A WAF (Web Application Firewall) is a fairly expensive appliance or solution that can be considered essential for protecting web applications. ModSecurity (hereafter ModSec) is an open-source WAF that has been known for quite a long time.
Although it is open source, its feature set is not inferior to commercial WAFs; on the contrary, many commercial solutions are built on ModSec or borrow parts of it, such as its rule sets.
Besides ModSec, which has been well known since early on as an Apache-based WAF, there is also an Nginx-based open-source WAF called NAXSI (Nginx Anti XSS & SQL Injection).
Starting with v3, ModSec removed its dependency on Apache and was reworked into a standalone module so that it can be used with any platform.
Spoa-ModSecurity
spoa-modsecurity, which is provided in HAProxy's official GitHub repository, is a module developed to connect ModSec with HAProxy. HAProxy developed the SPOE (Stream Processing Offload Engine) module for communicating with external programs.
spoa-modsecurity is, simply put, a module built on that SPOE.
spoa-modsecurity was developed on top of ModSec v2. In addition, its installation and configuration guide is very unhelpful and contains a lot of incorrect information. After finishing all the configuration with some difficulty and running tests, I ran into problems such as the remote address always being reported as 127.0.0.1, or the ModSec rule set not being applied properly.
Because of these problems I modified the module source myself and resolved a few of the issues, but I was still not entirely happy with the fact that it was based on ModSec v2.
In the meantime I checked whether any forked versions existed, and among them I found the FireBurn fork, which has the largest number of commits and is still being committed to today. In this fork all of the problems I had found were fixed, and it had even been ported to ModSec v3.
This fork's installation and configuration guide was also very unhelpful and contained many errors, but I eventually managed to install it and am currently testing it.
This guide does not cover installing HAProxy; it covers how to build a WAF by installing ModSec v3 on HAProxy using the FireBurn fork of spoa-modsecurity.
include /usr/local/coreruleset/crs-setup.conf
include /usr/local/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include /usr/local/coreruleset/rules/REQUEST-901-INITIALIZATION.conf
include /usr/local/coreruleset/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include /usr/local/coreruleset/rules/REQUEST-910-IP-REPUTATION.conf
include /usr/local/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include /usr/local/coreruleset/rules/REQUEST-912-DOS-PROTECTION.conf
include /usr/local/coreruleset/rules/REQUEST-913-SCANNER-DETECTION.conf
include /usr/local/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include /usr/local/coreruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include /usr/local/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include /usr/local/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include /usr/local/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include /usr/local/coreruleset/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include /usr/local/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include /usr/local/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include /usr/local/coreruleset/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include /usr/local/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include /usr/local/coreruleset/rules/RESPONSE-950-DATA-LEAKAGES.conf
include /usr/local/coreruleset/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include /usr/local/coreruleset/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include /usr/local/coreruleset/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include /usr/local/coreruleset/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include /usr/local/coreruleset/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include /usr/local/coreruleset/rules/RESPONSE-980-CORRELATION.conf
include /usr/local/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
HAProxy configuration
[root 172-19-11-6 modsecurity-v3.0.8]# cd /etc/haproxy/
[root 172-19-11-6 haproxy]# haproxy -c -f haproxy.cfg
[NOTICE] (123986) : haproxy version is 2.6.7-c55bfdb
[NOTICE] (123986) : path to executable is /usr/local/sbin/haproxy
[WARNING] (123986) : config : 'option forwardfor' ignored for backend 'spoe-modsecurity' as it requires HTTP mode.
Warnings were found.
Configuration file is valid
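The haproxy.cfg that the check above validates is not shown on this page. The fragment below is an added example, not the author's configuration, assembled from the SPOE setup documented for upstream spoa-modsecurity: the agent is defined in its own file, the HTTP frontend attaches it as a filter, and the agent's TCP backend is the `spoe-modsecurity` backend named in the warning. The file path /etc/haproxy/spoe-modsecurity.conf, the listener 127.0.0.1:12345, the `app` backend and the 192.0.2.10 origin are assumed values, and the FireBurn fork's README should be checked for the exact message arguments it expects.

```haproxy
# /etc/haproxy/spoe-modsecurity.conf  (assumed path; SPOE engine definition)
[modsecurity]
spoe-agent modsecurity-agent
    messages check-request
    option var-prefix modsec          # results are exposed as txn.modsec.*
    timeout hello      100ms
    timeout idle       30s
    timeout processing 15ms           # per-request budget for the daemon's verdict
    use-backend spoe-modsecurity      # TCP backend that reaches the spoa daemon

spoe-message check-request
    args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
    event on-frontend-http-request

# /etc/haproxy/haproxy.cfg (relevant parts only)
defaults
    mode http
    option forwardfor                 # inherited by the TCP backend below, hence the warning
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    bind *:80
    unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid   # feeds the unique-id arg
    filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
    # deny when ModSec requested a disruptive action (code > 0); 0 means allowed
    http-request deny deny_status 403 if { var(txn.modsec.code) -m int gt 0 }
    default_backend app

backend spoe-modsecurity
    mode tcp                          # SPOE transport is TCP, not HTTP
    server modsec1 127.0.0.1:12345    # assumed: spoa daemon listening locally

backend app
    server web1 192.0.2.10:8080       # assumed origin server
```

The warning in the output above is the expected result of `option forwardfor` in `defaults` being inherited by a backend running in `mode tcp`; it is harmless and goes away if the option is moved into the HTTP frontend. Note that the deny condition fails open: if the daemon is unreachable, txn.modsec.code is never set and the request is forwarded, which is a choice to make consciously.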
Hello, the installation went fine, but the modsecurity daemon won't start… What should I check?
journalctl -xeu modsecurity
I think you should check the error details with the command above.