1. Preparation:

System environment: CentOS 7.4

Software and versions:

nginx: OpenResty 1.13.6.1

ModSecurity: ModSecurity v3.0.0rc1 (Linux)

ModSecurity connector: ModSecurity-nginx v0.1.1-beta

Download the source files:

mkdir /opt/waf

cd /opt/waf
# download OpenResty
wget https://openresty.org/download/openresty-1.13.6.1.tar.gz
# download ModSecurity (if git is missing: yum -y install git)
git clone https://github.com/SpiderLabs/ModSecurity.git
cd ModSecurity
git checkout v3.0.0
# clone the ModSecurity nginx connector (--depth needs a number; 1 fetches only the latest commit)
cd /opt/waf
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

2. Install dependencies

yum -y install libtool gcc gcc-c++ pcre-devel zlib-devel libxml2-devel libxslt-devel gd-devel perl perl-devel perl-ExtUtils-Embed GeoIP GeoIP-devel GeoIP-data libatomic_ops-devel
# build OpenSSL from source (can be skipped if the system's own OpenSSL is used)

cd /opt/tools/
wget http://www.openssl.org/source/openssl-1.0.2f.tar.gz
tar -zxvf openssl-1.0.2f.tar.gz
cd openssl-1.0.2f
./config --prefix=/usr/local/openssl
make
make install 
# build GeoIP from source (probably unnecessary: yum -y install GeoIP-devel already provides it; the real cause was most likely that the tree was not cleaned before re-running configure, so the GeoIP shared library never made it into the ModSecurity .so dependencies)

cd /opt/tools/
mkdir GeoIP
cd GeoIP
wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP.tar.gz
tar -zxvf GeoIP.tar.gz
cd GeoIP-1.4.8/
# install under /usr/local/GeoIP, the path passed to --with-geoip in step 3
./configure --prefix=/usr/local/GeoIP
make
make install


3. Build ModSecurity

cd /opt/waf/ModSecurity
git submodule init
git submodule update

If the submodule update finishes without errors, the modules were fetched successfully (the original screenshot of the output is not reproduced here).

./build.sh
# the configure argument below can be dropped; if the final link step fails, point it at the GeoIP you built from source
./configure --with-geoip=/usr/local/GeoIP
make
make install

Note: make may fail because of a missing dependency. Install the dependency, run make clean, and then repeat the three steps (configure, make, make install).

Check the result:

tree /usr/local/modsecurity/

4. Build OpenResty

cd /opt/waf
tar zxvf openresty-1.13.6.1.tar.gz
cd openresty-1.13.6.1
./configure --prefix=/usr/local/nginx --sbin-path=/usr/sbin/nginx --conf-path=/usr/local/nginx/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --with-luajit --with-http_gunzip_module --with-pcre --with-pcre-jit --with-http_perl_module --with-ld-opt="-Wl,-E" --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-select_module --with-poll_module --with-file-aio --with-http_degradation_module --with-libatomic --http-client-body-temp-path=/var/tmp/nginx/client_body --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --add-dynamic-module=/opt/waf/ModSecurity-nginx/ --with-openssl=/opt/tools/openssl-1.0.2f
make
make install

Note: 1. The two paths in --add-dynamic-module=/opt/waf/ModSecurity-nginx/ and --with-openssl=/opt/tools/openssl-1.0.2f are the paths used on this machine; adjust them to where you unpacked the connector and OpenSSL.

2. make may fail because of a missing dependency. Install the dependency, run make clean, and then repeat the three steps (configure, make, make install).

5. Download the rule set

cd /opt/waf
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
cp crs-setup.conf.example crs-setup.conf
cd rules
# the two exclusion-rule templates shipped with CRS 3.0 (file names as in the CRS repository)
cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

6. Add the OpenResty configuration

cd /usr/local/nginx/

vi nginx.conf, as follows:

#user  nobody;
# worker, connection, timeout and port values are the stock nginx.conf defaults
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

# load the ModSecurity dynamic module (must appear before the events/http blocks)
load_module /usr/local/nginx/nginx/modules/ngx_http_modsecurity_module.so;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #access_log  logs/host.access.log  main;

        # enable ModSecurity for this server
        modsecurity on;

        location / {
            # path to the ModSecurity configuration file
            modsecurity_rules_file /usr/local/nginx/modsecurity.conf;
            root   html;
            index  index.html index.htm;
        }

        location = /50x.html {
            root   html;
        }
    }
}

Add the ModSecurity configuration

cp /opt/waf/ModSecurity/modsecurity.conf-recommended modsecurity.conf
vi modsecurity.conf

Append the following at the end of the file:

Include /opt/waf/owasp-modsecurity-crs/crs-setup.conf
Include /opt/waf/owasp-modsecurity-crs/rules/*.conf

Save the file.

Test the configuration:

nginx -t

The following error appears:

nginx: the configuration file /usr/local/nginx/nginx.conf syntax is ok
nginx: [emerg] mkdir() "/var/tmp/nginx/client_body" failed (: No such file or directory)
nginx: configuration file /usr/local/nginx/nginx.conf test failed

The temp directory given to --http-client-body-temp-path does not exist yet; create it:

mkdir /var/tmp/nginx

After that, nginx -t passes.

Start nginx:

nginx

Test

Open the ModSecurity audit log:

tail -f /var/log/modsec_audit.log

Visit this URL in a browser:

http://[your ip or hostname]/?a=<script>alert(aa)</script>

The log shows the following:

---v3gm3tZj---A--
[/Apr/::: +] 152395519294.104760 172.23.11.56 172.23.11.56
---v3gm3tZj---B--
GET /favicon.ico HTTP/1.1
Host: 172.23.26.157
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
---v3gm3tZj---D--
---v3gm3tZj---F--
HTTP/1.1
Server: openresty/1.13.6.1
Date: Tue, Apr :: GMT
Content-Length:
Content-Type: text/html
Connection: close
---v3gm3tZj---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `172.23.26.157' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST--PROTOCOL-ENFORCEMENT.conf"] [line ""] [id ""] [rev ""] [msg "Host header is a numeric IP address"] [data "172.23.26.157"] [severity ""] [ver "OWASP_CRS/3.0."] [maturity ""] [accuracy ""] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5."] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref "o0,13v32,"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)([<\xef\xbc\x9c]script[^>\xef\xbc\x9e]*[>\xef\xbc\x9e][\s\S]*?)' against variable `REQUEST_HEADERS:Referer' (Value: `http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST--APPLICATION-ATTACK-XSS.conf"] [line ""] [id ""] [rev ""] [msg "XSS Filter - Category : Script Tag Vector"] [data "Matched Data: <script> found within REQUEST_HEADERS:Referer: http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "4"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref "o24,8o24,8v230,58t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o (3246 characters omitted)' against variable `REQUEST_HEADERS:Referer' (Value: `http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST--APPLICATION-ATTACK-XSS.conf"] [line ""] [id ""] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within REQUEST_HEADERS:Referer: http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref "o24,7o41,8v230,58t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `13' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST--BLOCKING-EVALUATION.conf"] [line ""] [id ""] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: )"] [data ""] [severity ""] [ver ""] [maturity ""] [accuracy ""] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `13' ) [file "/opt/waf/owasp-modsecurity-crs/rules/RESPONSE--CORRELATION.conf"] [line ""] [id ""] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: - SQLI=,XSS=,RFI=,LFI=,RCE=,PHPI=,HTTP=,SESS=): NoScript XSS InjectionChecker: HTML Injection'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref ""]
---v3gm3tZj---I--
---v3gm3tZj---J--
---v3gm3tZj---Z--
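Reading the audit log by eye, as above, does not scale once the CRS is live. The shell snippet below is an added example (not part of the original post) that pulls the rule id, severity, message and anomaly score out of audit-log section H lines with the same "[id ...] [msg ...] [severity ...] [unique_id ...]" layout shown in the log above, and reports whether a transaction was only detected or actually denied. The sample log is constructed for the example; its rule ids, line numbers and scores are illustrative, not copied from the original log, and the "ModSecurity: Access denied" string it looks for is what libmodsecurity writes when SecRuleEngine is On.

```shell
#!/bin/sh
# Added example: summarise a ModSecurity v3 audit log (e.g. /var/log/modsec_audit.log).
# Only "ModSecurity: Warning" / "ModSecurity: Access denied" lines carry rule matches;
# every match line ends with [unique_id "..."], which ties it to one transaction.

# Constructed sample log (ids/scores are illustrative, in the CRS 3.0 layout).
SAMPLE_LOG="${TMPDIR:-/tmp}/modsec_sample_$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
---abc123---A--
[12/Apr/2018:10:00:00 +0800] 152395519294.104760 172.23.11.56 52000 172.23.11.56 80
---abc123---B--
GET /?a=%3Cscript%3Ealert(aa)%3C/script%3E HTTP/1.1
Host: 172.23.26.157
---abc123---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `172.23.26.157' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [uri "/"] [unique_id "152395519294.104760"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<script' against variable `ARGS:a' (Value: `<script>alert(aa)</script>' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "120"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "2"] [uri "/"] [unique_id "152395519294.104760"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `7' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 7)"] [severity "2"] [uri "/"] [unique_id "152395519294.104760"]
---abc123---Z--
EOF

# Number of rule matches in the log.
modsec_match_count() {
    grep -c 'ModSecurity: Warning' "$1" || true
}

# One line per match: "<unique_id> <rule id> <severity> <msg>".
modsec_matches() {
    grep 'ModSecurity: Warning' "$1" | sed -n \
        's/.*\[id "\([^"]*\)"].*\[msg "\([^"]*\)"].*\[severity "\([^"]*\)"].*\[unique_id "\([^"]*\)"].*/\4 \1 \3 \2/p'
}

# Distinct rule ids that fired, space separated and sorted (handy for tuning exclusions).
modsec_rule_ids() {
    modsec_matches "$1" | awk '{ print $2 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Inbound anomaly score reported by the blocking-evaluation rule ("Total Score: N"), 0 if absent.
modsec_anomaly_score() {
    awk 'match($0, /Total Score: [0-9]+/) { print substr($0, RSTART + 13, RLENGTH - 13); found = 1; exit }
         END { if (!found) print 0 }' "$1"
}

# "blocked" if ModSecurity denied a request, otherwise "detected-only" (DetectionOnly mode).
modsec_verdict() {
    if grep -q 'ModSecurity: Access denied' "$1"; then echo blocked; else echo detected-only; fi
}

# Matches per transaction: "<unique_id> <count>".
modsec_per_transaction() {
    modsec_matches "$1" | awk '{ c[$1]++ } END { for (k in c) print k, c[k] }'
}

# Stand-alone run: print the summary for the constructed sample.
echo "matches:  $(modsec_match_count "$SAMPLE_LOG")"
echo "rules:    $(modsec_rule_ids "$SAMPLE_LOG")"
echo "score:    $(modsec_anomaly_score "$SAMPLE_LOG")"
echo "verdict:  $(modsec_verdict "$SAMPLE_LOG")"
modsec_per_transaction "$SAMPLE_LOG"
```

Point the functions at the real /var/log/modsec_audit.log instead of the sample to see which CRS rules a given page trips; the rule-id list is the input you need for a targeted exclusion in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf rather than lowering the anomaly threshold globally.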

By default ModSecurity only detects and does not block. To make it block, change SecRuleEngine DetectionOnly to SecRuleEngine On in the configuration:

vi /usr/local/nginx/modsecurity.conf

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine DetectionOnly
#SecRuleEngine On
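Because a later SecRuleEngine directive overrides an earlier one and commented-out copies are easy to mistake for live ones, it is worth checking the effective mode programmatically before and after the switch. The shell functions below are an added example (not from the original post): they read the effective SecRuleEngine value and the number of live CRS Include lines from a modsecurity.conf, and flip DetectionOnly to On with a backup. The sample configuration file is constructed here; the function names are this example's own.

```shell
#!/bin/sh
# Added example: inspect and switch the SecRuleEngine mode of a modsecurity.conf.

# Constructed sample modsecurity.conf (same shape as the modsecurity.conf-recommended excerpt above).
SAMPLE_CONF="${TMPDIR:-/tmp}/modsecurity_sample_$$.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine DetectionOnly
#SecRuleEngine On
SecRequestBodyAccess On
SecAuditLog /var/log/modsec_audit.log
Include /opt/waf/owasp-modsecurity-crs/crs-setup.conf
Include /opt/waf/owasp-modsecurity-crs/rules/*.conf
EOF

# Effective SecRuleEngine value: the last uncommented directive wins, because
# ModSecurity applies directives in file order. Prints "unset" if none is found.
modsec_engine_mode() {
    awk '/^[ \t]*SecRuleEngine[ \t]/ { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# Number of live (uncommented) Include lines that pull in the OWASP CRS.
modsec_crs_includes() {
    grep -c '^[[:space:]]*Include[[:space:]].*owasp-modsecurity-crs' "$1" || true
}

# Switch DetectionOnly -> On, keeping a timestamped backup of the original file.
modsec_enable_blocking() {
    cp "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
    sed 's/^\([[:space:]]*SecRuleEngine[[:space:]][[:space:]]*\)DetectionOnly[[:space:]]*$/\1On/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Stand-alone run against the constructed sample.
echo "mode before: $(modsec_engine_mode "$SAMPLE_CONF")"
echo "CRS includes: $(modsec_crs_includes "$SAMPLE_CONF")"
modsec_enable_blocking "$SAMPLE_CONF"
echo "mode after:  $(modsec_engine_mode "$SAMPLE_CONF")"
```

Run modsec_engine_mode against /usr/local/nginx/modsecurity.conf before `nginx -s reload` to confirm the mode you expect, and keep the .bak file so you can drop back to DetectionOnly quickly if the CRS starts blocking legitimate traffic.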

Reload nginx:

nginx -s reload

Test again: the request is now blocked.

For further ModSecurity configuration changes, see the ModSecurity configuration study article.
