Building a WAF with ModSecurity + Nginx


+++++++++++++++++++++++++++

os: centos7.2_64bit

modsecurity: 2.9.1

nginx: 1.10.3

by: chenb

at: 2017-03-22

+++++++++++++++++++++++++++

ModSecurity started out as an open-source WAF for Apache and is now also available for nginx and IIS. Paired with nginx's flexibility and performance it can be built into a production-grade WAF for protecting and auditing web applications. One caveat for this 2017 recipe: the nginx connector shipped inside ModSecurity 2.9.x (the standalone module compiled below) was always treated by the project as experimental, and later development moved to libmodsecurity 3 with the separate ModSecurity-nginx connector. The steps here work with the versions listed above; a new deployment should evaluate the v3 path first.

1. Install ModSecurity

# gcc/make/autoconf/automake/libtool are needed by autogen.sh and configure; httpd-devel
# supplies apxs and the APR headers the standalone module is built against; git and
# unzip are used in the following sections
yum -y install gcc make autoconf automake libtool git unzip \
    httpd-devel apr-devel apr-util-devel pcre pcre-devel libxml2 libxml2-devel
cd /home/tools
wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz
tar zxvf modsecurity-2.9.1.tar.gz
cd modsecurity-2.9.1
./autogen.sh
./configure --enable-standalone-module --disable-mlogc   # standalone: the Apache-independent core the nginx connector links against; mlogc (remote audit-log shipper) is not needed
make   # no make install: the nginx build in the next section links the objects straight from this source tree

2. Build nginx with the modsecurity and nginx-sticky modules

cd /home/tools
unzip nginx-sticky-module-ng.zip
mv <extracted-directory> nginx-goodies-nginx-sticky   # rename the extracted directory so it matches the --add-module path below
(nginx-sticky-module-ng is the nginx-goodies session-affinity module for upstream load balancing. It has nothing to do with the WAF; drop it, together with its --add-module line, if you do not need cookie-based sticky sessions.)
 
groupadd nginx
useradd -r -g nginx -s /sbin/nologin -M nginx
 
cd /home/tools
tar zxvf nginx-1.10.3.tar.gz
cd nginx-1.10.3/
 
./configure \
--with-pcre \
--prefix=/usr/local/nginx \
--user=nginx  \
--group=nginx  \
--with-http_ssl_module \
--with-http_flv_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-http_realip_module \
--add-module=/home/tools/modsecurity-2.9.1/nginx/modsecurity \
--add-module=/home/tools/nginx-goodies-nginx-sticky
 
make && make install

3. Download the OWASP Core Rule Set

cd /home/tools/
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /usr/local/nginx/conf   # move it into the nginx conf directory
cd /usr/local/nginx/conf/owasp-modsecurity-crs
cp crs-setup.conf.example crs-setup.conf   # the CRS setup file: paranoia level, anomaly-score thresholds and SecDefaultAction live here
cd /home/tools/modsecurity-2.9.1/
cp modsecurity.conf-recommended /usr/local/nginx/conf   # engine configuration
cp unicode.mapping /usr/local/nginx/conf   # referenced by SecUnicodeMapFile in that configuration
mv /usr/local/nginx/conf/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf   # rename
vim /usr/local/nginx/conf/modsecurity.conf   # edit as follows
SecRuleEngine DetectionOnly   # change to: SecRuleEngine On
Keep DetectionOnly until real traffic has run through the rules and the audit log (SecAuditLog, /var/log/modsec_audit.log in the recommended file) shows no false positives; only then switch to On, because from that point a matching rule returns 403 to the user.

Append the following at the end of modsecurity.conf. Two files must come before any rule file: crs-setup.conf, and REQUEST-901-INITIALIZATION.conf, which sets the anomaly-score variables and thresholds every other rule relies on (the original post left 901 commented out and never included crs-setup.conf; without them the blocking-evaluation rules compare against unset variables). Absolute paths are used so the result does not depend on how the standalone module resolves relative Include paths. The files left commented out follow the original post's selection; note that 920 (protocol enforcement), 941 (XSS) and 942 (SQLi) are the core of the ruleset and should be enabled once tuned, otherwise the WAF does not inspect for the two most common injection classes.
Include /usr/local/nginx/conf/owasp-modsecurity-crs/crs-setup.conf
Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
#Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
#Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
#Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
#Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
#Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
#Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
#Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
#Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
#Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
#Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
#Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include /usr/local/nginx/conf/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
:wq!   # save and exit

4. Configure nginx to use ModSecurity

Add the following two lines inside the location block of each server that should be protected (modsecurity.conf here is the file in /usr/local/nginx/conf; use the absolute path if in doubt):

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

For example:

location / {
            root   html;
            index  index.html index.htm;
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
}

Run nginx -t before reloading; a mistake in modsecurity.conf or in one of the included rule files surfaces there instead of at request time. With SecRuleEngine On and the 942 rule file included, a request such as /?id=1%27%20or%201%3D1-- should come back as 403 and show up in the audit log.

At this point the ModSecurity module + nginx installation is complete.
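Once SecRuleEngine is On, the day-to-day work is reading the audit log: which rules fire, which requests were actually blocked, and which hits are false positives that need an exclusion before they cut off real users. The shell functions below are an added example for this page, not code from the original post or from the ModSecurity or CRS projects. They work on the 2.9 serial audit-log format (the default SecAuditLogType Serial with parts ABIJDEFHZ from modsecurity.conf-recommended) and need only a POSIX shell and awk. The embedded log excerpt is constructed for the example: the client IPs, transaction ids, matched data and rule-file paths are illustrative, and the local rule id 10001 is an assumed choice from the 1-99999 range that CRS leaves for site-specific rules.

```shell
#!/bin/sh
# Triage helpers for the ModSecurity 2.9 serial audit log (the SecAuditLog file
# from modsecurity.conf-recommended, /var/log/modsec_audit.log). Added example,
# not code from the original post or from the ModSecurity/CRS projects.
# The excerpt below is constructed: IPs, transaction ids and matches are illustrative.

# Constructed three-transaction excerpt in the audit-log layout (sections A, B, H, Z).
sample_audit_log() {
cat <<'EOF'
--3f1a2b3c-A--
[22/Mar/2017:10:15:01 +0800] WM-TEST-0001 192.0.2.10 51234 10.0.0.5 80
--3f1a2b3c-B--
GET /index.php?id=1%27%20or%201%3D1-- HTTP/1.1
--3f1a2b3c-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1c' [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1c found within ARGS:id: 1' or 1=1--"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:ANOMALY_SCORE. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--3f1a2b3c-Z--
--3f1a2b3d-A--
[22/Mar/2017:10:15:07 +0800] WM-TEST-0002 192.0.2.44 40211 10.0.0.5 80
--3f1a2b3d-B--
GET /health HTTP/1.1
--3f1a2b3d-H--
Message: Warning. Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [msg "Host header is a numeric IP address"] [data "10.0.0.5"] [severity "WARNING"]
--3f1a2b3d-Z--
--3f1a2b3e-A--
[22/Mar/2017:10:16:12 +0800] WM-TEST-0003 198.51.100.7 50123 10.0.0.5 80
--3f1a2b3e-B--
GET /app/search?q=trade+union+select+committee+from+2016 HTTP/1.1
--3f1a2b3e-H--
Message: Warning. Pattern match "union.*?select.*?from" at ARGS:q. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942270"] [msg "Looking for basic sql injection. Common attack string for mysql, oracle and others."] [data "Matched Data: union select committee from found within ARGS:q: trade union select committee from 2016"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:ANOMALY_SCORE. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--3f1a2b3e-Z--
EOF
}

# How often each rule fired, most frequent first: "<count> <rule id> <msg>".
# The 949xxx/980xxx evaluation rules are skipped; they fire on every block.
modsec_rule_hits() {
    awk '
        /^Message: / && match($0, /\[id "[0-9]+"\]/) {
            id = substr($0, RSTART + 5, RLENGTH - 7)
            if (id ~ /^(949|980)/) next
            msg = ""
            if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
            n[id]++; m[id] = msg
        }
        END { for (id in n) print n[id], id, m[id] }
    ' "$1" | sort -k1,1rn -k2,2n
}

# One line per transaction: client IP, method, URI, and "blocked" (Action: Intercepted
# present) or "logged" (rules matched but the anomaly threshold was not reached).
modsec_transactions() {
    awk '
        /^--[A-Za-z0-9]+-A--$/ { getline; ip = $4; verdict = "logged"; next }
        /^--[A-Za-z0-9]+-B--$/ { getline; method = $1; uri = $2; next }
        /^Action: Intercepted/ { verdict = "blocked"; next }
        /^--[A-Za-z0-9]+-Z--$/ { print ip, method, uri, verdict }
    ' "$1"
}

# Draft exclusion for a URI prefix you have verified is legitimate traffic: for each
# rule that fired there, remove only the matched ARGS target (ctl:ruleRemoveTargetById),
# or the whole rule when no argument was involved. Third argument: local rule id
# (assumed 10001; CRS reserves 1-99999 for local rules). Review before installing.
modsec_draft_exclusion() {
    log=$1; uri=$2; ruleid=${3:-10001}
    awk -v uri="$uri" -v ruleid="$ruleid" '
        /^--[A-Za-z0-9]+-B--$/ { getline; here = (index($2, uri) == 1); next }
        here && /^Message: / && match($0, /\[id "[0-9]+"\]/) {
            id = substr($0, RSTART + 5, RLENGTH - 7)
            if (id ~ /^(949|980)/) next   # aggregate rules, never exclude these
            target = ""
            if (match($0, /within ARGS:[A-Za-z0-9_.-]+:/)) target = substr($0, RSTART + 7, RLENGTH - 8)
            key = id ";" target
            if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        }
        END {
            if (n == 0) exit
            printf "SecRule REQUEST_URI \"@beginsWith %s\" \\\n", uri
            printf "    \"id:%s,phase:1,pass,nolog,t:none", ruleid
            for (i = 1; i <= n; i++) {
                split(order[i], kv, ";")
                if (kv[2] != "") printf ",\\\n    ctl:ruleRemoveTargetById=%s;%s", kv[1], kv[2]
                else printf ",\\\n    ctl:ruleRemoveById=%s", kv[1]
            }
            print "\""
        }
    ' "$log"
}
```

Against the live file the calls are, for example, modsec_rule_hits /var/log/modsec_audit.log and modsec_draft_exclusion /var/log/modsec_audit.log /app/search. The draft is deliberately narrow: it scopes to one URI prefix, strips only the argument that matched from the rule that fired, and never touches the 949/980 evaluation rules. Because ctl actions only affect rules evaluated after them, the reviewed rule belongs in a file included after crs-setup.conf but before the CRS rule files; CRS 3 ships rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example for exactly that purpose.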

5. Show the ten client IPs with the most established connections:

netstat -nt | awk 'NR > 2 {print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -nr | head -n 10

The first two netstat lines are headers and are skipped; stripping the trailing :port works for both IPv4 and IPv6 addresses (the original used head 10, which tries to open a file named 10; it must be head -n 10). On newer systems use ss -nt instead, with NR > 1 since it prints a single header line and the peer address is also in column 5. If nginx sits behind a load balancer this lists the balancer's addresses, not the clients'; the client address then has to come from the X-Forwarded-For header via the realip module compiled in above.
