
Installing owasp-modsecurity-crs on apache2

I. Installing the target environment

First install the sqli target environment in Kali, which is used to check that the WAF actually works; then install the WAF itself, install the OWASP CRS rule set, and finally enable the WAF.

1. Check that the required services are running

service apache2 start

Open http://127.0.0.1; if the page is displayed, Apache has started successfully.

2. Install sqli-labs

git clone https://github.com/mukkul007/sqli-labs-kali2 sqli-labs

Note: the PHP shipped with Kali is version 7.0 or newer, so the usual sqli-labs release cannot be used directly; this fork is required.

3. Add the database details

service mysql start
mysql -uroot

Once logged in, create the user name and password

grant all on dvwa.* to root@localhost identified by '123456';

When that succeeds, reload the privileges

flush privileges;

Then leave the database with exit

4. Configure the connection settings

cd /var/www/html/sqli-labs/sql-connections
gedit db-creds.inc

5. Start sqli-labs

Open http://127.0.0.1/sqli-labs/ and click setup

Before opening the target, make sure the database service and the apache2 service have been started.

II. Installing ModSecurity

1. Install modsecurity-crs

apt-get install modsecurity-crs

After installation it ends up in /etc/modsecurity by itself; that should be the default location.

List the contents of the directory

Rename the second file

2. Install the ModSecurity CRS rule set in the apache2 configuration

Type out this rather long command:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

When it finishes, a new owasp-modsecurity-crs directory appears in the current directory. This holds the rule set that runs under Apache; all that is left is to configure it.

The OWASP CRS rule set contains the following

3. Rename crs-setup.conf.example to crs-setup.conf

4. Rename the two rule files in the rules directory

mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

5. Append the following to the end of the apache2 configuration file /etc/apache2/apache2.conf

<IfModule security2_module>
Include modsec/owasp-modsecurity-crs/crs-setup.conf
Include modsec/owasp-modsecurity-crs/rules/*.conf
</IfModule>

6. Edit the crs-setup.conf file (using the following commands)

sed -i -e 's/SecDefaultAction "phase:1,log,auditlog,pass"/#SecDefaultAction "phase:1,log,auditlog,pass"/g' crs-setup.conf
sed -i -e 's/SecDefaultAction "phase:2,log,auditlog,pass"/#SecDefaultAction "phase:2,log,auditlog,pass"/g' crs-setup.conf
sed -i -e 's/#.*SecDefaultAction "phase:1,log,auditlog,deny,status:403"/SecDefaultAction "phase:1,log,auditlog,deny,status:403"/g' crs-setup.conf
sed -i -e 's/# SecDefaultAction "phase:2,log,auditlog,deny,status:403"/SecDefaultAction "phase:2,log,auditlog,deny,status:403"/g' crs-setup.conf
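The four sed commands above switch the CRS default action from log-only ("pass") to blocking ("deny,status:403"). The following script is an added example, not part of the original post: it performs the same substitutions on a constructed stand-in for crs-setup.conf (only the lines the sed commands touch are modelled) and then verifies that exactly one active SecDefaultAction is left per phase and that it is the blocking one. The function and file names are my own; the real crs-setup.conf contains much more than the sample.

```shell
#!/bin/sh
# Added example (not from the original post): flip the CRS default action from
# log-only ("pass") to blocking ("deny,status:403") and verify the result.

# Write a constructed stand-in for crs-setup.conf to the path given as $1.
make_sample_crs_setup() {
  cat > "$1" <<'EOF'
# -- Default mode: matched rules are logged, nothing is blocked --
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
# -- Blocking alternative, shipped commented out --
# SecDefaultAction "phase:1,log,auditlog,deny,status:403"
# SecDefaultAction "phase:2,log,auditlog,deny,status:403"
EOF
}

# Comment out the two "pass" lines and uncomment the two "deny" lines.
# Same substitutions as the post's sed commands, written to a temp file and
# moved back; GNU sed with "-ie" would instead treat "e" as a backup suffix and
# leave a stray crs-setup.confe next to the real file.
switch_to_blocking() {
  f="$1"
  sed \
    -e 's/^SecDefaultAction "phase:1,log,auditlog,pass"/#&/' \
    -e 's/^SecDefaultAction "phase:2,log,auditlog,pass"/#&/' \
    -e 's/^#[[:space:]]*\(SecDefaultAction "phase:1,log,auditlog,deny,status:403"\)/\1/' \
    -e 's/^#[[:space:]]*\(SecDefaultAction "phase:2,log,auditlog,deny,status:403"\)/\1/' \
    "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Number of active (uncommented) SecDefaultAction lines for phase $2 in file $1.
# Exactly one per phase is expected; two would mean a line was uncommented
# without the other being commented out.
active_default_actions() {
  grep -c "^SecDefaultAction \"phase:$2," "$1" || true
}

# Report "blocking", "log-only" or "none" for phase $2 in file $1.
default_action_mode() {
  line=$(grep "^SecDefaultAction \"phase:$2," "$1" | head -n 1)
  case "$line" in
    *deny*) echo blocking ;;
    *pass*) echo log-only ;;
    *)      echo none ;;
  esac
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
make_sample_crs_setup "$demo_dir/crs-setup.conf"
echo "before: phase 1 is $(default_action_mode "$demo_dir/crs-setup.conf" 1)"
switch_to_blocking "$demo_dir/crs-setup.conf"
echo "after:  phase 1 is $(default_action_mode "$demo_dir/crs-setup.conf" 1)"
echo "after:  phase 2 is $(default_action_mode "$demo_dir/crs-setup.conf" 2)"
rm -rf "$demo_dir"
```

Run the same two checks against the real crs-setup.conf after editing it: a count other than 1 for either phase, or a mode other than "blocking", means the edit did not take and ModSecurity will keep logging without denying anything.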

7. Generate the exception-exclusion request configuration

cp rules/*.data /etc/apache2/modsec

Apart from this directory, everything else was just copied over.

8. Add rules

Create a main.conf configuration file under /etc/apache2/modsec and add the rules we want:

# Include the recommended configuration
# Relative Include paths are resolved against ServerRoot (/etc/apache2), not against
# this file's directory, so the base config needs its absolute path and the CRS files
# the modsec/ prefix used in apache2.conf
Include /etc/modsecurity/modsecurity.conf
Include modsec/owasp-modsecurity-crs/crs-setup.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include modsec/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include modsec/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include modsec/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include modsec/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include modsec/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include modsec/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include modsec/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
Include modsec/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
# A test rule: any request whose "testparam" argument contains "test" is denied with 403
SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"

[Note] Given the performance cost on the host, you can include only the protection rules for the vulnerability classes you actually need.

9. Restart the apache2 service

apache2 --help   # shows where exactly the error is

It reports that ${APACHE_RUN_DIR} is not defined

Solution:

. /etc/apache2/envvars

10. Fix the errors that appear when starting the apache2 service

Change the crs-setup.conf path in /etc/apache2/apache2.conf to the correct one

The next error was that it couldn't find this, so I deleted it, emmm

Once "running" appears, the apache2 service is working normally
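Steps 8 and 10 both run into the same pitfall: Apache resolves a relative Include path against ServerRoot (/etc/apache2 on Kali/Debian), not against the directory of the file that contains the directive, so an Include such as "etc/modsecurity/modsecurity.conf" without a leading slash is looked up as /etc/apache2/etc/modsecurity/modsecurity.conf and Apache refuses to start. The script below is an added example, not from the original post: it resolves every Include in a config file the way Apache does and flags the ones that point nowhere, so the "file not found" error can be located before restarting. The function names and the constructed ServerRoot layout are my own; the layout mirrors the /etc/apache2/modsec/owasp-modsecurity-crs tree the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): resolve Include paths the way Apache
# does and report which ones are missing.

# Print one line per Include/IncludeOptional in file $2, "ok <path>" or
# "MISSING <path>", with relative paths resolved against ServerRoot $1.
# Wildcards are expanded with the shell glob, as Apache does; a pattern that
# matches nothing counts as MISSING.
check_includes() {
  serverroot="$1"; config="$2"
  grep -iE '^[[:space:]]*include(optional)?[[:space:]]' "$config" |
  while read -r directive path; do
    path=${path%\"}; path=${path#\"}          # tolerate a quoted argument
    case "$path" in
      /*) full="$path" ;;                     # absolute: taken as-is
      *)  full="$serverroot/$path" ;;         # relative: under ServerRoot
    esac
    found=0
    for f in $full; do                        # unquoted on purpose: expand the glob
      if [ -e "$f" ]; then found=1; fi
    done
    if [ "$found" -eq 1 ]; then echo "ok      $full"; else echo "MISSING $full"; fi
  done
}

# How many Includes in file $2 fail to resolve under ServerRoot $1.
count_missing_includes() {
  check_includes "$1" "$2" | grep -c '^MISSING' || true
}

# Build a constructed ServerRoot under $1 that mirrors the post's layout:
# the CRS checkout lives in modsec/owasp-modsecurity-crs and main.conf in modsec/.
# The first Include is the broken one from the post (no leading slash).
make_sample_serverroot() {
  root="$1"
  mkdir -p "$root/modsec/owasp-modsecurity-crs/rules"
  : > "$root/modsec/owasp-modsecurity-crs/crs-setup.conf"
  : > "$root/modsec/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf"
  : > "$root/modsec/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"
  cat > "$root/modsec/main.conf" <<'EOF'
# Include the recommended configuration (constructed sample)
include etc/modsecurity/modsecurity.conf
Include modsec/owasp-modsecurity-crs/crs-setup.conf
Include modsec/owasp-modsecurity-crs/rules/*.conf
Include modsec/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
EOF
}

# Demo: only the first Include is reported MISSING.
demo_root=$(mktemp -d)
make_sample_serverroot "$demo_root"
check_includes "$demo_root" "$demo_root/modsec/main.conf"
echo "missing: $(count_missing_includes "$demo_root" "$demo_root/modsec/main.conf")"
rm -rf "$demo_root"
```

Against a live system run it as check_includes /etc/apache2 /etc/apache2/modsec/main.conf (and likewise for apache2.conf); "apachectl configtest" would stop at the first missing file, whereas this lists all of them at once.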

11. Enable the rule set

Set SecRuleEngine to On

III. Configuring the virtual host

Add a new virtual host mapping

IV. Test results

With a semicolon added, the WAF denies the request

If SecRuleEngine in /etc/modsecurity/modsecurity.conf is changed back to DetectionOnly, apache2 is restarted and the single quote is injected again, the WAF no longer intervenes.

This shows the installation succeeded.

[Note] In my environment, /etc/apache2/modsec is a directory I created myself, and the owasp-modsecurity-crs files inside it were downloaded from GitHub somewhere earlier and transferred in with xftp; if Apache reports other errors on startup, you will have to resolve them yourself.
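The test above distinguishes the two engine modes by watching the browser. The same distinction can be read from the Apache error log, which is where ModSecurity 2.x writes its events: an "Access denied" line means a request was blocked (SecRuleEngine On), while "Warning." lines with no denial mean rules matched but nothing was blocked (DetectionOnly). Under the CRS anomaly-scoring setup the individual 9xx rules always log as Warning and the block, when it happens, comes from the REQUEST-949 blocking-evaluation rule. The script below is an added example, not part of the original post; the log lines it parses are constructed to look like what the post's setup would produce (the first one is a hit on the post's test rule id 1234), and the timestamps, pids and unique_ids are made up.

```shell
#!/bin/sh
# Added example (not from the original post): classify ModSecurity 2.x events in
# the Apache error log and infer the engine mode from them.

# Constructed sample entries (not a real log capture).
sample_log() {
  cat <<'EOF'
[Mon Jul 27 11:14:02.101 2020] [:error] [pid 1234:tid 1] [client 127.0.0.1:51234] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/modsec/main.conf"] [line "31"] [id "1234"] [hostname "127.0.0.1"] [uri "/sqli-labs/Less-1/"] [unique_id "constructed-1"]
[Mon Jul 27 11:15:40.202 2020] [:error] [pid 1234:tid 2] [client 127.0.0.1:51240] [client 127.0.0.1] ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/apache2/modsec/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "127.0.0.1"] [uri "/sqli-labs/Less-1/"] [unique_id "constructed-2"]
[Mon Jul 27 11:15:40.203 2020] [:error] [pid 1234:tid 2] [client 127.0.0.1:51240] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:ANOMALY_SCORE. [file "/etc/apache2/modsec/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "127.0.0.1"] [uri "/sqli-labs/Less-1/"] [unique_id "constructed-3"]
EOF
}

# One line per ModSecurity event in log file $1:
#   "DENIED <rule id> <uri>"  for requests that were blocked
#   "WARNING <rule id> <uri>" for matches that were only logged
summarize_modsec_log() {
  sed -n \
    -e 's/.*ModSecurity: Access denied with code [0-9]*.*\[id "\([0-9]*\)"].*\[uri "\([^"]*\)"].*/DENIED \1 \2/p' \
    -e 's/.*ModSecurity: Warning\..*\[id "\([0-9]*\)"].*\[uri "\([^"]*\)"].*/WARNING \1 \2/p' \
    "$1"
}

count_denied()   { summarize_modsec_log "$1" | grep -c '^DENIED'  || true; }
count_warnings() { summarize_modsec_log "$1" | grep -c '^WARNING' || true; }

# Infer SecRuleEngine from the log: any denial means On; warnings without a
# single denial is the signature of DetectionOnly.
engine_mode_guess() {
  if   [ "$(count_denied "$1")"   -gt 0 ]; then echo On
  elif [ "$(count_warnings "$1")" -gt 0 ]; then echo DetectionOnly
  else echo no-events
  fi
}

# Live check of the post's own test rule (id 1234) against a running server;
# a 403 means the engine is On and blocking. Needs the server up, so it is
# defined here but not called. Hypothetical usage:
#   probe_test_rule http://127.0.0.1/sqli-labs/
probe_test_rule() {
  curl -s -o /dev/null -w '%{http_code}' "${1}?testparam=test"
}

# Demo on the constructed sample.
demo_log=$(mktemp)
sample_log > "$demo_log"
summarize_modsec_log "$demo_log"
echo "engine mode inferred from log: $(engine_mode_guess "$demo_log")"
rm -f "$demo_log"
```

On a live Kali box point the functions at /var/log/apache2/error.log; seeing only WARNING lines after the injection attempts is the log-side confirmation of the DetectionOnly behaviour described above.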


posted @ 2020-07-27 11:14 dummersoul