owasp-modsecurity-crs:https://github.com/SpiderLabs/owasp-modsecurity-crs.git
OWASP is a security community that develops and maintains a free set of application protection rules, known as the OWASP ModSecurity Core Rule Set (CRS).
Installation: nginx was already installed earlier, so here we only add the module.
ModSecurity installation:
cd /usr/local/
wget https://www.modsecurity.org/tarball/2.9.2/modsecurity-2.9.2.tar.gz
tar -xf modsecurity-2.9.2.tar.gz
cd modsecurity-2.9.2
yum install -y httpd-devel    # the standalone module build needs the Apache dev headers/apxs
./configure --enable-standalone-module --disable-mlogc
make
Add the module to nginx. First check the arguments the existing binary was built with (nginx -V prints them) so the rebuild keeps the same options.
cd /usr/local/src/ && wget http://nginx.org/download/nginx-1.12.2.tar.gz
tar -xf nginx-1.12.2.tar.gz && cd nginx-1.12.2    # unpack and enter the source tree before configuring
./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-ipv6 --with-http_sub_module --with-ld-opt=-ljemalloc --add-module=/usr/local/modsecurity-2.9.2/nginx/modsecurity/
make    # build only; do not run make install, or the existing installation would be overwritten
mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.old
cp -rf objs/nginx /usr/local/nginx/sbin/
make upgrade    # hot-swap to the new binary without dropping connections
Download the OWASP security rules and place them inside nginx's conf directory:
cd /usr/local/nginx/conf/
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
cp crs-setup.conf.example crs-setup.conf
vim crs-setup.conf
Edits:
1. By default it only logs and does not block, so comment out the following two lines:
# SecDefaultAction "phase:1,nolog,auditlog,pass"
# SecDefaultAction "phase:2,nolog,auditlog,pass"
2. Enable the new rules so that a triggered rule returns 403 (this is the CRS "self-contained" mode: each rule denies on its own instead of only adding to the anomaly score):
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
cd /usr/local/nginx/conf/owasp-modsecurity-crs/rules    # go in and enable the two exclusion rule files
cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
ModSecurity configuration:
Copy the configuration files into the nginx conf directory:
cp /usr/local/modsecurity-2.9.2/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
cp /usr/local/modsecurity-2.9.2/unicode.mapping /usr/local/nginx/conf/
vim modsecurity.conf
SecRuleEngine On    # change the engine from DetectionOnly (the shipped default) to On
Append the rule includes at the very end (this list is for CRS 3.0; if there are newer rule files, check the templates in owasp-modsecurity-crs/rules/):
Include owasp-modsecurity-crs/crs-setup.conf
Include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
Include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
Include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
Include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
Include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
Enable the rules in the nginx configuration, inside the location block:
vim /usr/local/nginx/conf/nginx.conf
location / {
    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;
    root html;
}
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
Test:
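As an added example (editor's code, not from this article, ModSecurity or the CRS), the following Python script checks the settings edited above before nginx is reloaded: SecRuleEngine is On rather than DetectionOnly, the last SecDefaultAction for phase 1 and phase 2 in crs-setup.conf denies, and every Include target under the nginx conf directory exists (a forgotten cp of an .example file is the usual miss). The function names and the miniature sample tree it builds are assumptions made for this example.

```python
import os, re, tempfile

# Hypothetical checker for the edits this page makes; the directive regexes skip '# ' lines.
ENGINE = re.compile(r"^\s*SecRuleEngine\s+(\S+)", re.M)
INCLUDE = re.compile(r"^\s*include\s+(\S+)", re.M | re.I)
DEFAULT_ACTION = re.compile(r'^\s*SecDefaultAction\s+"([^"]+)"', re.M)

def check_modsec_conf(conf_dir):
    """Return a list of problems found under conf_dir; an empty list means OK."""
    problems = []
    with open(os.path.join(conf_dir, "modsecurity.conf")) as f:
        main = f.read()
    m = ENGINE.search(main)
    if not m or m.group(1) != "On":
        problems.append("SecRuleEngine is not On (the recommended file ships DetectionOnly)")
    for inc in INCLUDE.findall(main):  # paths are relative to the nginx conf dir
        if not os.path.exists(os.path.join(conf_dir, inc)):
            problems.append(f"missing {inc} (was the .example file copied?)")
    setup = os.path.join(conf_dir, "owasp-modsecurity-crs", "crs-setup.conf")
    if os.path.exists(setup):
        with open(setup) as f:
            actions = DEFAULT_ACTION.findall(f.read())
        for phase in ("phase:1", "phase:2"):  # the last SecDefaultAction per phase applies
            acts = [a for a in actions if a.startswith(phase + ",")]
            if not acts or "deny" not in acts[-1].split(","):
                problems.append(f"crs-setup.conf: {phase} SecDefaultAction does not deny")
    return problems

RULES = ["REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf", "REQUEST-901-INITIALIZATION.conf"]

def write_sample_tree(root, engine="On", deny=True, copied_900=True):
    """Write a constructed miniature of this page's layout (not the real CRS files)."""
    rules = os.path.join(root, "owasp-modsecurity-crs", "rules")
    os.makedirs(rules)
    act = "deny,status:403" if deny else "pass"
    with open(os.path.join(root, "owasp-modsecurity-crs", "crs-setup.conf"), "w") as f:
        f.write('# SecDefaultAction "phase:1,nolog,auditlog,pass"\n'
                f'SecDefaultAction "phase:1,log,auditlog,{act}"\n'
                f'SecDefaultAction "phase:2,log,auditlog,{act}"\n')
    for name in RULES:
        if copied_900 or not name.startswith("REQUEST-900"):
            open(os.path.join(rules, name), "w").close()
    with open(os.path.join(root, "modsecurity.conf"), "w") as f:
        f.write(f"SecRuleEngine {engine}\ninclude owasp-modsecurity-crs/crs-setup.conf\n"
                + "".join(f"include owasp-modsecurity-crs/rules/{n}\n" for n in RULES))

def run_check(**kwargs):  # build the sample tree in a temp dir and return the findings
    with tempfile.TemporaryDirectory() as d:
        write_sample_tree(d, **kwargs)
        return check_modsec_conf(d)
```

Against the real deployment, call check_modsec_conf("/usr/local/nginx/conf") and reload only when it returns an empty list.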