
[Nov 27] Building Mod_security

ljm 2025. 11. 27. 17:43


๐Ÿ›ก๏ธ 1๋‹จ๊ณ„: ModSecurity ์ฝ”์–ด ์—”์ง„ ๋ฐ ๋ชจ๋“ˆ ์„ค์น˜

Apache ์›น ์„œ๋ฒ„์— ModSecurity ๋ชจ๋“ˆ์„ ์„ค์น˜ํ•œ๋‹ค.

 

  1. ํŒจํ‚ค์ง€ ๋ชฉ๋ก ์—…๋ฐ์ดํŠธ:
    sudo apt update
    

     

  2. ModSecurity ํŒจํ‚ค์ง€ ์„ค์น˜: Apache์šฉ ModSecurity ๋ชจ๋“ˆ์„ ์„ค์น˜ํ•œ๋‹ค.
    sudo apt install libapache2-mod-security2
    

     

  3. Apache ModSecurity ๋ชจ๋“ˆ ํ™œ์„ฑํ™” ํ™•์ธ: ์„ค์น˜ ์‹œ ์ž๋™์œผ๋กœ ํ™œ์„ฑํ™”๋˜์ง€๋งŒ, ํ•œ ๋ฒˆ ๋” ํ™•์ธํ•œ๋‹ค.
    sudo a2enmod security2
    

     

  4. ์›น ์„œ๋ฒ„ ์žฌ์‹œ์ž‘: ๋ชจ๋“ˆ ์ ์šฉ์„ ์œ„ํ•ด Apache๋ฅผ ์žฌ์‹œ์ž‘ํ•œ๋‹ค.
    sudo systemctl restart apache2
    

     


 

๐Ÿ›ก๏ธ 2๋‹จ๊ณ„: ModSecurity ๊ธฐ๋ณธ ์„ค์ • ๋ณ€๊ฒฝ (Detection → Prevention ๋ชจ๋“œ)

ModSecurity๋Š” ๊ธฐ๋ณธ์ ์œผ๋กœ ํƒ์ง€ ๋ชจ๋“œ(Detection Only) ๋กœ ๋˜์–ด ์žˆ์–ด. ์‹ค์ œ ์ฐจ๋‹จ ๊ธฐ๋Šฅ์„ ์‚ฌ์šฉํ•˜๋ ค๋ฉด ์„ค์ •์„ ๋ณ€๊ฒฝํ•ด์•ผ ํ•œ๋‹ค.

 

โœ… 2-1. ModSecurity ์„ค์ • ํŒŒ์ผ ๋ฐฑ์—…

sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

 

โœ… 2-2. ModSecurity ์„ค์ • ์—ด๊ธฐ

sudo nano /etc/modsecurity/modsecurity.conf

 

โœ… 2-3. ์ด ๋ถ€๋ถ„์„ ์ˆ˜์ •

SecRuleEngine DetectionOnly 
→ SecRuleEngine On ์œผ๋กœ ๋ณ€๊ฒฝ

 

์ด์ œ ์‹ค์ œ ๊ณต๊ฒฉ ์š”์ฒญ์„ ์ฐจ๋‹จํ•˜๊ฒŒ ๋จ.

 


 

๐Ÿ›ก๏ธ 3๋‹จ๊ณ„: OWASP Core Rule Set(CRS) ์„ค์น˜

ModSecurity๋Š” ์—”์ง„์ผ ๋ฟ์ด๊ณ , ์‹ค์ œ ๋ณด์•ˆ ๊ทœ์น™์€ ๋”ฐ๋กœ ์„ค์น˜ํ•ด์•ผ ํ•œ๋‹ค. ๊ฐ€์žฅ ๋งŽ์ด ์‚ฌ์šฉํ•˜๋Š” ๊ทœ์น™์€ OWASP CRS์ด๋‹ค.

 

โœ… 3-1. CRS ๋‹ค์šด๋กœ๋“œ

cd /usr/share/modsecurity-crs/ sudo git clone https://github.com/coreruleset/coreruleset.git

 

* Ubuntu ๊ธฐ๋ณธ ์„ค์น˜์— /usr/share/modsecurity-crs/ ๋””๋ ‰ํ† ๋ฆฌ๊ฐ€ ์ด๋ฏธ ์žˆ์„ ์ˆ˜๋„ ์žˆ์œผ๋‹ˆ ์•„๋ž˜ ๋ช…๋ น์œผ๋กœ ํ™•์ธ:

ls /usr/share/

 

* ๋งŒ์•ฝ ํ•ด๋‹น ๋””๋ ‰ํ† ๋ฆฌ๊ฐ€ ์—†๋‹ค๋ฉด:

sudo git clone https://github.com/coreruleset/coreruleset.git /usr/share/modsecurity-crs

 

โœ… 3-2. ์‹ค์ œ ์œ„์น˜ ํ™•์ธ

ls /usr/share/modsecurity-crs/coreruleset

 

์ด ๊ฒฝ๋กœ ์•ˆ์— crs-setup.conf.example๊ฐ€ ์žˆ๋Š”์ง€ ํ™•์ธํ•œ๋‹ค.

 


 

โœ… 3-3. ํŒŒ์ผ ๋ณต์‚ฌ

์œ„ ๋ช…๋ น์—์„œ ํŒŒ์ผ์ด ๋ณด์˜€๋‹ค๋ฉด:

sudo cp /usr/share/modsecurity-crs/coreruleset/crs-setup.conf.example /usr/share/modsecurity-crs/coreruleset/crs-setup.conf

 


๐Ÿงฉ ์ฐธ๊ณ : CRS v4.x๋Š” ๊ตฌ์กฐ๊ฐ€ ๋ฐ”๋€œ

CRS 4.x์—์„œ๋Š” ๋””๋ ‰ํ† ๋ฆฌ ๊ตฌ์กฐ๊ฐ€ ์ด๋ ‡๊ฒŒ ์ƒ๊น€:

coreruleset/ crs-setup.conf.example rules/

/usr/share/modsecurity-crs/์—๋Š” ์ถ”๊ฐ€ ํŒŒ์ผ๋งŒ ์žˆ์Œ.

 


 

๐Ÿ›ก๏ธ 4๋‹จ๊ณ„: Apache์— CRS Include ์„ค์ • ํ™•์ธ

 

security2.conf ํŒŒ์ผ์— ์ •ํ™•ํ•œ Include ๊ฒฝ๋กœ๊ฐ€ ๋“ค์–ด๊ฐ”๋Š”์ง€ ๋‹ค์‹œ ํ™•์ธํ•œ๋‹ค.

sudo nano /etc/apache2/mods-enabled/security2.conf

 

 

๋งจ ์•„๋ž˜์— ๋‹ค์Œ ๋‘ ์ค„์ด ์žˆ์–ด์•ผ ํ•œ๋‹ค (๊ฒฝ๋กœ๋Š” CRS v4 ๊ธฐ์ค€):

IncludeOptional /usr/share/modsecurity-crs/coreruleset/crs-setup.conf

IncludeOptional /usr/share/modsecurity-crs/coreruleset/rules/*.conf

 

 

๋‹ค์Œ๋ถ€๋ถ„์„ ์ฃผ์„ ์ฒ˜๋ฆฌํ•œ๋‹ค.

# IncludeOptional /usr/share/modsecurity-crs/*.load

 

์ €์žฅ ํ›„ ์ข…๋ฃŒ.


 

๐Ÿ›ก๏ธ 5๋‹จ๊ณ„: Apache ์„ค์ • ๊ตฌ๋ฌธ ๊ฒ€์‚ฌ

 

์˜คํƒ€๋‚˜ ์ž˜๋ชป๋œ ์„ค์ •์ด ์žˆ์œผ๋ฉด ์—ฌ๊ธฐ์„œ ์žก์•„๋‚ธ๋‹ค.

sudo apachectl configtest

 

์ •์ƒ์ด๋ผ๋ฉด:

Syntax OK

 


 

๐Ÿ›ก๏ธ 6๋‹จ๊ณ„: Apache ์žฌ์‹œ์ž‘

 

๊ทœ์น™ ์ ์šฉ์„ ์œ„ํ•ด ์›น ์„œ๋ฒ„๋ฅผ ์žฌ์‹œ์ž‘ํ•œ๋‹ค

sudo systemctl restart apache2

 


 

🧪 Step 7: Basic test

Requesting the URL below shows whether ModSecurity blocks it.

http://your-server/?test=../etc/passwd

→ If it is working, a 403 Forbidden or the ModSecurity block page is returned.


📜 Step 8: Check the logs (most important)

ModSecurity writes every block record to /var/log/apache2/modsec_audit.log.

Check that the log is being written:

sudo tail -f /var/log/apache2/modsec_audit.log

→ If the attack pattern tested above shows up in the log, ModSecurity + CRS is fully in place.
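The two configuration edits from steps 2-3 and 4 (switching SecRuleEngine to On and wiring in the CRS v4 includes), as an added shell example that is not part of the original post: the helpers take the file paths as arguments so they can be rehearsed on copies before touching /etc, and they can be run repeatedly without duplicating lines. GNU sed and grep (as shipped on Ubuntu) and the Debian-style security2.conf wrapped in an IfModule block are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent helpers for the two
# config edits above (step 2-3 SecRuleEngine, step 4 CRS includes). File
# paths are arguments so the edits can be rehearsed on copies before /etc.
# Assumes GNU sed/grep (Ubuntu), as the post does.
set -eu

# Step 2-3: turn SecRuleEngine DetectionOnly (or Off) into On; append the
# directive if the file has none. Running it twice changes nothing.
enable_blocking() {
  if grep -Eq '^[[:space:]]*SecRuleEngine[[:space:]]' "$1"; then
    sed -E -i 's/^([[:space:]]*SecRuleEngine[[:space:]]+)(DetectionOnly|Off|On)/\1On/' "$1"
  else
    printf 'SecRuleEngine On\n' >> "$1"
  fi
}

# Effective engine mode: the last uncommented SecRuleEngine line wins.
engine_mode() {
  grep -E '^[[:space:]]*SecRuleEngine[[:space:]]' "$1" | tail -n 1 | awk '{ print $2 }'
}

# Insert a directive before </IfModule> (so it stays inside the module guard
# of security2.conf), or append it when the file has no such block.
add_directive() {
  local conf="$1" line="$2"
  grep -qF -- "$line" "$conf" && return 0
  if grep -q '^[[:space:]]*</IfModule>' "$conf"; then
    sed -i "/^[[:space:]]*<\/IfModule>/i\\$line" "$conf"
  else
    printf '%s\n' "$line" >> "$conf"
  fi
}

# Step 4: comment out the packaged *.load include and add the CRS v4 ones.
# The CRS directory defaults to the clone location used in step 3.
set_crs_includes() {
  local conf="$1" crs="${2:-/usr/share/modsecurity-crs/coreruleset}"
  sed -E -i 's|^([[:space:]]*)(IncludeOptional[[:space:]]+/usr/share/modsecurity-crs/\*\.load)|\1# \2|' "$conf"
  add_directive "$conf" "IncludeOptional $crs/crs-setup.conf"
  add_directive "$conf" "IncludeOptional $crs/rules/*.conf"
}

# Number of active CRS v4 include lines; 2 means step 4 is complete.
crs_include_count() {
  grep -Ec '^[[:space:]]*IncludeOptional[[:space:]]+.*/(crs-setup\.conf|rules/\*\.conf)$' "$1" || true
}
```

Run `sudo apachectl configtest` after applying the helpers to the real files, exactly as in step 5.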

 

 


 

Writing a custom rule

✅ Step 1: The audit log must be enabled

sudo nano /etc/modsecurity/modsecurity.conf
# edit as follows
SecAuditEngine On
SecAuditLog /var/log/apache2/modsec_audit.log
SecAuditLogParts ABIJDEFHZ
sudo systemctl restart apache2

SecAuditEngine On records every transaction, not only the ones that triggered a rule, so the log grows quickly; RelevantOnly would log only flagged transactions.

 


 

✅ Step 2: Create the custom rule file

sudo nano /etc/modsecurity/custom_rules.conf

 


 

🎯 Step 3: Write a rule that "always lands in the audit log when it matches"

For example, you can make sure that whenever a URL parameter carries the value attack_test, the request is written to modsec_audit.log.

✔ Example rule

SecRule ARGS "attack_test" \
    "id:100001,\
    phase:2,\
    t:none,\
    log,\
    auditlog,\
    msg:'Custom test rule triggered',\
    severity:2"

Option          Description

auditlog        always written to modsec_audit.log (the key part!)
log             also written to error.log
id:100001       rule ID (use the 100k range so it does not collide with other rules)
phase:2         the phase in which the request body/parameters are inspected
msg             the message shown in the log
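Rule ids must be unique across every file Apache loads, CRS included, and ModSecurity refuses to start on a duplicate. The following added shell example, not from the original post, checks an id against the rule files before you commit to one; the files and directories are passed as arguments so it can be pointed at /etc/modsecurity and the CRS rules directory.

```shell
#!/bin/sh
# Added example (not from the original post): check that a custom rule id is
# not already used by another loaded rule file, CRS included. A duplicate id
# is a configuration error, so catch it before restarting Apache.
set -eu

# Print every id declared as "id:NNN" in the given .conf files, one per line,
# skipping commented-out lines. Both SecRule and SecAction declare ids this way.
rule_ids() {
  cat "$@" | grep -v '^[[:space:]]*#' \
    | grep -oE '(^|[^A-Za-z0-9_])id:[[:space:]]*[0-9]+' | grep -oE '[0-9]+'
}

# Print ids that are declared more than once across the given files.
duplicate_ids() {
  rule_ids "$@" | sort -n | uniq -d
}

# Succeed (exit 0) if id $1 appears in none of the remaining file arguments.
id_is_free() {
  local id="$1"; shift
  ! rule_ids "$@" | grep -qx "$id"
}

# Smallest unused id at or above $1 (e.g. 100001), scanning the given files.
next_free_id() {
  local want="$1"; shift
  rule_ids "$@" | sort -n | awk -v want="$want" '
    $1 >= want { if ($1 == want) want++; else exit }
    END { print want }'
}
```

Typical call: `id_is_free 100001 /etc/modsecurity/*.conf /usr/share/modsecurity-crs/coreruleset/rules/*.conf && echo free`.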

 


 

🔗 Step 4: Include the rule in Apache

sudo nano /etc/apache2/mods-enabled/security2.conf
Check that a line like the following is present.

🔄 Step 5: Restart Apache

sudo systemctl restart apache2

 


 

🧪 Step 6: Test

Send a request containing attack_test:

http://your-ip/?test=attack_test

Then check the audit log:

sudo tail -f /var/log/apache2/modsec_audit.log

A log entry similar to the following should appear:

Message: Custom test rule triggered RuleId: 100001
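Tailing the file is enough for one test, but to confirm a custom rule is firing over time you want hit counts per rule id. The following added shell example, not from the original post, summarises the serial audit-log format written to modsec_audit.log by parsing the `[id "..."]` and `[msg "..."]` fields of the Message lines in the H part; the two-transaction sample log is constructed inline so it runs offline (the second transaction shows the step 7 test URL matched by CRS rules, with constructed line numbers).

```shell
#!/bin/sh
# Added example (not from the original post): summarise a serial-format
# ModSecurity audit log (the modsec_audit.log format above) by rule id, so
# hits of a custom rule can be counted instead of watched with tail -f.
set -eu

# Print "id<TAB>hits<TAB>msg" for every [id "..."] seen on Message: lines of
# the H (audit trailer) part, sorted by id.
audit_summary() {
  awk '
    # Part boundaries look like --<txid>-<LETTER>--; remember the letter.
    /^--[0-9A-Za-z]+-[A-Z]--$/ { part = substr($0, length($0) - 2, 1); next }
    part == "H" && /^Message: / && match($0, /\[id "[0-9]+"\]/) {
      id = substr($0, RSTART + 5, RLENGTH - 7)
      if (match($0, /\[msg "[^"]*"\]/)) msg[id] = substr($0, RSTART + 6, RLENGTH - 8)
      hits[id]++
    }
    END { for (id in hits) printf "%s\t%d\t%s\n", id, hits[id], msg[id] }
  ' "$1" | sort -n
}

# Hit count for a single rule id; prints 0 when the id never fired.
hits_for_id() {
  audit_summary "$1" | awk -F '\t' -v id="$2" '$1 == id { n = $2 } END { print n + 0 }'
}

# Write a constructed sample log (not real traffic) with two transactions to $1:
# the custom rule from step 3, then the step 7 test URL caught by CRS rules.
write_sample_log() {
  cat > "$1" <<'EOF'
--a1b2c3d4-A--
[27/Nov/2025:17:43:00 +0900] aZ8xYzQ 192.0.2.10 54321 192.0.2.1 80
--a1b2c3d4-B--
GET /?test=attack_test HTTP/1.1
--a1b2c3d4-H--
Message: Warning. Pattern match "attack_test" at ARGS:test. [file "/etc/modsecurity/custom_rules.conf"] [line "1"] [id "100001"] [msg "Custom test rule triggered"] [severity "CRITICAL"]
--a1b2c3d4-Z--
--e5f6a7b8-A--
[27/Nov/2025:17:44:10 +0900] bQ9wXvR 192.0.2.11 54322 192.0.2.1 80
--e5f6a7b8-B--
GET /?test=../etc/passwd HTTP/1.1
--e5f6a7b8-H--
Message: Warning. Matched phrase "etc/passwd" at ARGS:test. [file "/usr/share/modsecurity-crs/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "1"] [id "930120"] [msg "OS File Access Attempt"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [file "/usr/share/modsecurity-crs/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "1"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
--e5f6a7b8-Z--
EOF
}
```

On the real server run `audit_summary /var/log/apache2/modsec_audit.log` (with sudo) to see which rules, custom or CRS, are actually firing.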

 


🎉 Result

ModSecurity now always writes to the audit log whenever it detects the specified pattern.