WAF, IDS/IPS を設定してみた。

・WAF
# yum -y install mod_security mod_security_crs 
# cp -p /etc/httpd/conf.d/mod_security.conf /etc/httpd/conf.d/mod_security.conf-org
# vi /etc/httpd/conf.d/mod_security.conf (defaultだと色々入って面倒なので XSS, SQL INJECTIONを有効にする)
Include modsecurity.d/*.conf
#Include modsecurity.d/activated_rules/*.conf
Include modsecurity.d/activated_rules/modsecurity_crs_41_xss_attacks.conf
Include modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf

# systemctl restart httpd
/etc/httpd/logs/modsec_audit.log に書かれる。
SecRuleEngine DetectionOnly 検出のみ



・IDS/IPS(suricata) (epel.repoが必要)
# yum -y install suricata
# vi /etc/suricata/suricata.yaml
HOME_NETに除外IPを設定

# vi /etc/sysconfig/suricate
eth0 → bond0(必要に応じて)

# systemctl enable suricata
# systemctl start suricata