WEB waf应用
Nginx+modsecurity WAF防火墙
ModSecurity是一个开源的跨平台Web应用程序防火墙(WAF)模块。它被称为WAF的“瑞士军刀”,它使Web应用程序防御者能够了解HTTP(S)流量,并提供强大的规则语言和API来实现高级保护。
ModSecurity有以下作用:
SQL Injection (SQLi):阻止SQL注入
Cross Site Scripting (XSS):阻止跨站脚本攻击
Local File Inclusion (LFI):阻止利用本地文件包含漏洞进行攻击
Remote File Inclusione(RFI):阻止利用远程文件包含漏洞进行攻击
Remote Code Execution (RCE):阻止利用远程命令执行漏洞进行攻击
PHP Code Injectiod:阻止PHP代码注入
HTTP Protocol Violations:阻止违反HTTP协议的恶意访问
HTTPoxy:阻止利用远程代理感染漏洞进行攻击
Sshllshock:阻止利用Shellshock漏洞进行攻击
Session Fixation:阻止利用Session会话ID不变的漏洞进行攻击
Scanner Detection:阻止黑客扫描网站
Metadata/Error Leakages:阻止源代码/错误信息泄露
Project Honey Pot Blacklist:蜜罐项目黑名单
GeoIP Country Blocking:根据判断IP地址归属地来进行IP阻断
准备环境:
1.克隆github存储库
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
1
1
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
2.ModSecurity-nginx(nginx连接器)【需要编译进NGINX模块里】
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
1
1
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
3.准备一个nginx压缩包
wget http://nginx.org/download/nginx-1.13.1.tar.gz
1
1
wget http://nginx.org/download/nginx-1.13.1.tar.gz
步骤一:安装依赖
yum -y install httpd-devel pcre pcre-devel libxml2-devel libxml2 git(后面编译的时候缺啥装啥)
步骤二.进入ModSecurity目录进行编译
目录内容如图
#编译安装modsecurity
[root@xx ModSecurity]# git submodule init
[root@xx ModSecurity]# git submodule update
[root@xx ModSecurity]# ./build.sh
[root@xx ModSecurity]#./configure
[root@xx ModSecurity]# make
[root@xx ModSecurity]# make install
7
1
#编译安装modsecurity
2
[root@xx ModSecurity]# git submodule init
3
[root@xx ModSecurity]# git submodule update
4
[root@xx ModSecurity]# ./build.sh
5
[root@xx ModSecurity]#./configure
6
[root@xx ModSecurity]# make
7
[root@xx ModSecurity]# make install
注意:在构建过程中忽略以下消息是安全的。即使它们出现,编译也会完成并创建一个工作对象。
fatal: No names found, cannot describe anything.步骤二:编译添加新模块
--add-dynamic-module=$PATH【连接器编译进入】
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
进入将解压后的nginx包
1.[root@xx nginx-1.10.2]# ./configure --help 选择你要编译的模块
2.如果你之前编译过nginx,,也需要完整的编译添加动态模块
#由于之前我已经编译好nginx,
编译添加 --add-dynamic-module=/tmp/ModSecurity-nginx
#【我自己测试的编译模块】
[root@xx nginx-1.10.2]# /opt/nginx/sbin/nginx -V
nginx version: nginx/1.10.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.1.0b 26 Sep 2016
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --without-http_memcached_module \
--user=www --group=www --with-http_stub_status_module --with-http_ssl_module \
--with-http_gzip_static_module --with-openssl=/usr/local/src/openssl-1.1.0b \
--with-zlib=/usr/local/src/zlib-1.2.11 --with-pcre=/usr/local/src/pcre-8.39
[#上面测试仅供参考!]
make && make install
21
1
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
2
3
进入将解压后的nginx包
4
1.[root@xx nginx-1.10.2]# ./configure --help 选择你要编译的模块
5
6
2.如果你之前编译过nginx,,也需要完整的编译添加动态模块
7
#由于之前我已经编译好nginx,
8
编译添加 --add-dynamic-module=/tmp/ModSecurity-nginx
9
10
#【我自己测试的编译模块】
11
[root@xx nginx-1.10.2]# /opt/nginx/sbin/nginx -V
12
nginx version: nginx/1.10.2
13
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
14
built with OpenSSL 1.1.0b 26 Sep 2016
15
TLS SNI support enabled
16
configure arguments: --prefix=/opt/nginx --without-http_memcached_module \
17
--user=www --group=www --with-http_stub_status_module --with-http_ssl_module \
18
--with-http_gzip_static_module --with-openssl=/usr/local/src/openssl-1.1.0b \
19
--with-zlib=/usr/local/src/zlib-1.2.11 --with-pcre=/usr/local/src/pcre-8.39
20
[#上面测试仅供参考!]
21
make && make install
步骤三:复制文件
./configure后
make && make install
如果是make && make install
会直接在编译的nginx路径生成一个
/opt/nginx/modules/ngx_http_modsecurity_module.so
make modules【官方提供的命令】
如果是make modules则会在/Modescurity/生成一个objs
#编译完成后生成一个objs的目录,目录下面也会有一个ngx_http_modsecurity_module.so 文件 拷贝到/nginx/modules下面
cp objs/ngx_http_modsecurity_module.so /opt/nginx/modules
14
1
./configure后
2
make && make install
3
如果是make && make install
4
会直接在编译的nginx路径生成一个
5
/opt/nginx/modules/ngx_http_modsecurity_module.so
6
7
8
make modules【官方提供的命令】
9
如果是make modules则会在/Modescurity/生成一个objs
10
#编译完成后生成一个objs的目录,目录下面也会有一个ngx_http_modsecurity_module.so 文件 拷贝到/nginx/modules下面
11
cp objs/ngx_http_modsecurity_module.so /opt/nginx/modules
12
13
14
步骤四:加载NGINX ModSecurity连接器动态模块
load_module modules/ngx_http_modsecurity_module.so;
添加到/opt/nginx/conf/nginx.conf中
2
1
load_module modules/ngx_http_modsecurity_module.so;
2
添加到/opt/nginx/conf/nginx.conf中
步骤五:配置启动和测试ModSecurity
1.#设置适当的ModSecurity配置文件。在这里,
我们使用由ModSecurity的企业赞助商TrustWave Spiderlabs提供的推荐的ModSecurity配置。
mkdir /opt/nginx/modsec
wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
2.#更改SecRuleEngine配置中的指令以从默认的“仅检测”模式更改为主动丢弃恶意流量。
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.
#或者vim配置【第七行】::
[root@xx ~]# vim /opt/nginx/modsec/modsecurity.conf
7 SecRuleEngine Onx
1
1.#设置适当的ModSecurity配置文件。在这里,
2
我们使用由ModSecurity的企业赞助商TrustWave Spiderlabs提供的推荐的ModSecurity配置。
3
mkdir /opt/nginx/modsec
4
wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
5
mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
6
2.#更改SecRuleEngine配置中的指令以从默认的“仅检测”模式更改为主动丢弃恶意流量。
7
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.
8
#或者vim配置【第七行】::
9
[root@xx ~]# vim /opt/nginx/modsec/modsecurity.conf
10
7 SecRuleEngine On
1.规则简单测试
配置一个或者多个规则,创建一个简单的规则,该规则删除了一个请求,其中调用的URL参数在其值中testparam包含字符串test.
将以下文本放在/opt/nginx/modsec/main.conf中
# From https://github.com/SpiderLabs/ModSecurity/blob/master/
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "/etc/nginx/modsec/modsecurity.conf"
# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
8
1
# From https://github.com/SpiderLabs/ModSecurity/blob/master/
2
# modsecurity.conf-recommended
3
#
4
# Edit to set SecRuleEngine On
5
Include "/etc/nginx/modsec/modsecurity.conf"
6
7
# Basic test rule
8
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
- 在生产环境中,您可能会使用实际防止恶意流量的规则,例如免费的OWASP核心规则集。
modsecurity和modsecurity_rules_file指令添加到NGINX配置以启用ModSecurity;
3.进行curl命令,返回403状态码确认规则工作
测试成功
报错小提示:如果配置中提示unicode.mapping字段错误,把Modsecurity目录下unicode.mapping复制到/opt/nginx/modsec/下面
步骤六:OWASP CRS规则与NGINX WAF配合使用
1.下载
#下载规则
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.2.tar.gz
#解压
$ tar -xzvf v3.0.2.tar.gz
#移动目录【自定义】
$ sudo mv owasp-modsecurity-crs-3.0.2 /opt/
1
#下载规则
2
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.2.tar.gz
3
#解压
4
$ tar -xzvf v3.0.2.tar.gz
5
#移动目录【自定义】
6
$ sudo mv owasp-modsecurity-crs-3.0.2 /opt/
2.创建CRS-setup.conf文件的副本CRS-setup.conf.example。
#进入解压目录
cd /usr/local/owasp-modsecurity-crs-3.0.2
#创建副本
sudo cp crs-setup.conf.example crs-setup.conf
4
1
#进入解压目录
2
cd /usr/local/owasp-modsecurity-crs-3.0.2
3
#创建副本
4
sudo cp crs-setup.conf.example crs-setup.conf
3.添加Include的主要NGINX WAF配置文件中的指令(/etc/nginx/modsec/main.conf,在步骤4中创建保护演示Web应用程序)的CRS配置和规则来读取。注释掉文件中可能已存在的任何其他规则,例如SecRule在该部分中创建的示例指令。
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "/opt/nginx/modsec/modsecurity.conf"
# Basic test rule
#SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
Include /opt/owasp-modsecurity-crs-3.0.2/crs-setup.conf
#Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-901-INITIALIZATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
#Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-910-IP-REPUTATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-912-DOS-PROTECTION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-913-SCANNER-DETECTION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-980-CORRELATION.conf
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.confx
7
39
1
# modsecurity.conf-recommended
2
#
3
# Edit to set SecRuleEngine On
4
Include "/opt/nginx/modsec/modsecurity.conf"
5
6
# Basic test rule
7
#SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
8
Include /opt/owasp-modsecurity-crs-3.0.2/crs-setup.conf
9
#Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
10
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-901-INITIALIZATION.conf
11
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
12
#Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-910-IP-REPUTATION.conf
13
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
14
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-912-DOS-PROTECTION.conf
15
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-913-SCANNER-DETECTION.conf
16
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
17
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-921-PROTOCOL-ATTACK.conf
18
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
19
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
20
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
21
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
22
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
23
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
24
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
25
Include /opt/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf
26
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-950-DATA-LEAKAGES.conf
27
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
28
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
29
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
30
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
31
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
32
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-980-CORRELATION.conf
33
Include /opt/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
【tip:有些报错仔细审审,owasp中的部分模板是.exmple结尾的,修改一下即可】
4.重启nginx
sudo nginx -s reload
1
sudo nginx -s reload
参考文章
woasp--modsecurity-crs
nginx+modsecurity