Rootop 服务器运维与web架构

centos下为nginx添加modsecurity安全模块

2020-06-19 发表者 Venus

官网:https://www.modsecurity.org/download.html

先安装modsecurity,再编译nginx模块
# modsecurity依赖几个包实现某些功能

[root@localhost ~]# yum install -y gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel lmdb-devel libxml2-devel ssdeep-devel lua-devel libtool autoconf automake

# 安装modsecurity

[root@localhost ~]# wget -c https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.4/modsecurity-v3.0.4.tar.gz
[root@localhost ~]# tar zxvf modsecurity-v3.0.4.tar.gz 
[root@localhost ~]# cd modsecurity-v3.0.4
[root@localhost modsecurity-v3.0.4]# ./configure 
[root@localhost modsecurity-v3.0.4]# make
[root@localhost modsecurity-v3.0.4]# make install
[root@localhost modsecurity-v3.0.4]# cp modsecurity.conf-recommended /usr/local/modsecurity/modsecurity.conf
[root@localhost modsecurity-v3.0.4]# cp unicode.mapping /usr/local/modsecurity/

默认会安装到/usr/local/modsecurity/

# 下载安全规则

[root@localhost ~]# git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
[root@localhost ~]# cd owasp-modsecurity-crs/
[root@localhost owasp-modsecurity-crs]# cp -r rules/ /usr/local/modsecurity/
[root@localhost owasp-modsecurity-crs]# cp crs-setup.conf.example /usr/local/modsecurity/crs-setup.conf

# 下载nginx modsecurity模块

[root@localhost ~]# git clone https://github.com/SpiderLabs/ModSecurity-nginx.git

# 查看nginx原编译参数

[root@localhost nginx-1.17.9]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.17.9
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --add-module=../ModSecurity-nginx/

# 重新编译nginx,添加modsecurity模块

[root@localhost nginx-1.17.9]# ./configure --user=nginx --group=nginx --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --add-module=../ModSecurity-nginx/
[root@localhost nginx-1.17.9]# make
[root@localhost nginx-1.17.9]# make install

# 虚拟主机配置

server
{
  server_name admin.local;

  listen 80;

  access_log  /usr/local/nginx/logs/admin_access.log;
  error_log   /usr/local/nginx/logs/admin_error.log;

  modsecurity on;
  modsecurity_rules_file /usr/local/modsecurity/modsecurity.conf;
  
  location /
  {
     proxy_pass http://127.0.0.1:10102;
  }
}

# 配置 /usr/local/modsecurity/modsecurity.conf

# 由 DetectionOnly 改为 On
SecRuleEngine On
# 由 ABIJDEFHZ 改为 ABCDEFHZ
SecAuditLogParts ABCDEFHZ
# 下面3行追加到配置文件
Include /usr/local/modsecurity/crs-setup.conf
Include /usr/local/modsecurity/rules/*.conf
SecAuditLogFormat JSON

保存退出。

SecAuditLogFormat JSON是审计日志改为json格式,便于提取。

审计日志会输出到 /var/log/modsec_audit.log

测试:
可以在url访问中加个参数,如:/login?id=1 and 1=1 ,页面会提示403状态码。
日志中会出现审计日志。

原创文章,转载请注明。本文链接地址: https://www.rootop.org/pages/4794.html

作者:Venus

服务器运维与性能优化

评论已关闭。