Monday, May 16, 2022

[Research] Installing ModSecurity 2.9.5 on IIS (Windows 2019)

2022-05-16

ModSecurity project website
https://modsecurity.org/

ModSecurity is an open-source web application firewall (WAF) project. It started out as a module for the Apache web server only; since 2012, the 2.x versions also support the IIS and Nginx web servers.

ModSecurity 3.x was split out into a standalone engine called libModSecurity. Officially, install-from-source instructions are currently provided only for CentOS 6/7, Amazon Linux 1/2, Ubuntu and Mac OS X, and the only connector supported is the one for Nginx. My own attempts to install it on CentOS Stream 8 and CentOS Stream 9 have failed so far (I will retry when I have time).

********************************************************************************

Reference for installing on IIS

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#installation-for-microsoft-iis

On Windows Server 2019, install IIS first (the defaults are fine; the ASP.NET components are not required).

Release v2.9.5 · SpiderLabs/ModSecurity · GitHub
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.5

Download and run ModSecurityIIS_2.9.5-64b.msi. By default ModSecurity is installed into the C:\Program Files\ModSecurity IIS directory.

C:\Program Files\ModSecurity IIS>dir /s
 磁碟區 C 中的磁碟沒有標籤。
 磁碟區序號:  D2BA-DEE4

 C:\Program Files\ModSecurity IIS 的目錄

2022/05/13  下午 03:50    <DIR>          .
2022/05/13  下午 03:50    <DIR>          ..
2021/11/30  下午 12:46             9,829 EULA.rtf
2021/11/30  下午 12:46             2,042 list_dependencies.bat  
2021/11/30  下午 12:46             8,620 modsecurity.conf
2021/11/30  下午 12:46               366 ModSecurity.xml
2021/11/30  下午 12:46                25 modsecurity_iis.conf
2021/11/30  下午 12:46               659 README.TXT
2021/11/30  下午 12:46            53,146 unicode.mapping
               7 個檔案          74,687 位元組

     檔案數目總計:
               7 個檔案          74,687 位元組
               2 個目錄  87,525,658,624 位元組可用

C:\Program Files\ModSecurity IIS>

Then consult the contents of C:\Program Files\ModSecurity IIS\README.TXT:

Please note that installing ModSecurity for IIS requires IIS to be installed and enabled.

After installing ModSecurity for IIS, the module will be running in all websites by default. 
To remove from a website add to web.config:

<modules>
<remove name="ModSecurityIIS" />
</modules>

To configure module in a website add to web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <ModSecurity enabled="true" configFile="c:\inetpub\wwwroot\xss.conf" />
    </system.webServer>
</configuration>

where configFile is standard ModSecurity config file.

Events from the module will show up in "Application" Windows log.

Under the IIS default website directory C:\inetpub\wwwroot, create a modsecurity directory, and copy modsecurity.conf, modsecurity_iis.conf and unicode.mapping from C:\Program Files\ModSecurity IIS into C:\inetpub\wwwroot\modsecurity.

Create a new C:\inetpub\wwwroot\web.config file with the following content (the xss.conf from README.TXT is not used):

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <!-- others config ...-->
    <system.webServer>
        <ModSecurity enabled="true" configFile="c:\inetpub\wwwroot\modsecurity\modsecurity_iis.conf" />
    </system.webServer>
</configuration>

By default ModSecurity runs in detection-only mode, so switch it to enforcement: edit c:\inetpub\wwwroot\modsecurity\modsecurity.conf, change SecRuleEngine DetectionOnly to SecRuleEngine On, then save and close the file.
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecRuleEngine

Then append the following rules at the end of the file:

SecRule ARGS:testparam "test" "id:1234,deny,status:403,msg:'Our test rule has triggered'"
SecRequestBodyAccess On 
SecRule ARGS_GET "@detectXSS" "id:152,log,deny"
SecRule ARGS_POST "@detectXSS" "id:153,log,deny"

The first rule says that if the query string contains a parameter named testparam whose value is test, ModSecurity rejects the request and returns 403.

SecRuleEngine [On|Off] sets whether ModSecurity rule processing is enabled.

SecRequestBodyAccess [On|Off] sets whether the request body is processed. Attacks that work by tampering with the incoming request, such as injection, XXE and XSS, can be defended against by inspecting the request.

SecResponseBodyAccess [On|Off] sets whether the response body is processed, so that content returned by the web server is inspected; this is used to prevent leakage of sensitive data. If it is off, response content that matches a blocking rule cannot be effectively blocked.

Lines 3 and 4 (the @detectXSS rules) block XSS.

Restart IIS for the settings to take effect.
********************************************************************************

Testing whether rule 1234 blocks the request

Open a browser and go to http://localhost/?testparam=test; you will see that the page is blocked by ModSecurity. The corresponding event can be found under Windows Start menu / Windows Administrative Tools / Event Viewer, in Windows Logs / Application, by looking for source "ModSecurity".
********************************************************************************

Testing http://localhost/demo.php?id=<script>alert(%27Hello%27);</script>
找不到來自來源 ModSecurity 之事件識別碼 1 的描述。本機電腦可能並未安裝引發此事件的元件,或安裝已損毀。
您可以在本機電腦上安裝或修復該元件。

如果事件源自其他電腦,則儲存它們時必須一併儲存顯示資訊。

下列資訊已隨附於該事件: 

[client ] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. 
[file "c:\inetpub\wwwroot\modsecurity\modsecurity.conf"] [line "234"] [id "152"] 
[hostname "WIN-VD8I3DJAJH2"] [uri "/demo.php?id=<script>alert(%27Hello%27);</script>"] 
[unique_id "18230571306628155301"]


The description for Event ID 1 from source ModSecurity cannot be found. Either the component that raises
this event is not installed on your local computer or the installation is corrupted. You can install or repair
 the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

[client ] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "c:\inetpub\wwwroot\modsecurity\modsecurity.conf"] [line "234"] [id "152"] [hostname "WIN-VD8I3DJAJH2"] [uri "/demo.php?id=<script>alert(%27Hello%27);</script>"] [unique_id "18230571306628155301"]
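The Application-log events shown above carry everything needed for triage (rule id, config file and line, URI, unique id), but only as one free-text line. As an added example, not code from the original post or from the ModSecurity project, the following Python script parses such messages into fields and counts blocked requests per rule id, which is the first thing to look at when tuning false positives after switching to SecRuleEngine On. The sample messages are constructed in the same format as the events above; the hostname and unique_id values are placeholders. It assumes the message text has already been retrieved from the event log (for instance exported from Event Viewer or with Get-WinEvent in PowerShell).

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Constructed sample messages (not real log data) in the format the IIS module
# writes to the Application log as Event ID 1, source "ModSecurity".
# Hostname and unique_id values are placeholders.
SAMPLE_EVENTS = [
    '[client ] ModSecurity: Access denied with code 403 (phase 2). '
    'detected XSS using libinjection. '
    '[file "c:\\inetpub\\wwwroot\\modsecurity\\modsecurity.conf"] [line "234"] [id "152"] '
    '[hostname "WIN-EXAMPLE"] [uri "/demo.php?id=<script>alert(%27Hello%27);</script>"] '
    '[unique_id "100000000000000001"]',
    '[client ] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "test" at ARGS:testparam. '
    '[file "c:\\inetpub\\wwwroot\\modsecurity\\modsecurity.conf"] [line "230"] [id "1234"] '
    '[msg "Our test rule has triggered"] [hostname "WIN-EXAMPLE"] '
    '[uri "/?testparam=test"] [unique_id "100000000000000002"]',
    # What the same rule produces while SecRuleEngine is still DetectionOnly: logged, not blocked.
    '[client ] ModSecurity: Warning. detected XSS using libinjection. '
    '[file "c:\\inetpub\\wwwroot\\modsecurity\\modsecurity.conf"] [line "234"] [id "152"] '
    '[hostname "WIN-EXAMPLE"] [uri "/demo.php?id=<script>alert(1)</script>"] '
    '[unique_id "100000000000000003"]',
]

# "[client <addr>] ModSecurity: " prefix (the IIS module leaves the address empty).
CLIENT_RE = re.compile(r"^\[client ([^\]]*)\]\s*ModSecurity:\s*")
# One [name "value"] tag; values may contain backslash-escaped quotes.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The free text before the tags: "<action> (phase N). <reason>."
ACTION_RE = re.compile(
    r"^(?:Access denied with code (?P<status>\d+)(?: \(phase \d+\))?|Warning)\.\s*(?P<reason>.*)$",
    re.S,
)


def parse_query(query):
    """Decode a query string into {name: value}. Done by hand rather than with parse_qs
    because parse_qs treated ';' as a separator in older Python versions, and the
    payload in the sample URI above contains a ';'."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[unquote(name)] = unquote(value)
    return params


def parse_event(message):
    """Split one ModSecurity event message into a dict of its fields."""
    head = CLIENT_RE.match(message)
    if head is None:
        raise ValueError("not a ModSecurity event message")
    body = message[head.end():]
    first_tag = TAG_RE.search(body)
    text = (body[: first_tag.start()] if first_tag else body).strip()
    tags = dict(TAG_RE.findall(body))
    action = ACTION_RE.match(text)
    status = int(action.group("status")) if action and action.group("status") else None
    reason = (action.group("reason") if action else text).strip().rstrip(".")
    uri = tags.get("uri", "")
    parts = urlsplit(uri)
    return {
        "client": head.group(1).strip(),
        "blocked": status is not None,   # "Access denied" vs. a DetectionOnly "Warning"
        "status": status,
        "reason": reason,
        "rule_id": tags.get("id"),
        "file": tags.get("file"),
        "line": tags.get("line"),
        "msg": tags.get("msg"),
        "hostname": tags.get("hostname"),
        "uri": uri,
        "path": parts.path,
        "params": parse_query(parts.query),
        "unique_id": tags.get("unique_id"),
    }


def blocked_by_rule(messages):
    """Count 'Access denied' events per rule id across a batch of messages."""
    counts = Counter(ev["rule_id"] for ev in map(parse_event, messages) if ev["blocked"])
    return dict(counts)


if __name__ == "__main__":
    for ev in map(parse_event, SAMPLE_EVENTS):
        kind = "BLOCK" if ev["blocked"] else "warn "
        print(f"{kind} rule={ev['rule_id']} {ev['path']} params={ev['params']} ({ev['reason']})")
    print("blocked per rule:", blocked_by_rule(SAMPLE_EVENTS))
```

A rule id that dominates the per-rule count on legitimate traffic is the one to exclude for that site (in the CRS layout below, via REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf) rather than by weakening the rule itself.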
********************************************************************************

Using the OWASP ModSecurity Core Rule Set (CRS)

The OWASP ModSecurity Core Rule Set (CRS) is a set of ModSecurity-compatible detection rules provided by OWASP, intended to protect web applications against a wide range of attacks.

https://coreruleset.org/ 

Download the OWASP ModSecurity Core Rule Set file coreruleset-3.3.2.zip and extract it into C:\Program Files\ModSecurity IIS\. The INSTALL file explains how to install it; the relevant part is section II:

Installing on IIS
-----------------
    The IIS installer comes with an optional version of CRS built in.
    To upgrade or install this after the fact follow the following
    steps.
    1. Navigate to "[drive_letters]:\Program Files\ModSecurity IIS\"
    2. Download our release from https://coreruleset.org/installation/
    and unpack it into the current folder.
    3. Move the crs-setup.conf.example file to crs-setup.conf.
    Please take this time to go through this
    file and customize the settings for your local environment. Failure to
    do so may result in false negatives and false positives. See the
    section entitled OWASP CRS Configuration for more detail.
    4. Rename rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and
    rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the
    '.example' extension. This will allow you to add exceptions without updates
    overwriting them in the future.
    5. Navigate back to the 'ModSecurity IIS' folder and modify the
    'modsecurity_iis' to include the following:
    ```
    include owasp-modsecurity-crs/crs-setup.conf
    include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
    include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
    include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
    include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
    include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
    include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
    include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
    include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
    include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
    include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
    include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
    include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
    include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
    include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
    include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
    include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
    include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
    include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
    include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
    include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
    include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
    include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
    include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
    include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
    include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
    ```
    6. Restart web server and ensure it starts without errors
    7. Make sure your web sites are still running fine.
    8. Proceed to the section "Testing the Installation" below.

Testing the Installation
========================
    To test your installation you should be able to use any number
    of attacks. A typical request which should trigger CRS would be
    ```http://localhost/?param="><script>alert(1);</script>```
    Upon sending this request you should see events reported in the
    error log (nginx apache) or the event viewer (IIS).

    If have not changed the defaults with regards to anomaly scoring,
    blocking and sampling percentage, then this request should have
    been blocked and access forbidden. Likewise if you have configured
    ModSecurity debug logging and/or audit logging this event should
    log to these locations as well.

Copy the extracted /rules directory and the crs-setup.conf.example file into C:\inetpub\wwwroot\modsecurity (partly because there appear to be directory permission problems, so placing them under the IIS-owned directory works better, and partly so the originals remain for reference), then rename some files to drop the .example extension:

C:\inetpub\wwwroot\modsecurity\crs-setup.conf.example
rename to
C:\inetpub\wwwroot\modsecurity\crs-setup.conf

C:\inetpub\wwwroot\modsecurity\rules\REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
rename to
C:\inetpub\wwwroot\modsecurity\rules\REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

C:\inetpub\wwwroot\modsecurity\rules\RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
rename to
C:\inetpub\wwwroot\modsecurity\rules\RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf


Edit C:\inetpub\wwwroot\modsecurity\modsecurity_iis.conf, changing its content from

Include modsecurity.conf   

to

Include modsecurity.conf   
Include crs-setup.conf
Include rules\*.conf

Save, close, and restart IIS.
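The procedure above comes down to three edits (flip SecRuleEngine to On, rename the .example files, add the Include lines) and a restart, and a missed step only shows up after IIS is restarted. As an added example, not part of the original post or of the CRS project, this Python script captures those edits as idempotent functions and adds a preflight check to run before restarting IIS: it reports .example files that were not renamed, missing Include lines, and a SecRuleEngine that is still DetectionOnly. The directory layout is the one assumed by the procedure above (C:\inetpub\wwwroot\modsecurity with a rules subdirectory); demo() builds a throw-away copy of that layout in a temporary directory rather than touching the real server.

```python
import re
import tempfile
from pathlib import Path

# Assumed layout, taken from the procedure above (adjust for your server):
#   <modsec_dir>\modsecurity.conf, modsecurity_iis.conf, unicode.mapping,
#   crs-setup.conf and rules\*.conf
REQUIRED_INCLUDES = ("Include modsecurity.conf", "Include crs-setup.conf", "Include rules\\*.conf")
EXCLUSION_FILES = (
    "REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf",
    "RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf",
)
ENGINE_RE = re.compile(r"^(\s*SecRuleEngine\s+)(\S+)", re.M)


def engine_mode(conf_text):
    """Return the SecRuleEngine value in modsecurity.conf (e.g. 'DetectionOnly'), or None if absent."""
    m = ENGINE_RE.search(conf_text)
    return m.group(2) if m else None


def set_engine_on(conf_text):
    """The edit from the procedure: SecRuleEngine DetectionOnly -> SecRuleEngine On, nothing else touched."""
    if ENGINE_RE.search(conf_text) is None:
        return conf_text.rstrip("\n") + "\nSecRuleEngine On\n"
    return ENGINE_RE.sub(lambda m: m.group(1) + "On", conf_text, count=1)


def with_crs_includes(iis_conf_text):
    """Return modsecurity_iis.conf content with all three Include lines, adding only the missing ones."""
    lines = [line.rstrip() for line in iis_conf_text.splitlines()]
    present = {line.strip() for line in lines}
    lines.extend(inc for inc in REQUIRED_INCLUDES if inc not in present)
    return "\n".join(lines) + "\n"


def preflight(modsec_dir):
    """Problems to fix before restarting IIS; an empty list means the layout matches the procedure."""
    d = Path(modsec_dir)
    problems = []
    for name in ("modsecurity.conf", "modsecurity_iis.conf", "unicode.mapping"):
        if not (d / name).is_file():
            problems.append(f"missing {name}")
    if not (d / "crs-setup.conf").is_file():
        if (d / "crs-setup.conf.example").is_file():
            problems.append("crs-setup.conf.example has not been renamed to crs-setup.conf")
        else:
            problems.append("missing crs-setup.conf")
    rules = d / "rules"
    if not rules.is_dir():
        problems.append("missing rules directory")
    else:
        for name in EXCLUSION_FILES:
            if not (rules / name).is_file():
                problems.append(f"rules\\{name} has not been renamed from .example")
    iis_conf = d / "modsecurity_iis.conf"
    if iis_conf.is_file():
        present = {line.strip() for line in iis_conf.read_text().splitlines()}
        problems.extend(f"modsecurity_iis.conf lacks '{inc}'" for inc in REQUIRED_INCLUDES if inc not in present)
    main_conf = d / "modsecurity.conf"
    if main_conf.is_file():
        mode = engine_mode(main_conf.read_text())
        if mode != "On":
            problems.append(f"SecRuleEngine is {mode}, so requests are only logged, not blocked")
    return problems


def demo():
    """Stage the 'before' layout in a temp dir, check it, apply the edits, check again."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "rules").mkdir()
        # Constructed stand-ins for the files copied from the MSI and the CRS zip.
        (d / "modsecurity.conf").write_text("SecRuleEngine DetectionOnly\nSecRequestBodyAccess On\n")
        (d / "modsecurity_iis.conf").write_text("Include modsecurity.conf   \n")
        (d / "unicode.mapping").write_text("")
        (d / "crs-setup.conf.example").write_text("# constructed placeholder\n")
        for name in EXCLUSION_FILES:
            (d / "rules" / (name + ".example")).write_text("")
        before = preflight(d)
        # Apply the procedure: rename the .example files, enable blocking, add the includes.
        (d / "crs-setup.conf.example").rename(d / "crs-setup.conf")
        for p in (d / "rules").glob("*.conf.example"):
            p.rename(p.with_name(p.name[: -len(".example")]))
        conf = d / "modsecurity.conf"
        conf.write_text(set_engine_on(conf.read_text()))
        iis_conf = d / "modsecurity_iis.conf"
        iis_conf.write_text(with_crs_includes(iis_conf.read_text()))
        after = preflight(d)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```

On a real server, run preflight() against C:\inetpub\wwwroot\modsecurity and only restart IIS once it returns an empty list; the check is read-only, so it is also a reasonable thing to run after every CRS upgrade, since an upgrade ships fresh .example files.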
********************************************************************************

Conclusion

Looking at the Windows Event Viewer, the message "The description for Event ID 1 from source ModSecurity cannot be found" remains, and I do not yet know how to resolve it. Is it a compatibility problem between ModSecurity and IIS? A bug? Some other factor?

During the process there also appeared to be some directory permission problems; some directories may need to be granted permissions for IIS_IUSRS, possibly read or even write.

Performance was below my expectations. For WAF work of this kind, a hardware WAF at the gateway, where control is centralized, is probably better; managing every IIS server individually is tiring.

(End)

Related

[Research] ModSecurity 2.x and libModSecurity 3.x - Web Application Firewall (WAF)
https://shaurong.blogspot.com/2022/05/modsecurity-2x-libmodsecurity-3x-waf.html

[Research] Installing ModSecurity 2.9.5 on IIS (Windows 2019)
https://shaurong.blogspot.com/2022/05/iis-modsecurity-295-windows-2019.html

[Research] XAMPP 7.4.29.0 with ModSecurity 2.9.5 (WAF, Web Application Firewall) installation test (Windows 2019)
https://shaurong.blogspot.com/2022/05/xampp-74290-modsecurity-295-waf-windows.html

Web application firewall - Wikipedia
https://en.wikipedia.org/wiki/Web_application_firewall

OWASP ModSecurity Core Rule Set – The 1st Line of Defense Against Web Application Attacks
https://coreruleset.org/

How to protect Windows IIS with the ModSecurity 2.9.4 WAF - Installation | 亂馬客 - Re: Software Development Life from Zero
https://rainmakerho.github.io/2021/09/01/secure-iis-with-ModSecurity-WAF/

How to protect Windows IIS with the ModSecurity 2.9.4 WAF - Configuration | 亂馬客 - Re: Software Development Life from Zero
https://rainmakerho.github.io/2021/09/02/secure-iis-with-ModSecurity-WAF-Config/

Resolved - ModSecurity is Enabled but is not Working on Windows | Plesk Forum
https://talk.plesk.com/threads/modsecurity-is-enabled-but-is-not-working-on-windows.343239/

c# - ModSecurity default installation running on IIS 10.0 with CRS rule set generating a lot of errors - Stack Overflow
https://stackoverflow.com/questions/43066298/modsecurity-default-installation-running-on-iis-10-0-with-crs-rule-set-generatin

security - Modsecurity doesn't work correctly on Windows Server 2008 R2 - Stack Overflow
https://stackoverflow.com/questions/37615304/modsecurity-doesnt-work-correctly-on-windows-server-2008-r2

4 Open Source Web Application Firewall for Better Security
https://geekflare.com/open-source-web-application-firewall/
