nginx利用ModSecurity构建WAF环境

发表评论
5,043

A+

所属分类：WEB应用

owasp-modsecurity-crs:https://github.com/SpiderLabs/owasp-modsecurity-crs.git

OWASP是一个安全社区，开发和维护着一套免费的应用程序保护规则，这就是所谓OWASP的ModSecurity的核心规则集（即CRS）

安装：nginx之前已经安装过，这里直接添加模块

modsecurity安装：

cd /usr/local/
wget https://www.modsecurity.org/tarball/2.9.2/modsecurity-2.9.2.tar.gz
tar -xf modsecurity-2.9.2.tar.gz 
cd modsecurity-2.9.2
yum install -y httpd-devel
./configure --enable-standalone-module --disable-mlogc
make

cd /usr/local/

wget https://www.modsecurity.org/tarball/2.9.2/modsecurity-2.9.2.tar.gz

tar -xf modsecurity-2.9.2.tar.gz

cd modsecurity-2.9.2

yum install -y httpd-devel

./configure --enable-standalone-module --disable-mlogc

make

nginx添加模块，先查看以前参数

cd /usr/local/src/ &&wget http://nginx.org/download/nginx-1.12.2.tar.gz
./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-ipv6 --with-http_sub_module --with-ld-opt=-ljemalloc --add-module=/usr/local/modsecurity-2.9.2/nginx/modsecurity/
make
mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.old
cp -rf objs/nginx /usr/local/nginx/sbin/
make upgrade

cd /usr/local/src/ &&wget http://nginx.org/download/nginx-1.12.2.tar.gz

./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-ipv6 --with-http_sub_module --with-ld-opt=-ljemalloc --add-module=/usr/local/modsecurity-2.9.2/nginx/modsecurity/

make

mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.old

cp -rf objs/nginx /usr/local/nginx/sbin/

make upgrade

下载OWASP安全规则，放在nginx目录的conf里面

cd /usr/local/nginx/conf/ 
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
cp crs-setup.conf.example crs-setup.conf
vim crs-setup.conf  
修改：
1.默认是只记录日志，不拦截，需要注释下面两行
   # SecDefaultAction "phase:1,nolog,auditlog,pass"
   # SecDefaultAction "phase:2,nolog,auditlog,pass"
2.打开新规则，当触发规则，返回403
   SecDefaultAction "phase:1,log,auditlog,deny,status:403"
   SecDefaultAction "phase:2,log,auditlog,deny,status:403"
cd /usr/local/nginx/conf/owasp-modsecurity-crs/rules  #进去打开两个规则
cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

cd /usr/local/nginx/conf/

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

cd owasp-modsecurity-crs/

cp crs-setup.conf.example crs-setup.conf

vim crs-setup.conf

修改：

1.默认是只记录日志，不拦截，需要注释下面两行

# SecDefaultAction "phase:1,nolog,auditlog,pass"

# SecDefaultAction "phase:2,nolog,auditlog,pass"

2.打开新规则，当触发规则，返回403

SecDefaultAction "phase:1,log,auditlog,deny,status:403"

SecDefaultAction "phase:2,log,auditlog,deny,status:403"

cd /usr/local/nginx/conf/owasp-modsecurity-crs/rules #进去打开两个规则

cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

modsecurity配置：

拷贝配置文件到nginx conf目录：
cp /usr/local/modsecurity-2.9.2/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
cp /usr/local/modsecurity-2.9.2/unicode.mapping /usr/local/nginx/conf/
vim modsecurity.conf 
SecRuleEngine On  #修改引擎为开启
最后面插入规则：(这个是3.0的，如果有其他更新可以再owasp-modsecurity-crs/rules/查看模板)
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

拷贝配置文件到nginx conf目录：

cp /usr/local/modsecurity-2.9.2/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf

cp /usr/local/modsecurity-2.9.2/unicode.mapping /usr/local/nginx/conf/

vim modsecurity.conf

SecRuleEngine On #修改引擎为开启

最后面插入规则：(这个是3.0的，如果有其他更新可以再owasp-modsecurity-crs/rules/查看模板)

include owasp-modsecurity-crs/crs-setup.conf

include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf

Include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf

include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf

include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf

include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf

include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf

include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf

include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf

include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf

include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf

include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf

include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf

include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf

include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf

include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf

include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf

include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf

include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf

include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf

include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf

include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf

include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf

include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf

include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf

include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

nginx配置启用规则,在location启用规则

vim /usr/local/nginx/conf/nginx.conf
location / {
                ModSecurityEnabled on;
                ModSecurityConfig modsecurity.conf;
  root html;
}
/usr/local/nginx/sbin/nginx -t&&/usr/local/nginx/sbin/nginx -s reload