CentOS 7.4: ModSecurity with nginx (OpenResty) installation
1. Preparation
OS: CentOS 7.4
Software and versions:
nginx: OpenResty 1.13.6.1
ModSecurity: ModSecurity v3.0.0rc1 (Linux); the source checkout below uses the v3.0.0 tag
ModSecurity connector: ModSecurity-nginx v0.1.1-beta
Download the sources (git is needed for the clones: yum -y install git). Pin every component to the tag you intend to run rather than whatever master happens to be, so the build is reproducible:
```shell
mkdir -p /opt/waf && cd /opt/waf
# OpenResty
wget https://openresty.org/download/openresty-1.13.6.1.tar.gz
# ModSecurity (libmodsecurity v3)
git clone https://github.com/SpiderLabs/ModSecurity.git
cd ModSecurity
git checkout v3.0.0
# ModSecurity nginx connector, shallow clone pinned to the version listed above
cd /opt/waf
git clone --depth 1 --branch v0.1.1-beta https://github.com/SpiderLabs/ModSecurity-nginx.git
```
2. Installing dependencies
```shell
yum -y install libtool gcc gcc-c++ pcre-devel zlib-devel libxml2-devel libxslt-devel gd-devel \
    perl perl-devel perl-ExtUtils-Embed GeoIP GeoIP-devel GeoIP-data libatomic_ops-devel
```
OpenSSL from source (optional: if the system OpenSSL is adequate, skip this). Note that 1.0.2f is an early release of a branch that is no longer maintained and has publicly known security fixes after it; for anything beyond a lab build, link against the distribution's openssl-devel package, which receives security backports, or a currently supported OpenSSL release, and verify the tarball's checksum or signature before building.
```shell
mkdir -p /opt/tools && cd /opt/tools
wget http://www.openssl.org/source/openssl-1.0.2f.tar.gz
tar -zxvf openssl-1.0.2f.tar.gz
cd openssl-1.0.2f
./config --prefix=/usr/local/openssl
make
make install
```
GeoIP from source (this should not be necessary: the yum GeoIP-devel package above already provides it; at the time, the GeoIP shared library most likely failed to show up among libmodsecurity's .so dependencies because configure was re-run without a make clean first). If you do build it, configure it with the prefix that the ModSecurity configure step below points at. MaxMind has since deprecated this legacy C API, so the download URL may no longer work:
```shell
mkdir -p /opt/tools/GeoIP && cd /opt/tools/GeoIP
wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP.tar.gz
tar -zxvf GeoIP.tar.gz
cd GeoIP-1.4.8/
./configure --prefix=/usr/local/GeoIP
make
make install
```
3. Building ModSecurity
```shell
cd /opt/waf/ModSecurity
git submodule init
git submodule update
```
When the submodule checkout output appears without errors, the modules were updated successfully.
```shell
./build.sh
# the --with-geoip flag can be dropped; if the final link fails, point it at the GeoIP you built from source
./configure --with-geoip=/usr/local/GeoIP
make
make install
```
Note: make may fail on missing dependencies. Install them, run make clean, and then repeat the three steps (configure, make, make install).
Check the result:
```shell
tree /usr/local/modsecurity/
```
libmodsecurity is installed under /usr/local/modsecurity (lib/ and include/). nginx loads libmodsecurity.so.3 at runtime, so if nginx later refuses to start because that library cannot be found, add /usr/local/modsecurity/lib to the dynamic loader's search path (an entry under /etc/ld.so.conf.d/ followed by ldconfig).
4. Building OpenResty
```shell
cd /opt/waf
tar zxvf openresty-1.13.6.1.tar.gz
cd openresty-1.13.6.1
./configure --prefix=/usr/local/nginx \
    --sbin-path=/usr/sbin/nginx \
    --conf-path=/usr/local/nginx/nginx.conf \
    --pid-path=/var/run/nginx.pid \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --lock-path=/var/lock/nginx.lock \
    --with-luajit \
    --with-http_gunzip_module \
    --with-pcre --with-pcre-jit \
    --with-http_perl_module --with-ld-opt="-Wl,-E" \
    --with-http_realip_module --with-http_secure_link_module --with-http_slice_module \
    --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module \
    --with-http_v2_module --with-http_addition_module --with-http_xslt_module \
    --with-http_image_filter_module --with-http_geoip_module --with-http_dav_module \
    --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module \
    --with-http_auth_request_module --with-http_random_index_module \
    --with-select_module --with-poll_module --with-file-aio \
    --with-http_degradation_module --with-libatomic \
    --http-client-body-temp-path=/var/tmp/nginx/client_body \
    --http-proxy-temp-path=/var/tmp/nginx/proxy \
    --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi \
    --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi \
    --http-scgi-temp-path=/var/tmp/nginx/scgi \
    --add-dynamic-module=/opt/waf/ModSecurity-nginx/ \
    --with-openssl=/opt/tools/openssl-1.0.2f
make
make install
```
Notes:
1. --add-dynamic-module=/opt/waf/ModSecurity-nginx/ and --with-openssl=/opt/tools/openssl-1.0.2f are your own paths: the connector checkout and the unpacked OpenSSL source tree (--with-openssl expects the source directory, not an installed prefix). If configure cannot find libmodsecurity, the connector honours the MODSECURITY_INC and MODSECURITY_LIB environment variables; for the default install above they point at /usr/local/modsecurity/include and /usr/local/modsecurity/lib.
2. make may fail on missing dependencies. Install them, run make clean, and then repeat configure, make, make install.
5. Downloading the rules
```shell
cd /opt/waf
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
cp crs-setup.conf.example crs-setup.conf
cd rules
# the two exclusion-rule templates (REQUEST-...-EXCLUSION-RULES-BEFORE-CRS and
# RESPONSE-...-EXCLUSION-RULES-AFTER-CRS) are the only *.conf.example files in rules/
for f in *.conf.example; do cp "$f" "${f%.example}"; done
```
As with the other components, check out a CRS release tag rather than building from master; the audit log later in this post reports OWASP_CRS/3.0.0. The two exclusion files are where local false-positive exclusions belong, so that CRS upgrades do not overwrite them.
6. Adding the OpenResty configuration
```shell
cd /usr/local/nginx/
vi nginx.conf
```
The file is the stock nginx.conf with the two ModSecurity additions marked by comments (the numeric values are the stock defaults):
```nginx
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

# load the ModSecurity connector (built as a dynamic module above); main context only
load_module /usr/local/nginx/nginx/modules/ngx_http_modsecurity_module.so;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #access_log  logs/host.access.log  main;

        # enable ModSecurity for this server block
        modsecurity on;

        location / {
            # path to the ModSecurity configuration (the CRS is included from it)
            modsecurity_rules_file /usr/local/nginx/modsecurity.conf;
            root   html;
            index  index.html index.htm;
        }

        location = /50x.html {
            root   html;
        }
    }
}
```
load_module must sit in the main context, outside events and http. modsecurity_rules_file is set only inside location /, so only that location is inspected; to cover every location of the server (including /50x.html and anything added later), move the directive up next to modsecurity on; in the server block, where it applies to all locations that do not override it.
Add the ModSecurity configuration (still in /usr/local/nginx, so the copy lands at the path referenced by modsecurity_rules_file):
```shell
cp /opt/waf/ModSecurity/modsecurity.conf-recommended modsecurity.conf
vi modsecurity.conf
```
Append at the end:
```
Include /opt/waf/owasp-modsecurity-crs/crs-setup.conf
Include /opt/waf/owasp-modsecurity-crs/rules/*.conf
```
and save. The recommended file starts the engine in DetectionOnly mode and writes the audit log to /var/log/modsec_audit.log, which is where the test below reads it from. The wildcard also picks up the two exclusion-rule files prepared in step 5.
Test the configuration:
```shell
nginx -t
```
This produced the following error:
```
nginx: the configuration file /usr/local/nginx/nginx.conf syntax is ok
nginx: [emerg] mkdir() "/var/tmp/nginx/client_body" failed (: No such file or directory)
nginx: configuration file /usr/local/nginx/nginx.conf test failed
```
The temp-path directories given at configure time need their parent to exist (nginx creates the subdirectories itself):
```shell
mkdir -p /var/tmp/nginx
```
After that nginx -t passes. Start nginx:
```shell
nginx
```
Testing
Follow the ModSecurity audit log:
```shell
tail -f /var/log/modsec_audit.log
```
In a browser, open
http://[your ip or hostname]/?a=<script>alert(aa)</script>
and the log shows entries like the following. The entry reproduced here is the browser's automatic follow-up request for /favicon.ico, which carries the payload in its Referer header; the initial request for /?a=... gets an entry of its own.
```
---v3gm3tZj---A--
[/Apr/::: +] 152395519294.104760 172.23.11.56 172.23.11.56
---v3gm3tZj---B--
GET /favicon.ico HTTP/1.1
Host: 172.23.26.157
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
---v3gm3tZj---D--
---v3gm3tZj---F--
HTTP/1.1
Server: openresty/1.13.6.1
Date: Tue, Apr :: GMT
Content-Length:
Content-Type: text/html
Connection: close
---v3gm3tZj---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `172.23.26.157' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST--PROTOCOL-ENFORCEMENT.conf"] [line ""] [id ""] [rev ""] [msg "Host header is a numeric IP address"] [data "172.23.26.157"] [severity ""] [ver "OWASP_CRS/3.0."] [maturity ""] [accuracy ""] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5."] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref "o0,13v32,"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)([<\xef\xbc\x9c]script[^>\xef\xbc\x9e]*[>\xef\xbc\x9e][\s\S]*?)' against variable `REQUEST_HEADERS:Referer' (Value: `http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST--APPLICATION-ATTACK-XSS.conf"] [line ""] [id ""] [rev ""] [msg "XSS Filter - Category : Script Tag Vector"] [data "Matched Data: <script> found within REQUEST_HEADERS:Referer: http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "4"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref "o24,8o24,8v230,58t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o (3246 characters omitted)' against variable `REQUEST_HEADERS:Referer' (Value: `http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST--APPLICATION-ATTACK-XSS.conf"] [line ""] [id ""] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within REQUEST_HEADERS:Referer: http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref "o24,7o41,8v230,58t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `13' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST--BLOCKING-EVALUATION.conf"] [line ""] [id ""] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: )"] [data ""] [severity ""] [ver ""] [maturity ""] [accuracy ""] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `13' ) [file "/opt/waf/owasp-modsecurity-crs/rules/RESPONSE--CORRELATION.conf"] [line ""] [id ""] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: - SQLI=,XSS=,RFI=,LFI=,RCE=,PHPI=,HTTP=,SESS=): NoScript XSS InjectionChecker: HTML Injection'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref ""]
---v3gm3tZj---I--
---v3gm3tZj---J--
---v3gm3tZj---Z--
```
Each transaction is delimited by ---<boundary>---<part>-- markers: A is the summary line (timestamp, unique id, client and server addresses), B the request headers, F the response headers, H the trailer with the rule matches, and Z the end of the entry. The trailer shows how the CRS anomaly-scoring model reaches its decision: the two XSS rules are CRITICAL (5 points each) and the numeric-Host-header rule is WARNING (3 points), giving the inbound score of 13 shown above, which is at or above the default threshold of 5, so the blocking-evaluation rule fires. The Host rule also shows that testing by bare IP address already contributes 3 points; requests sent with a real hostname will not.
By default ModSecurity only detects and does not block. To block, change
SecRuleEngine DetectionOnly
to
SecRuleEngine On
in the ModSecurity configuration:
```shell
vi /usr/local/nginx/modsecurity.conf
```
```
# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
#SecRuleEngine DetectionOnly
SecRuleEngine On
```
Reload nginx so the rules file is re-read:
```shell
nginx -s reload
```
Test again: the request is now blocked (rejected with HTTP 403, ModSecurity's default deny status). Before switching a production host to On, run in DetectionOnly for a while and review the audit log for false positives, then put the resulting exclusions into the exclusion-rule files prepared in step 5.
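Reading the trailer by eye, as above, does not scale once the log holds more than a handful of transactions. The following is an added example, not code from the original post or from the ModSecurity project: a small Python triage script for the native-format audit log (the ---boundary---part-- markers shown above). It groups lines by transaction and part, pulls the client, request line, Host and each rule match out of parts A, B and H, and estimates what SecRuleEngine On would do by summing the CRS anomaly points. The severity-to-points mapping (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2), the inbound threshold of 5 and the treatment of the BLOCKING-EVALUATION and CORRELATION files as reporting-only are the crs-setup.conf defaults and are assumed here; the function names are mine, and the embedded sample log is constructed (RFC 5737 test addresses, shortened operator text), not a capture.

```python
"""Triage a ModSecurity v3 native-format audit log and estimate the CRS anomaly score
per transaction (added example; assumes CRS 3.x default scoring, sample log is constructed)."""
import re
import sys
from dataclasses import dataclass, field

# ModSecurity logs severity as a syslog-style number; CRS turns it into anomaly points:
# 2=CRITICAL -> 5, 3=ERROR -> 4, 4=WARNING -> 3, 5=NOTICE -> 2 (crs-setup.conf defaults, assumed).
SEVERITY_SCORE = {"2": 5, "3": 4, "4": 3, "5": 2}
INBOUND_THRESHOLD = 5                 # default tx.inbound_anomaly_score_threshold
# Rules in these files only report the accumulated score; counting them again would double it.
EVALUATION_FILES = ("BLOCKING-EVALUATION", "CORRELATION")

BOUNDARY_RE = re.compile(r"^---(\w+)---([A-Z])--$")          # e.g. ---v3gm3tZj---H--
PART_A_RE = re.compile(r"^\[[^\]]*\]\s+(\S+)\s+(\S+)")        # "[timestamp] unique_id client_ip ..."
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')        # [id "941110"], [msg "..."], [severity "2"]


@dataclass
class Transaction:
    boundary: str
    unique_id: str = ""
    client: str = ""
    request_line: str = ""
    host: str = ""
    matches: list = field(default_factory=list)     # (rule id, msg, severity) of scoring rules
    verdicts: list = field(default_factory=list)    # msgs of the evaluation/correlation rules

    @property
    def score(self) -> int:
        return sum(SEVERITY_SCORE.get(sev, 0) for _, _, sev in self.matches)

    @property
    def would_block(self) -> bool:
        """What SecRuleEngine On would do with this request at the default threshold."""
        return self.score >= INBOUND_THRESHOLD


def split_parts(text: str) -> dict:
    """Group log lines by boundary token, then by part letter (A summary, B request, H trailer...)."""
    parts, boundary, part = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = BOUNDARY_RE.match(line)
        if m:
            boundary, part = m.groups()
            parts.setdefault(boundary, {}).setdefault(part, [])
        elif boundary and line:
            parts[boundary][part].append(line)
    return parts


def build_transaction(boundary: str, parts: dict) -> Transaction:
    tx = Transaction(boundary)
    if parts.get("A"):
        m = PART_A_RE.match(parts["A"][0])
        if m:
            tx.unique_id, tx.client = m.groups()
    if parts.get("B"):
        tx.request_line = parts["B"][0]
        for header in parts["B"][1:]:
            if header.lower().startswith("host:"):
                tx.host = header.split(":", 1)[1].strip()
    for line in parts.get("H", []):
        if not line.startswith("ModSecurity:"):
            continue
        tags = dict(TAG_RE.findall(line))
        entry = (tags.get("id", ""), tags.get("msg", ""), tags.get("severity", ""))
        if any(name in tags.get("file", "") for name in EVALUATION_FILES):
            tx.verdicts.append(entry[1])
        else:
            tx.matches.append(entry)
    return tx


def triage(text: str) -> list:
    """Parse a whole audit log into Transaction objects, in file order."""
    return [build_transaction(b, p) for b, p in split_parts(text).items()]


# Constructed sample: the XSS test from this post as seen in the follow-up /favicon.ico request,
# plus a plain request that only trips the numeric-Host rule.
SAMPLE_LOG = r"""
---a1b2c3d4---A--
[17/Apr/2018:15:33:12 +0800] 1523955192.000001 203.0.113.7 52712 192.0.2.10 80
---a1b2c3d4---B--
GET /favicon.ico HTTP/1.1
Host: 192.0.2.10
Referer: http://192.0.2.10/?a=%3Cscript%3Ealert(aa)%3C/script%3E
---a1b2c3d4---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `192.0.2.10' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(<script[^>]*>[\s\S]*?)' against variable `REQUEST_HEADERS:Referer' (Value: `http://192.0.2.10/?a=%3Cscript%3Ealert(aa)%3C/script%3E' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "2"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<[^\w<>]*script' against variable `REQUEST_HEADERS:Referer' (Value: `http://192.0.2.10/?a=%3Cscript%3Ealert(aa)%3C/script%3E' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [severity "2"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `13' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 13)"] [severity "2"]
---a1b2c3d4---Z--
---b9c8d7e6---A--
[17/Apr/2018:15:34:01 +0800] 1523955241.000002 203.0.113.7 52730 192.0.2.10 80
---b9c8d7e6---B--
GET / HTTP/1.1
Host: 192.0.2.10
---b9c8d7e6---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `192.0.2.10' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"]
---b9c8d7e6---Z--
"""

if __name__ == "__main__":
    # usage: python3 modsec_triage.py /var/log/modsec_audit.log   (no argument: run on the sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for tx in triage(text):
        print(f"{tx.unique_id} {tx.client} {tx.request_line} host={tx.host}")
        for rule_id, msg, sev in tx.matches:
            print(f"    {rule_id} +{SEVERITY_SCORE.get(sev, 0)}  {msg}")
        print(f"    score={tx.score} -> {'BLOCK' if tx.would_block else 'pass'} with SecRuleEngine On")
```

Run it against /var/log/modsec_audit.log while the engine is still in DetectionOnly: every transaction it reports as BLOCK is one that SecRuleEngine On would have rejected, so the list is exactly what to review for false positives before switching the engine on. The second sample transaction makes the point from the log above concrete: a bare-IP Host header alone scores 3, below the threshold, so it is logged but never blocked.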
For further ModSecurity configuration changes, see the ModSecurity configuration study article.