暴力破解报复打击,报复打击者起首扫描互联网上的Wordpress网站,然后操纵Web办事器组建的僵尸收集不竭测验测验用户名和暗码试图登录治理界面。报复打击者利用了超越9万台Web办事器来进行暴力破解。
本文借用此例,来介绍下若何操纵ModSecurity防御Wordpress的暴力破解。常规的减缓暴力破解编制以下:
1:更改admin默许账户名称,或直接删除admin,添加一个新的治理员帐户。
2:利用双身分认证
3:利用插件限制登录
4:利用.htpasswd对拜候特定页面实现用户名和暗码验证。
这些都有现成的编制往实现了,这里就介绍一下用ModSecurity V2.7.3来呵护Wordpress,避免暴力破解。
1:Wordpress的登录过程阐发
下图为Wordpress的登录页面:
用户登录以后,发送要求到WP-loing.php页面,HTTP要求包内容以下:
POST /wordpress/wp-login.php HTTP/1.1
Host: mywordpress.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*; q=0.8
Accept-Language: en-us,en;q=0.5
DNT: 1
Referer: http://freebuf.com/wordpress/wp-login.php
Content-Type: application/x-www-form-urlencoded
Via: 1.1 owaspbwa.localdomain
Connection: Keep-Alive
Content-Length: 73
log=administrator&pwd=freebuf&submit=Login+%C2%BB&redirect_to=wp-admin%2F
payload部门包含了用户名和暗码,和登录成功后转向的页面。OK,体味数据包布局以后,我们可以成立法则,避免未经授权的拜候。
2:查抄Rerfer
正常的用户登录Wordpress,在数据包头部会包含一个Referer字段,可是经由过程人工编写的法度,良多不会包含Referer字段,直接发送登录要求到wp-login.php页面,所以,我们可以按照此成立一个ModSecurity法则来查抄Rerfer字段信息:
SecRule REQUEST_METHOD "@streq POST" "chain,id:'1',phase:2,t:none,block,log,msg:'Warning: Direct Login Missing Referer.'"
SecRule REQUEST_FILENAME "@pm /wp-login.php /wp-admin/" "chain"
ecRule &REQUEST_HEADERS:Referer "@eq 0"
当然经由过程脚本,很等闲实现Rerfer捏造,所以还需要接下来的法则一路共同。
3:限制拜候的IP
假定你不想点窜默许治理员帐号,可以添加一个法则只承诺特定的IP拜候治理页面,以下:
SecRule REQUEST_METHOD "@streq POST" "chain,id:'1',phase:2,t:none,block,log,msg:'Warning: Direct Login Missing Referer.'"
SecRule REQUEST_FILENAME "@pm /wp-login.php /wp-admin/" "chain"
SecRule ARGS:log "@streq freebuf" "chain"
SecRule REMOTE_ADDR !@ipMatch 72.192.214.223
在这个例子里,只承诺名称为freebuf的治理员帐户经由过程72.192.214.223的IP地址来拜候。
4:跟踪治理员帐户的登录测验测验
我们可以经由过程ModSecurity的法则来block掉落歹意IP,以下为登录掉败的返回包:
HTTP/1.1 200 OK
Date: Fri, 11 May 2012 03:24:53 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 11 May 2012 03:24:54 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1697
Connection: close
Content-Type: text/html; charset=UTF-8
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
functionfocusit()
{
document.getElementById('log').focus();}window.onload =focusit;
"chain, phase:4,id:999323,t:none,block,msg:'Authentication Failure Violation .',
logdata:'Number of Authentication Failures: %{ip.failed_auth_ attempt}'"
SecRule REQUEST_METHOD "@streq POST" "chain"
SecRule ARGS:log "@streq admin" "chain"
SecRule RESPONSE_STATUS "200" "chain"
SecRule RESPONSE_BODY "@contains Error:Incorrect password."
"chain,setvar:ip.failed_auth_attempt=+1,expirevar:ip.failed_auth_attempt=60"
SecRule IP:FAILED_AUTH_ATTEMPT "@gt 5"
5:设置验证要求的次数
ModSecurity可以在指定的时候内跟踪要求的数量,设置阀值来进行阻断报复打击,在它的法则集里已个包含了该法则,modsecurity_crs_10_setup.conf
以下:
#
# -- [[ Brute Force Protection ]] ---------------------------------------------------------
#
# If you are using the Brute Force Protection rule set, then uncomment the following
# lines and set the following variables:
# - Protected URLs: resources to protect (e.g. login pages) - set to your login page
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
SecAction \
"id:'900014', \
phase:1, \
t:none, \
setvar:'tx.brute_force_protected_urls=/wp-login.php', \
setvar:'tx.brute_force_burst_time_slice=60', \
setvar:'tx.brute_force_counter_threshold=10', \
setvar:'tx.brute_force_block_timeout=300', \
nolog, \
pass"
寄望点窜 setvar:’tx.brute_force_protected_urls=/wp-login.php‘,
设置终了后,激活modsecurity_crs_11_brute_force.conf
#
# Anti-Automation Rule for specific Pages (Brute Force Protection)
# This is a rate-limiting rule set and does not directly correlate whether the
# authentication attempt was successful or not.
#
#
# Enforce an existing IP address block and log only 1-time/minute
# We don't want to get flooded by alerts during an attack or scan so
# we are only triggering an alert once/minute. You can adjust how often
# you want to receive status alerts by changing the expirevar setting below.
#
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "chain,phase:1,id:'981036',block,msg:
'Brute Force Attack Identified from %{tx.real_ip}
(%{tx.brute_force_block_counter} hits since last alert)',
setvar:ip.brute_force_block_counter=+1"
SecRule &IP:BRUTE_FORCE_BLOCK_FLAG "@eq 0" "setvar:ip.brute_force_block_flag=1,
expirevar:ip.brute_force_block_flag=60,
setvar:tx.brute_force_block_counter=%{ip.brute_force_block_counter},
setvar:ip.brute_force_block_counter=0"
#
# Block and track # of requests but don't log
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "phase:1,id:'981037',block,nolog,
setvar:ip.brute_force_block_counter=+1"
#
# skipAfter Checks
# There are different scenarios where we don't want to do checks -
# 1. If the user has not defined any URLs for Brute Force Protection in the 10 config file
# 2. If the current URL is not listed as a protected URL
# 3. If the current IP address has already been blocked due to high requests
# In these cases, we skip doing the request counts.
#
SecRule &TX:BRUTE_FORCE_PROTECTED_URLS "@eq 0" "phase:5,id:'981038',
t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
SecRule REQUEST_FILENAME "!@within %{tx.brute_force_protected_urls}"
"phase:5,id:'981039',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "phase:5,id:'981040',
t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
#
# Brute Force Counter
# Count the number of requests to these resoures
#
SecAction "phase:5,id:'981041',t:none,nolog,pass,setvar:ip.brute_force_counter=+1"
#
# Check Brute Force Counter
# If the request count is greater than or equal to 50 within 5 mins,
# we then set the burst counter
#
SecRule IP:BRUTE_FORCE_COUNTER "@gt %{tx.brute_force_counter_threshold}"
"phase:5,id:'981042',t:none,nolog,pass,t:none,setvar:ip.brute_force_burst_counter=+1,
expirevar:ip.brute_force_burst_counter=%{tx.brute_force_burst_time_slice},
setvar:!ip.brute_force_counter"
#
# Check Brute Force Burst Counter and set Block
# Check the burst counter - if greater than or equal to 2, then we set the IP
# block variable for 5 mins and issue an alert.
#
SecRule IP:BRUTE_FORCE_BURST_COUNTER "@ge 2" "phase:5,id:'981043',
t:none,log,pass,msg:'Potential Brute Force Attack from %{tx.real_ip}
- # of Request Bursts: %{ip.brute_force_burst_counter}',
setvar:ip.brute_force_block=1,expirevar:ip.brute_force_block=%{tx.brute_force_block_timeout}"
SecMarker END_BRUTE_FORCE_PROTECTION_CHECKS
6:利用SecGuardianLog
从 1.9版本后,ModSecurity 撑持一个新的指令,SecGuardianLog,设计此指令用于把所有承诺数据经由过程治理日记功能发送到另外一个法度。自从 apache摆设成典型的多过程编制,信息共享变得坚苦了,这一设法就是摆设一个自力的外部过程利用状况机的编制往不雅察所有的要求,供给额外的呵护。利用编制以下:
语法: SecGuardianLog |/path/to/httpd-guardian
示例: SecGuardianLog |/usr/local/apache/bin/httpd-guardian
范围: Main
版本: 2.0.0
并且SecGuardianLog也能够和 SnortSam协同工作(http://www.snortsam.net)。假定已建设过 httpd-guardian(具体介绍请查看源代码)你只需要在 apache建设中添加一行便可以摆设它:
SecGuardianLog |/path/to/httpd-guardian
法则以下:
# If defined, execute this command when a threshold is reached
# block the IP address for one hour.
# $PROTECT_EXEC = "/sbin/blacklist block %s 3600";
# $PROTECT_EXEC = "/sbin/samtool -block -ip %s -dur 3600 www.freebuf.com";
my $PROTECT_EXEC;
# For testing only:
# $PROTECT_EXEC = "/sbin/blacklist-webclient %s 3600";
# Max. speed allowed, in requests per
# second, measured over an 1-minute period
my $THRESHOLD_1MIN = 2; # 120 requests in a minute
跟踪httpd守护过程数量,假定超越了限制,可以履行一些把持,如封锁IP一小时。