exclude rules

GON-3874-DD-moodle
Manuel Caballero 2022-11-09 23:28:20 +00:00 committed by Evilham
parent cb183de9cf
commit fcff698f6f
No known key found for this signature in database
GPG Key ID: AE3EE30D970886BF
9 changed files with 122 additions and 26 deletions

1
.gitignore vendored
View File

@ -10,6 +10,7 @@ docs.built/
dd-sso/docker/api/src/api/static/templates/*.html dd-sso/docker/api/src/api/static/templates/*.html
dd-sso/docker/api/src/api/static/templates/*.json dd-sso/docker/api/src/api/static/templates/*.json
dd-sso/docker/keycloak/themes/dd-custom dd-sso/docker/keycloak/themes/dd-custom
dd-sso/admin/src/admin/node_modules/
.idea/ .idea/
*.log *.log
# External, unmodified files # External, unmodified files

14
dd-ctl
View File

@ -870,6 +870,17 @@ special_image_tags() {
done done
} }
enable_waf() {
# Enable waf
echo "Enable rules ModSecurity"
docker exec dd-waf-apache bash -c 'sed -i.orig -e "s/modsecurity Off/modsecurity On/" /etc/apache2/sites-enabled/000-default.conf'
echo "Done"
echo "Restart Apache - ModSecurity"
docker restart dd-waf-apache
echo "Done"
}
push_images() { push_images() {
# #
# Note this requires docker login on the registry # Note this requires docker login on the registry
@ -984,6 +995,9 @@ case "$OPERATION" in
securize) securize)
securize securize
;; ;;
waf)
enable_waf
;;
setconf) setconf)
setconf "$@" setconf "$@"
;; ;;

View File

@ -9,5 +9,6 @@ services:
restart: unless-stopped restart: unless-stopped
volumes: volumes:
- /etc/localtime:/etc/localtime:ro - /etc/localtime:/etc/localtime:ro
- ${SRC_FOLDER}/modsecurity/rules:/etc/apache2/modsecurity.d/dd-rules:rw
networks: networks:
- dd_net - dd_net

View File

@ -38,6 +38,9 @@ frontend tf_waf
acl letsencrypt-acl path_beg /.well-known/acme-challenge/ acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt if letsencrypt-acl use_backend letsencrypt if letsencrypt-acl
# Internal traffic
use_backend bk_web if { src 192.168.0.0/16 }
default_backend bk_waf default_backend bk_waf
# Traffic secured by the WAF arrives here # Traffic secured by the WAF arrives here

View File

@ -1,17 +1,14 @@
<VirtualHost *:80> <VirtualHost *:80>
modsecurity on modsecurity Off
modsecurity_rules_file /etc/apache2/modsecurity.d/modsec_rules.conf modsecurity_rules_file /etc/apache2/modsecurity.d/modsec_rules.conf
ServerAdmin webmaster@localhost ServerAdmin webmaster@localhost
DocumentRoot /var/www/html DocumentRoot /var/www/html
#ErrorLog ${APACHE_LOG_DIR}/error.log ErrorLog /var/log/apache2/error.log
#CustomLog ${APACHE_LOG_DIR}/access.log combined CustomLog /var/log/apache2/access.log combined
ErrorLog /dev/stderr
TransferLog /dev/stdout
ProxyPreserveHost On ProxyPreserveHost On
ProxyRequests off ProxyRequests off
ProxyVia Off ProxyVia Off
ProxyPass "/" "http://dd-waf-haproxy:81/" ProxyPass "/" "http://dd-waf-haproxy:81/"
ProxyPassReverse "/" "http://dd-waf-haproxy:81/" ProxyPassReverse "/" "http://dd-waf-haproxy:81/"
</VirtualHost> </VirtualHost>

View File

@ -1,4 +1,4 @@
# Install Modsecurity in a Docker container; # Install Modsecurity in a Docker container
FROM ubuntu:20.04 as production FROM ubuntu:20.04 as production
ARG DEBIAN_FRONTEND=noninteractive ARG DEBIAN_FRONTEND=noninteractive
# update/upgrade your system # update/upgrade your system
@ -9,8 +9,8 @@ RUN apt-get install -y g++ flex bison curl apache2-dev \
doxygen libyajl-dev ssdeep liblua5.2-dev \ doxygen libyajl-dev ssdeep liblua5.2-dev \
libgeoip-dev libtool dh-autoreconf \ libgeoip-dev libtool dh-autoreconf \
libcurl4-gnutls-dev libxml2 libpcre++-dev \ libcurl4-gnutls-dev libxml2 libpcre++-dev \
libxml2-dev git wget tar apache2 \ libxml2-dev git wget tar apache2
certbot python3-certbot-apache # certbot python3-certbot-apache
# Download LibModsecurity # Download LibModsecurity
RUN wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.8/modsecurity-v3.0.8.tar.gz RUN wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.8/modsecurity-v3.0.8.tar.gz
@ -32,23 +32,31 @@ RUN cd ~/ModSecurity-apache && \
make && \ make && \
make install make install
# logs should go to stdout / stderr
RUN set -ex \
&& ln -sfT /dev/stderr /var/log/apache2/error.log \
&& ln -sfT /dev/stdout /var/log/apache2/access.log \
&& ln -sfT /dev/stdout /var/log/apache2/other_vhosts_access.log
# Load the Apache ModSecurity Connector Module # Load the Apache ModSecurity Connector Module
RUN echo "LoadModule security3_module /usr/lib/apache2/modules/mod_security3.so" >> /etc/apache2/apache2.conf RUN echo "LoadModule security3_module /usr/lib/apache2/modules/mod_security3.so" >> /etc/apache2/apache2.conf
# Configure ModSecurity # Configure ModSecurity
RUN mkdir /etc/apache2/modsecurity.d && \ RUN mkdir -p /etc/apache2/modsecurity.d/dd-rules && \
cp modsecurity-v3.0.8/modsecurity.conf-recommended /etc/apache2/modsecurity.d/modsecurity.conf && \ cp modsecurity-v3.0.8/modsecurity.conf-recommended /etc/apache2/modsecurity.d/modsecurity.conf && \
cp modsecurity-v3.0.8/unicode.mapping /etc/apache2/modsecurity.d/ && \ cp modsecurity-v3.0.8/unicode.mapping /etc/apache2/modsecurity.d/ && \
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/apache2/modsecurity.d/modsecurity.conf sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/apache2/modsecurity.d/modsecurity.conf
ADD modsec_rules.conf /etc/apache2/modsecurity.d/ ADD modsec_rules.conf /etc/apache2/modsecurity.d/
# Install OWASP ModSecurity Core Rule Set (CRS) on Ubuntu # Install OWASP ModSecurity Core Rule Set (CRS) on Ubuntu
RUN git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /etc/apache2/modsecurity.d/owasp-crs && \ RUN git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /etc/apache2/modsecurity.d/owasp-crs
cp /crs-setup.conf /etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf ADD crs-setup.conf /etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf
# Activate ModSecurity # Activate ModSecurity
RUN mv /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-default.conf.old RUN mv /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-default.conf.old
ADD 000-default.conf /etc/apache2/sites-available/ ADD 000-default.conf /etc/apache2/sites-available/
ADD rules_apps.conf /etc/apache2/modsecurity.d/owasp-crs/rules/000-dd-apps.conf
RUN a2enmod proxy_http RUN a2enmod proxy_http
@ -57,3 +65,8 @@ CMD apachectl -D FOREGROUND
# Testing ModSecurity # Testing ModSecurity
#curl http://<SERVER-IP/DOMAIN>/index.php?exec=/bin/bash #curl http://<SERVER-IP/DOMAIN>/index.php?exec=/bin/bash
# TODO
# Juntas capas y reducir peso
# user no root

View File

@ -379,13 +379,13 @@ SecAction \
# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK # Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK
# MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK # MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK
# Uncomment this rule to change the default. # Uncomment this rule to change the default.
#SecAction \ SecAction \
# "id:900200,\ "id:900200,\
# phase:1,\ phase:1,\
# nolog,\ nolog,\
# pass,\ pass,\
# t:none,\ t:none,\
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'" setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT'"
# Content-Types that a client is allowed to send in a request. # Content-Types that a client is allowed to send in a request.
# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| # Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|

View File

@ -1,4 +1,4 @@
Include "/etc/apache2/modsecurity.d/modsecurity.conf" Include "/etc/apache2/modsecurity.d/modsecurity.conf"
Include "/etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf" Include "/etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf"
#Include "/etc/apache2/modsecurity.d/dd-rules/*.conf"
Include "/etc/apache2/modsecurity.d/owasp-crs/rules/*.conf" Include "/etc/apache2/modsecurity.d/owasp-crs/rules/*.conf"
Include "/etc/apache2/modsecurity.d/dd-rules.conf"

View File

@ -0,0 +1,67 @@
# Rules
#######
SecRule REQUEST_FILENAME "@endsWith /apps/user_status/heartbeat" \
"id:99000001,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=911100"
SecRule REQUEST_FILENAME "@rx /apps/text/session/(?:create|fetch|sync|close)$" \
"id:99000002,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.2.0',\
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"
SecRule REQUEST_FILENAME "@contains /auth/saml2/sp/saml2-acs.php" \
"id:99000003,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=920440"
SecRule REQUEST_FILENAME "@contains /auth/saml2/sp/saml2-logout.php" \
"id:99000004,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=920440"
SecRule REQUEST_FILENAME "@contains /apps/text/session" \
"id:99000005,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=911100"
SecRule REQUEST_FILENAME "@contains /apps/user_status/heartbeat" "phase:1,id:99000006,nolog,chain"
SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"
SecRule REQUEST_FILENAME "@contains /remote.php/dav" "phase:1,id:99000007,nolog,chain"
SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"
SecRule REQUEST_FILENAME "@contains /apps/text/session" "phase:1,id:99000008,nolog,chain"
SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"
SecRule REQUEST_FILENAME "@contains /socket.io" "phase:1,id:99000009,nolog,chain"
SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"
SecRule REQUEST_FILENAME "@contains /auth/realms/master/avatar-provider" "phase:1,id:99000010,nolog,chain"
SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"
SecRule REQUEST_FILENAME "@contains /lib/ajax/service-nologin.php" "phase:1,id:99000011,nolog,chain"
SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"
SecRule REQUEST_FILENAME "@contains /lib/ajax/service.php" "phase:1,id:99000012,nolog,chain"
SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"
SecRule REQUEST_FILENAME "@contains /apps/polls/poll" "phase:1,id:99000013,nolog,chain"
SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"