CentOS 7: configuring nginx with ModSecurity as a Web Application Firewall (WAF)

1: Install dependencies

yum install -y gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel lmdb-devel libxml2-devel ssdeep-devel lua-devel libtool autoconf automake wget epel-release openssl-devel 

2: Download and install ModSecurity

cd /usr/local/src/
wget http://www.modsecurity.cn/download/modsecurity/modsecurity-v3.0.8.tar.gz
tar zxf modsecurity-v3.0.8.tar.gz
cd /usr/local/src/modsecurity-v3.0.8
sh build.sh
./configure
make && make install

3: Download ModSecurity-nginx, the connector that links ModSecurity into nginx

cd /usr/local/src/
wget -O ModSecurity-nginx-master.zip https://codeload.github.com/SpiderLabs/ModSecurity-nginx/zip/refs/heads/master
unzip ModSecurity-nginx-master.zip
mv ModSecurity-nginx-master /usr/local/modsecurity/modsecurity-nginx

4: Check how the installed nginx was built

[root@localhost ~]# nginx -V
nginx version: nginx/1.22.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.1.1o  3 May 2022
TLS SNI support enabled
configure arguments: --user=www --group=www --add-module=/usr/local/modsecurity/modsecurity-nginx --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-openssl=/usr/local/src/openssl-1.1.1o --with-openssl-opt=enable-weak-ssl-ciphers

5: Recompile nginx

Download the source of the nginx version that is already installed and unpack it. Then re-run configure with exactly the arguments shown by nginx -V above, adding:

--add-module=/usr/local/modsecurity/modsecurity-nginx
./configure --user=www --group=www --add-module=/usr/local/modsecurity/modsecurity-nginx ...........  # the remaining arguments are omitted here
make   # do NOT run make install

6: Replace the nginx binary

Back up the nginx binary in the existing install directory and replace it with the freshly built one:

mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.back 
cp objs/nginx /usr/local/nginx/sbin/

7: Create the directory and set up the ModSecurity configuration files

mkdir /usr/local/nginx/conf/modsecurity
cp /usr/local/src/modsecurity-v3.0.8/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity/modsecurity.conf
cp /usr/local/src/modsecurity-v3.0.8/unicode.mapping /usr/local/nginx/conf/modsecurity/

8: Edit the nginx configuration

vim /usr/local/nginx/conf/nginx.conf
# add the following two lines inside the http block
    modsecurity on;
    modsecurity_rules_file /usr/local/nginx/conf/modsecurity/modsecurity.conf;

9: Edit the ModSecurity configuration file

vim /usr/local/nginx/conf/modsecurity/modsecurity.conf
# switch the rule engine from detection-only to blocking
#SecRuleEngine DetectionOnly
SecRuleEngine On

# make sure ModSecurity saves the request body in the audit log: replace IJ with C
#SecAuditLogParts ABIJDEFHZ
SecAuditLogParts ABCDEFHZ

# append the rule-set files at the very bottom; the paths must match the directory created in step 7
Include /usr/local/nginx/conf/modsecurity/crs-setup.conf
Include /usr/local/nginx/conf/modsecurity/rules/*.conf

10: Download the OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs)

These are the firewall rule files.

wget http://www.modsecurity.cn/download/corerule/owasp-modsecurity-crs-3.3-dev.zip
unzip owasp-modsecurity-crs-3.3-dev.zip
cd owasp-modsecurity-crs-3.3-dev
cp crs-setup.conf.example /usr/local/nginx/conf/modsecurity/crs-setup.conf
cp -r rules /usr/local/nginx/conf/modsecurity/
cd /usr/local/nginx/conf/modsecurity/rules
mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

11: nginx errors

If nginx reports an error on startup, comment out the contents of the following file:

vim /usr/local/nginx/conf/modsecurity/rules/REQUEST-910-IP-REPUTATION.conf
# comment out everything below in this file
#SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
#    "id:910100,\
#    phase:2,\
#    block,\
#    t:none,\
#    msg:'Client IP is from a HIGH Risk Country Location',\
#    logdata:'%{MATCHED_VAR}',\
#    tag:'application-multi',\
#    tag:'language-multi',\
#    tag:'platform-multi',\
#    tag:'attack-reputation-ip',\
#    tag:'paranoia-level/1',\
#    ver:'OWASP_CRS/3.2.0',\
#    severity:'CRITICAL',\
#    chain"
#    SecRule TX:REAL_IP "@geoLookup" \
#        "chain"
#        SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
#            "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
#            setvar:'ip.reput_block_flag=1',\
#            setvar:'ip.reput_block_reason=%{rule.msg}',\
#            expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"

12: Restart nginx

killall nginx
/usr/local/nginx/sbin/nginx

13: View the ModSecurity audit log

tail -f /var/log/modsec_audit.log
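Before the restart in step 12 it is worth confirming that the edits from step 9 actually took effect. The script below is an added example, not part of the original post: it reads a modsecurity.conf, checks that the last active SecRuleEngine is On, that SecAuditLogParts still contains part C, and that every Include resolves to at least one existing file. The function names are this example's own; the directive names are ModSecurity's.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check modsecurity.conf
# before restarting nginx. Function names are this example's own.

# Last active (non-commented) value of a directive; later definitions win.
_modsec_directive() {
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" | tail -n 1 | awk '{print $2}'
}

# 0 if SecRuleEngine is On; 1 if it is still DetectionOnly, Off, or missing.
modsec_engine_is_on() {
    [ "$(_modsec_directive "$1" SecRuleEngine)" = "On" ]
}

# 0 if SecAuditLogParts includes part C, so request bodies reach the audit log.
modsec_audit_logs_request_body() {
    case "$(_modsec_directive "$1" SecAuditLogParts)" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# 0 if every Include resolves to at least one existing file; otherwise prints
# the unresolved path (an unexpanded "*.conf" means the glob matched nothing).
modsec_includes_resolve() {
    status=0
    # unquoted expansion is deliberate: it applies the glob from each Include
    for target in $(grep -E '^[[:space:]]*Include[[:space:]]+' "$1" | awk '{print $2}'); do
        if [ ! -e "$target" ]; then
            echo "unresolved Include: $target" >&2
            status=1
        fi
    done
    return $status
}

# Run all three checks; returns 0 only if the configuration is ready for a restart.
check_modsec_conf() {
    rc=0
    modsec_engine_is_on "$1"            || { echo "SecRuleEngine is not On" >&2; rc=1; }
    modsec_audit_logs_request_body "$1" || { echo "SecAuditLogParts lacks part C" >&2; rc=1; }
    modsec_includes_resolve "$1"        || rc=1
    return $rc
}
```

Run check_modsec_conf /usr/local/nginx/conf/modsecurity/modsecurity.conf, then /usr/local/nginx/sbin/nginx -t, before killing the running nginx.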

posted @ 2023-02-28 11:46  Old·Artist