CentOS 7.4: installing ModSecurity with nginx

1. Preparation:

System environment: CentOS 7.4

Software and versions:

nginx: OpenResty 1.13.6.1

ModSecurity: ModSecurity v3.0.0rc1 (Linux)

ModSecurity connector: ModSecurity-nginx v0.1.1-beta

Download the source files:

 

mkdir /opt/waf

cd /opt/waf
# download OpenResty
wget https://openresty.org/download/openresty-1.13.6.1.tar.gz

# download ModSecurity (install git first if needed: yum -y install git)
git clone https://github.com/SpiderLabs/ModSecurity.git
cd ModSecurity
git checkout v3.0.0

# clone the ModSecurity nginx connector (this takes the current master; check out a tag if you need a reproducible build)
cd /opt/waf
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

 

2. Install dependencies

yum -y install libtool gcc gcc-c++ pcre-devel zlib-devel libxml2-devel libxslt-devel gd-devel perl perl-devel perl-ExtUtils-Embed GeoIP GeoIP-devel GeoIP-data libatomic_ops-devel

 

# Install OpenSSL from source (not needed if you use the OpenSSL shipped with the system).
# The nginx configure below only needs the unpacked source tree (--with-openssl links it statically),
# so the make install step is optional. Verify the tarball against the hash or signature published on
# openssl.org before building; an unverified plain-HTTP download is an easy place to be handed a tampered
# source tree. OpenSSL 1.0.2 has been end-of-life since the end of 2019, so pick a supported release if you pin one today.

mkdir -p /opt/tools
cd /opt/tools/
wget http://www.openssl.org/source/openssl-1.0.2f.tar.gz
tar -zxvf openssl-1.0.2f.tar.gz
cd openssl-1.0.2f
./config --prefix=/usr/local/openssl
make
make install

 

# Install GeoIP from source (this should be unnecessary: GeoIP-devel was already installed by yum above.
# At the time, the GeoIP shared library was missing from the modsecurity .so dependencies, most likely
# because configure was re-run without a make clean.) Note that MaxMind has since retired the legacy
# GeoIP downloads at this URL, which makes the yum packages the simpler route.

cd /opt/tools/
mkdir GeoIP
cd GeoIP
wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP.tar.gz
tar -zxvf GeoIP.tar.gz
cd GeoIP-1.4.8/
# the tarball ships a configure script; the prefix is what --with-geoip in step 3 points at
./configure --prefix=/usr/local/GeoIP
make
make install

  

3. Build ModSecurity

cd /opt/waf/ModSecurity
git submodule init
git submodule update

If the submodule checkouts complete without error, the modules were updated successfully.

./build.sh
# --with-geoip can be dropped; if the final link fails, point it at the GeoIP you built from source (adjust to its install prefix)
./configure --with-geoip=/usr/local/GeoIP
make
make install

Note: make may fail because of missing dependencies. Install them, run make clean, then repeat the three steps (configure, make, make install).

Check the installed tree:

tree /usr/local/modsecurity/

4. Build OpenResty

cd /opt/waf
tar zxvf openresty-1.13.6.1.tar.gz
cd openresty-1.13.6.1
./configure --prefix=/usr/local/nginx \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/usr/local/nginx/nginx.conf \
  --pid-path=/var/run/nginx.pid \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --lock-path=/var/lock/nginx.lock \
  --with-luajit --with-http_gunzip_module --with-pcre --with-pcre-jit \
  --with-http_perl_module --with-ld-opt="-Wl,-E" \
  --with-http_realip_module --with-http_secure_link_module --with-http_slice_module \
  --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module \
  --with-http_v2_module --with-http_addition_module --with-http_xslt_module \
  --with-http_image_filter_module --with-http_geoip_module --with-http_dav_module \
  --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module \
  --with-http_auth_request_module --with-http_random_index_module \
  --with-select_module --with-poll_module --with-file-aio \
  --with-http_degradation_module --with-libatomic \
  --http-client-body-temp-path=/var/tmp/nginx/client_body \
  --http-proxy-temp-path=/var/tmp/nginx/proxy \
  --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi \
  --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi \
  --http-scgi-temp-path=/var/tmp/nginx/scgi \
  --add-dynamic-module=/opt/waf/ModSecurity-nginx/ \
  --with-openssl=/opt/tools/openssl-1.0.2f
make
make install

Notes: 1. The two paths --add-dynamic-module=/opt/waf/ModSecurity-nginx/ and --with-openssl=/opt/tools/openssl-1.0.2f must point at where you cloned the connector and unpacked the OpenSSL source (the unpacked source tree, not an install prefix).

2. make may fail because of missing dependencies. Install them, run make clean, then repeat the three steps (configure, make, make install).

5. Download the rules

cd /opt/waf
# this clones the current master; pin a release tag for a reproducible rule set
# (the project has since moved to https://github.com/coreruleset/coreruleset)
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
cp crs-setup.conf.example crs-setup.conf
cd rules
cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

6. Add the OpenResty configuration

cd /usr/local/nginx/

vi nginx.conf, as follows:

#user  nobody;
worker_processes  1; 
#error_log  logs/error.log;
# load the ModSecurity dynamic module
load_module /usr/local/nginx/nginx/modules/ngx_http_modsecurity_module.so; 

#error_log  logs/error.log  notice;

#error_log  logs/error.log  info; 

#pid        logs/nginx.pid; 

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream; 
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;
    server {

        listen       80;
        server_name  localhost;
        #access_log  logs/host.access.log  main;
        # enable ModSecurity for this server
        modsecurity on;
        location / {
            # path to the ModSecurity configuration; set here it covers only this location,
            # move it up to the server block to cover every location (including /50x.html below)
            modsecurity_rules_file /usr/local/nginx/modsecurity.conf;
            root   html;
            index  index.html index.htm;
        }

        location = /50x.html {
            root   html;
        }
    }
}

Add the ModSecurity configuration

cp /opt/waf/ModSecurity/modsecurity.conf-recommended modsecurity.conf
# modsecurity.conf-recommended refers to unicode.mapping by a relative path, so copy that file alongside it
cp /opt/waf/ModSecurity/unicode.mapping .
vi modsecurity.conf
Append at the end (crs-setup.conf must be included before the rules):
Include /opt/waf/owasp-modsecurity-crs/crs-setup.conf
Include /opt/waf/owasp-modsecurity-crs/rules/*.conf
and save.

Test the configuration:

nginx -t

This gives the following error:

nginx: the configuration file /usr/local/nginx/nginx.conf syntax is ok
nginx: [emerg] mkdir() "/var/tmp/nginx/client_body" failed (2: No such file or directory)
nginx: configuration file /usr/local/nginx/nginx.conf test failed
Create the missing parent directory (nginx creates the leaf directories itself):
mkdir -p /var/tmp/nginx
nginx -t now passes.
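The mkdir() error above is the general case of any --http-*-temp-path whose parent directory does not exist. The shell helper below is added here as an example and is not part of the original post: it reads the configure arguments that nginx -V prints, extracts every configured temp path and creates it with mkdir -p before nginx -t is run. create_temp_dirs takes an optional root prefix so it can be tried against a scratch directory first; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: create every temp directory the
# nginx build was configured with, before running nginx -t.

# Print one path per line for each --http-*-temp-path= in a configure-argument string.
# Input is the string that `nginx -V 2>&1` prints after "configure arguments:".
# Caveat: arguments are split on spaces, so paths containing spaces are not handled.
temp_paths_from_configure() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^--http-[a-z_-]*-temp-path=//p'
}

# mkdir -p each configured temp path. $2 is an optional root to prepend, so the
# function can be exercised against a scratch directory instead of /.
# nginx's master process creates the leaf directory itself but not missing
# parents, which is exactly what the mkdir() error above was about.
create_temp_dirs() {
    temp_paths_from_configure "$1" | while IFS= read -r p; do
        mkdir -p "${2:-}$p" || exit 1
    done
}

# For an installed binary: pull the configure line from nginx -V and create the paths.
nginx_create_temp_dirs() {
    create_temp_dirs "$(nginx -V 2>&1 | sed -n 's/^configure arguments: //p')" "${1:-}"
}
```

Run nginx_create_temp_dirs as root once after make install, then nginx -t; the worker user does not need to own the parent, because the master process creates the leaf directories and chowns them itself.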

Start nginx:

nginx

Test

Watch the ModSecurity audit log:

tail -f /var/log/modsec_audit.log

Visit in a browser:

http://[your ip or hostname]/?a=<script>alert(aa)</script>

The log shows the following. Note that this entry is the browser's follow-up request for /favicon.ico: the XSS rules 941110 and 941160 fired on the Referer header, which carries the original query string, and 920350 fired because the Host header is a bare IP address rather than a name.

---v3gm3tZj---A--
[17/Apr/2018:16:53:12 +0800] 152395519294.104760 172.23.11.56 31223 172.23.11.56 80
---v3gm3tZj---B--
GET /favicon.ico HTTP/1.1
Host: 172.23.26.157
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

---v3gm3tZj---D--

---v3gm3tZj---F--
HTTP/1.1 404
Server: openresty/1.13.6.1
Date: Tue, 17 Apr 2018 08:53:12 GMT
Content-Length: 577
Content-Type: text/html
Connection: close

---v3gm3tZj---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `172.23.26.157' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "733"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "172.23.26.157"] [severity "4"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref "o0,13v32,13"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)([<\xef\xbc\x9c]script[^>\xef\xbc\x9e]*[>\xef\xbc\x9e][\s\S]*?)' against variable `REQUEST_HEADERS:Referer' (Value: `http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "63"] [id "941110"] [rev "2"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within REQUEST_HEADERS:Referer: http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "4"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref "o24,8o24,8v230,58t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o (3246 characters omitted)' against variable `REQUEST_HEADERS:Referer' (Value: `http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "195"] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within REQUEST_HEADERS:Referer: http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref "o24,7o41,8v230,58t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `13' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 13)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `13' ) [file "/opt/waf/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 13 - SQLI=0,XSS=10,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref ""]

---v3gm3tZj---I--

---v3gm3tZj---J--

---v3gm3tZj---Z--
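Reading entries like this by eye does not scale. The shell functions below are added here as an example and are not part of the original post: they pull the rule id, message, URI and transaction id out of every section-H line of a native-format audit log and report the inbound anomaly score that rule 949110 logged, so a hit list like the one above collapses to one line per rule and one score per transaction. The sample log is constructed for the example from the entry above, trimmed to the fields the functions use; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: summarise ModSecurity v3 native audit logs.

# Write a constructed sample audit log (a trimmed copy of the entry above) to $1.
write_sample_audit() {
    cat > "$1" <<'EOF'
---v3gm3tZj---A--
[17/Apr/2018:16:53:12 +0800] 152395519294.104760 172.23.11.56 31223 172.23.11.56 80
---v3gm3tZj---B--
GET /favicon.ico HTTP/1.1
Host: 172.23.26.157
Referer: http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E
---v3gm3tZj---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `172.23.26.157' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "733"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"]
ModSecurity: Warning. Matched "Operator `Rx' ..." against variable `REQUEST_HEADERS:Referer' [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "63"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "2"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"]
ModSecurity: Warning. Matched "Operator `Rx' ..." against variable `REQUEST_HEADERS:Referer' [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "195"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [severity "2"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `13' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 13)"] [severity "2"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `13' ) [file "/opt/waf/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 13 - SQLI=0,XSS=10,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection'"] [severity "0"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"]
---v3gm3tZj---Z--
EOF
}

# One line per rule hit in audit log $1: "<unique_id> <uri> <id> <msg>".
# Only section-H lines start with "ModSecurity: ", so the raw request headers
# in section B (which an attacker controls) are never parsed as rule output.
modsec_rule_hits() {
    sed -n 's/^ModSecurity: .*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*\[uri "\([^"]*\)"\].*\[unique_id "\([^"]*\)"\].*/\4 \3 \1 \2/p' "$1"
}

# Distinct rule ids that fired, sorted.
modsec_rule_ids() {
    modsec_rule_hits "$1" | cut -d' ' -f3 | sort -u
}

# Inbound anomaly score per transaction, taken from the CRS blocking-evaluation
# rule 949110: "<unique_id> <score>". Transactions under the threshold never log 949110.
modsec_inbound_scores() {
    sed -n 's/^ModSecurity: .*\[id "949110"\].*Total Score: \([0-9]*\)).*\[unique_id "\([^"]*\)"\].*/\2 \1/p' "$1"
}

# Transactions whose inbound score reached threshold $2 (the CRS default is 5,
# the "parameter `5'" visible in the 949110 line above).
modsec_over_threshold() {
    modsec_inbound_scores "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}
```

Pointed at /var/log/modsec_audit.log, modsec_rule_ids gives a quick picture of which rules a tuning pass needs exclusions for, and modsec_over_threshold lists the transactions that would have been denied once SecRuleEngine is switched to On.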

By default ModSecurity only detects and does not block. To block, change SecRuleEngine DetectionOnly to SecRuleEngine On:

vi /usr/local/nginx/modsecurity.conf

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
#SecRuleEngine DetectionOnly
SecRuleEngine On

Run in DetectionOnly against real traffic first and add exclusions for the false positives to the REQUEST-900 and RESPONSE-999 files copied in step 5; the 920350 hit above shows a harmless request scoring points just because the browser used a bare IP as the Host header.

Reload nginx:

nginx -s reload

Test again: the request is now blocked.
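Editing SecRuleEngine in vi is fine once; for repeatable switching between the weak and the enforcing setting, the shell functions below are added here as an example and are not part of the original post. set_rule_engine rewrites the single active SecRuleEngine line to DetectionOnly, On or Off and refuses to touch a file that has zero or several active directives, and waf_blocks_xss sends the same XSS query as above and succeeds only if the WAF denied it. The expected 403 is the CRS default deny status from crs-setup.conf and is an assumption if you have changed it; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: flip ModSecurity between detection
# and blocking mode and check that blocking really happens.

# Print the active SecRuleEngine mode in conf $1 (commented lines are ignored).
rule_engine_mode() {
    sed -n 's/^SecRuleEngine[[:space:]]*//p' "$1"
}

# Set the active SecRuleEngine line in $1 to $2 (DetectionOnly | On | Off).
# Refuses unknown modes and files with zero or several active directives,
# so a stray second "SecRuleEngine On" cannot silently win over the edit.
set_rule_engine() {
    conf="$1"; mode="$2"
    case "$mode" in
        DetectionOnly|On|Off) ;;
        *) echo "set_rule_engine: unknown mode '$mode'" >&2; return 2 ;;
    esac
    n=$(grep -c '^SecRuleEngine[[:space:]]' "$conf" || true)
    if [ "$n" -ne 1 ]; then
        echo "set_rule_engine: expected exactly one active SecRuleEngine line in $conf, found $n" >&2
        return 1
    fi
    # keeps a .bak next to the file; run nginx -t && nginx -s reload afterwards
    sed -i.bak "s/^SecRuleEngine[[:space:]].*/SecRuleEngine $mode/" "$conf"
}

# Send the XSS probe used above to host $1 and succeed only if the WAF denied it.
# 403 is the CRS default deny status from crs-setup.conf (assumed unchanged).
waf_blocks_xss() {
    host="${1:-127.0.0.1}"
    code=$(curl -s -o /dev/null -w '%{http_code}' "http://$host/?a=%3Cscript%3Ealert(aa)%3C/script%3E")
    [ "$code" = "403" ]
}
```

A typical switch is set_rule_engine /usr/local/nginx/modsecurity.conf On followed by nginx -t, nginx -s reload and waf_blocks_xss; if the probe still returns 200, the rules file was not loaded for that location or the engine is still in DetectionOnly.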

For further ModSecurity configuration changes, see the ModSecurity configuration article.
