1.首先把需要得规则策略包丢到/usr/local目录下
下载链接:
owasp-modsecurity-crs/rules at v3.3/dev · SpiderLabs/owasp-modsecurity-crs · GitHub
2.安装依赖工具
yum install -y epel-release
yum install -y readline-devel curl-devel gcc gcc-c++ python-devel lua-devel doxygen perl yajl-devel GeoIP-devel lmdb-devel ssdeep-devel flex bison autoconf automake
3.安装Modsecurity
cd /usr/local
#git clone https://github.com/SpiderLabs/ModSecurity
#cd ModSecurity
#git checkout -b v3/master origin/v3/master
#git submodule init
#git submodule update
#sh build.sh
#./configure
#make
#make install
#2024年4月7日更新,由于直接git clone高版本会在make时出现错误,因此改为直接下载tar包进行安装
wget --no-check-certificate https://github.com/owasp-modsecurity/ModSecurity/releases/download/v3.0.12/modsecurity-v3.0.12.tar.gz
tar -zxvf modsecurity-v3.0.12.tar.gz
cd /usr/local/modsecurity-v3.0.12
./configure
make -j4
make install
4.安装Nginx和ModSecurity-nginx(此处由于该测试服务器已安装有nginx,所以下载的同版本源码重新编译安装)
cd /usr/local
git clone https://github.com/SpiderLabs/ModSecurity-nginx
wget http://nginx.org/download/nginx-1.17.10.tar.gz
tar -zxvf nginx-1.17.10.tar.gz
cd /usr/local/nginx-1.17.10
./configure --prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib64/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--user=nginx \
--group=nginx \
--build=CentOS \
--http-log-path=/var/log/nginx/access.log \
--with-http_stub_status_module\
--add-module=/usr/local/ModSecurity-nginx
make
make install
5.nginx启动正常
6.最终配置
mkdir -p /etc/nginx/modsecurity/rules
cp /usr/local/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsecurity/modsecurity.conf
cp /usr/local/ModSecurity/unicode.mapping /etc/nginx/modsecurity/
7.下载规则文件压缩包
cd /usr/local/
wget http://www.modsecurity.cn/download/corerule/owasp-modsecurity-crs-3.3-dev.zip
unzip owasp-modsecurity-crs-3.3-dev.zip
cd owasp-modsecurity-crs-3.3-dev
复制crs-setup.conf.example到/etc/nginx/modsecurity/下并重命名为crs-setup.conf
cd /usr/local/owasp-modsecurity-crs-3.3-dev
cp crs-setup.conf.example /etc/nginx/modsecurity/crs-setup.conf
将下载的策略规则包解压后的rules文件夹里面的所有规则复制到/etc/nginx/modsecurity/rules下
cp -r rules/ /etc/nginx/modsecurity/
最终得目录下面有如下文件
[root@IT3 modsecurity]# ls
crs-setup.conf modsecurity.conf rules unicode.mapping
上面的rules是目录,其他是文件
同时修改REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example与RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example两个文件的文件名,将".example"删除,这两个文件用于自定义规则;
cd rules
mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
编辑nginx.conf
在http或server节点中添加以下内容(在http节点添加表示全局配置,在server节点添加表示为指定网站配置)这里看具体需要,实际生产业务推荐写在server,这样方便控制
modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
编辑modsecurity.conf
SecRuleEngine DetectionOnly改为SecRuleEngine On
同时添加以下内容:
Include /etc/nginx/modsecurity/crs-setup.conf
Include /etc/nginx/modsecurity/rules/*.conf
确保ModSecurity在记录审计日志时保存请求体IJ 改为 C
#SecAuditLogParts ABIJDEFHZ
SecAuditLogParts ABCDEFHZ
8.重启nginx
service nginx restart
注:此处可能重启报错
[root@WoMusic-test02 sbin]# nginx -t
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsecurity/rules/REQUEST-910-IP-REPUTATION.conf. Line: 75. Column: 22. This version of ModSecurity was not compiled with GeoIP or MaxMind support. in /etc/nginx/nginx.conf:22
ref:Nginx + ModSecurity 报错_莫忘、初心的博客-CSDN博客
注释这条规则即可
测试访问:http://localhost:5080/?id=2%27or%201-3
返回403
[root@WoMusic-test02 sbin]# curl 'http://localhost:5080/?id=1 AND 1=1' -I
HTTP/1.1 403 Forbidden
Server: nginx/1.17.10
Date: Wed, 07 Apr 2021 06:41:22 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
[root@WoMusic-test02 sbin]#
ref:
CentOS7.7下源码安装3.x.x版本ModSecurity+Nginx及配置策略 - 简书 CentOS7: Nginx+ModSecurity 安装教程_莫忘、初心的博客-CSDN博客_modsecurity nginx CentOS下Nginx+ModSecurity(3.0.x)安装教程及配置WAF规则文件_使用教程_ModSecurity-应用实践