
Last updated: 11 January 2026 at 12:07

ModSecurity: Web Application Firewall

ModSecurity is an open-source web application firewall (WAF) engine for Apache and Nginx. It inspects HTTP requests and responses against rules, but ships with almost no rules of its own: the protection against SQL injection, XSS and the other OWASP Top 10 attack classes comes from a rule set such as the OWASP Core Rule Set (CRS) described below.

Installation (Apache)

# Ubuntu/Debian
sudo apt update
sudo apt install libapache2-mod-security2 -y

# Enable the module
sudo a2enmod security2

# Activate the base configuration (it ships with SecRuleEngine DetectionOnly: everything is logged, nothing is blocked yet)
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

# Check the configuration and restart Apache
sudo apachectl configtest
sudo systemctl restart apache2

Installation (Nginx)

# libmodsecurity (ModSecurity v3) is a standalone library; Nginx uses it through the ModSecurity-nginx connector module
sudo apt install -y libmodsecurity3 libmodsecurity-dev

# Nginx ModSecurity connector
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git

# Build the connector as a dynamic module in the source tree of the exact Nginx version you run (nginx -v),
# with the same ./configure arguments the running binary was built with (nginx -V)
./configure --add-dynamic-module=../ModSecurity-nginx
make modules

# Then load it in nginx.conf and enable it in the server or location block; the rules file takes the role of modsecurity.conf
load_module modules/ngx_http_modsecurity_module.so;
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;

Enabling ModSecurity

sudo nano /etc/modsecurity/modsecurity.conf
# Change DetectionOnly to On. Keep DetectionOnly while the rule set is new and review the logs first; switch to On once the false positives are tuned away
SecRuleEngine On

# Audit log. RelevantOnly (the recommended default) records only transactions that hit a rule or return an error status; On records every request and fills the disk fast
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log

# Inspect request bodies (without this, POST parameters are never checked); limits are in bytes, oversized bodies are rejected
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject

OWASP Core Rule Set (CRS)

# Download the CRS; check out a release tag (git tag -l) instead of running the development branch in production
cd /etc/modsecurity
sudo git clone https://github.com/coreruleset/coreruleset.git

# Configuration
sudo cp coreruleset/crs-setup.conf.example coreruleset/crs-setup.conf
# The two exclusion files are loaded before and after the rules; this is where local tuning belongs
sudo cp coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
sudo cp coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

# Include in Apache. The order matters: modsecurity.conf first, then crs-setup.conf, then the rules
sudo nano /etc/apache2/mods-enabled/security2.conf
<IfModule security2_module>
    SecDataDir /var/cache/modsecurity
    IncludeOptional /etc/modsecurity/*.conf
    IncludeOptional /etc/modsecurity/coreruleset/crs-setup.conf
    IncludeOptional /etc/modsecurity/coreruleset/rules/*.conf
</IfModule>

Important rules

The CRS protects against:

  • SQL injection (SQLi)
  • Cross-site scripting (XSS)
  • Local file inclusion (LFI)
  • Remote code execution (RCE)
  • Session fixation
  • Scanner detection

By default the CRS does not block on the first match. Each matching rule adds to an anomaly score, and rule 949110 denies the request once the inbound score reaches the threshold set in crs-setup.conf (5 by default). This is why a blocked request shows up in the error log as one "Access denied" line plus one "Warning" line per rule that scored.

Custom rules

sudo nano /etc/modsecurity/custom-rules.conf
# This file is picked up by IncludeOptional /etc/modsecurity/*.conf, i.e. before the CRS. Every rule needs a unique id; 1-99999 is reserved for local rules
# Block an IP address
SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" "id:1001,phase:1,deny,status:403,log,msg:'IP blocked'"

# Block a User-Agent (case-insensitive substring match)
SecRule REQUEST_HEADERS:User-Agent "@contains badbot" "id:1002,phase:1,t:lowercase,deny,status:403,log,msg:'Bad bot'"

# SQL injection pattern. ARGS covers query string and POST body, so this has to run in phase 2, after the request body has been read
SecRule ARGS "@detectSQLi" "id:1003,phase:2,t:none,deny,status:403,log,msg:'SQL Injection detected'"

# Path traversal. REQUEST_URI is not URL-decoded by the engine; without t:urlDecodeUni, %2e%2e/ would slip past this rule
SecRule REQUEST_URI "\.\./" "id:1004,phase:1,t:none,t:urlDecodeUni,t:removeNulls,deny,status:403,log,msg:'Path traversal'"

Whitelist / false positives

# SecRuleRemoveById and SecRuleUpdateTargetById only act on rules that are already loaded, so they must come after the CRS rules, e.g. in coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf. In a file under /etc/modsecurity/*.conf they are read before the CRS and have no effect on it

# Disable a rule globally
SecRuleRemoveById 941100

# Disable for a specific path only (Apache; Nginx has no <Location>, use a SecRule with ctl:ruleRemoveById in the BEFORE-CRS exclusion file instead)
<Location /admin/editor>
    SecRuleRemoveById 941100 942100
</Location>

# Keep the rule, but stop it from inspecting a single parameter; this is the least invasive exclusion and should be the first choice
SecRuleUpdateTargetById 941100 "!ARGS:content"

Log analysis

# Audit log: full request and response of every recorded transaction, split into parts marked --<id>-A-- to --<id>-Z--
sudo tail -f /var/log/apache2/modsec_audit.log

# Rule hits go to the Apache error log. With anomaly scoring, "Access denied" only shows the final evaluation rule 949110; the rules that actually scored are the "Warning" lines with the same unique_id
sudo grep "ModSecurity" /var/log/apache2/error.log
sudo grep "Access denied" /var/log/apache2/error.log

# ModSecurity debug log (in modsecurity.conf). Levels 1-3 are copied to the error log anyway; level 9 records every step of rule processing and is only for troubleshooting a single rule
SecDebugLog /var/log/modsec_debug.log
SecDebugLogLevel 3
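Tuning the CRS is a loop: run in DetectionOnly, collect the rule hits from the error log, work out which rule/path/parameter combinations are false positives, write the narrowest exclusion that covers them, and repeat. The script below is an added example for this page, not code from ModSecurity or the OWASP CRS. It parses constructed error-log lines in the mod_security2 format, tallies hits per rule, URI and matched variable while skipping the anomaly-score evaluation rules, and drafts a runtime ctl:ruleRemoveTargetById exclusion for every combination that recurs. The sample log lines, the function names and the exclusion rule IDs starting at 10000 are assumptions of the example.

```python
"""Tally CRS rule hits from the Apache error log and draft exclusion rules.

Added example for this page, not code from ModSecurity or the OWASP CRS.
The log lines are constructed in the mod_security2 error-log format; the
function names and the exclusion rule IDs from 10000 up are this example's
own choices.
"""
import re
from collections import Counter

# Anomaly-scoring evaluation/reporting rules. They fire on every blocked
# request and say nothing about which rule produced the false positive.
EVALUATION_RULES = {"949110", "959100", "980130"}

ID_RE = re.compile(r'\[id "(\d+)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')
# Variable the rule matched: "... found within ARGS:content: ..." in CRS
# data fields, or 'Pattern match "..." at ARGS:file.' for plain @rx rules.
VAR_RE = re.compile(r'(?:found within|Pattern match ".*?" at) ([A-Z_]+(?::[^\s:.]+)?)')

# Constructed sample: the rich-text "content" field of /admin/editor trips the
# XSS rule twice and the SQLi rule once, which pushes the anomaly score over the
# threshold (949110); /download sees one genuine traversal attempt; the last
# line is an unrelated Apache error that must be ignored.
SAMPLE_ERROR_LOG = r"""
[Sat Jan 11 12:07:01.000001 2026] [security2:error] [pid 101:tid 1] [client 198.51.100.7:50001] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <b onclick=x>"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/admin/editor"] [unique_id "a1"]
[Sat Jan 11 12:07:01.000002 2026] [security2:error] [pid 101:tid 1] [client 198.51.100.7:50001] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:content: 1 or 1=1"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/admin/editor"] [unique_id "a1"]
[Sat Jan 11 12:07:01.000003 2026] [security2:error] [pid 101:tid 1] [client 198.51.100.7:50001] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/admin/editor"] [unique_id "a1"]
[Sat Jan 11 12:07:02.000001 2026] [security2:error] [pid 101:tid 2] [client 198.51.100.7:50002] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <i onmouseover=x>"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/admin/editor"] [unique_id "a2"]
[Sat Jan 11 12:07:03.000001 2026] [security2:error] [pid 102:tid 1] [client 203.0.113.9:40002] ModSecurity: Warning. Pattern match "(?i)(?:\.\./)" at ARGS:file. [file "/etc/modsecurity/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "35"] [id "930110"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: ../ found within ARGS:file: ../../etc/passwd"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/download"] [unique_id "b1"]
[Sat Jan 11 12:07:05.000001 2026] [core:error] [pid 101:tid 1] [client 198.51.100.7:50005] AH00124: Request exceeded the limit of 10 internal redirects
""".strip().splitlines()


def parse_hit(line):
    """Return (rule_id, uri, variable, msg) for a ModSecurity rule-hit line, else None."""
    if "ModSecurity:" not in line:
        return None
    rule_id = ID_RE.search(line)
    if rule_id is None:
        return None
    uri, var, msg = (p.search(line) for p in (URI_RE, VAR_RE, MSG_RE))
    return (rule_id.group(1),
            uri.group(1) if uri else "",
            var.group(1) if var else "",
            msg.group(1) if msg else "")


def tally_hits(lines):
    """Count hits per (rule_id, uri, variable), skipping the evaluation rules."""
    counts = Counter()
    for line in lines:
        hit = parse_hit(line)
        if hit is not None and hit[0] not in EVALUATION_RULES:
            counts[hit[:3]] += 1
    return counts


def draft_exclusions(counts, min_hits=2, first_id=10000):
    """Draft one runtime exclusion per (rule, uri, variable) seen at least
    min_hits times; rarer hits are listed for manual review, since a single
    match is more likely a real attack than a false positive.

    The drafted rules use ctl: actions, which apply at request time and so
    belong before the CRS (REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf).
    """
    rules, review = [], []
    next_id = first_id
    for (rule_id, uri, var), n in sorted(counts.items()):
        if n < min_hits:
            review.append(f"# review: rule {rule_id} on {uri} ({var or 'no variable'}), {n} hit(s)")
            continue
        # Prefer excluding only the offending variable; drop the whole rule
        # for that path only when no variable could be extracted.
        action = (f"ctl:ruleRemoveTargetById={rule_id};{var}" if var
                  else f"ctl:ruleRemoveById={rule_id}")
        rules.append(f'SecRule REQUEST_URI "@beginsWith {uri}" '
                     f'"id:{next_id},phase:1,pass,nolog,{action}"')
        next_id += 1
    return rules, review


if __name__ == "__main__":
    counts = tally_hits(SAMPLE_ERROR_LOG)
    for (rule_id, uri, var), n in counts.most_common():
        print(f"{n:4d}  {rule_id}  {uri}  {var}")
    rules, review = draft_exclusions(counts)
    print("\n".join(rules + review))
```

Against a live server, call tally_hits(open("/var/log/apache2/error.log")) instead of the sample. The drafted rules use ctl: actions, so they go into REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, not next to the SecRuleRemoveById directives above, and the single-hit entries must be checked by hand: the script counts recurrence, it cannot tell a false positive from a real attack.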

Paranoia level

# In crs-setup.conf: uncomment rule 900000 and set the level
# Level 1 = default (few false positives)
# Level 2 = stricter
# Level 3 = stricter still
# Level 4 = paranoid (many false positives)
# CRS 3.x
SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=1"
# CRS 4.x (what a fresh git checkout gives you) renamed the variable to tx.blocking_paranoia_level
SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.blocking_paranoia_level=1"
# Raise the level one step at a time and tune away the new false positives before raising it again
