说明:
操作系统:CentOS
Nginx安装目录:/usr/local/nginx
需求:增加Modsecurity模块,实现Nginx服务器Web应用防护系统
开始操作:
一、安装ModSecurity
cd /usr/local/src
wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz #下载软件
yum install httpd-devel #modsecurity安装需要APXS包,APXS在httpd-devel中
cd /usr/local/src
tar zxvf modsecurity-2.9.1.tar.gz
cd modsecurity-2.9.1
./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
安装过程报错,提示没有pcre解决办法
yum install pcre pcre-devel
安装过程报错,提示没有libxml2解决办法
yum install libxml2 libxml2-devel
二、编译nginx并添加modsecurity模块
查看nginx编译参数:/usr/local/nginx/sbin/nginx -V
添加modsecurity模块重新编译nginx:
cd /usr/local/src/nginx-1.10.1
./configure --prefix=/usr/local/nginx --without-http_memcached_module --user=www --group=www --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-openssl=/usr/local/src/openssl-1.0.2j --with-zlib=/usr/local/src/zlib-1.2.8 --with-pcre=/usr/local/src/pcre-8.39 --add-module=/usr/local/src/modsecurity-2.9.1/nginx/modsecurity/
make
make install
三、下载OWASP规则
cd /usr/local/src
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /usr/local/nginx/conf #移动到nginx配置目录下
cd /usr/local/nginx/conf/owasp-modsecurity-crs
cp crs-setup.conf.example crs-setup.conf #拷贝模板配置文件
cd /usr/local/src/modsecurity-2.9.1
cp modsecurity.conf-recommended /usr/local/nginx/conf #拷贝配置文件
cp unicode.mapping /usr/local/nginx/conf #拷贝配置文件
mv /usr/local/nginx/conf/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf #重命名
vi /usr/local/nginx/conf/modsecurity.conf #修改添加
SecRuleEngine DetectionOnly #修改为SecRuleEngine On
#Include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
#Include owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
#Include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
#Include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
#Include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
#Include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
#Include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
#Include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
#Include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
#Include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
#Include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
#Include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
:wq! #保存退出
四、配置nginx支持Modsecurity
在需要启用modsecurity的主机的location下面加入下面两行即可:
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
service nginx restart #重启nginx使配置生效
五、规则测试
可以写一个php页面进行测试
具体规则如下:
至此,Linux下Nginx服务器配置Modsecurity实现Web应用防护系统教程完成。
