Install ModSecurity 3 with Apache in a Docker Container

Welcome to our guide on how to install ModSecurity 3 with Apache in a Docker container. Libmodsecurity (ModSecurity v3) is an open source, cross-platform web application firewall (WAF) developed by Trustwave's SpiderLabs. It is a complete rewrite of ModSecurity v2 and provides a powerful event-based rule language that protects web applications against a range of attacks such as SQL injection, Cross-site Scripting (XSS), Local File Include and Remote File Include. It also allows for HTTP traffic monitoring, logging and real-time analysis.

To install ModSecurity 3 in a Docker container, we will build our own Docker image based on our earlier tutorials on installing ModSecurity 3, linked below:

Install LibModsecurity with Apache on Debian 10

Install LibModsecurity with Apache on Ubuntu 20.04

Configure LibModsecurity with Apache on CentOS 8

Configure LibModsecurity with Nginx on CentOS 8

Install Docker

Docker must be installed on the host OS. In this guide we use an Ubuntu 20.04 server to host the Docker container, so run the commands below to install Docker on Ubuntu 20.04 (as root, or prefix each command with sudo):

apt install apt-transport-https ca-certificates curl gnupg-agent software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
echo "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -sc) stable" > /etc/apt/sources.list.d/docker-ce.list
apt update

(apt-key is deprecated on releases after Ubuntu 20.04; there, store the repository key under /etc/apt/keyrings and reference it with a signed-by= option in the deb line instead.)

Install Docker CE and the other tools, including containerd.io, an open and reliable container runtime.

apt install docker-ce docker-ce-cli containerd.io

Create the Dockerfile

Since we will build the ModSecurity container from the ModSecurity installation commands, you need to create a Dockerfile. A Dockerfile is a text document containing all the commands a user could call on the command line to assemble an image.

vim Dockerfile

Paste the content below into the Dockerfile.

We use an Ubuntu image to build the ModSecurity container, so the installation commands from the guide Install LibModsecurity with Apache on Ubuntu 20.04 are used. Two caveats before you build: pin the Core Rule Set to a release (for example with git clone --branch and a release tag) rather than cloning the default branch, so that rebuilds are reproducible; and be aware that the Apache connector for libmodsecurity is still a beta (the log further down reports ModSecurity-Apache v0.1.1-beta), whereas the Nginx connector is the mature ModSecurity 3 integration.

# Running Modsecurity in a Docker container
# Pinned to the release these build steps were written for; ubuntu:latest moves on
# and the package names below (liblua5.2-dev, libpcre++-dev) are not guaranteed there.
FROM ubuntu:20.04
ARG DEBIAN_FRONTEND=noninteractive

# Run system update/upgrade
RUN apt update -y && apt upgrade -y

# Install Required Build Tools and Dependencies
RUN apt install -y g++ flex bison curl apache2-dev \
	doxygen libyajl-dev ssdeep liblua5.2-dev \
	libgeoip-dev libtool dh-autoreconf \
	libcurl4-gnutls-dev libxml2 libpcre++-dev \
	libxml2-dev git wget tar apache2

# Download LibModsecurity Source Code
RUN wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.4/modsecurity-v3.0.4.tar.gz

# Extract the ModSecurity source code.
RUN tar xzf modsecurity-v3.0.4.tar.gz && rm -rf modsecurity-v3.0.4.tar.gz

# Compile and Install LibModsecurity
RUN cd modsecurity-v3.0.4 && \
	./build.sh && ./configure && \
	make && make install

# Install ModSecurity-Apache Connector
RUN cd ~ && git clone https://github.com/SpiderLabs/ModSecurity-apache
RUN cd ~/ModSecurity-apache && \
	./autogen.sh && \
	./configure --with-libmodsecurity=/usr/local/modsecurity/ && \
	make && \
	make install

# Load the Apache ModSecurity Connector Module
RUN echo "LoadModule security3_module /usr/lib/apache2/modules/mod_security3.so" >> /etc/apache2/apache2.conf

# Configure ModSecurity (switch the engine from DetectionOnly to blocking)
RUN mkdir /etc/apache2/modsecurity.d && \
	cp modsecurity-v3.0.4/modsecurity.conf-recommended /etc/apache2/modsecurity.d/modsecurity.conf && \
	cp modsecurity-v3.0.4/unicode.mapping /etc/apache2/modsecurity.d/ && \
	sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/apache2/modsecurity.d/modsecurity.conf
ADD modsec_rules.conf /etc/apache2/modsecurity.d/

# Install OWASP ModSecurity Core Rule Set (CRS) on Ubuntu
RUN git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /etc/apache2/modsecurity.d/owasp-crs && \
	cp /etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf.example /etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf

# Activate ModSecurity
RUN mv /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-default.conf.old
ADD 000-default.conf /etc/apache2/sites-available/

# Keep the Apache/ModSecurity logs on a volume (this step appears in the build output below)
VOLUME /var/log/apache2
EXPOSE 80
CMD apachectl -D FOREGROUND

Specify the base image for the Docker container with the FROM instruction. The image is pulled from Docker Hub's public repository.

Build the ModSecurity 3 with Apache Docker Image

Once you have set up your Dockerfile, you can build an image from it.

Make sure the Docker service is running:

systemctl status docker
● docker.service - Docker Application Container Engine
     Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-05-06 05:19:12 UTC; 1s ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 8542 (dockerd)
      Tasks: 8
     Memory: 40.5M
     CGroup: /system.slice/docker.service
             └─8542 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

May 06 05:19:08 kifarunix.com dockerd[8542]: time="2021-05-06T05:19:08.455064769Z" level=warning msg="Your kernel does not support CPU realtime scheduler"
May 06 05:19:08 kifarunix.com dockerd[8542]: time="2021-05-06T05:19:08.455517885Z" level=warning msg="Your kernel does not support cgroup blkio weight"
May 06 05:19:08 kifarunix.com dockerd[8542]: time="2021-05-06T05:19:08.455936526Z" level=warning msg="Your kernel does not support cgroup blkio weight_device"
May 06 05:19:08 kifarunix.com dockerd[8542]: time="2021-05-06T05:19:08.456858801Z" level=info msg="Loading containers: start."
May 06 05:19:09 kifarunix.com dockerd[8542]: time="2021-05-06T05:19:09.970095995Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. D>
May 06 05:19:10 kifarunix.com dockerd[8542]: time="2021-05-06T05:19:10.589619449Z" level=info msg="Loading containers: done."
May 06 05:19:11 kifarunix.com dockerd[8542]: time="2021-05-06T05:19:11.360156761Z" level=info msg="Docker daemon" commit=8728dd2 graphdriver(s)=overlay2 version=20.10.6
May 06 05:19:11 kifarunix.com dockerd[8542]: time="2021-05-06T05:19:11.362448498Z" level=info msg="Daemon has completed initialization"
May 06 05:19:12 kifarunix.com systemd[1]: Started Docker Application Container Engine.
May 06 05:19:12 kifarunix.com dockerd[8542]: time="2021-05-06T05:19:12.141070774Z" level=info msg="API listen on /run/docker.sock"

If it is not, start the Docker service with:

systemctl start docker

Before you can build the image, there are files that the Dockerfile copies in from the host: the ModSecurity rules file and the Apache site configuration file.

So create these files:

cat > modsec_rules.conf << 'EOL'
Include "/etc/apache2/modsecurity.d/modsecurity.conf"
Include "/etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf"
Include "/etc/apache2/modsecurity.d/owasp-crs/rules/*.conf"
EOL

cat > 000-default.conf << 'EOL'
<VirtualHost *:80>
	modsecurity on
	modsecurity_rules_file /etc/apache2/modsecurity.d/modsec_rules.conf
	ServerAdmin [email protected]
	DocumentRoot /var/www/html
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOL

You can now proceed to build the Docker image.

To build a Docker image from a Dockerfile, run docker build <build context>, where the build context is the directory that holds the Dockerfile and the files it ADDs.

docker build .

The dot (.) denotes the current directory as the build context, which is where the Dockerfile, modsec_rules.conf and 000-default.conf are. Adding -t, for example -t modsec3-apache:3.0.4, would give the image a name and tag instead of the <none> shown later; the image ID works just as well.

If the Dockerfile is not in the current working directory, use the -f option to specify its path:

docker build -f /path/to/a/Dockerfile .

Sample output from the build command:

...
Step 14/18 : RUN mv /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-default.conf.old
 ---> Running in ac6525e24f7d
Removing intermediate container ac6525e24f7d
 ---> ec6d4457b765
Step 15/18 : ADD 000-default.conf /etc/apache2/sites-available/
 ---> 7c4201ccfd92
Step 16/18 : VOLUME /var/log/apache2
 ---> Running in 9919d9cf570d
Removing intermediate container 9919d9cf570d
 ---> aa45b6406512
Step 17/18 : EXPOSE 80
 ---> Running in 368fc959c99d
Removing intermediate container 368fc959c99d
 ---> 210d4c2df36e
Step 18/18 : CMD apachectl -D FOREGROUND
 ---> Running in dfea7e1352ee
Removing intermediate container dfea7e1352ee
 ---> 229edcf62162
Successfully built 229edcf62162

You have successfully built the ModSecurity 3 with Apache Docker image.

List the images currently available:

docker image ls
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
<none>       <none>    229edcf62162   2 hours ago   2.48GB
...

Our ModSecurity 3 Docker image ID is 229edcf62162.

Run the ModSecurity 3 with Apache Docker Container

You can now create a ModSecurity Docker container from the image built above using the docker run command:

docker run [OPTIONS] IMAGE [COMMAND] [ARG...]

For example, launch the Apache with ModSecurity container by running:

docker run --name modsec3-apache -dp 80:80 229edcf62162

The command above starts an Apache with ModSecurity container named modsec3-apache in the background (-d) from the image built above, and publishes container port 80 on port 80 of the host (-p 80:80).

List the containers:

docker container ls
CONTAINER ID   IMAGE          COMMAND                  CREATED              STATUS              PORTS                               NAMES
ae4017bdaf23   229edcf62162   "/bin/sh -c 'apachec…"   About a minute ago   Up About a minute   0.0.0.0:80->80/tcp, :::80->80/tcp   modsec3-apache

You can also list running containers with the docker ps command.

And that is it. Your Apache with ModSecurity is now running as a Docker container.

You can test whether ModSecurity is protecting the Apache running in the Docker container as follows.

Open port 80/tcp on the host firewall. Bear in mind that Docker programs its own iptables rules for published ports, and those are evaluated before ufw's, so a port published with -p 80:80 is reachable from other hosts whether or not ufw allows it; to keep the container local while you test, publish it as -p 127.0.0.1:80:80 instead.

ufw allow 80/tcp

Now, on the host, run:

ss -altnp | grep :80
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("docker-proxy",pid=29372,fd=4))
LISTEN 0 4096 [::]:80 [::]:* users:(("docker-proxy",pid=29377,fd=4))

docker-proxy listens on 0.0.0.0 and [::], so the Apache/ModSecurity container can be reached on any of the host's addresses.

Hence, to test that ModSecurity in the container is effective, send a request carrying a shell command in a parameter (the URL is quoted because ? is a shell glob character):

curl 'localhost/?doc=/bin/ls'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at localhost Port 80</address>
</body></html>
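As an added example (not part of the original tutorial), the script below turns that single curl into a repeatable smoke test: it sends one benign request and a few known-bad probes to the published port and compares the status codes with what a blocking WAF should return. The probe paths, their expected codes and the default base URL http://localhost are assumptions for a container published with -p 80:80 and running the CRS at paranoia level 1 with SecRuleEngine On; waf_status is the only function that talks to the network.

```bash
#!/usr/bin/env bash
# Added example, not from the tutorial: smoke-test the Apache/ModSecurity
# container after `docker run`. Benign requests must pass and known-bad probes
# must be blocked; if no probe is blocked the engine is almost certainly still
# in DetectionOnly, or the vhost is not loading modsec_rules.conf.
set -u

# Assumption: the container is published on port 80 of this host (-p 80:80).
WAF_BASE_URL=${WAF_BASE_URL:-http://localhost}

# Constructed probe set: "<path>|<expected status>". Payloads are pre-encoded
# so curl sends them verbatim. Expected codes assume SecRuleEngine On and CRS
# at paranoia level 1 with the default anomaly thresholds.
WAF_PROBES='
/|200
/?doc=/bin/ls|403
/?id=1%27%20OR%20%271%27%3D%271|403
/?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E|403
/?file=../../../../etc/passwd|403
'

# HTTP status code only; a connection failure comes back as 000.
waf_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$WAF_BASE_URL$1"
}

# Run every probe, print one result line each, return non-zero on any mismatch.
# Also warns when not a single attack probe was blocked (the DetectionOnly case).
waf_smoke_test() {
  local path expected actual fail=0 attacks=0 blocked=0
  while IFS='|' read -r path expected; do
    [ -n "$path" ] || continue
    actual=$(waf_status "$path")
    if [ "$actual" = "$expected" ]; then
      printf 'PASS %-45s expected=%s got=%s\n' "$path" "$expected" "$actual"
    else
      printf 'FAIL %-45s expected=%s got=%s\n' "$path" "$expected" "$actual"
      fail=1
    fi
    if [ "$expected" = 403 ]; then
      attacks=$((attacks + 1))
      if [ "$actual" = 403 ]; then blocked=$((blocked + 1)); fi
    fi
  done <<<"$WAF_PROBES"
  if [ "$attacks" -gt 0 ] && [ "$blocked" -eq 0 ]; then
    echo 'WARN: no attack probe was blocked; check SecRuleEngine On and that the vhost includes modsec_rules.conf' >&2
  fi
  return "$fail"
}

# Usage: ./waf-smoke.sh [base-url]   e.g. ./waf-smoke.sh http://127.0.0.1
if [ $# -gt 0 ]; then
  WAF_BASE_URL=$1
  waf_smoke_test
fi
```

Run it against the container right after `docker run`; a non-zero exit means at least one probe did not get the expected status, and the WARN line singles out the most common cause, an engine left in DetectionOnly, which returns 200 for every attack while still logging the rule hits.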

You can log into the container and inspect the log. Note that the CRS runs in anomaly scoring mode by default: each matching rule is logged as "ModSecurity: Warning" and only adds to the request's inbound anomaly score, and the actual 403 is issued by the evaluation rule in REQUEST-949-BLOCKING-EVALUATION.conf once that score reaches the inbound threshold (5 with the default settings), so a single CRITICAL hit such as rule 932160 is enough to block.

docker exec -it modsec3-apache /bin/bash
tail /var/log/apache2/error.log
[Thu May 06 17:12:15.526844 2021] [:notice] [pid 16:tid 139891014069312] ModSecurity: ModSecurity-Apache v0.1.1-beta configured.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[Thu May 06 17:12:15.592630 2021] [mpm_event:notice] [pid 16:tid 139891014069312] AH00489: Apache/2.4.41 (Ubuntu) configured -- resuming normal operations
[Thu May 06 17:12:15.592655 2021] [core:notice] [pid 16:tid 139891014069312] AH00094: Command line: '/usr/sbin/apache2 -D FOREGROUND'
[Thu May 06 17:32:37.690656 2021] [:error] [pid 17:tid 139890944558848] [client 172.17.0.1:60688] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:doc' (Value: `/bin/ls' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "496"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/ls found within ARGS:doc: /bin/ls"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "172.17.0.2"] [uri "/"] [unique_id "162032235753.217056"] [ref "o1,6v10,7t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
[Thu May 06 17:35:30.014353 2021] [:error] [pid 17:tid 139890927757056] [client 172.17.0.1:60692] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:doc' (Value: `/bin/ls' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "496"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/ls found within ARGS:doc: /bin/ls"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "172.17.0.2"] [uri "/"] [unique_id "16203225307.958576"] [ref "o1,6v10,7t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
...
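Added example, not from the original tutorial: the script below recomputes the CRS inbound anomaly score per request from error.log entries like the ones above, which makes it visible why a rule hit logged only as a Warning ends in a 403. The first ModSecurity entry in the embedded sample is the tutorial's own 932160 hit (trimmed); the 949110 line and the two later requests are constructed to show the skip rule and how low-severity hits add up. The severity weights (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2) and the inbound threshold of 5 are the CRS 3.x defaults from crs-setup.conf.example, assumed unchanged in the image.

```bash
#!/usr/bin/env bash
# Added example, not from the tutorial: recompute the OWASP CRS inbound anomaly
# score per request from ModSecurity entries in Apache's error.log. The single
# "ModSecurity: Warning" for rule 932160 scores 5 (CRITICAL), which meets the
# default inbound threshold of 5, hence the 403 seen with curl.
set -euo pipefail

# Defaults from crs-setup.conf.example (CRS 3.x); assumed unchanged in the image.
CRS_INBOUND_THRESHOLD=5

# CRS weights by ModSecurity numeric severity: 2=CRITICAL 3=ERROR 4=WARNING 5=NOTICE
crs_weight() {
  case $1 in
    2) echo 5 ;;
    3) echo 4 ;;
    4) echo 3 ;;
    5) echo 2 ;;
    *) echo 0 ;;
  esac
}

crs_verdict() {
  if [ "$1" -ge "$CRS_INBOUND_THRESHOLD" ]; then echo BLOCK; else echo PASS; fi
}

# Pull one quoted ModSecurity field out of a log line, e.g. [id "932160"] -> 932160
modsec_field() {
  local key=$1 line=$2
  printf '%s\n' "$line" | sed -n "s/.*\[$key \"\([^\"]*\)\"].*/\1/p"
}

# Read error.log lines on stdin; print "unique_id score rule_ids" per request in
# order of first appearance. Lines without a ModSecurity marker or a unique_id
# are ignored, and the 949xxx/980xxx evaluation and reporting rules are skipped
# so the score they themselves report is not counted a second time.
crs_inbound_scores() {
  local line uid id sev
  local -a order=()
  local -A score=() rules=()
  while IFS= read -r line; do
    case $line in *"ModSecurity: "*) ;; *) continue ;; esac
    uid=$(modsec_field unique_id "$line")
    id=$(modsec_field id "$line")
    sev=$(modsec_field severity "$line")
    [ -n "$uid" ] && [ -n "$id" ] || continue
    case $id in 949*|980*) continue ;; esac
    if [ -z "${score[$uid]+x}" ]; then
      order+=("$uid"); score[$uid]=0; rules[$uid]=""
    fi
    score[$uid]=$(( ${score[$uid]} + $(crs_weight "$sev") ))
    rules[$uid]="${rules[$uid]:+${rules[$uid]},}$id"
  done
  for uid in ${order[@]+"${order[@]}"}; do
    printf '%s %s %s\n' "$uid" "${score[$uid]}" "${rules[$uid]}"
  done
}

crs_report() {
  crs_inbound_scores | while read -r uid score ids; do
    printf '%-22s score=%-2s %-5s rules=%s\n' "$uid" "$score" "$(crs_verdict "$score")" "$ids"
  done
}

# Constructed sample log: the first two lines are the tutorial's own entries
# (the 932160 hit trimmed to the fields used here); the 949110 line and the
# two later requests are made up to exercise the skip rule and the score sum.
SAMPLE_LOG=$(cat <<'EOF'
[Thu May 06 17:12:15.526844 2021] [:notice] [pid 16:tid 139891014069312] ModSecurity: ModSecurity-Apache v0.1.1-beta configured.
[Thu May 06 17:32:37.690656 2021] [:error] [pid 17:tid 139890944558848] [client 172.17.0.1:60688] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:doc' (Value: `/bin/ls' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "496"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [severity "2"] [hostname "172.17.0.2"] [uri "/"] [unique_id "162032235753.217056"]
[Thu May 06 17:32:37.690900 2021] [:error] [pid 17:tid 139890944558848] [client 172.17.0.1:60688] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [hostname "172.17.0.2"] [uri "/"] [unique_id "162032235753.217056"]
[Thu May 06 17:40:01.000001 2021] [:error] [pid 17:tid 139890944558848] [client 172.17.0.1:60700] ModSecurity: Warning. Matched "Operator `Rx' ..." [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [hostname "172.17.0.2"] [uri "/"] [unique_id "162032280100.000001"]
[Thu May 06 17:41:02.000002 2021] [:error] [pid 17:tid 139890944558848] [client 172.17.0.1:60702] ModSecurity: Warning. Matched "Operator `Rx' ..." [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [hostname "172.17.0.2"] [uri "/"] [unique_id "162032286200.000002"]
[Thu May 06 17:41:02.000003 2021] [:error] [pid 17:tid 139890944558848] [client 172.17.0.1:60702] ModSecurity: Warning. Matched "Operator `Rx' ..." [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920300"] [msg "Request Missing an Accept Header"] [severity "5"] [hostname "172.17.0.2"] [uri "/"] [unique_id "162032286200.000002"]
EOF
)

printf '%s\n' "$SAMPLE_LOG" | crs_report
```

Against a real container, feed it the file directly: docker exec modsec3-apache cat /var/log/apache2/error.log | bash this-script.sh would work if the final line were replaced by crs_report reading stdin. The sample output shows the three cases that matter when tuning: one CRITICAL hit reaching the threshold on its own, a lone WARNING (the numeric Host header you get when testing by IP) that passes, and two low-severity hits on one request that together reach 5 and block.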

You can also view the logs with the docker logs command, but with the site configuration above Apache writes to files under /var/log/apache2 inside the container, so docker logs shows little. To get them there, point ErrorLog at /proc/self/fd/2 and CustomLog at /proc/self/fd/1 in the vhost (this is what the official httpd image does), or keep the files and mount them from the host as shown next.

You can also have the container store its logs on the host using the docker run --volume/-v option:

docker run --name modsec3-apache -v /var/log/apache2:/var/log/apache2 -dp 80:80 229edcf62162

The logs should now be written to /var/log/apache2 on the host:

tail -f /var/log/apache2/error.log
[Thu May 06 17:55:35.007467 2021] [:notice] [pid 16:tid 139799054105664] ModSecurity: ModSecurity-Apache v0.1.1-beta configured.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[Thu May 06 17:55:35.066755 2021] [mpm_event:notice] [pid 16:tid 139799054105664] AH00489: Apache/2.4.41 (Ubuntu) configured -- resuming normal operations
[Thu May 06 17:55:35.066783 2021] [core:notice] [pid 16:tid 139799054105664] AH00094: Command line: '/usr/sbin/apache2 -D FOREGROUND'
[Thu May 06 17:55:56.640042 2021] [:error] [pid 18:tid 139798870210304] [client 172.17.0.1:60700] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:doc' (Value: `/bin/ls' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "496"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/ls found within ARGS:doc: /bin/ls"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "172.17.0.2"] [uri "/"] [unique_id "162032375634.996239"] [ref "o1,6v10,7t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]

And that is all on how to install ModSecurity 3 with Apache in a Docker container.

© 2022 Tekno Sridianti