CentOS 8 搭建ModSecurity开源WAF
ModSecurity简介
ModSecurity是一个开源的、跨平台的Web应用防火墙(WAF),被称为WAF界的“瑞士军刀”。它可以通过检查Web服务接收到的数据,以及发送出去的数据来对网站进行安全防护。
ModSecurity有以下作用:
- SQL Injection (SQLi):阻止SQL注入
- Cross Site Scripting (XSS):阻止跨站脚本攻击
- Local File Inclusion (LFI):阻止利用本地文件包含漏洞进行攻击
- Remote File Inclusione(RFI):阻止利用远程文件包含漏洞进行攻击
- Remote Code Execution (RCE):阻止利用远程命令执行漏洞进行攻击
- PHP Code Injectiod:阻止PHP代码注入
- HTTP Protocol Violations:阻止违反HTTP协议的恶意访问
- HTTPoxy:阻止利用远程代理感染漏洞进行攻击
- Sshllshock:阻止利用Shellshock漏洞进行攻击
- Session Fixation:阻止利用Session会话ID不变的漏洞进行攻击
- Scanner Detection:阻止黑客扫描网站
- Metadata/Error Leakages:阻止源代码/错误信息泄露
- Project Honey Pot Blacklist:蜜罐项目黑名单
- GeoIP Country Blocking:根据判断IP地址归属地来进行IP阻断
安装配置 Nginx
安装Nginx
yum install gcc-c++
yum install -y pcre pcre-devel
yum install -y zlib zlib-devel
yum install -y openssl openssl-devel
如果出现以下错误:
No match for argument: pcre-devel
使用以下命令后重新安装即可
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
继续安装
wget http://nginx.org/download/nginx-1.16.1.tar.gz
tar -xvf nginx-1.16.1.tar.gz -C /usr/local/src/
cd /usr/local/src/nginx-1.16.1
./configure
make && make install
编写Nginx启动脚本
vim /usr/lib/systemd/system/nginx.service
[Unit]
Description=nginx - high performance web server
After=network-online.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target
修改环境PATH
vim /etc/profile.d/nginx.sh
PATH=/usr/local/nginx/sbin:$PATH
source /etc/profile
安装libmodsecurity
安装依赖
yum -y install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel libtool git autoconf automake libxml2-devel zlib-devel libgo-devel openssl-devel
cd /usr/local/src
# --depth用于指定克隆深度,为1即表示只克隆最近一次commit
# 克隆指定的分支: git clone -b 分支名 仓库地址
# --single-branch, 只检查一个branch,要么是默认的master,要么是-b new_branch指定的new_branch
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh
这里可能会报错,无视即可
./configure
make && make install
配置ModSecurity
下载ModSecurity和Nginx的连接器
cd /usr/local/src/
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
cd nginx-1.16.1/
./configure --add-dynamic-module=/usr/local/src/ModSecurity-nginx
make modules
make install
cp objs/ngx_http_modsecurity_module.so '/usr/local/nginx/modules/ngx_http_modsecurity_module.so'
加载Nginx ModSecurity
vim /usr/local/nginx/conf/nginx.conf
# 在顶级区间内加上
load_module /usr/local/nginx/modules/ngx_http_modsecurity_module.so;
nginx -t
下载默认的配置文件
cd /usr/local/src
wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
mv modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
vim /usr/local/nginx/conf/modsecurity.conf
# 修改SecRuleEngine
SecRuleEngine On
配置核心规则
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cp -R owasp-modsecurity-crs/rules /usr/local/nginx/conf/
cp owasp-modsecurity-crs/crs-setup.conf.example /usr/local/nginx/conf/crs-setup.conf
这里需要输入yes,直接回车可能后面会报错
vim /usr/local/nginx/conf/modsecurity.conf
# 在文件最上添加内容
include crs-setup.conf
include rules/*.conf
修改nginx的配置文件
vim /usr/local/nginx/conf/nginx.conf
# 放在server下的话,就是全局,如果只要某一个的话,可以放在location中
modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
nginx -t
部分报错
# 报错:
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /usr/local/nginx/conf/modsecurity.conf. Line: 2. Column: 20. rules/*.conf: Not able to open file. Looking at: 'rules/*.conf', 'rules/*.conf', '/usr/local/nginx/conf/rules/*.conf', '/usr/local/nginx/conf/rules/*.conf'. in /usr/local/nginx/conf/nginx.conf:41
# 重新执行,输入yes后回车
cp owasp-modsecurity-crs/crs-setup.conf.example /usr/local/nginx/conf/crs-setup.conf
nginx -t
systemctl restart nginx
# 报错:
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /usr/local/nginx/conf/rules/REQUEST-910-IP-REPUTATION.conf. Line: 75. Column: 22. This version of ModSecurity was not compiled with GeoIP or MaxMind support. in /usr/local/nginx/conf/nginx.conf:39
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
# 这里需要查看具体错误的配置文件,然后删除,简单粗暴
rm -f REQUEST-910-IP-REPUTATION.conf
nginx -t
systemctl restart nginx
结果
正常情况没有拦截
添加参数/?id =1 and 1=1, 成功拦截
至此环境搭键完成,学习于互联网,但是教程略有报错,解决后记录在此
更多操作可移步www.modsecurity.org 或 www.modsecurity.cn