ModSecurity v3 部署教程

ModSecurity简介

ModSecurity是一个开源的、跨平台的Web应用防火墙（WAF），被称为WAF界的“瑞士军刀”。它可以通过检查Web服务接收到的数据，以及发送出去的数据来对网站进行安全防护。

系统环境

System:CentOS 7

部署细节

1.安装依赖

yum install -y epel-release
yum install -y git wget gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel lmdb-devel libxml2-devel ssdeep-devel lua-devel libtool autoconf automake

2.编译并安装ModSecurity

cd /opt
git clone https://github.com/SpiderLabs/ModSecurity.git
cd ModSecurity
git checkout -b v3/master origin/v3/master
git submodule init
git submodule update
./build.sh
./configure
make
make install

3.克隆ModSecurity-nginx(ModSecurity与Nginx的连接插件)

cd /opt
git clone https://github.com/SpiderLabs/ModSecurity-nginx

4.编译并安装Nginx

cd /opt
yum install -y perl gcc wget net-tools tar

tar -xvzf nginx-1.23.0.tar.gz
cd /usr/local/nginx-1.23.0
./configure --with-http_ssl_module --with-http_v2_module --add-module=/opt/ModSecurity-nginx
make
make install

考虑到WAF可能会被用于加密解密HTTPS流量，所以加入了–with-http_ssl_module –with-http_v2_module参数

此处未考虑OpenSSL是否安装以及版本信息，如需要安装与更新需自行解决

为了方便后期管理，将Nginx加入“服务”，并刷新服务列表

cat > "/lib/systemd/system/nginx.service" <<-EOF
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload

调整Nginx的pid位置

sed -i 's/#pid        logs/nginx.pid;/pid        /run/nginx.pid;/g' /usr/local/nginx/conf/nginx.conf

为了方便使用，将Nginx链接到系统环境变量目录

ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx
ln -s /usr/local/nginx/conf/ /etc/nginx

5.配置

mkdir /usr/local/nginx/conf/ModSecurity
cp /opt/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/ModSecurity/modsecurity.conf
cp /opt/ModSecurity/unicode.mapping /usr/local/nginx/conf/ModSecurity/unicode.mappingc

从OWASP下载规则库：https://coreruleset.org/installation/

因为下载版本不同，设下载文件名为“规则库.zip”

unzip 规则库.zip
cd 规则库
cp crs-setup.conf.example /usr/local/nginx/conf/ModSecurity/crs-setup.conf
cp -r rules /usr/local/nginx/conf/ModSecurity/
cd /usr/local/nginx/conf/ModSecurity/rules
mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

编辑Nginx的配置文件/usr/local/nginx/conf/nginx.conf

在http或server中添加以下内容,其中在http添加表示全局配置，在server添加表示为指定网站配置

modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/ModSecurity/modsecurity.conf;

编辑/usr/local/nginx/conf/ModSecurity/modsecurity.conf

将SecRuleEngine DetectionOnly改为SecRuleEngine On并添加以下内容

Include /usr/local/nginx/conf/ModSecurity/crs-setup.conf
Include /usr/local/nginx/conf/ModSecurity/rules/*.conf

6.启动Nginx并测试

systemctl start nginx

使用浏览器访问服务,看到nginx欢迎界面

使用浏览器访问服务并进行模拟攻击,看到403拒绝服务界面

因本站受到WAF保护,无法提供模拟攻击payload,请自行搜索尝试

成功看到403拒绝服务界面后,可配置proxy_pass正向代理web页面服务器