Introduction to ModSecurity
ModSecurity is an open-source, cross-platform web application firewall (WAF), often called the "Swiss Army knife" of WAFs. It protects a website by inspecting both the data the web server receives and the data it sends out.
System environment
System: CentOS 7
Deployment details
1. Install dependencies
yum install -y epel-release
yum install -y git wget gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel lmdb-devel libxml2-devel ssdeep-devel lua-devel libtool autoconf automake
2. Build and install ModSecurity
cd /opt
git clone https://github.com/SpiderLabs/ModSecurity.git
cd ModSecurity
git checkout -b v3/master origin/v3/master
git submodule init
git submodule update
./build.sh
./configure
make
make install
3. Clone ModSecurity-nginx (the connector module that links ModSecurity to Nginx)
cd /opt
git clone https://github.com/SpiderLabs/ModSecurity-nginx
4. Build and install Nginx
cd /opt
yum install -y perl gcc wget net-tools tar
wget https://nginx.org/download/nginx-1.23.0.tar.gz
tar -xvzf nginx-1.23.0.tar.gz
cd /opt/nginx-1.23.0
./configure --with-http_ssl_module --with-http_v2_module --add-module=/opt/ModSecurity-nginx
make
make install
Since the WAF may need to terminate (decrypt and re-encrypt) HTTPS traffic, the --with-http_ssl_module and --with-http_v2_module parameters are included.
Whether OpenSSL is installed, and which version, is not covered here; install or upgrade it yourself if needed.
For easier management later, register Nginx as a systemd service and reload the unit list.
cat > "/lib/systemd/system/nginx.service" <<-'EOF'
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
Adjust the location of the Nginx pid file so it matches the PIDFile in the unit
sed -i 's|^#pid[[:space:]]*logs/nginx.pid;|pid /run/nginx.pid;|' /usr/local/nginx/conf/nginx.conf
For convenience, symlink the Nginx binary and config directory into the standard system paths
ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx
ln -s /usr/local/nginx/conf/ /etc/nginx
5. Configuration
mkdir /usr/local/nginx/conf/ModSecurity
cp /opt/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/ModSecurity/modsecurity.conf
cp /opt/ModSecurity/unicode.mapping /usr/local/nginx/conf/ModSecurity/unicode.mapping
Download the rule set from OWASP: https://coreruleset.org/installation/
Because the downloaded version varies, the archive is referred to below by the placeholder name ruleset.zip (and the extracted directory as ruleset)
unzip ruleset.zip
cd ruleset
cp crs-setup.conf.example /usr/local/nginx/conf/ModSecurity/crs-setup.conf
cp -r rules /usr/local/nginx/conf/ModSecurity/
cd /usr/local/nginx/conf/ModSecurity/rules
mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
Edit the Nginx configuration file /usr/local/nginx/conf/nginx.conf
Add the following inside the http or server block; adding it under http applies it globally, adding it under server applies it only to that site
modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/ModSecurity/modsecurity.conf;
Edit /usr/local/nginx/conf/ModSecurity/modsecurity.conf
Change SecRuleEngine DetectionOnly to SecRuleEngine On and add the following
Include /usr/local/nginx/conf/ModSecurity/crs-setup.conf
Include /usr/local/nginx/conf/ModSecurity/rules/*.conf
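As an added example (not from the original post), the following script applies the step 5 edits idempotently and then checks that they took effect; the directory argument is assumed to be the ModSecurity config directory created above.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Applies the step-5 ModSecurity
# edits idempotently and verifies them. The directory argument is assumed to
# be the config directory created above (/usr/local/nginx/conf/ModSecurity).

# Switch the engine to blocking mode and add the CRS includes if absent.
configure_modsec() {
    local dir="$1" conf="$1/modsecurity.conf" inc f
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    # Only the active directive, not commented examples, is rewritten.
    sed -i 's/^SecRuleEngine[[:space:]][[:space:]]*DetectionOnly/SecRuleEngine On/' "$conf"
    for inc in "$dir/crs-setup.conf" "$dir/rules/*.conf"; do
        grep -qF "Include $inc" "$conf" || echo "Include $inc" >> "$conf"
    done
    # Activate the CRS exclusion files by dropping the .example suffix.
    for f in "$dir"/rules/*EXCLUSION-RULES*.conf.example; do
        [ -e "$f" ] && mv -n "$f" "${f%.example}"
    done
    return 0
}

# Return 0 when the directory is in the state step 5 expects, else 1.
verify_modsec() {
    local dir="$1" conf="$1/modsecurity.conf"
    grep -q '^SecRuleEngine On' "$conf" || return 1
    grep -qF "Include $dir/crs-setup.conf" "$conf" || return 1
    grep -qF "Include $dir/rules/*.conf" "$conf" || return 1
    [ -f "$dir/crs-setup.conf" ] || return 1
    [ -f "$dir/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf" ] || return 1
    [ -f "$dir/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf" ] || return 1
    return 0
}

# Usage: bash modsec-setup.sh /usr/local/nginx/conf/ModSecurity
if [ -n "${1:-}" ]; then
    configure_modsec "$1" && verify_modsec "$1" && echo "ModSecurity config OK: $1"
fi
```

Run it a second time after any manual edit; it only appends what is missing, so the Include lines are never duplicated.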
6. Start Nginx and test
systemctl start nginx
Open the service in a browser; you should see the Nginx welcome page
Access the service in the browser with a simulated attack; you should see the 403 Forbidden page
Because this site is itself protected by a WAF, a sample attack payload cannot be provided here; search for one and try it yourself
Once the 403 Forbidden page appears as expected, you can configure proxy_pass so that Nginx proxies requests to the backend web server