
CentOS 7: building a WAF with Nginx + ModSecurity v3

admin | WEB Ops | 2023-02-14

ModSecurity official site:

 http://www.modsecurity.cn

Install the required dependencies

yum install -y wget epel-release
yum install -y gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel lmdb-devel libxml2-devel ssdeep-devel lua-devel libtool autoconf automake

Install ModSecurity

mkdir -p /home/modsecurity
cd /home/modsecurity
wget http://www.modsecurity.cn/download/modsecurity/modsecurity-v3.0.3.tar.gz
tar -zxvf modsecurity-v3.0.3.tar.gz
# Keep the source tree at /usr/local/modsecurity: the later steps copy
# modsecurity.conf-recommended and unicode.mapping from this directory
mv modsecurity-v3.0.3 /usr/local/modsecurity
cd /usr/local/modsecurity
sh build.sh
./configure
make
make install

Note: ignore the git-related error printed by sh build.sh:

fatal: Not a git repository (or any of the parent directories): .git


Install ModSecurity-nginx

ModSecurity-nginx download address:

https://github.com/SpiderLabs/ModSecurity-nginx

cd /home/modsecurity
# Download the ModSecurity-nginx-master.zip archive from the GitHub address above into this directory first
unzip ModSecurity-nginx-master.zip
mv ModSecurity-nginx-master /usr/local/modsecurity-nginx


Install nginx

mkdir /home/nginx
cd /home/nginx
wget http://nginx.org/download/nginx-1.16.1.tar.gz
tar -zxvf nginx-1.16.1.tar.gz
cd nginx-1.16.1/
./configure --add-module=/usr/local/modsecurity-nginx
make
make install

Configure nginx + ModSecurity-nginx

Create a folder named modsecurity under nginx's conf directory, then copy the configuration files from /usr/local/modsecurity/ into it, renaming the first one:

modsecurity.conf-recommended > /usr/local/nginx/conf/modsecurity/modsecurity.conf

unicode.mapping > /usr/local/nginx/conf/modsecurity

mkdir /usr/local/nginx/conf/modsecurity
cd /usr/local/modsecurity/
cp modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity/modsecurity.conf
cp unicode.mapping /usr/local/nginx/conf/modsecurity

nginx.conf

Add the following inside the http or server block (in the http block it applies globally; in a server block it applies only to that site):

    modsecurity on;
    modsecurity_rules_file /usr/local/nginx/conf/modsecurity/modsecurity.conf;

Changes to modsecurity.conf

Switch the engine from detection-only to blocking mode: SecRuleEngine DetectionOnly > SecRuleEngine On

#SecRuleEngine DetectionOnly

SecRuleEngine On

To make ModSecurity save the request body in the audit log, change the IJ parts to C:

#SecAuditLogParts ABIJDEFHZ

SecAuditLogParts ABCDEFHZ

Add the following lines:

Include /usr/local/nginx/conf/modsecurity/crs-setup.conf
Include /usr/local/nginx/conf/modsecurity/rules/*.conf

Configure the rule files

Download the rule archive:

cd /home/modsecurity
wget http://www.modsecurity.cn/download/corerule/owasp-modsecurity-crs-3.3-dev.zip
unzip owasp-modsecurity-crs-3.3-dev.zip
cd owasp-modsecurity-crs-3.3-dev


Copy crs-setup.conf.example to /usr/local/nginx/conf/modsecurity/ and rename it to crs-setup.conf:

cp crs-setup.conf.example /usr/local/nginx/conf/modsecurity/crs-setup.conf

Copy the rules folder to /usr/local/nginx/conf/modsecurity/

Rename the following files, dropping the .example suffix:

REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example

RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example


cp -r rules /usr/local/nginx/conf/modsecurity/
cd /usr/local/nginx/conf/modsecurity/rules
mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

Restart nginx

/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
# If nginx is already running, reload it instead: /usr/local/nginx/sbin/nginx -s reload

Test

The last two requests clearly return 403: they were blocked successfully.

[root@master conf.d]# curl http://localhost -I
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 18 Aug 2020 11:32:03 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 18 Aug 2020 11:17:22 GMT
Connection: keep-alive
ETag: "5f3bb8c2-264"
Accept-Ranges: bytes

[root@master conf.d]# curl 'http://localhost/?id=1 AND 1=1' -I
HTTP/1.1 403 Forbidden
Server: nginx/1.16.1
Date: Tue, 18 Aug 2020 11:32:35 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

[root@master conf.d]# curl 'http://localhost/?search=<scritp>alert('xss');</script>' -I
HTTP/1.1 403 Forbidden
Server: nginx/1.16.1
Date: Tue, 18 Aug 2020 11:32:53 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
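A 403 only tells you the request was blocked; the reason lives in the audit log that modsecurity.conf-recommended writes (SecAuditLogType Serial, with the ABCDEFHZ parts configured above). The following is an added example, not part of the original post: it parses a constructed serial audit log (two made-up entries mirroring the two test requests; the second is written as a detection-only hit with no "Access denied" line) and extracts the client IP, request line, matched CRS rule IDs and messages for triage.

```python
import re

# Constructed sample (not a real capture): two entries in the serial audit log that
# modsecurity.conf-recommended writes; part letters follow SecAuditLogParts ABCDEFHZ (C/E/F omitted).
SAMPLE_AUDIT_LOG = """\
---Xk3f9Qpz---A--
[18/Aug/2020:11:32:35 +0000] 159774075544.123456 127.0.0.1 51322 127.0.0.1 80
---Xk3f9Qpz---B--
GET /?id=1%20AND%201=1 HTTP/1.1
Host: localhost
---Xk3f9Qpz---H--
ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"]
ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"]
---Xk3f9Qpz---Z--
---Rm7t2Wba---A--
[18/Aug/2020:11:32:53 +0000] 159774077301.654321 10.0.0.7 40112 127.0.0.1 80
---Rm7t2Wba---B--
GET /?search=%3Cscritp%3Ealert(xss);%3C/script%3E HTTP/1.1
---Rm7t2Wba---H--
ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"]
---Rm7t2Wba---Z--
"""

PART_HEADER = re.compile(r"^---(\w+)---([A-Z])--$")  # ---<transaction id>---<part letter>--
RULE_ID = re.compile(r'\[id "(\d+)"\]')
MSG = re.compile(r'\[msg "([^"]*)"\]')

def parse_audit_log(text):
    """Split a serial audit log into {transaction_id: {part_letter: [lines]}}."""
    entries, tx, part = {}, None, None
    for line in text.splitlines():
        m = PART_HEADER.match(line)
        if m:
            tx, part = m.groups()
            entries.setdefault(tx, {})[part] = []
        elif tx is not None and line:
            entries[tx][part].append(line)
    return entries

def summarize(entries):
    """One triage record per transaction from part A (client), B (request line) and H (rule matches)."""
    records = []
    for tx, parts in entries.items():
        a = parts.get("A", [""])[0].split()  # [timestamp tz] unique_id client_ip client_port server_ip server_port
        h_text = "\n".join(parts.get("H", []))
        records.append({"tx": tx, "client_ip": a[3] if len(a) > 3 else "", "request": parts.get("B", [""])[0],
                        "blocked": "Access denied" in h_text,  # only written with SecRuleEngine On, not DetectionOnly
                        "rule_ids": sorted(set(RULE_ID.findall(h_text))), "messages": MSG.findall(h_text)})
    return records
```

Counting rule_ids across a day of records shows which CRS rules fire most, which is the input for the REQUEST-900/RESPONSE-999 exclusion files created above.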


