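Building a WAF Environment for nginx with ModSecurity

Administrator
2017-12-06
    OWASP is a security community that develops and maintains a free set of application protection rules, known as the OWASP ModSecurity Core Rule Set (CRS).

Installation: nginx has already been installed, so here we only add the module.


Install ModSecurity: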
cd /usr/local/
wget https://www.modsecurity.org/tarball/2.9.2/modsecurity-2.9.2.tar.gz
tar -xf modsecurity-2.9.2.tar.gz 
cd modsecurity-2.9.2
yum install -y httpd-devel
./configure --enable-standalone-module --disable-mlogc
make



Add the module to nginx; first check the arguments the existing build was configured with
cd /usr/local/src/ && wget http://nginx.org/download/nginx-1.12.2.tar.gz
tar -xf nginx-1.12.2.tar.gz  # unpack the source before running configure
cd nginx-1.12.2
./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-ipv6 --with-http_sub_module --with-ld-opt=-ljemalloc --add-module=/usr/local/modsecurity-2.9.2/nginx/modsecurity/
make
mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.old
cp -rf objs/nginx /usr/local/nginx/sbin/
make upgrade
Download the OWASP security rules and place them in the conf directory under the nginx directory


cd /usr/local/nginx/conf/ 
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
cp crs-setup.conf.example crs-setup.conf
vim crs-setup.conf  
Changes:
1. By default it only logs and does not block; comment out the following two lines
   # SecDefaultAction "phase:1,nolog,auditlog,pass"
   # SecDefaultAction "phase:2,nolog,auditlog,pass"
2. Enable the new rules so that a triggered rule returns 403
   SecDefaultAction "phase:1,log,auditlog,deny,status:403"
   SecDefaultAction "phase:2,log,auditlog,deny,status:403"
cd /usr/local/nginx/conf/owasp-modsecurity-crs/rules  # go in and enable the two rule files
cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
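ModSecurity configuration:


Copy the configuration files to the nginx conf directory:
cp /usr/local/modsecurity-2.9.2/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
cp /usr/local/modsecurity-2.9.2/unicode.mapping /usr/local/nginx/conf/
vim /usr/local/nginx/conf/modsecurity.conf
Set the rule engine to On:
SecRuleEngine On
Append the rules at the very end (these are for 3.0; if there are other updates, check the templates under owasp-modsecurity-crs/rules/):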
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
Enable the rules in the nginx configuration, inside a location block
vim /usr/local/nginx/conf/nginx.conf
location / {
    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;
    root html;
}
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
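
The following shell function is an added example, not part of the original post: before nginx -t and the reload, it checks that the edits above leave ModSecurity in blocking mode and that every included rule file exists. The names check_waf_conf and last_directive are made up for this example, and it assumes relative include paths resolve against the conf directory, as the layout on this page implies.

```bash
#!/bin/bash
# Added example (not from the original post): lint the files edited above
# before running "nginx -t". Paths default to the ones used on this page.

# Last active (uncommented) value of a one-argument directive, lowercased.
last_directive() {  # $1 = directive, $2 = file
    awk -v d="$1" 'tolower($1) == tolower(d) { v = tolower($2) } END { print v }' "$2" 2>/dev/null
}

# The body runs in a subshell "( ... )" so its variables do not leak.
check_waf_conf() (
    conf="${1:-/usr/local/nginx/conf}"
    main="$conf/modsecurity.conf"
    setup="$conf/owasp-modsecurity-crs/crs-setup.conf"
    rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    # 1. The engine must be "On"; "DetectionOnly" logs but never blocks.
    mode=$(last_directive SecRuleEngine "$main")
    [ "$mode" = "on" ] || fail "SecRuleEngine is '${mode:-unset}', expected On"

    # 2. Both phases need an active SecDefaultAction that denies,
    #    and no active "pass" default may be left behind.
    for phase in 1 2; do
        grep -Eiq "^[[:space:]]*SecDefaultAction[[:space:]]+\"phase:$phase,[^\"]*deny" "$setup" 2>/dev/null \
            || fail "no active deny SecDefaultAction for phase:$phase"
    done
    if grep -Eiq '^[[:space:]]*SecDefaultAction[[:space:]]+"[^"]*,pass' "$setup" 2>/dev/null; then
        fail "an active SecDefaultAction still uses pass"
    fi

    # 3. Every include must exist. Assumptions: explicit file names (no
    #    wildcards), relative paths resolved against the conf directory.
    for f in $(awk 'tolower($1) == "include" { print $2 }' "$main" 2>/dev/null); do
        case "$f" in /*) p="$f" ;; *) p="$conf/$f" ;; esac
        [ -f "$p" ] || fail "missing include: $f"
    done

    [ "$rc" -eq 0 ] && echo "OK: blocking mode, all includes present"
    exit "$rc"
)
```

Call check_waf_conf with no argument to check /usr/local/nginx/conf, or pass another directory with the same layout; it returns non-zero if any check fails.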
Test:

