Web WAF deployment
Nginx + ModSecurity WAF firewall
ModSecurity is an open-source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army knife" of WAFs, it gives web application defenders visibility into HTTP(S) traffic and provides a powerful rule language and API for implementing advanced protection.
ModSecurity provides the following protections:
SQL Injection (SQLi): blocks SQL injection
Cross Site Scripting (XSS): blocks cross-site scripting attacks
Local File Inclusion (LFI): blocks attacks that exploit local file inclusion vulnerabilities
Remote File Inclusion (RFI): blocks attacks that exploit remote file inclusion vulnerabilities
Remote Code Execution (RCE): blocks attacks that exploit remote command execution vulnerabilities
PHP Code Injection: blocks PHP code injection
HTTP Protocol Violations: blocks malicious requests that violate the HTTP protocol
HTTPoxy: blocks attacks that exploit the HTTPoxy (remote proxy infection) vulnerability
Shellshock: blocks attacks that exploit the Shellshock vulnerability
Session Fixation: blocks attacks that exploit a session whose ID never changes
Scanner Detection: blocks attackers scanning the site
Metadata/Error Leakages: blocks leakage of source code and error messages
Project Honey Pot Blacklist: Project Honey Pot blacklist
GeoIP Country Blocking: blocks requests based on the country an IP address belongs to
Environment preparation:
1. Clone the GitHub repository
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
2. ModSecurity-nginx (the nginx connector) [this has to be compiled into NGINX as a module]
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
3. Get an nginx source tarball
wget http://nginx.org/download/nginx-1.13.1.tar.gz
Step 1: Install dependencies
yum -y install httpd-devel pcre pcre-devel libxml2-devel libxml2 git (install whatever else the compile later complains is missing)
Step 2: Enter the ModSecurity directory and compile
[Figure: directory listing of the ModSecurity checkout; image not included]
# Compile and install ModSecurity
[root@xx ModSecurity]# git submodule init
[root@xx ModSecurity]# git submodule update
[root@xx ModSecurity]# ./build.sh
[root@xx ModSecurity]# ./configure
[root@xx ModSecurity]# make
[root@xx ModSecurity]# make install
Note: it is safe to ignore the following message during the build. Even if it appears, the compile completes and produces a working object.
fatal: No names found, cannot describe anything.
Step 2 (continued): Compile nginx with the new module
--add-dynamic-module=$PATH [this compiles the connector in; $PATH is the directory cloned with git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git]
Enter the extracted nginx source directory
1. [root@xx nginx-1.10.2]# ./configure --help  to choose the modules you want to compile
2. If you have compiled nginx before, you still need to run the full ./configure again, with all of your existing arguments plus the dynamic module; otherwise the new build loses the original options
# Since I had already built nginx,
# I added --add-dynamic-module=/tmp/ModSecurity-nginx to the configure arguments
# [the module set from my own test build]
[root@xx nginx-1.10.2]# /opt/nginx/sbin/nginx -V
nginx version: nginx/1.10.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.1.0b 26 Sep 2016
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --without-http_memcached_module \
--user=www --group=www --with-http_stub_status_module --with-http_ssl_module \
--with-http_gzip_static_module --with-openssl=/usr/local/src/openssl-1.1.0b \
--with-zlib=/usr/local/src/zlib-1.2.11 --with-pcre=/usr/local/src/pcre-8.39
[# the output above is for reference only!]
make && make install
Step 3: Copy the module file
After ./configure, either:
make && make install
With make && make install, the module is generated directly under the compiled nginx prefix:
/opt/nginx/modules/ngx_http_modsecurity_module.so
or:
make modules [the command given in the official docs]
With make modules, an objs directory is generated under /ModSecurity/
# After the build finishes there is an objs directory containing ngx_http_modsecurity_module.so; copy it to /nginx/modules
cp objs/ngx_http_modsecurity_module.so /opt/nginx/modules
Step 4: Load the NGINX ModSecurity connector dynamic module
load_module modules/ngx_http_modsecurity_module.so;
Add this line to /opt/nginx/conf/nginx.conf
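Before going on to the rule configuration it is worth confirming that Steps 2 to 4 actually left the three things nginx needs: the connector in the configure arguments, the shared object under the prefix, and an uncommented load_module line. The following script is an added example, not code from the post or from the ModSecurity project; it assumes the post's layout (an nginx prefix such as /opt/nginx with modules/ and conf/nginx.conf beneath it) and reads the text that nginx -V prints.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check what Steps 2-4
# must leave behind before reloading nginx. Assumed layout: an nginx prefix
# (the post uses /opt/nginx) with modules/ and conf/nginx.conf under it.

# 1) Was the connector compiled in? Reads the output of 'nginx -V' on stdin
#    and looks for the --add-dynamic-module argument that points at the
#    ModSecurity-nginx checkout.
built_with_connector() {
    grep -q -- '--add-dynamic-module=[^ ]*ModSecurity-nginx'
}

# 2) Is the shared object where load_module will look for it?
module_present() {
    [ -f "$1/modules/ngx_http_modsecurity_module.so" ]
}

# 3) Does nginx.conf actually load it? Only an uncommented load_module line
#    counts; a '#load_module ...' line is ignored by nginx.
module_loaded() {
    grep -q '^[[:space:]]*load_module[[:space:]].*ngx_http_modsecurity_module\.so' "$1" 2>/dev/null
}

# Run all three checks against PREFIX using V_OUTPUT (the text nginx -V
# printed). Prints one line per failed check; returns 0 only if all pass.
check_build() {
    prefix="$1"; v_output="$2"; rc=0
    if ! printf '%s\n' "$v_output" | built_with_connector; then
        echo "FAIL: connector not in configure arguments; rerun ./configure with the existing arguments plus --add-dynamic-module=/path/to/ModSecurity-nginx"
        rc=1
    fi
    if ! module_present "$prefix"; then
        echo "FAIL: $prefix/modules/ngx_http_modsecurity_module.so missing; run 'make modules' and copy objs/ngx_http_modsecurity_module.so there"
        rc=1
    fi
    if ! module_loaded "$prefix/conf/nginx.conf"; then
        echo "FAIL: add 'load_module modules/ngx_http_modsecurity_module.so;' at the top of $prefix/conf/nginx.conf"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: connector built, module present and loaded"
    return $rc
}

# On a real host (nginx -V writes to stderr, hence 2>&1):
#   check_build /opt/nginx "$(/opt/nginx/sbin/nginx -V 2>&1)"
if [ -n "${1:-}" ]; then
    check_build "$1" "$("$1/sbin/nginx" -V 2>&1)"
fi
```

Run it as `sh check_build.sh /opt/nginx` after Step 4; a non-zero exit with a FAIL line tells you which of the three steps to redo before touching the rule files.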
Step 5: Configure, start, and test ModSecurity
1. # Set up an appropriate ModSecurity configuration file. Here
we use the recommended ModSecurity configuration provided by TrustWave SpiderLabs, ModSecurity's corporate sponsor.
mkdir /opt/nginx/modsec
wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
(Note that the mkdir uses /opt/nginx/modsec while the wget and mv use /etc/nginx/modsec; the rest of this post uses /opt/nginx/modsec, so pick one directory and use it consistently.)
2. # Change the SecRuleEngine directive in the configuration from the default "detection only" mode to actively dropping malicious traffic.
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
# Or edit it with vim [line 7]:
[root@xx ~]# vim /opt/nginx/modsec/modsecurity.conf
7 SecRuleEngine On
1. Simple rule test
Configure one or more rules. Create a simple rule that denies any request in which the URL parameter testparam contains the string test in its value. Put the following text in /opt/nginx/modsec/main.conf:
# From https://github.com/SpiderLabs/ModSecurity/blob/master/
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "/etc/nginx/modsec/modsecurity.conf"
# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
- In production you would use rules that actually prevent malicious traffic, such as the free OWASP Core Rule Set.
2. Add the modsecurity and modsecurity_rules_file directives to the NGINX configuration to enable ModSecurity;
3. Run a curl request and confirm that a 403 status code comes back, which shows the rule is working.
Troubleshooting tip: if the configuration reports an error about the unicode.mapping field, copy unicode.mapping from the ModSecurity source directory to /opt/nginx/modsec/.
Step 6: Using the OWASP CRS rules with the NGINX WAF
1. Download
# Download the rules
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.2.tar.gz
# Extract
$ tar -xzvf v3.0.2.tar.gz
# Move the directory [to a location of your choice]
$ sudo mv owasp-modsecurity-crs-3.0.2 /opt/
2. Create crs-setup.conf as a copy of crs-setup.conf.example.
# Enter the extracted directory
cd /usr/local/owasp-modsecurity-crs-3.0.2
# Create the copy
sudo cp crs-setup.conf.example crs-setup.conf
(The archive was moved to /opt/ in the previous step; adjust this cd path to wherever you placed it.)
3. Add Include directives to the main NGINX WAF configuration file (/etc/nginx/modsec/main.conf, which the NGINX guide creates in step 4 of protecting its demo web application; in this post it is the main.conf from Step 5) so that it reads in the CRS configuration and rules. Comment out any other rules that may already exist in the file, such as the sample SecRule directive created in that section.
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "/opt/nginx/modsec/modsecurity.conf"
# Basic test rule
#SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
Include /opt/owasp-modsecurity-crs-3.0.2/crs-setup.conf
#Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-901-INITIALIZATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
#Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-910-IP-REPUTATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-912-DOS-PROTECTION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-913-SCANNER-DETECTION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-980-CORRELATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
[Tip: read any startup errors carefully; some of the OWASP templates ship with a .example suffix, and renaming them fixes the error]
4. Restart nginx
sudo nginx -s reload
References:
owasp-modsecurity-crs: https://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-owasp-crs/?_ga=2.148823095.1414711676.1561905441-608380671.1561619637
nginx + modsecurity: https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/
From WizNote (为知笔记)