bastian/deploy_home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CU-cyk0dp Added more rules to modsecurity

Browse Source
This commit is contained in:
Bastian de Byl
2020-09-30 22:58:33 -04:00
parent 888f9dd289
commit 798c3bbb80
4 changed files with 179 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
ansible/roles/common/defaults/main.yml
View File

@@ -1,6 +1,7 @@
---
deps: [
docker,
git,
fail2ban,
python-docker
]

126
ansible/roles/http/defaults/main.yml
View File

@@ -5,27 +5,123 @@ deps: [
nginx-mod-modsecurity
]
nginx_dir: /etc/nginx
nginx_conf_dir: "{{ nginx_dir }}/conf"
modsec_rules_dir: "{{ nginx_conf_dir }}/rules"
nginx_path: /etc/nginx
nginx_conf_path: "{{ nginx_path }}/conf"
modsec_rules_path: "{{ nginx_conf_path }}/rules"
modsec_crs_before_rule_conf:
"{{ modsec_rules_dir }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
"{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
modsec_crs_after_rule_conf:
"{{ modsec_rules_dir }}/REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf"
"{{ modsec_rules_path }}/REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf"
ci_server_name: ci.bdebyl.net
modsec_conf_url:
https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
install_path: /usr/share
modsec_path: "{{ install_path }}/modsecurity"
crs_path: "{{ install_path }}/coreruleset"
crs_rules_path: "{{ crs_path }}/rules"
modsec_unicode_url:
https://github.com/SpiderLabs/ModSecurity/raw/v3/master/unicode.mapping
modsec_git_urls:
- src: "https://github.com/coreruleset/coreruleset.git"
dest: "{{ crs_path }}"
ver: "v3.3.0"
- src: "https://github.com/SpiderLabs/ModSecurity.git"
dest: "{{ modsec_path }}"
ver: "v3.0.4"
crs_setup_url:
https://github.com/coreruleset/coreruleset/raw/v3.4/dev/crs-setup.conf.example
modsec_conf_links:
- src: "{{ modsec_path }}/modsecurity.conf-recommended"
dest: "{{ nginx_path }}/modsecurity.conf"
- src: "{{ modsec_path }}/unicode.mapping"
dest: "{{ nginx_path }}/unicode.mapping"
- src: "{{ crs_path }}/crs-setup.conf.example"
dest: "{{ nginx_conf_path }}/crs-setup.conf"
- src: "{{ crs_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example"
dest: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
- src: "{{ crs_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example"
dest: "{{ modsec_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
crs_before_url:
https://github.com/coreruleset/coreruleset/raw/v3.4/dev/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
crs_rule_links:
- name: REQUEST-901-INITIALIZATION
enabled: true
- name: REQUEST-903.9001-DRUPAL-EXCLUSION-RULES
enabled: true
- name: REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES
enabled: true
- name: REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES
enabled: true
- name: REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES
enabled: true
- name: REQUEST-903.9005-CPANEL-EXCLUSION-RULES
enabled: true
- name: REQUEST-903.9006-XENFORO-EXCLUSION-RULES
enabled: true
- name: REQUEST-905-COMMON-EXCEPTIONS
enabled: true
- name: REQUEST-910-IP-REPUTATION
enabled: true
- name: REQUEST-911-METHOD-ENFORCEMENT
enabled: true
- name: REQUEST-912-DOS-PROTECTION
enabled: true
- name: REQUEST-913-SCANNER-DETECTION
enabled: true
- name: REQUEST-920-PROTOCOL-ENFORCEMENT
enabled: true
- name: REQUEST-921-PROTOCOL-ATTACK
enabled: true
- name: REQUEST-930-APPLICATION-ATTACK-LFI
enabled: true
- name: REQUEST-931-APPLICATION-ATTACK-RFI
enabled: true
- name: REQUEST-932-APPLICATION-ATTACK-RCE
enabled: true
- name: REQUEST-933-APPLICATION-ATTACK-PHP
enabled: true
- name: REQUEST-934-APPLICATION-ATTACK-NODEJS
enabled: true
- name: REQUEST-941-APPLICATION-ATTACK-XSS
enabled: true
- name: REQUEST-942-APPLICATION-ATTACK-SQLI
enabled: true
- name: REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION
enabled: true
- name: REQUEST-944-APPLICATION-ATTACK-JAVA
enabled: true
- name: REQUEST-949-BLOCKING-EVALUATION
enabled: true
- name: RESPONSE-950-DATA-LEAKAGES
enabled: true
- name: RESPONSE-951-DATA-LEAKAGES-SQL
enabled: true
- name: RESPONSE-952-DATA-LEAKAGES-JAVA
enabled: true
- name: RESPONSE-953-DATA-LEAKAGES-PHP
enabled: true
- name: RESPONSE-954-DATA-LEAKAGES-IIS
enabled: true
- name: RESPONSE-959-BLOCKING-EVALUATION
enabled: true
- name: RESPONSE-980-CORRELATION
enabled: true
crs_after_url:
https://github.com/coreruleset/coreruleset/raw/v3.4/dev/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
crs_data_links:
- crawlers-user-agents
- iis-errors
- java-classes
- java-code-leakages
- java-errors
- lfi-os-files
- php-config-directives
- php-errors
- php-function-names-933150
- php-function-names-933151
- php-variables
- restricted-files
- restricted-upload
- scanners-headers
- scanners-urls
- scanners-user-agents
- scripting-user-agents
- sql-errors
- unix-shell
- windows-powershell-commands

83
ansible/roles/http/tasks/modsec.yml
View File

@@ -8,39 +8,86 @@
group: root
mode: 0644
with_items:
- "{{ nginx_conf_dir }}"
- "{{ modsec_rules_dir }}"
- "{{ nginx_conf_path }}"
- "{{ modsec_rules_path }}"
tags: modsec
- name: create modsec_includes.conf
become: true
copy:
src: files/nginx/modsec_includes.conf
dest: "{{ nginx_dir }}/modsec_includes.conf"
dest: "{{ nginx_path }}/modsec_includes.conf"
mode: 0644
notify: restart_nginx
tags: modsec
- name: fetch core rule set files for mod-security
- name: clone coreruleset and modsecurity
become: true
get_url:
url: "{{ item.url }}"
git:
repo: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
with_items:
- {"url": "{{ modsec_conf_url }}",
"dest": "{{ nginx_dir }}/modsecurity.conf"}
- {"url": "{{ modsec_unicode_url }}",
"dest": "{{ nginx_dir }}/unicode.mapping"}
- {"url": "{{ crs_setup_url }}",
"dest": "{{ nginx_conf_dir }}/crs-setup.conf"}
- {"url": "{{ crs_before_url }}",
"dest": "{{ modsec_crs_before_rule_conf }}"}
- {"url": "{{ crs_after_url }}",
"dest": "{{ modsec_crs_after_rule_conf }}"}
update: false
version: "{{ item.ver }}"
with_items: "{{ modsec_git_urls }}"
notify: restart_nginx
tags: modsec
- name: setup modsec and coreruleset configs
become: true
file:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
state: link
force: true
mode: 0644
with_items: "{{ modsec_conf_links }}"
notify: restart_nginx
tags: modsec
- name: setup coreruleset rules
become: true
file:
src: "{{ crs_rules_path }}/{{ item.name }}.conf"
dest: "{{ modsec_rules_path }}/{{ item.name }}.conf"
state: "{{ item.enabled | ternary('link', 'absent') }}"
force: true
mode: 0644
with_items: "{{ crs_rule_links }}"
notify: restart_nginx
tags: modsec, modsec_rules
- name: setup coreruleset data
become: true
file:
src: "{{ crs_rules_path }}/{{ item }}.data"
dest: "{{ modsec_rules_path }}/{{ item }}.data"
state: link
force: true
mode: 0644
with_items: "{{ crs_data_links }}"
notify: restart_nginx
tags: modsec, modsec_rules
# name: fetch core rule set files for mod-security
# become: true
# get_url:
# url: "{{ item.url }}"
# dest: "{{ item.dest }}"
# mode: 0644
# with_items:
# - {"url": "{{ modsec_conf_url }}",
# "dest": "{{ nginx_path }}/modsecurity.conf"}
# - {"url": "{{ modsec_unicode_url }}",
# "dest": "{{ nginx_path }}/unicode.mapping"}
# - {"url": "{{ crs_setup_url }}",
# "dest": "{{ nginx_conf_path }}/crs-setup.conf"}
# - {"url": "{{ crs_before_url }}",
# "dest": "{{ modsec_crs_before_rule_conf }}"}
# - {"url": "{{ crs_after_url }}",
# "dest": "{{ modsec_crs_after_rule_conf }}"}
# notify: restart_nginx
# tags: modsec
- name: activate mod-security
become: true
lineinfile:

4
ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
View File

@@ -29,14 +29,14 @@ server {
location / {
modsecurity on;
modsecurity_rules_file {{ nginx_dir }}/modsec_includes.conf;
modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_pass http://drone;
proxy_redirect off;
proxy_repathect off;
proxy_http_version 1.1;
proxy_buffering off;