Tycho Blog
专注于信息、技术分享

WEB 应用防火墙实现(WAF) Centos 7 基于Nginx + ModSecurity 3.X

系统环境
centos 7.4 , nginx 1.14.0 , modsecurity-v3.0.2.tar.gz

安装依赖库

yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel GeoIP-data GeoIP
yum install gcc-c++ flex bison curl-devel curl libxml2-devel doxygen zlib-devel git automake libtool pcre-devel

编译libModSecurity

cd /data
###################################################### |
git clone https://github.com/SpiderLabs/ModSecurity    |
cd ModSecurity                                         |
git checkout -b v3/master origin/v3/master             |  官方直接用这种方式安装,经过多次测试效果不好,
sh build.sh                                            |  建议用下面这个下载后编译。
git submodule init                                     |
git submodule update                                   |
###################################################### |

wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.2/modsecurity-v3.0.2.tar.gz
tar -zxvf modsecurity-v3.0.2.tar.gz
mv modsecurity-v3.0.2 ModSecurity
cd ModSecurity
./configure
make
make install

安装完成后路径在

/usr/local/modsecurity/lib

安装nginx connector组件

export MODSECURITY_INC="/data/ModSecurity/headers/"
export MODSECURITY_LIB="/data/ModSecurity/src/.libs/"
cd /data
git clone https://github.com/SpiderLabs/ModSecurity-nginx
[root@10-9-168-43 soft]# nginx -V
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

官网下载nginx 对应源码版本

wget http://nginx.org/download/nginx-1.14.0.tar.gz
tar -zxvf nginx-1.14.0.tar.gz
cd nginx-1.14.0

复制上面nginx -V 输出的configure arguments 后面的参数,再添加--add-dynamic-module=/data/ModSecurity-nginx参数上去

[root@10-9-168-43 nginx-1.14.0]# ./configure --prefix=/etc/nginx --add-dynamic-module=/data/ModSecurity-nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

编译modules

make modules

编译完成的.so文件路径在当前目录下

./objs/ngx_http_modsecurity_module.so

复制链接库

cp ./objs/ngx_http_modsecurity_module.so /etc/nginx/modules/

在nginx 配置文件目录下创建个modsecurity 配置文件目录

mkdir -p /etc/nginx/modsec
cd /etc/nginx

下载modsecurity 规则库

wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.2.tar.gz
tar -zxvf v3.0.2.tar.gz

解压完后删除v3.0.2.tar.gz 包

rm -rf v3.0.2.tar.gz
cd owasp-modsecurity-crs-3.0.2

复制个配置文件为crs‑setup.conf

cp crs-setup.conf.example crs-setup.conf

cd /etc/nginx/modsec
wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
mv modsecurity.conf-recommended modsecurity.conf

查找
# SecRuleEngine DetectionOnly
替换为
SecRuleEngine On

_______________________________
创建 ModSecurity WAF 主配置文件,/etc/nginx/modsec/main.conf,用于引用modsecurity 所有相关配置文件,内容如下:

# Include the recommended configuration
Include /etc/nginx/modsec/modsecurity.conf

# A test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"

# OWASP CRS v3 rules
Include /etc/nginx/owasp-modsecurity-crs-3.0.2/crs-setup.conf
Include /etc/nginx/owasp-modsecurity-crs-3.0.2/rules/*.conf
_______________________________

修改nginx主配置文件

vim /etc/nginx/nginx.conf

增加一行,加载modsecurity.so 模块

load_module /etc/nginx/modules/ngx_http_modsecurity_module.so

创建测试配置文件

vi /etc/nginx/conf.d/echo.conf

server {
listen 0.0.0.0:8088;

location / {
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
default_type text/plain;
return 200 "Thank you for requesting ${request_uri}\n";
}
}
curl -i http://127.0.0.1:8088/foo?testparam=dalongtest

已被拦截

查看日志

tail -f /var/log/modsec_audit.log
---dG6xPLPF---A--
[01/Jun/2018:16:28:46 +0800] 152784172665.503402 127.0.0.1 40172 127.0.0.1 8088
---dG6xPLPF---B--
GET /foo?testparam=dalongtest HTTP/1.1
User-Agent: curl/7.29.0
Host: 127.0.0.1:8088
Accept: */*

---dG6xPLPF---D--

---dG6xPLPF---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body bgcolor="white">\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx/1.14.0</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---dG6xPLPF---F--
HTTP/1.1 403
Server: nginx/1.14.0
Date: Fri, 01 Jun 2018 08:28:46 GMT
Content-Length: 169
Content-Type: text/html
Connection: keep-alive

---dG6xPLPF---H--
ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `dalongtest' ) [file "/etc/nginx/modsec/main.conf"] [line "115"] [id "1234"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/foo"] [unique_id "152784172665.503402"] [ref "o6,4v19,10"]

---dG6xPLPF---I--

---dG6xPLPF---J--

---dG6xPLPF---Z--
赞(3) 打赏
未经允许不得转载:fleyun » WEB 应用防火墙实现(WAF) Centos 7 基于Nginx + ModSecurity 3.X
分享到: 更多 (0)

评论 2

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址
  1. #1

    I think the admin of this website is actually working hard in favor of his
    web page, because here every data is quality based information.

    Julienne6年前 (2019-03-28)回复
  2. #2

    A person necessarily help to make significantly articles I might state.
    That is the very first time I frequented your web page and
    so far? I surprised with the research you made to create this particular put up incredible.
    Fantastic task!

    online pharmacy6年前 (2019-08-14)回复

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

微信扫一扫打赏