ModSecurity official website:
http://www.modsecurity.cn
Installing the dependencies
yum install -y wget epel-release
yum install -y gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel lmdb-devel libxml2-devel ssdeep-devel lua-devel libtool autoconf automake
Installing ModSecurity
mkdir -p /home/modsecurity /usr/local/modsecurity
cd /home/modsecurity
wget http://www.modsecurity.cn/download/modsecurity/modsecurity-v3.0.3.tar.gz
tar -zxvf modsecurity-v3.0.3.tar.gz
mv modsecurity-v3.0.3 /usr/local/modsecurity/modsecurity
# build.sh and configure must be run from inside the source directory
cd /usr/local/modsecurity/modsecurity
sh build.sh
./configure
make
make install
Note: ignore the git-related error printed by sh build.sh:
fatal: Not a git repository (or any of the parent directories): .git
Installing ModSecurity-nginx
ModSecurity-nginx download address:
https://github.com/SpiderLabs/ModSecurity-nginx
mkdir modsecurity-nginx
unzip ModSecurity-nginx-master.zip
mv ModSecurity-nginx-master /usr/local/modsecurity-nginx
Installing nginx
mkdir /home/nginx
cd /home/nginx
wget http://nginx.org/download/nginx-1.16.1.tar.gz
tar -zxvf nginx-1.16.1.tar.gz
cd nginx-1.16.1/
./configure --add-module=/usr/local/modsecurity-nginx
make
make install
Configuring nginx + ModSecurity-nginx
Create a modsecurity folder under nginx's conf directory,
then copy into it the configuration files from the ModSecurity source tree under /usr/local/modsecurity/:
modsecurity.conf-recommended > /usr/local/nginx/conf/modsecurity/modsecurity.conf (copied and renamed)
unicode.mapping > /usr/local/nginx/conf/modsecurity
mkdir /usr/local/nginx/conf/modsecurity
# the source tree was moved to /usr/local/modsecurity/modsecurity during the ModSecurity install
cd /usr/local/modsecurity/modsecurity
cp modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity/modsecurity.conf
cp unicode.mapping /usr/local/nginx/conf/modsecurity
nginx.conf
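Add the following inside the http or server block (in the http block it applies globally; in a server block it applies only to that site):
modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/modsecurity/modsecurity.conf;
Changes to modsecurity.conf
Change SecRuleEngine DetectionOnly to SecRuleEngine On, so that matching requests are blocked rather than only logged: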
#SecRuleEngine DetectionOnly
SecRuleEngine On
Make sure ModSecurity saves the request body when it writes the audit log: change IJ to C
#SecAuditLogParts ABIJDEFHZ
SecAuditLogParts ABCDEFHZ
Add the following:
Include /usr/local/nginx/conf/modsecurity/crs-setup.conf
Include /usr/local/nginx/conf/modsecurity/rules/*.conf
Configuring the rule files
Download the rule file archive:
cd /home/modsecurity
wget http://www.modsecurity.cn/download/corerule/owasp-modsecurity-crs-3.3-dev.zip
unzip owasp-modsecurity-crs-3.3-dev.zip
cd owasp-modsecurity-crs-3.3-dev
Copy crs-setup.conf.example to /usr/local/nginx/conf/modsecurity/ and rename it to crs-setup.conf:
cp crs-setup.conf.example /usr/local/nginx/conf/modsecurity/crs-setup.conf
Copy the rules folder to /usr/local/nginx/conf/modsecurity/
and rename the following files, removing the .example suffix:
REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
cp -r rules /usr/local/nginx/conf/modsecurity/
cd /usr/local/nginx/conf/modsecurity/rules
mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
Restart nginx (the command below starts nginx with this configuration; if an instance is already running, stop it first with nginx -s stop)
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
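The modsecurity.conf edits above are easy to leave half-done, and a file still set to DetectionOnly logs attacks without blocking them. The shell functions below are an added example, not part of the original post: they check a modsecurity.conf for the three changes this guide makes. The function names and the sample file are constructed for illustration, and treating the last uncommented occurrence of a directive as the effective one is an assumption of this check.

```shell
#!/bin/sh
# Added example (not from the original post): post-install check of modsecurity.conf.

# Print the value of the last uncommented occurrence of a directive.
# Assumption of this check: the last occurrence in the file is the effective one.
effective_value() {  # $1 = file, $2 = directive name
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

# Return 0 when the file carries the settings this guide applies; print each problem.
check_modsec_conf() {  # $1 = path to modsecurity.conf
    rc=0
    engine=$(effective_value "$1" SecRuleEngine)
    if [ "$engine" != "On" ]; then
        echo "SecRuleEngine is '${engine:-unset}': requests are not blocked"
        rc=1
    fi
    parts=$(effective_value "$1" SecAuditLogParts)
    case "$parts" in
        *C*) ;;
        *) echo "SecAuditLogParts '$parts' lacks C: request body not logged"; rc=1 ;;
    esac
    # crs-setup.conf has to be included before the rule files that read its settings.
    setup=$(awk '$1 == "Include" && $2 ~ /crs-setup\.conf$/ { print NR; exit }' "$1")
    rules=$(awk '$1 == "Include" && $2 ~ /rules\/\*\.conf$/ { print NR; exit }' "$1")
    if [ -z "$setup" ] || [ -z "$rules" ] || [ "$setup" -gt "$rules" ]; then
        echo "CRS Include lines missing or out of order"
        rc=1
    fi
    return $rc
}

# Constructed sample: the two directives as they stand before the edits above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SecRuleEngine DetectionOnly
SecAuditLogParts ABIJDEFHZ
EOF
check_modsec_conf "$sample" || echo "=> configuration still needs the edits from this guide"
rm -f "$sample"
```

To check the installed file, call check_modsec_conf /usr/local/nginx/conf/modsecurity/modsecurity.conf.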
Testing
The last two test requests below return 403, which shows they were blocked successfully:
[root@master conf.d]# curl http://localhost -I
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 18 Aug 2020 11:32:03 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 18 Aug 2020 11:17:22 GMT
Connection: keep-alive
ETag: "5f3bb8c2-264"
Accept-Ranges: bytes
[root@master conf.d]# curl 'http://localhost/?id=1 AND 1=1' -I
HTTP/1.1 403 Forbidden
Server: nginx/1.16.1
Date: Tue, 18 Aug 2020 11:32:35 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
[root@master conf.d]# curl 'http://localhost/?search=<scritp>alert('xss');</script>' -I
HTTP/1.1 403 Forbidden
Server: nginx/1.16.1
Date: Tue, 18 Aug 2020 11:32:53 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive