0 Introduction
ModSecurity is an open source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx, developed by Trustwave's SpiderLabs. Like other WAF products, ModSecurity focuses exclusively on HTTP traffic: when an HTTP request arrives, ModSecurity inspects each part of the request, and if the request is judged malicious it is blocked and logged.
Advantages
- Integrates cleanly with nginx; it is the WAF that nginx officially recommends.
- Supports the OWASP Core Rule Set 3.x.
- The v3 engine is updated faster than the old (v2) version and is more stable.
- Actively maintained by nginx, Inc., Trustwave and other teams.
- Free.
Features
- SQL Injection (SQLi): blocks SQL injection attacks.
- Cross Site Scripting (XSS): blocks cross-site scripting attacks.
- Local File Inclusion (LFI): blocks attacks that exploit local file inclusion vulnerabilities.
- Remote File Inclusion (RFI): blocks attacks that exploit remote file inclusion vulnerabilities.
- Remote Code Execution (RCE): blocks attacks that exploit remote command execution vulnerabilities.
- PHP Code Injection: blocks PHP code injection.
- HTTP Protocol Violations: blocks malicious requests that violate the HTTP protocol.
- HTTPoxy: blocks attempts to exploit the HTTPoxy (Proxy request header) vulnerability.
- Shellshock: blocks attempts to exploit the Shellshock vulnerability.
- Session Fixation: blocks attacks that exploit a fixed session ID.
- Scanner Detection: blocks attackers scanning the website.
- Metadata / Error Leakages: stops source code and error information from being disclosed.
- Project Honey Pot Blacklist: blocks addresses on the Project Honey Pot blacklist.
- GeoIP Country Blocking: blocks client IP addresses based on the country they geolocate to.
Disadvantages
- Rules that inspect the response body are not supported; if the configuration contains such rules they are ignored. These are the OWASP CRS RESPONSE-95x rules. The nginx sub_filter directive can be used to rewrite response data instead.
- The OWASP Core Rule Set DoS rule file REQUEST-912-DOS-PROTECTION.conf is not supported; nginx itself can rate-limit requests (limit_req) to mitigate DoS.
- The request and response bodies are not written to the audit log.
The above is an excerpt from: ModSecurity: an excellent open source WAF.
00 Preface
This post describes how to install ModSecurity on CentOS 7.6. The content at the link above is rather messy, so it has been rearranged and recorded here.
Installation
Install nginx
If nginx is already installed, skip this step; if not, see: RHEL / CentOS install the latest version of Nginx.
Install dependencies
# yum install epel-release -y
# yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre pcre-devel libxml2 libxml2-devel autoconf automake libtool pkgconfig lmdb-devel ssdeep-devel ssdeep-libs lua-devel libmaxminddb-devel git -y
The original command also listed Debian/Ubuntu package names (apt-utils, build-essential, libcurl4-openssl-dev, libgeoip-dev, liblmdb-dev, libpcre++-dev, libxml2-dev, libyajl-dev, zlib1g-dev, ...) which yum cannot resolve on CentOS; they have been dropped here, and the RPM equivalents of libtool and pkgconf (libtool, pkgconfig) have been kept because build.sh runs autoreconf, which needs libtoolize.
Compile ModSecurity
We use the v3 branch and build it under /opt.
# cd /opt/                    # change to /opt
# git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity    # download
# cd ModSecurity/
# git submodule init          # initialise the submodules
# git submodule update        # fetch the submodules
...
Submodule path 'test/test-cases/secrules-language-tests': checked out 'c8cf2c588a93dce20781e597643e1b9d11aa4bba'
# ./build.sh
# ./configure
# make
# make install
[Note] build.sh prints the error below; it can be ignored. It comes from git describe, which finds no tags in the shallow (--depth 1) clone, so only the version string embedded in the build is affected.
fatal: No names found, cannot describe anything
ModSecurity-nginx connector
Now build the ModSecurity-nginx connector as a dynamic nginx module. It must be compiled against the source of exactly the nginx version that is installed, otherwise nginx refuses to load the module as not binary compatible.
# nginx -v        # check the installed nginx version (a mainline release here)
nginx version: nginx/1.17.5
# cd /opt/
# git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
# wget http://nginx.org/download/nginx-1.17.5.tar.gz
# tar -xvf nginx-1.17.5.tar.gz
# ls
ModSecurity  ModSecurity-nginx  nginx-1.17.5  nginx-1.17.5.tar.gz
# cd nginx-1.17.5/
# ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
# make modules          # produces the following .so
# ls ./objs/ngx_http_modsecurity_module.so
./objs/ngx_http_modsecurity_module.so
Add a load_module directive as the first line of the nginx configuration file (it must be in the main context, before the events and http blocks), then test the configuration:
# head -1 /etc/nginx/nginx.conf
load_module /opt/nginx-1.17.5/objs/ngx_http_modsecurity_module.so;
# nginx -t         # test passes
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Test
Echo test
Create a new configuration file /etc/nginx/conf.d/echo.conf, start nginx, test the configuration and reload:
# service nginx start
Redirecting to /bin/systemctl start nginx.service
# cat /etc/nginx/conf.d/echo.conf
server {
    listen localhost:8085;
    location / {
        default_type text/plain;
        return 200 "Thank you for requesting ${request_uri}\n";
    }
}
# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# nginx -s reload
[root@localhost ~]# curl -D - http://localhost:8085
HTTP/1.1 200 OK
Server: nginx/1.17.5
Date: Mon, 18 Nov 2019 05:35:40 GMT
Content-Type: text/plain
Content-Length: 27
Connection: keep-alive

Thank you for requesting /
[root@localhost ~]# curl -D - http://localhost:8085/notexist
HTTP/1.1 200 OK
Server: nginx/1.17.5
Date: Mon, 18 Nov 2019 05:35:49 GMT
Content-Type: text/plain
Content-Length: 35
Connection: keep-alive

Thank you for requesting /notexist
The echo server answers as expected.
Configure a reverse proxy
Create a new configuration file /etc/nginx/conf.d/proxy.conf with the following content:
[root@localhost ~]# cat /etc/nginx/conf.d/proxy.conf
server {
    listen 80;
    location / {
        proxy_pass http://localhost:8085;    # 80 => 8085
        proxy_set_header Host $host;
    }
}
A stock installation ships a default site, /etc/nginx/conf.d/default.conf, which also listens on port 80 and would answer these requests instead of the proxy above, so move it out of the way:
[root@localhost ~]# mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak
[root@localhost ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@localhost ~]# nginx -s reload
[root@localhost ~]# curl -D - http://localhost
HTTP/1.1 200 OK
Server: nginx/1.17.5
Date: Mon, 18 Nov 2019 05:43:05 GMT
Content-Type: text/plain
Content-Length: 27
Connection: keep-alive

Thank you for requesting /
[root@localhost ~]# curl -D - http://localhost/noexist
HTTP/1.1 200 OK
Server: nginx/1.17.5
Date: Mon, 18 Nov 2019 05:44:06 GMT
Content-Type: text/plain
Content-Length: 34
Connection: keep-alive

Thank you for requesting /noexist
[root@localhost ~]#
Requests to port 80 are now reverse-proxied to port 8085.
Enable the WAF
Configure the nginx WAF to protect the demo web application by blocking certain requests. Start from the recommended configuration shipped with ModSecurity:
[root@localhost ~]# mkdir /etc/nginx/modsec
[root@localhost ~]# cd /etc/nginx/modsec
[root@localhost modsec]# wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
[root@localhost modsec]# mv modsecurity.conf-recommended modsecurity.conf
Edit modsecurity.conf: the recommended file ships with SecRuleEngine DetectionOnly, which only logs matches and never blocks, so change it to On:
[root@localhost modsec]# vim modsecurity.conf
# -- Rule engine initialization ----------------------------------------------
...
SecRuleEngine On    <== set to On
Create the nginx WAF rules file /etc/nginx/modsec/main.conf and add a test rule:
# cat /etc/nginx/modsec/main.conf
# Include the recommended configuration
Include /etc/nginx/modsec/modsecurity.conf
# A test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"
- Include: pulls in the recommended configuration file modsecurity.conf.
- SecRule: creates a rule that, whenever the query-string parameter testparam contains the string test, denies the request and returns status code 403, protecting the application. The @contains operator is case-sensitive; add a t:lowercase transformation if "Test" or "TEST" should match too. As the error log later shows, a v3 rule with no explicit phase runs in phase 1 (request headers), where the query string is available but the request body is not; add phase:2 to the action list if the parameter may also arrive in a POST body.
Edit the nginx configuration to enable WAF protection for the proxied site:
# cat /etc/nginx/conf.d/proxy.conf
server {
    listen 80;
    modsecurity on;                                       # enable the WAF
    modsecurity_rules_file /etc/nginx/modsec/main.conf;  # rules file
    location / {
        proxy_pass http://localhost:8085;
        proxy_set_header Host $host;
    }
}
- modsecurity on: enables the nginx WAF;
- modsecurity_rules_file: path of the rules file.
modsecurity.conf refers to unicode.mapping by a relative path (SecUnicodeMapFile), so that file must be copied next to it before the configuration will load:
[root@localhost modsec]# cp /opt/ModSecurity/unicode.mapping /etc/nginx/modsec/   # unicode.mapping must be copied as well
[root@localhost modsec]# nginx -t         # test
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@localhost modsec]# nginx -s reload  # reload the configuration
A request whose testparam contains test is now denied:
[root@localhost modsec]# curl -D - http://localhost/foo?testparam=thisisatestofmodsecurity
HTTP/1.1 403 Forbidden
Server: nginx/1.17.5
Date: Mon, 18 Nov 2019 05:59:10 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.17.5</center>
</body>
</html>
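A single curl shows that one request is blocked; what a practitioner wants after enabling a WAF is a repeatable smoke test that checks the attack probe is denied and that benign traffic still passes, and that names the likely cause when nothing is blocked (SecRuleEngine left at DetectionOnly, modsecurity off, or the wrong rules file). The script below is an added example, not code from the original post or from the ModSecurity project. It assumes the setup built above: nginx on http://localhost proxying to the echo server, and the test rule id:1234 that denies any request whose testparam argument contains "test". The probe list and the fetch helper are this example's own; the URL-encoded probe relies on ModSecurity URL-decoding ARGS before the operator runs.

```python
#!/usr/bin/env python3
"""Smoke test for the ModSecurity + nginx setup in this post (added example).

Each probe carries the HTTP status it expects. Benign requests must keep
returning 200 and the attack probes must be denied with 403 by rule 1234.
"""
import urllib.error
import urllib.request

# (path, expected status). The third probe is the page's own test request;
# the other paths are constructed for this example.
PROBES = [
    ("/", 200),                                        # benign
    ("/foo?testparam=harmless", 200),                  # parameter present, no "test"
    ("/foo?testparam=thisisatestofmodsecurity", 403),  # must be denied by rule 1234
    ("/foo?testparam=%74est", 403),                    # %74 = 't': ARGS are URL-decoded before @contains runs
]


def http_status(url):
    """Return the HTTP status code of a GET without raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_probes(base_url, fetch=http_status, probes=PROBES):
    """Send every probe; return a list of (path, expected, actual, ok)."""
    results = []
    for path, expected in probes:
        actual = fetch(base_url.rstrip("/") + path)
        results.append((path, expected, actual, actual == expected))
    return results


def diagnose(results):
    """Turn the probe results into a one-line verdict."""
    attack = [r for r in results if r[1] == 403]
    benign = [r for r in results if r[1] == 200]
    if all(r[3] for r in results):
        return "PASS: WAF denies the attack probes and passes benign traffic"
    if attack and all(r[2] == 200 for r in attack):
        # Nothing was blocked: the engine is not enforcing at all.
        return ("FAIL: attack probes returned 200; rules are not enforced "
                "(SecRuleEngine DetectionOnly, modsecurity off, or wrong rules file)")
    if any(not r[3] for r in benign):
        return "FAIL: benign traffic is being blocked; look for false positives"
    return "FAIL: mixed results, inspect the table"


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    res = run_probes(base)
    for path, exp, act, ok in res:
        print(f"{'ok ' if ok else 'BAD'} {act:>3} (expected {exp}) {path}")
    print(diagnose(res))
```

Run it as `python3 waf_smoke.py http://localhost` after each configuration change; the point of the benign probes is that a later switch from this one test rule to the full OWASP CRS is only acceptable if they still pass.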
Logging
ModSecurity writes its messages to the nginx error log, so edit /etc/nginx/nginx.conf and raise the error_log level to info; at that level the connector's start-up notice also appears, which confirms how many rules were loaded.
# head -5 /etc/nginx/nginx.conf
load_module /opt/nginx-1.17.5/objs/ngx_http_modsecurity_module.so;  # load the module
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log info;    # log level set to info
[root@localhost modsec]# nginx -t          # test
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@localhost modsec]# nginx -s reload   # reload the configuration
[root@localhost modsec]# curl -D - http://localhost/foo?testparam=thisisatestofmodsecurity   # request again
HTTP/1.1 403 Forbidden
Server: nginx/1.17.5
Date: Mon, 18 Nov 2019 06:02:09 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.17.5</center>
</body>
</html>
[root@localhost modsec]# tail -5 /var/log/nginx/error.log    # view the error log
2019/11/18 14:01:57 [notice] 24845#24845: worker process 25847 exited with code 0
2019/11/18 14:01:57 [notice] 24845#24845: signal 29 (SIGIO) received
2019/11/18 14:01:59 [notice] 25880#25880: ModSecurity-nginx v1.0.0 (rules loaded inline/local/remote: 0/7/0)
2019/11/18 14:02:09 [error] 25879#25879: *11 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `thisisatestofmodsecurity' ) [file "/etc/nginx/modsec/main.conf"] [line "4"] [id "1234"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/foo"] [unique_id "157405692985.199277"] [ref "o7,4v19,24"], client: 127.0.0.1, server: , request: "GET /foo?testparam=thisisatestofmodsecurity HTTP/1.1", host: "localhost"
2019/11/18 14:02:09 [info] 25879#25879: *11 client 127.0.0.1 closed keepalive connection
The "rules loaded inline/local/remote: 0/7/0" notice shows the rules file was parsed (the recommended configuration plus the test rule), and the [error] line records the denial with the rule id, the matched variable and value, the file and line of the rule, the client address and the request.
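The denial line above packs everything an analyst needs into bracketed `[key "value"]` tags, but grepping for it by hand does not scale once the OWASP CRS is loaded. The parser below is an added example, not code from the original post or from ModSecurity; it turns "Access denied" lines from the nginx error log into dictionaries and tallies denials per rule id and per client. The first three sample lines are the ones shown in the post; the fourth denial (client 10.0.0.7, /login) is constructed so the tally has something to count. Notice and info lines are skipped, as would be any nginx error unrelated to ModSecurity.

```python
#!/usr/bin/env python3
"""Parse ModSecurity denials out of the nginx error log (added example)."""
import re
from collections import Counter

# Sample input: the three error.log lines from the post plus one constructed
# denial from a second client, so the per-client tally is non-trivial.
SAMPLE_LOG = """\
2019/11/18 14:01:59 [notice] 25880#25880: ModSecurity-nginx v1.0.0 (rules loaded inline/local/remote: 0/7/0)
2019/11/18 14:02:09 [error] 25879#25879: *11 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `thisisatestofmodsecurity' ) [file "/etc/nginx/modsec/main.conf"] [line "4"] [id "1234"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/foo"] [unique_id "157405692985.199277"] [ref "o7,4v19,24"], client: 127.0.0.1, server: , request: "GET /foo?testparam=thisisatestofmodsecurity HTTP/1.1", host: "localhost"
2019/11/18 14:02:09 [info] 25879#25879: *11 client 127.0.0.1 closed keepalive connection
2019/11/18 14:05:31 [error] 25879#25879: *12 [client 10.0.0.7] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `test' ) [file "/etc/nginx/modsec/main.conf"] [line "4"] [id "1234"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/login"] [unique_id "157405713100.000001"] [ref "o0,4v19,4"], client: 10.0.0.7, server: , request: "GET /login?testparam=test HTTP/1.1", host: "localhost"
"""

# Shape of a denial line: timestamp, [error], "[client X]", the "Access denied"
# sentence with status and phase, the free-text match reason, a run of
# [key "value"] tags, then nginx's own ", client: ..., request: "...", host: ..."
DENY_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[error\] .*?\[client (?P<client>[^\]]+)\] '
    r'ModSecurity: Access denied with code (?P<status>\d+) \(phase (?P<phase>\d)\)\. '
    r'(?P<reason>.*?) (?P<tags>(?:\[\w+ "[^"]*"\] ?)+), client: .*?request: "(?P<request>[^"]*)"'
)
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_denials(log_text):
    """Return one dict per 'Access denied' line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.match(line)
        if not m:
            continue  # notices, info lines, unrelated nginx errors
        ev = {k: m.group(k) for k in ("ts", "client", "status", "phase", "reason", "request")}
        ev["status"] = int(ev["status"])
        ev["phase"] = int(ev["phase"])
        # file, line, id, msg, severity, uri, unique_id ... become plain keys
        ev.update(dict(TAG_RE.findall(m.group("tags"))))
        events.append(ev)
    return events


def summarize(events):
    """Count denials per rule id and per client address."""
    return {
        "denials": len(events),
        "by_rule": dict(Counter(e["id"] for e in events)),
        "by_client": dict(Counter(e["client"] for e in events)),
    }


if __name__ == "__main__":
    evs = parse_denials(SAMPLE_LOG)
    for e in evs:
        print(f'{e["ts"]} {e["client"]:<12} rule {e["id"]} phase {e["phase"]} '
              f'-> {e["status"]} {e["uri"]}  ({e["file"]}:{e["line"]})')
    print(summarize(evs))
```

With the CRS loaded the msg and severity tags are populated, so the same dictionaries can be grouped by message to separate real attacks from noisy rules that need tuning; the uri and client keys are the usual pivots for that.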
References
ModSecurity: an excellent open source WAF
https://www.freebuf.com/sectool/211354.html
https://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-installation-logging/