WAF deployment: compiling and installing ModSecurity 3.x + Nginx from source

Note:

ModSecurity official site: http://www.modsecurity.cn

The installation steps are as follows:

1. Remove the nginx shipped with the system

1.1 Stop nginx
ps -ef | grep nginx
kill -9 <pid>   # pid of the nginx master process found with the command above
1.2 Delete the nginx directories
whereis nginx
rm -rf <paths listed by whereis nginx>   # placeholder: delete only the nginx paths printed above, never a bare "rm -rf *"
1.3 Remove the nginx package with yum
yum remove nginx

2. Install the build dependencies

yum install -y wget epel-release
yum install -y gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel lmdb-devel libxml2-devel ssdeep-devel lua-devel libtool autoconf unzip automake

3. Install ModSecurity (libmodsecurity)

mkdir -p /home/modsecurity /usr/local/modsecurity
cd /home/modsecurity
wget http://www.modsecurity.cn/download/modsecurity/modsecurity-v3.0.3.tar.gz
tar -zxvf modsecurity-v3.0.3.tar.gz
mv modsecurity-v3.0.3 /usr/local/modsecurity/modsecurity
cd /usr/local/modsecurity/modsecurity   # build inside the moved source tree
sh build.sh
./configure
make
make install

4. Install ModSecurity-nginx (the nginx connector module)

ModSecurity-nginx download address:
https://github.com/SpiderLabs/ModSecurity-nginx

cd /home/modsecurity
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
mv ModSecurity-nginx /usr/local/modsecurity-nginx
# Alternatively, if the repository was downloaded as a zip instead of cloned:
# unzip ModSecurity-nginx-master.zip
# mv ModSecurity-nginx-master /usr/local/modsecurity-nginx

5. Install nginx

mkdir -p /home/nginx
cd /home/nginx
wget http://nginx.org/download/nginx-1.16.1.tar.gz
tar -zxvf nginx-1.16.1.tar.gz
cd nginx-1.16.1/
./configure --add-module=/usr/local/modsecurity-nginx
make -j2
make install

6. Configure nginx + ModSecurity-nginx

Create a directory named modsecurity under nginx's conf directory,
then move the configuration files from /usr/local/modsecurity/ into it:

  • modsecurity.conf-recommended > /usr/local/nginx/conf/modsecurity/modsecurity.conf (move and rename)
  • unicode.mapping > /usr/local/nginx/conf/modsecurity
mkdir /usr/local/nginx/conf/modsecurity
cd /usr/local/modsecurity/
cp modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity/modsecurity.conf
cp unicode.mapping /usr/local/nginx/conf/modsecurity

7. Configure nginx.conf

Add the following inside the http or server block (in the http block it applies globally; in a server block it applies only to that site):

    modsecurity on;
    modsecurity_rules_file /usr/local/nginx/conf/modsecurity/modsecurity.conf;

8. modsecurity.conf

Edit the configuration file:

8.1 Enable the rule engine (the recommended file ships in detection-only mode)
#SecRuleEngine DetectionOnly
SecRuleEngine On
8.2 Make sure ModSecurity stores the request body when writing the audit log: change the IJ parts to C
#SecAuditLogParts ABIJDEFHZ
SecAuditLogParts ABCDEFHZ
8.3 Add the following to the configuration file
Include /usr/local/nginx/conf/modsecurity/crs-setup.conf
Include /usr/local/nginx/conf/modsecurity/rules/*.conf

9. Configure the rule files (OWASP CRS)

  • Download the rule archive:
cd /home/modsecurity
wget http://www.modsecurity.cn/download/corerule/owasp-modsecurity-crs-3.3-dev.zip
unzip owasp-modsecurity-crs-3.3-dev.zip
cd owasp-modsecurity-crs-3.3-dev
  • Copy crs-setup.conf.example to /usr/local/nginx/conf/modsecurity/ and rename it to crs-setup.conf
cp crs-setup.conf.example /usr/local/nginx/conf/modsecurity/crs-setup.conf
  • Copy the rules directory to /usr/local/nginx/conf/modsecurity/
    and rename the two files below, dropping the .example suffix:
    REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
    RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
cp -r rules /usr/local/nginx/conf/modsecurity/
cd /usr/local/nginx/conf/modsecurity/rules
mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

10. Restart nginx

/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx   # if nginx is already running, use: /usr/local/nginx/sbin/nginx -s reload

11. Simulated attack test

  • Normal request:
~$ curl http://localhost -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Sat, 01 Jun 2019 13:00:38 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Sat, 01 Jun 2019 12:34:27 GMT
Connection: keep-alive
ETag: "5cf270d3-264"
Accept-Ranges: bytes

Returns 200: the request is allowed.

  • Simple SQL injection
~$ curl 'http://localhost/?id=1 AND 1=1' -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Sat, 01 Jun 2019 13:01:30 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

Returns 403: the request is blocked.

  • Simple XSS
~$ curl "http://localhost/?search=<script>alert('xss');</script>" -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.2
Date: Sat, 01 Jun 2019 13:01:15 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

Returns 403: the request is blocked.

12. Viewing the logs

  • By default ModSecurity has the audit log enabled and writes it to modsec_audit.log; the entries below come from the XSS test above. The audit log location can be checked in the configuration file (the SecAuditLog directive):
tail -f /var/log/modsec_audit.log
  • Related entries can also be seen in the nginx error log:
/var/log/nginx/error.log
  • In production, if traffic is heavy, it is advisable to turn the audit log off, because keeping it on causes the following problems:
    • A large volume of log data is written, consuming disk space.
    • The heavy I/O load affects the performance of the machine.
      To turn the audit log off, add the following to modsecurity.conf (/usr/local/nginx/conf/modsecurity/modsecurity.conf in this setup; the original text gives the path as /etc/nginx/modsecurity.conf):
SecAuditEngine off
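Before turning the audit log off it is worth knowing what it actually records. The following is an added example, not code from the original post: a small Python parser for the serial (single-file) audit-log format that tail -f /var/log/modsec_audit.log shows, pulling out each transaction's request line, response status and the rule ids that matched in part H. The log text, transaction id and the file/line values are constructed for the example (941100 and 949110 are real CRS rule ids); the concurrent per-file and JSON audit formats are not handled.

```python
import re

# Constructed sample in the serial audit-log format that tail -f modsec_audit.log
# shows: one blocked transaction with parts A, B, F, H, Z (C would hold a request body).
SAMPLE_LOG = """\
---Kx7pQ2mR---A--
[01/Jun/2019:13:01:15 +0000] 155944567512.345678 127.0.0.1 51234 127.0.0.1 80
---Kx7pQ2mR---B--
HEAD /?search=%3Cscript%3Ealert('xss');%3C/script%3E HTTP/1.1
Host: localhost

---Kx7pQ2mR---F--
HTTP/1.1 403
Server: nginx

---Kx7pQ2mR---H--
ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"] [uri "/"] [unique_id "155944567512.345678"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge with parameter 5 against variable TX:ANOMALY_SCORE" [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/"] [unique_id "155944567512.345678"]
---Kx7pQ2mR---Z--
"""

# Part boundary: v3 writes ---<id>---<PART>--, v2 wrote --<id>-<PART>--; accept both.
BOUNDARY = re.compile(r"^-{2,3}([0-9A-Za-z]+)-{1,3}([A-Z])--$", re.M)
# [key "value"] pairs on each rule-match line of part H; values may contain \" escapes.
KV = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def split_transactions(text):
    """Return {transaction_id: {part_letter: part_body}} from a serial audit log."""
    txns, marks = {}, list(BOUNDARY.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        txns.setdefault(m.group(1), {})[m.group(2)] = text[m.end():end].strip("\n")
    return txns

def summarize(text):
    """One record per transaction: request line, response status, matched rule ids."""
    records = []
    for tid, parts in split_transactions(text).items():
        req = parts.get("B", "").splitlines()
        resp = parts.get("F", "").splitlines()
        # Every rule that matched leaves its own line in part H with an [id "..."] tag;
        # 949110 is the CRS anomaly-score rule that actually issues the 403.
        rules = [(kv["id"], kv.get("msg", "")) for kv in
                 (dict(KV.findall(ln)) for ln in parts.get("H", "").splitlines()) if "id" in kv]
        records.append({"id": tid, "request": req[0] if req else "",
                        "status": int(resp[0].split()[1]) if resp else None,
                        "blocked": "Access denied" in parts.get("H", ""), "rules": rules})
    return records
```

Running summarize() over a real modsec_audit.log and counting the rule ids per request is the quickest way to spot which CRS rules fire on legitimate traffic and need an exclusion in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.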

13. Optimisation

13.1 Do not inspect static content
location / {
    modsecurity on;
    modsecurity_rules_file /etc/xxxx/main.conf;
    root html;
}
location ~ \.(gif|jpg|png|jpeg|svg)$ {
    modsecurity off;   # explicit, so image requests skip inspection even if modsecurity is enabled at the http/server level
    root /data/images;
}