ModSecurity - Efficient and Free WAF Component for Mid- and Small-Scale Webmasters

本文涉及的产品
Web应用防火墙 3.0,每月20元额度 3个月
简介: ModSecurity is a free open source host WAF software (@http://www.modsecurity.org/).

SE_001

Original Author: Lei Xi
According to posting requirements, an "@" must be added in front of all http links.

Introduction

ModSecurity is a free open source host WAF software (@http://www.modsecurity.org/). The newest version on the official website is 2.9.1. It supports nginx/apache/iis (32 and 64 bits). It mainly acts as an extension module of web applications, recognizes malicious external web attacks according to related rule files, and further discards them.

Installation

nginx/apache

In Linux, if your application is nginx/apache, you have to compile nginx/apache and add the ModSecurity source code as a module.

1. Preparations

nginx : @http://nginx.org/
modsecurity for Nginx: @https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: @https://github.com/SpiderLabs/owasp-modsecurity-crs

2. Dependencies

Nginx Dependencies: (Pcre, zlib, and openssl are available in centos 6.5 and above) yum install zlib zlib-devel opensslopenssl-devel pcre pcre-devel
ModSecurity Dependencies: pcre @httpd-devellibxml2 apr
yum install @httpd-devel apr apr-util-develapr-devel pcre pcre-devel libxml2 libxml2-devel

3. Enable and Compile Standalone Module
Download and unzip modsecurity fornginx, and execute the following directories after entering unzipping:

./autogen.sh
./configure --enable-standalone-module--disable-mlogc
make

4. Add ModSecurity module to nginx

After compiling Standalone, add the ModSecurity module via "--add-module" during nginx compilation:

./configure--add-module=/root/modsecurity-2.9.1/nginx/modsecurity/  --prefix=/opt/tengine
make && make install

5. Add Rules

ModSecurity is intended to filter and stop web hazards. Its power comes from its rules. Rules provided by OWASP are maintained by volunteers, and are called core rules (CRS). They are reliable and powerful, but they can also be customized to meet different requirements.

a. Download OWASP rules:

git clone ~@https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/
cd/opt/tengine/conf/owasp-modsecurity-crs && mvmodsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

b. Enable OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping under the ModSecurity source code directory to the nginx conf subdirectory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit the file modsecurity.conf and set SecRuleEngine to On. The default value DetectOnly is the observation mode. It is recommended that you use this mode by default during installation, and observe whether it has an unexpected influence on the website and server.

There are a lot of folders for storing rules in owasp-modsecurity-crs such as base_rules, experimental_rules, optional_rules, and slr_rules. You can enable the rules you need by including them in modsecurity.conf

Includeowasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Includeowasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Includeowasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/base_rules /modsecurity_crs_45_trojans.confwebshell

//Considering the probable impact on the performance of the host, it is recommended you only add defense rules for critical vulnerabilities to defend against the most current critical web attacks.

For the details of the overall rules, please refer to @[url]http://www.2cto.com/Article/201409/334251.html[/url]. You can add rules based on your website's individual requirements.

Note: nginx parses the @http request in a different way from apache. Therefore, some rules cannot be used in nginx. For more details, please refer to
nginxmodule :more_set_headers (@http://comments.gmane.org/gmane.comp.apache.mod-security.owasp-crs/962)

6. Configure nginx

Add the following lines to the location of the ModSecurity host that needs to be enabled:
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
The following are example configurations of PHP virtual host conf or the vhost file:

server {
     listen      80;
     server_name xxx.com www.xxx.com;
     location ~ \.php$ {
     ModSecurityEnabled on;  
     ModSecurityConfig modsecurity.conf;
     root /web/webroot;
     index index.php index.html index.htm;
     fastcgi_pass   127.0.0.1:9000;
     fastcgi_index  index.php;
      fastcgi_param  SCRIPT_FILENAME  $Document_root$fastcgi_script_name;
     include        fastcgi_params;
     }
  }

IIS

The IIS official website provides the MSI installation file. Download and install it.

1. Preparations

• ModSecurity V2.9.1 for IIS MSI Install-32、64bits @http://www.modsecurity.org/download.html
• Microsoft VisualC++ 2013 Redistributable Package @https://www.microsoft.com/en-gb/download/details.aspx?id=40784

2. Installation

  1. Install the package above.
  2. Find the ModSecurity line in C:WindowsSystem32inetsrvconfigapplicationHost.config, and change it to <sectionname="ModSecurity" overrideModeDefault="Allow"allowDefinition="Everywhere" /></sectionGroup>
  3. Find modsecurity.conf under the installation directory ModSecurity IIS of ModSecurrity, and change "SecRuleEngine" to "On".
  4. Add the following configurations to the file web.config under the root directory of the web <?xmlversion="1.0" encoding="UTF-8"?> <configuration> d. <system.webServer> <ModSecurityenabled="true" configFile=" C:ProgramFilesModSecurity IISmodsecurity_iis.conf " /> </system.webServer> </configuration>
  5. Reload the website.

Results

Systems that have been tested so far include Centos6 and Windows Server2008/2012. They have been tested and installed successfully. The installation processes on other systems are similar to those described above. It is recommended that you update to the newest stable version of the operating system. The newest version of some operating systems may make significant changes to operational performance, which could potentially cause unforeseen errors during the installation process.

The interception rate was quite high for test scripts, satisfying expectations for intercepting high threat attacks like XSS, SQL injection, file inclusion, and command execution.
As far as other WAF products currently on the market go, Safedog is quite good but some problems still exist in its usability. It lacks adequate Windows compatibility, for example, and some website functionality is unavailable after deployment. Furthermore its defense capabilities in Linux simply don't hold up to ModSecurity.

User maintenance and operation

  1. All external attacks that match security rulles will be logged in the Modsecurity_audit.log file. You can use this file to audit defense records.
  2. The location of the log is defined in SecAuditLog in the modsecurity.conf file. In linux this location is /var/log/modesec_audit.log by dafault, but you need to set the location yourself in Windwos.
  3. ModSecurity provides its own WAF syntax for custom rule creation. If you want to add a custom rule, just add it to the modsecurity.conf file.
目录
相关文章
|
Web App开发 安全 应用服务中间件
Nginx配合modsecurity实现企业级WAF应用防火墙功能
      ModSecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器     对于配置以及基础教程在下面这本书中都已经提到了有感兴趣的可以联系我 目前这.
2241 0
|
tengine 应用服务中间件 PHP
Nginx 用ModSecurity实现WAF功能
转载:https://www.52os.net/articles/nginx-use-modsecurity-module-as-waf.html nginx配合modsecurity实现WAF功能 January 26, 2015 modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
1768 0
|
Apache
[WAF]apache和modsecurity的安装
安装pcre 安装aprhttp://labs.renren.com/apache-mirror//apr/apr-1.
1246 0
|
云安全 负载均衡 网络协议
阿里云waf简介和如何配置​
阿里云WAF(Web应用程序防火墙)是一种高效、智能的云安全服务,旨在保护Web应用程序免受各种网络攻击的威胁。它可防止诸如SQL注入、跨站点脚本(XSS)和跨站点请求伪造(CSRF)等攻击,有效保障了Web应用程序的安全性与稳定性。 阿里云WAF在Web应用程序与互联网之间构建一道安全屏障,通过拦截和检测恶意流量,防止攻击者对您的Web应用程序进行攻击。它不仅覆盖了常见的网络攻击类型,还针对新兴的攻击手段进行了防护设计,确保您的Web应用程序在面对各种威胁时都能得到全方位的保护。
|
4月前
|
安全 API 开发者
|
弹性计算 缓存 运维
【运维知识进阶篇】用阿里云部署kod可道云网盘(DNS解析+CDN缓存+Web应用防火墙+弹性伸缩)(三)
【运维知识进阶篇】用阿里云部署kod可道云网盘(DNS解析+CDN缓存+Web应用防火墙+弹性伸缩)(三)
217 0
|
6月前
|
SQL 监控 安全
【阿里云云原生专栏】云原生安全体系构建:阿里云云防火墙与WAF的应用
【5月更文挑战第27天】阿里云云防火墙和WAF是构建云原生安全体系的关键产品,提供网络、主机和Web应用多维度防护。云防火墙采用分布式架构抵御网络攻击,确保应用安全稳定;WAF专注Web应用安全,防止SQL注入、XSS和DDoS等威胁。简单部署配置,结合使用可实现全面安全防护,提升企业云上应用安全性,保障业务安全运行。未来,阿里云将持续强化云原生安全建设。
337 1
|
6月前
|
云安全 数据采集 安全
阿里云安全产品,Web应用防火墙与云防火墙产品各自作用简介
阿里云提供两种关键安全产品:Web应用防火墙和云防火墙。Web应用防火墙专注网站安全,防护Web攻击、CC攻击和Bot防御,具备流量管理、大数据防御能力和简易部署。云防火墙是SaaS化的网络边界防护,管理南北向和东西向流量,提供访问控制、入侵防御和流量可视化。两者结合可实现全面的网络和应用安全。
阿里云安全产品,Web应用防火墙与云防火墙产品各自作用简介
|
应用服务中间件
阿里云的WAF(Web应用防火墙)3.0的虚拟代理
阿里云的WAF(Web应用防火墙)3.0的虚拟代理
191 2