1. Preparation

System environment: CentOS 7.4

Software and versions:

nginx: OpenResty 1.13.6.1

ModSecurity: ModSecurity v3.0.0rc1 (Linux)

ModSecurity connector: ModSecurity-nginx v0.1.1-beta

Download the sources:

mkdir /opt/waf
cd /opt/waf
# download OpenResty
wget https://openresty.org/download/openresty-1.13.6.1.tar.gz
# download ModSecurity (if git is not installed yet: yum -y install git)
git clone https://github.com/SpiderLabs/ModSecurity.git
cd ModSecurity
git checkout v3.0.0
# clone the ModSecurity nginx connector (--depth needs a value; 1 is enough for a build)
cd /opt/waf
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

2. Installing dependencies

yum -y install libtool gcc gcc-c++ pcre-devel zlib-devel libxml2-devel libxslt-devel gd-devel perl perl-devel perl-ExtUtils-Embed GeoIP GeoIP-devel GeoIP-data libatomic_ops-devel

# OpenSSL from source (can be skipped if the system copy is sufficient)
mkdir -p /opt/tools
cd /opt/tools/
wget http://www.openssl.org/source/openssl-1.0.2f.tar.gz
tar -zxvf openssl-1.0.2f.tar.gz
cd openssl-1.0.2f
./config --prefix=/usr/local/openssl
make
make install

# GeoIP from source (should not be necessary: yum -y install GeoIP-devel already provides it; at the time the
# GeoIP shared library was most likely missing from the ModSecurity .so dependencies because configure was
# re-run without a make clean first)
cd /opt/tools/
mkdir GeoIP
cd GeoIP
wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP.tar.gz
tar -zxvf GeoIP.tar.gz
cd GeoIP-1.4.8/
./configure --prefix=/usr/local/GeoIP   # prefix chosen to match --with-geoip in step 3
make
make install

3. Building ModSecurity

cd /opt/waf/ModSecurity
git submodule init
git submodule update

If output like the following appears, the submodules were updated successfully.

./build.sh
# the --with-geoip argument can be dropped; if the final link fails, point it at your own source-built GeoIP
./configure --with-geoip=/usr/local/GeoIP
make
make install

Note: make may fail because of missing dependencies. Install the missing packages, run make clean, and then repeat the three steps (./configure, make, make install).

Check the result:

tree /usr/local/modsecurity/

4. Building OpenResty

cd /opt/waf
tar zxvf openresty-1.13.6.1.tar.gz
cd openresty-1.13.6.1
./configure --prefix=/usr/local/nginx --sbin-path=/usr/sbin/nginx --conf-path=/usr/local/nginx/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --with-luajit --with-http_gunzip_module --with-pcre --with-pcre-jit --with-http_perl_module --with-ld-opt="-Wl,-E" --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-select_module --with-poll_module --with-file-aio --with-http_degradation_module --with-libatomic --http-client-body-temp-path=/var/tmp/nginx/client_body --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --add-dynamic-module=/opt/waf/ModSecurity-nginx/ --with-openssl=/opt/tools/openssl-1.0.2f
make
make install

Notes:

1. The paths in --add-dynamic-module=/opt/waf/ModSecurity-nginx/ and --with-openssl=/opt/tools/openssl-1.0.2f are the ones used in this post; replace them with your own ModSecurity-nginx checkout and OpenSSL source directory (--with-openssl expects the unpacked source tree, not an install prefix).

2. make may fail because of missing dependencies. Install the missing packages, run make clean, and then repeat the three steps (./configure, make, make install).

5. Downloading the rules

cd /opt/waf
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
cp crs-setup.conf.example crs-setup.conf
cd rules
cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

6. Adding the OpenResty configuration

cd /usr/local/nginx/

Edit nginx.conf as follows:

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

# load the ModSecurity dynamic module
load_module /usr/local/nginx/nginx/modules/ngx_http_modsecurity_module.so;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #access_log  logs/host.access.log  main;

        # enable ModSecurity for this server
        modsecurity on;

        location / {
            # path to the ModSecurity configuration file
            modsecurity_rules_file /usr/local/nginx/modsecurity.conf;
            root   html;
            index  index.html index.htm;
        }

        location = /50x.html {
            root   html;
        }
    }
}

Add the ModSecurity configuration:

cp /opt/waf/ModSecurity/modsecurity.conf-recommended modsecurity.conf
vi modsecurity.conf

Append the following at the end of the file:

Include /opt/waf/owasp-modsecurity-crs/crs-setup.conf
Include /opt/waf/owasp-modsecurity-crs/rules/*.conf

Save the file.

Test the configuration:

nginx -t

This produced the following error:

nginx: the configuration file /usr/local/nginx/nginx.conf syntax is ok
nginx: [emerg] mkdir() "/var/tmp/nginx/client_body" failed (: No such file or directory)
nginx: configuration file /usr/local/nginx/nginx.conf test failed

The temp directories passed to configure do not exist yet, so create their parent:

mkdir /var/tmp/nginx

After that nginx -t passes.

Start nginx:

nginx

Testing

Follow the ModSecurity audit log:

tail -f /var/log/modsec_audit.log

Then open the following URL in a browser:

http://[your ip or hostname]/?a=<script>alert(aa)</script>

The log shows the following:

---v3gm3tZj---A--
[/Apr/::: +] 152395519294.104760 172.23.11.56 172.23.11.56
---v3gm3tZj---B--
GET /favicon.ico HTTP/1.1
Host: 172.23.26.157
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
---v3gm3tZj---D--
---v3gm3tZj---F--
HTTP/1.1
Server: openresty/1.13.6.1
Date: Tue, Apr :: GMT
Content-Length:
Content-Type: text/html
Connection: close
---v3gm3tZj---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `172.23.26.157' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST--PROTOCOL-ENFORCEMENT.conf"] [line ""] [id ""] [rev ""] [msg "Host header is a numeric IP address"] [data "172.23.26.157"] [severity ""] [ver "OWASP_CRS/3.0."] [maturity ""] [accuracy ""] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5."] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref "o0,13v32,"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)([<\xef\xbc\x9c]script[^>\xef\xbc\x9e]*[>\xef\xbc\x9e][\s\S]*?)' against variable `REQUEST_HEADERS:Referer' (Value: `http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST--APPLICATION-ATTACK-XSS.conf"] [line ""] [id ""] [rev ""] [msg "XSS Filter - Category : Script Tag Vector"] [data "Matched Data: <script> found within REQUEST_HEADERS:Referer: http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "4"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref "o24,8o24,8v230,58t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o (3246 characters omitted)' against variable `REQUEST_HEADERS:Referer' (Value: `http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST--APPLICATION-ATTACK-XSS.conf"] [line ""] [id ""] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within REQUEST_HEADERS:Referer: http://172.23.26.157/?a=%3Cscript%3Ealert(aa)%3C/script%3E"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref "o24,7o41,8v230,58t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `13' ) [file "/opt/waf/owasp-modsecurity-crs/rules/REQUEST--BLOCKING-EVALUATION.conf"] [line ""] [id ""] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: )"] [data ""] [severity ""] [ver ""] [maturity ""] [accuracy ""] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `13' ) [file "/opt/waf/owasp-modsecurity-crs/rules/RESPONSE--CORRELATION.conf"] [line ""] [id ""] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: - SQLI=,XSS=,RFI=,LFI=,RCE=,PHPI=,HTTP=,SESS=): NoScript XSS InjectionChecker: HTML Injection'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "172.23.11.56"] [uri "/favicon.ico"] [unique_id "152395519294.104760"] [ref ""]
---v3gm3tZj---I--
---v3gm3tZj---J--
---v3gm3tZj---Z--
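
An audit log like the one above is easier to triage with a small script. The following is an added example, not code from the original post: it walks a ModSecurity v3 serial audit log (the ---id---X-- section format shown above) and prints one line per transaction with the unique_id, the request URI, the rule ids that fired in section H, and the anomaly score against the threshold the CRS blocking-evaluation rule compared it with, so you can see what SecRuleEngine On would block. The sample log it writes is constructed for the example (the rule ids are CRS 3.0 ids, the unique_ids and addresses are made up).

```shell
# Constructed sample audit log in the page's format: one XSS probe, one clean request.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
---v3gm3tZj---A--
[13/Apr/2018:10:13:12 +0800] 152395519294.104760 172.23.11.56 51234 172.23.26.157 80
---v3gm3tZj---B--
GET /?a=%3Cscript%3Ealert(aa)%3C/script%3E HTTP/1.1
---v3gm3tZj---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `172.23.26.157' ) [id "920350"] [msg "Host header is a numeric IP address"] [severity "2"] [uri "/"] [unique_id "152395519294.104760"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<script' against variable `ARGS:a' (Value: `<script>alert(aa)</script>' ) [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "2"] [uri "/"] [unique_id "152395519294.104760"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `8' ) [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [uri "/"] [unique_id "152395519294.104760"]
---v3gm3tZj---Z--
---k9Qx2pLm---A--
[13/Apr/2018:10:13:20 +0800] 152395520001.000001 172.23.11.56 51235 172.23.26.157 80
---k9Qx2pLm---B--
GET /index.html HTTP/1.1
---k9Qx2pLm---Z--
EOF
}

# usage: summarize_audit_log /var/log/modsec_audit.log
# Prints: unique_id URI rules=<ids fired> score=<anomaly>/<threshold> BLOCK|pass
summarize_audit_log() {
    awk '
    function field(s, key) {                  # value of [key "..."], "" if absent
        if (!match(s, "\\[" key " \"[^\"]*\"\\]")) return ""
        return substr(s, RSTART + length(key) + 3, RLENGTH - length(key) - 5)
    }
    function flush() {
        if (uid == "") return
        v = (score != "-" && score + 0 >= thr + 0) ? "BLOCK" : "pass"
        printf "%s %s rules=%s score=%s/%s %s\n", uid, uri, ids, score, thr, v
    }
    /^---[A-Za-z0-9]+---[A-Z]--$/ {           # section boundary; A opens a transaction
        sec = substr($0, length($0) - 2, 1)
        if (sec == "A") { flush(); uid = ""; uri = "-"; ids = "-"; score = thr = "-" }
        next
    }
    sec == "A" && uid == "" { uid = $3 }      # "[date tz] unique_id src sport dst dport"
    sec == "B" && uri == "-" { uri = $2 }     # request line: METHOD URI VERSION
    sec == "H" && /^ModSecurity: (Warning|Access denied)/ {
        if ($0 ~ /TX:[A-Z_]*ANOMALY_SCORE/) { # CRS blocking rule: score Ge threshold
            if (match($0, /parameter `[0-9]+/)) thr = substr($0, RSTART + 11, RLENGTH - 11)
            if (match($0, /\(Value: `[0-9]+/)) score = substr($0, RSTART + 9, RLENGTH - 9)
        } else { id = field($0, "id"); ids = (ids == "-") ? id : ids "," id }
    }
    END { flush() }' "$1"
}
```

Run it as summarize_audit_log /var/log/modsec_audit.log; a score at or above the threshold on a transaction is exactly what will turn into a 403 once SecRuleEngine is switched to On.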

By default ModSecurity only detects and does not block. To block, edit the configuration and change

SecRuleEngine DetectionOnly

to

SecRuleEngine On

vi /usr/local/nginx/modsecurity.conf

The relevant lines in the file look like this:

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine DetectionOnly
#SecRuleEngine On

Reload nginx:

nginx -s reload

Test again: the request is now blocked.
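
The two manual edits to modsecurity.conf in this post (appending the CRS Include lines in step 6 and switching SecRuleEngine just above) can be scripted so that a re-run is harmless. This is an added helper, not part of the original post; the configuration excerpt it writes is a constructed fragment of modsecurity.conf-recommended, and the CRS directory is the /opt/waf path used in this post.

```shell
# Constructed excerpt of modsecurity.conf-recommended, used as test input.
write_sample_modsec_conf() {
    cat > "$1" <<'EOF'
# Enable ModSecurity, attaching it to every transaction.
SecRuleEngine DetectionOnly
#SecRuleEngine On
SecRequestBodyAccess On
EOF
}

# Print the active SecRuleEngine value (first uncommented directive).
active_rule_engine() { awk '/^SecRuleEngine /{ print $2; exit }' "$1"; }

# usage: configure_modsecurity CONF CRS_DIR MODE   (MODE is DetectionOnly, On or Off)
# Leaves exactly one active SecRuleEngine line and appends the two CRS Include
# lines only when they are not already present, so running it twice is safe.
configure_modsecurity() {
    conf=$1; crs=$2; mode=$3
    case "$mode" in
        DetectionOnly|On|Off) ;;
        *) echo "configure_modsecurity: invalid mode '$mode'" >&2; return 2 ;;
    esac
    grep -q '^#*SecRuleEngine ' "$conf" || { echo "$conf: no SecRuleEngine directive" >&2; return 1; }
    tmp="$conf.tmp.$$"
    awk -v mode="$mode" '
        /^#*SecRuleEngine / {   # first directive gets the mode, any others stay commented
            if (!done) { print "SecRuleEngine " mode; done = 1 } else print "#SecRuleEngine " $2
            next
        }
        { print }' "$conf" > "$tmp" && mv "$tmp" "$conf" || return 1
    for inc in "$crs/crs-setup.conf" "$crs/rules/*.conf"; do
        grep -qxF "Include $inc" "$conf" || printf 'Include %s\n' "$inc" >> "$conf"
    done
}
```

Run nginx -t after configure_modsecurity and before nginx -s reload, as in the steps above, since a typo in the Include path only surfaces when the rules are loaded.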

For further ModSecurity configuration changes, see the ModSecurity configuration study article.
