官网:https://www.modsecurity.org/download.html
先安装modsecurity,再编译nginx模块
# modsecurity依赖几个包实现某些功能
[root@localhost ~]# yum install -y gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel lmdb-devel libxml2-devel ssdeep-devel lua-devel libtool autoconf automake
# 安装modsecurity
[root@localhost ~]# wget -c https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.4/modsecurity-v3.0.4.tar.gz
[root@localhost ~]# tar zxvf modsecurity-v3.0.4.tar.gz
[root@localhost ~]# cd modsecurity-v3.0.4
[root@localhost modsecurity-v3.0.4]# ./configure
[root@localhost modsecurity-v3.0.4]# make
[root@localhost modsecurity-v3.0.4]# make install
[root@localhost modsecurity-v3.0.4]# cp modsecurity.conf-recommended /usr/local/modsecurity/modsecurity.conf
[root@localhost modsecurity-v3.0.4]# cp unicode.mapping /usr/local/modsecurity/
默认会安装到/usr/local/modsecurity/
# 下载安全规则
[root@localhost ~]# git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
[root@localhost ~]# cd owasp-modsecurity-crs/
[root@localhost owasp-modsecurity-crs]# cp -r rules/ /usr/local/modsecurity/
[root@localhost owasp-modsecurity-crs]# cp crs-setup.conf.example /usr/local/modsecurity/crs-setup.conf
# 下载nginx modsecurity模块
[root@localhost ~]# git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
# 查看nginx原编译参数
[root@localhost nginx-1.17.9]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.17.9
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --add-module=../ModSecurity-nginx/
# 重新编译nginx,添加modsecurity模块
[root@localhost nginx-1.17.9]# ./configure --user=nginx --group=nginx --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --add-module=../ModSecurity-nginx/
[root@localhost nginx-1.17.9]# make
[root@localhost nginx-1.17.9]# make install
# 虚拟主机配置
server {
  server_name admin.local;
  listen 80;
  access_log /usr/local/nginx/logs/admin_access.log;
  error_log /usr/local/nginx/logs/admin_error.log;
  modsecurity on;
  modsecurity_rules_file /usr/local/modsecurity/modsecurity.conf;
  location / {
    proxy_pass http://127.0.0.1:10102;
  }
}
# 配置 /usr/local/modsecurity/modsecurity.conf
# 由 DetectionOnly 改为 On(生产环境建议先保持 DetectionOnly 观察一段时间审计日志,排除误报后再改为 On)
SecRuleEngine On
# 由 ABIJDEFHZ 改为 ABCDEFHZ
SecAuditLogParts ABCDEFHZ
# 下面3行追加到配置文件(crs-setup.conf 必须在 rules/*.conf 之前 Include)
Include /usr/local/modsecurity/crs-setup.conf
Include /usr/local/modsecurity/rules/*.conf
SecAuditLogFormat JSON
保存退出。
SecAuditLogFormat JSON 是把审计日志改为 JSON 格式,便于后续提取和分析。
审计日志会输出到 /var/log/modsec_audit.log。由于 SecAuditLogParts 中包含了 C(请求体),日志里可能记录口令等敏感数据,应限制该文件的读取权限。
测试:
可以在访问自己站点的 URL 中加个参数测试,如:/login?id=1 and 1=1,页面会返回 403 状态码。
日志中会出现审计日志。
原创文章,转载请注明。本文链接地址: https://www.rootop.org/pages/4794.html