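# Add the third-party Aeris repository that provides nginx-more and its ModSecurity module.
# NOTE(review): -y accepts this package without a prompt, and a package named by URL may
# not be signature-checked unless localpkg_gpgcheck is enabled in dnf.conf -- confirm.
dnf install -y https://repo.aerisnetwork.com/pub/aeris-release-8.rpm
# Install the web server, the ModSecurity library and the nginx connector in one transaction.
# No -y here, so the package list and the repository GPG key can be reviewed at the prompt.
dnf install nginx-more libmodsecurity nginx-more-module-modsecurity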
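# Fetch the two stock configuration files from the ModSecurity source tree.
# A private mktemp directory is used instead of a fixed path under the world-writable /tmp,
# so root never copies files out of a directory another local user could have pre-created.
modsec_src=$(mktemp -d)
# Only two files are needed, so a shallow clone is enough.
# NOTE(review): this takes the default branch, not the release matching the installed
# libmodsecurity package; the project has also since moved to the OWASP GitHub
# organisation -- confirm the canonical URL and a matching tag before relying on it.
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity "$modsec_src/ModSecurity"
mkdir -p /etc/nginx/modsec
cp -- "$modsec_src/ModSecurity/unicode.mapping" /etc/nginx/modsec/
cp -- "$modsec_src/ModSecurity/modsecurity.conf-recommended" /etc/nginx/modsec/modsecurity.conf
# Remove the scratch checkout; ${var:?} aborts instead of expanding to an empty path.
rm -rf -- "${modsec_src:?}"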
vi /etc/nginx/modsec/modsecurity.conf
# Line to set inside modsecurity.conf (file content, not a shell command).
# The recommended file ships with "SecRuleEngine DetectionOnly", which only logs matches.
# "On" makes the engine block matching requests, so expect false positives until the
# rule set has been tuned for the proxied application.
SecRuleEngine On
vi /etc/nginx/modsec/main.conf
# Contents of main.conf (file content, not shell commands). Order matters: the engine
# settings load first, then the CRS setup file, then the rule files themselves.
# crs-setup.conf and crs/rules/ are only copied into place by the CRS download steps
# further down this page, so they must exist before nginx is restarted.
Include "/etc/nginx/modsec/modsecurity.conf"
Include "/etc/nginx/modsec/crs/crs-setup.conf"
Include "/etc/nginx/modsec/crs/rules/*.conf"
vi /etc/nginx/nginx.conf
# Server block to place inside the http { } context of nginx.conf.
server {
    # Enable the ModSecurity connector for this whole server and load the
    # rule chain assembled in main.conf.
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    location / {
        # Requests that pass inspection are forwarded to the backend over plain HTTP.
        proxy_pass http://192.168.174.1/;

        # Replace every occurrence of "my" with "your" in the response body,
        # for all MIME types rather than text/html only.
        sub_filter my your;
        sub_filter_once off;
        sub_filter_types *;
    }
}
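# Download the OWASP Core Rule Set and install it under /etc/nginx/modsec/crs.
# A private mktemp directory replaces the fixed, world-writable /tmp path.
crs_tmp=$(mktemp -d)
cd "$crs_tmp"
# NOTE(review): the CRS project has since moved to its own GitHub organisation and
# v3.2.0 is an old release -- check the current release and its advisories first.
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.2.0.tar.gz
# Print the archive digest and compare it with the value published for this release
# (<PUBLISHED_SHA256_PLACEHOLDER>) before unpacking rules that will run inside the WAF.
sha256sum v3.2.0.tar.gz
tar -zxvf v3.2.0.tar.gz
cd owasp-modsecurity-crs-3.2.0
# -p creates both crs/ and crs/rules/ in one step.
mkdir -p /etc/nginx/modsec/crs/rules/
cp -- crs-setup.conf.example /etc/nginx/modsec/crs/crs-setup.conf
cd rules
# Copy everything, not just *.conf: the rules reference the data files shipped beside them.
# "./*" keeps a file name starting with "-" from being parsed as an option.
cp -- ./* /etc/nginx/modsec/crs/rules/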
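# Validate the configuration first, so a missing Include target or a syntax error
# does not take the running proxy down on restart.
nginx -t && systemctl restart nginx
# Self-test against the local proxy; the expected result is a 403 from the WAF.
# The URL is quoted so the shell does not treat "?" as a glob character.
curl 'localhost/index.html?exec=/bin/bash'
# Each blocked transaction is written to the audit log. It records full request
# headers, so keep the file readable by privileged users only.
cd /var/log
more modsec_audit.log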
# more modsec_audit.log
---qR5tEZ3Z---A--
[02/Aug/2020:07:42:52 +0800] 159632537210.626465 127.0.0.1 39492 127.0.0.1 80
---qR5tEZ3Z---B--
GET /index.html?exec=/bin/bash HTTP/1.1
Host: localhost
User-Agent: curl/7.61.1
Accept: */*
---qR5tEZ3Z---D--
---qR5tEZ3Z---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0
d\x0a</html>