CentOS 7: nginx with ModSecurity as a Web Application Firewall (WAF)
1: Install the build dependencies
Some of these packages (lmdb-devel and ssdeep-devel, for example) come from EPEL, so enable that repository first instead of listing epel-release in the same yum command, where the EPEL-only packages would not be found yet:
yum install -y epel-release
yum install -y gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel lmdb-devel libxml2-devel ssdeep-devel lua-devel libtool autoconf automake wget openssl-devel
2: Download and build ModSecurity (libmodsecurity)
The tarball below comes from a third-party mirror; compare its checksum with the upstream SpiderLabs/ModSecurity v3.0.8 release before building it. With the default prefix the library lands under /usr/local/modsecurity.
cd /usr/local/src/
wget http://www.modsecurity.cn/download/modsecurity/modsecurity-v3.0.8.tar.gz
tar zxf modsecurity-v3.0.8.tar.gz
cd /usr/local/src/modsecurity-v3.0.8
sh build.sh
./configure
make && make install
3: Download the ModSecurity-nginx connector
The connector is the nginx module that ties libmodsecurity into nginx. The codeload URL saves the archive under the name "master", so give wget an explicit output file name or the unzip step fails. Master is a moving target; for a production box prefer a tagged connector release that matches the libmodsecurity version you built.
cd /usr/local/src/
wget -O ModSecurity-nginx-master.zip https://codeload.github.com/SpiderLabs/ModSecurity-nginx/zip/refs/heads/master
unzip ModSecurity-nginx-master.zip
mv ModSecurity-nginx-master /usr/local/modsecurity/modsecurity-nginx
4: Check how the existing nginx was built
nginx -V prints the configure arguments of the running binary; these must be reproduced exactly in the next step. (The output below was captured after the rebuild, which is why --add-module already appears; a stock binary will not list it yet.)
[root@localhost ~]# nginx -V
nginx version: nginx/1.22.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.1.1o  3 May 2022
TLS SNI support enabled
configure arguments: --user=www --group=www --add-module=/usr/local/modsecurity/modsecurity-nginx --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-openssl=/usr/local/src/openssl-1.1.1o --with-openssl-opt=enable-weak-ssl-ciphers
5: Rebuild nginx with the connector
Download the source of the nginx version that is already installed (1.22.0 here), extract it, and re-run configure with the same arguments as the existing build, adding
--add-module=/usr/local/modsecurity/modsecurity-nginx
Note that the captured arguments include --with-openssl-opt=enable-weak-ssl-ciphers, which compiles weak cipher suites into the bundled OpenSSL; carry it forward only if you have a concrete need for it.
./configure --user=www --group=www --add-module=/usr/local/modsecurity/modsecurity-nginx ...........   # the remaining arguments from nginx -V are omitted here
make   # do NOT run make install: it would overwrite the existing installation and its configuration
6: Swap in the new nginx binary
Replace the binary in the existing installation with the one just built, keeping the old one as a fallback, and confirm the module is compiled in:
mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.back
cp objs/nginx /usr/local/nginx/sbin/
/usr/local/nginx/sbin/nginx -V 2>&1 | grep -o 'add-module=[^ ]*'   # should print the modsecurity-nginx path
7: Create the ModSecurity configuration directory
Start from the recommended configuration shipped with the source. unicode.mapping has to sit next to modsecurity.conf because the recommended file references it by a relative path (SecUnicodeMapFile).
mkdir /usr/local/nginx/conf/modsecurity
cp /usr/local/src/modsecurity-v3.0.8/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity/modsecurity.conf
cp /usr/local/src/modsecurity-v3.0.8/unicode.mapping /usr/local/nginx/conf/modsecurity/
8: Edit nginx.conf
vim /usr/local/nginx/conf/nginx.conf
# add the following two lines inside the http block (they are also valid in a server or location block if you want to scope the WAF to part of the site)
modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/modsecurity/modsecurity.conf;
9: Edit the ModSecurity configuration
vim /usr/local/nginx/conf/modsecurity/modsecurity.conf
# Enable the rule engine. DetectionOnly logs matches without blocking; run in that mode first,
# review the audit log for false positives, and only then switch to On.
#SecRuleEngine DetectionOnly
SecRuleEngine On
# Audit log parts. The recommended default ABIJDEFHZ records the request body in compact form
# (part I, with uploaded file contents stripped, plus J for file information); replacing IJ with C
# records the full request body instead.
#SecAuditLogParts ABIJDEFHZ
SecAuditLogParts ABCDEFHZ
# At the very bottom, include the rule set. The paths must match the directory created in step 7.
Include /usr/local/nginx/conf/modsecurity/crs-setup.conf
Include /usr/local/nginx/conf/modsecurity/rules/*.conf
10: Download the OWASP ModSecurity Core Rule Set (CRS)
These are the rule files the firewall actually enforces. The archive below is a 3.3 development snapshot from a mirror; for production prefer a tagged release of the upstream coreruleset/coreruleset project. The two .example files renamed at the end are where your own site-specific exclusions go, before and after the CRS rules respectively.
wget http://www.modsecurity.cn/download/corerule/owasp-modsecurity-crs-3.3-dev.zip
unzip owasp-modsecurity-crs-3.3-dev.zip
cd owasp-modsecurity-crs-3.3-dev
cp crs-setup.conf.example /usr/local/nginx/conf/modsecurity/crs-setup.conf
cp -r rules /usr/local/nginx/conf/modsecurity/
cd /usr/local/nginx/conf/modsecurity/rules
mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
11: nginx fails to start
Run /usr/local/nginx/sbin/nginx -t to see which rule file and line nginx objects to. The rule that commonly causes trouble here is 910100 in REQUEST-910-IP-REPUTATION.conf: it uses the @geoLookup operator, which only works when libmodsecurity was built with GeoIP/MaxMind support and a database is configured with SecGeoLookupDb, neither of which this walkthrough sets up. If you do not need the high-risk-country check, comment out the whole chain:
vim /usr/local/nginx/conf/modsecurity/rules/REQUEST-910-IP-REPUTATION.conf
# comment out every line of the following rule chain
#SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
#    "id:910100,\
#    phase:2,\
#    block,\
#    t:none,\
#    msg:'Client IP is from a HIGH Risk Country Location',\
#    logdata:'%{MATCHED_VAR}',\
#    tag:'application-multi',\
#    tag:'language-multi',\
#    tag:'platform-multi',\
#    tag:'attack-reputation-ip',\
#    tag:'paranoia-level/1',\
#    ver:'OWASP_CRS/3.2.0',\
#    severity:'CRITICAL',\
#    chain"
#    SecRule TX:REAL_IP "@geoLookup" \
#        "chain"
#        SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
#            "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
#            setvar:'ip.reput_block_flag=1',\
#            setvar:'ip.reput_block_reason=%{rule.msg}',\
#            expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
12: Restart nginx
A reload is not enough because the binary itself changed, so test the configuration, stop the old worker processes, and start the new binary:
/usr/local/nginx/sbin/nginx -t
killall nginx
/usr/local/nginx/sbin/nginx
13: Watch the ModSecurity audit log
The recommended configuration writes a serial audit log to /var/log/modsec_audit.log (SecAuditLog) for every transaction that matched a rule or ended with an error status (SecAuditEngine RelevantOnly), one block of lettered parts per transaction:
tail -f /var/log/modsec_audit.log
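Reading that log by eye gets old quickly, and it is the only way to tell, before flipping SecRuleEngine from DetectionOnly to On, which rules would have blocked legitimate traffic. The following parser is an added example written for this page, not code from the ModSecurity, nginx or CRS projects. It splits the serial format into transactions on the --<id>-<part>-- boundaries, reads the client address from part A, the request line from part B, the response status from part F and the rule hits from part H, and treats a transaction as blocked only when part H carries an "Access denied" line. SAMPLE_LOG is constructed: its addresses, hostnames, unique ids and rule-file paths are made up, but the field layout is what the setup above produces.

```python
# Added example for this tutorial, not ModSecurity/nginx/CRS project code. SAMPLE_LOG is
# constructed: addresses, hostnames, unique ids and rule-file paths are made up.
import re
from collections import Counter

BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")  # --<unique id>-<part letter>--
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [id "942100"] [msg "..."] inside part H
DENIED = re.compile(r"^ModSecurity: Access denied with code (\d+)")  # present only when blocked
PART_A = re.compile(r"^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")  # [time] uid cip cport sip sport
SEVERITY = {"2": "CRITICAL", "3": "ERROR", "4": "WARNING", "5": "NOTICE"}  # CRS numeric severities

SAMPLE_LOG = """\
--5f3a9c1e-A--
[22/Jan/2023:12:00:01 +0000] 167447520112.000001 192.0.2.10 54321 198.51.100.7 80
--5f3a9c1e-B--
GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1
Host: www.example.com
--5f3a9c1e-F--
HTTP/1.1 403
--5f3a9c1e-H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1c found within ARGS:id: 1' OR 1=1--"] [severity "2"] [uri "/index.php"] [unique_id "167447520112.000001"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [uri "/index.php"] [unique_id "167447520112.000001"]
--5f3a9c1e-Z--
--7b2d4e8f-A--
[22/Jan/2023:12:00:05 +0000] 167447520512.000002 203.0.113.8 40022 198.51.100.7 80
--7b2d4e8f-B--
GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
Host: www.example.com
--7b2d4e8f-F--
HTTP/1.1 200
--7b2d4e8f-H--
ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:q: <script>alert(1)</script>"] [severity "2"] [uri "/search"] [unique_id "167447520512.000002"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<script[^>]*>' against variable `ARGS:q' (Value: `<script>alert(1)</script>' ) [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:q: <script>alert(1)</script>"] [severity "2"] [uri "/search"] [unique_id "167447520512.000002"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [uri "/search"] [unique_id "167447520512.000002"]
--7b2d4e8f-Z--
--9c0e1a2b-A--
[22/Jan/2023:12:00:09 +0000] 167447520912.000003 192.0.2.10 54330 198.51.100.7 80
--9c0e1a2b-B--
GET /healthz HTTP/1.1
Host: 198.51.100.7
--9c0e1a2b-F--
HTTP/1.1 200
--9c0e1a2b-H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[0-9.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `198.51.100.7' ) [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [msg "Host header is a numeric IP address"] [data "198.51.100.7"] [severity "4"] [uri "/healthz"] [unique_id "167447520912.000003"]
--9c0e1a2b-Z--
"""


def split_transactions(text):
    """Group the serial log into {unique_id: {part_letter: body}}, in file order."""
    txns, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            uid, part = m.groups()
            current = txns.setdefault(uid, {}).setdefault(part, [])
        elif current is not None:
            current.append(line)
    return {uid: {p: "\n".join(b).strip() for p, b in parts.items()} for uid, parts in txns.items()}


def parse_transaction(uid, parts):
    """Client, request line, response status and rule hits of one transaction."""
    rec = {"uid": uid, "time": None, "client_ip": None, "method": None,
           "uri": None, "status": None, "rules": [], "blocked": False}
    m = PART_A.match(parts.get("A", ""))
    rec["time"], rec["client_ip"] = (m.group(1), m.group(3)) if m else (None, None)
    req = parts.get("B", "").split("\n", 1)[0].split()   # request line is the first line of part B
    rec["method"], rec["uri"] = (req[0], req[1]) if len(req) >= 2 else (None, None)
    resp = parts.get("F", "").split("\n", 1)[0].split()  # status line is the first line of part F
    rec["status"] = int(resp[1]) if len(resp) >= 2 and resp[1].isdigit() else None
    for msg in parts.get("H", "").splitlines():
        fields = dict(FIELD.findall(msg))
        if "id" in fields:
            rec["rules"].append({"id": fields["id"], "msg": fields.get("msg", ""),
                                 "severity": SEVERITY.get(fields.get("severity"), "?")})
        if DENIED.match(msg):  # Warning-only part H means DetectionOnly, or a score below the threshold
            rec["blocked"] = True
    return rec


def summarize(text):
    return [parse_transaction(uid, parts) for uid, parts in split_transactions(text).items()]


def rule_hit_counts(records):
    """How often each rule id fired; the noisiest ids are the first false-positive suspects."""
    return Counter(r["id"] for rec in records for r in rec["rules"])


def blocked_requests(records):
    return [(rec["client_ip"], rec["method"], rec["uri"]) for rec in records if rec["blocked"]]


def unblocked_hits(records):
    """Rule hits on requests that still went through: what to review before SecRuleEngine On."""
    return [(r["id"], rec["uri"], r["msg"]) for rec in records if not rec["blocked"] for r in rec["rules"]]


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec["client_ip"], rec["method"], rec["uri"], "->", rec["status"],
              "BLOCKED" if rec["blocked"] else "passed", [r["id"] for r in rec["rules"]])
```

Point summarize() at the contents of /var/log/modsec_audit.log instead of SAMPLE_LOG and the three functions at the end answer the questions that matter during tuning: which rule ids fire most, which clients were actually denied, and which hits (like 920350 on the /healthz probe above, a single WARNING that stays under the anomaly threshold) are candidates for an exclusion in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf rather than for blocking. Because blocking is decided by the 949110 anomaly evaluation rather than by the individual detection rules, the parser keys "blocked" on the Access denied line, not on severity.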