modsecurity:WAF防火墙

                               WEB waf应用

 

Nginx+modsecurity WAF防火墙

ModSecurity是一个开源的跨平台Web应用程序防火墙(WAF)模块。它被称为WAF的“瑞士军刀”,它使Web应用程序防御者能够了解HTTP(S)流量,并提供强大的规则语言和API来实现高级保护。

ModSecurity有以下作用:

SQL Injection (SQLi):阻止SQL注入

Cross Site Scripting (XSS):阻止跨站脚本攻击

Local File Inclusion (LFI):阻止利用本地文件包含漏洞进行攻击

Remote File Inclusione(RFI):阻止利用远程文件包含漏洞进行攻击

Remote Code Execution (RCE):阻止利用远程命令执行漏洞进行攻击

PHP Code Injectiod:阻止PHP代码注入

HTTP Protocol Violations:阻止违反HTTP协议的恶意访问

HTTPoxy:阻止利用远程代理感染漏洞进行攻击

Sshllshock:阻止利用Shellshock漏洞进行攻击

Session Fixation:阻止利用Session会话ID不变的漏洞进行攻击

Scanner Detection:阻止黑客扫描网站

Metadata/Error Leakages:阻止源代码/错误信息泄露

Project Honey Pot Blacklist:蜜罐项目黑名单

GeoIP Country Blocking:根据判断IP地址归属地来进行IP阻断

 

准备环境:

1.克隆github存储库

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
1 1

 

2.ModSecurity-nginx(nginx连接器)【需要编译进NGINX模块里】

git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
1 1

 

3.准备一个nginx压缩包

wget http://nginx.org/download/nginx-1.13.1.tar.gz
1 1

 

 

步骤一:安装依赖

yum -y install httpd-devel pcre pcre-devel libxml2-devel libxml2 git(后面编译的时候缺啥装啥)

步骤二.进入ModSecurity目录进行编译

modsecurity:WAF防火墙

                   目录内容如图


#编译安装modsecurity
[root@xx ModSecurity]# git submodule init
 [root@xx ModSecurity]# git submodule update
[root@xx ModSecurity]# ./build.sh
 [root@xx ModSecurity]#./configure
[root@xx ModSecurity]# make
[root@xx ModSecurity]# make install
7 1234567

注意:在构建过程中忽略以下消息是安全的。即使它们出现,编译也会完成并创建一个工作对象。

fatal: No names found, cannot describe anything.

步骤二:编译添加新模块   
--add-dynamic-module=$PATH【连接器编译进入】
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

进入将解压后的nginx包
1.[root@xx nginx-1.10.2]# ./configure --help 选择你要编译的模块

2.如果你之前编译过nginx,,也需要完整的编译添加动态模块
#由于之前我已经编译好nginx,
编译添加 --add-dynamic-module=/tmp/ModSecurity-nginx

#【我自己测试的编译模块】
[root@xx nginx-1.10.2]# /opt/nginx/sbin/nginx -V
nginx version: nginx/1.10.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) 
built with OpenSSL 1.1.0b  26 Sep 2016
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --without-http_memcached_module \
--user=www --group=www --with-http_stub_status_module --with-http_ssl_module \ 
--with-http_gzip_static_module --with-openssl=/usr/local/src/openssl-1.1.0b \
--with-zlib=/usr/local/src/zlib-1.2.11 --with-pcre=/usr/local/src/pcre-8.39 
[#上面测试仅供参考!]
make && make install
21 123456789101112131415161718192021 modsecurity:WAF防火墙
步骤三:复制文件
./configure后
 make && make install 
 如果是make && make install
 会直接在编译的nginx路径生成一个
 /opt/nginx/modules/ngx_http_modsecurity_module.so


make modules【官方提供的命令】
如果是make modules则会在/Modescurity/生成一个objs
#编译完成后生成一个objs的目录,目录下面也会有一个ngx_http_modsecurity_module.so 文件 拷贝到/nginx/modules下面
 cp objs/ngx_http_modsecurity_module.so /opt/nginx/modules
 

14 1234567891011121314 modsecurity:WAF防火墙
步骤四:加载NGINX ModSecurity连接器动态模块

load_module modules/ngx_http_modsecurity_module.so;
添加到/opt/nginx/conf/nginx.conf中
2 12 modsecurity:WAF防火墙
步骤五:配置启动和测试ModSecurity
1.#设置适当的ModSecurity配置文件。在这里,
我们使用由ModSecurity的企业赞助商TrustWave Spiderlabs提供的推荐的ModSecurity配置。
mkdir /opt/nginx/modsec
wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
2.#更改SecRuleEngine配置中的指令以从默认的“仅检测”模式更改为主动丢弃恶意流量。
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity. 
#或者vim配置【第七行】::
[root@xx ~]# vim /opt/nginx/modsec/modsecurity.conf
7 SecRuleEngine On
x
 12345678910
1.规则简单测试
配置一个或者多个规则,创建一个简单的规则,该规则删除了一个请求,其中调用的URL参数在其值中testparam包含字符串test.将以下文本放在/opt/nginx/modsec/main.conf中
# From https://github.com/SpiderLabs/ModSecurity/blob/master/
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "/etc/nginx/modsec/modsecurity.conf"

# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
8 12345678
  1. 在生产环境中,您可能会使用实际防止恶意流量的规则,例如免费的OWASP核心规则集
modsecuritymodsecurity_rules_file指令添加到NGINX配置以启用ModSecurity;3.进行curl命令,返回403状态码确认规则工作 modsecurity:WAF防火墙modsecurity:WAF防火墙测试成功
报错小提示:如果配置中提示unicode.mapping字段错误,把Modsecurity目录下unicode.mapping复制到/opt/nginx/modsec/下面
modsecurity:WAF防火墙

步骤六:OWASP CRS规则与NGINX WAF配合使用
1.下载
#下载规则
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.2.tar.gz
#解压
$ tar -xzvf v3.0.2.tar.gz
#移动目录【自定义】
$ sudo mv owasp-modsecurity-crs-3.0.2 /opt/
 123456
2.创建CRS-setup.conf文件的副本CRS-setup.conf.example 
#进入解压目录
cd /usr/local/owasp-modsecurity-crs-3.0.2
#创建副本
sudo cp crs-setup.conf.example crs-setup.conf
4 1234
 3.添加Include的主要NGINX WAF配置文件中的指令(/etc/nginx/modsec/main.conf,在步骤4中创建保护演示Web应用程序)的CRS配置和规则来读取。注释掉文件中可能已存在的任何其他规则,例如SecRule在该部分中创建的示例指令。
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "/opt/nginx/modsec/modsecurity.conf"

# Basic test rule
#SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
Include /opt/owasp-modsecurity-crs-3.0.2/crs-setup.conf
#Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-901-INITIALIZATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
#Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-910-IP-REPUTATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-912-DOS-PROTECTION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-913-SCANNER-DETECTION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-980-CORRELATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
x
739 123456789101112131415161718192021222324252627282930313233【tip:有些报错仔细审审,owasp中的部分模板是.exmple结尾的,修改一下即可】
4.重启nginx
 sudo nginx -s reload
 1参考文章woasp--modsecurity-crshttps://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-owasp-crs/?_ga=2.148823095.1414711676.1561905441-608380671.1561619637
nginx+modsecurityhttps://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/


来自为知笔记(Wiz)

上一篇:安装ORACLE高可用RAC集群11g执行root脚本的输出信息


下一篇:开源WAF(mod_security)的搭建和分析