WAF stands for Web Application Firewall.
Recently we found someone hitting the company's site every day with fake orders (order brushing). ELK is genuinely good at this: it lets you spot such problems from several dimensions. So we are now looking at adding a WAF module to nginx. I found ModSecurity, a project maintained abroad, and below I describe how to install it.
1、Install the dependency rpm packages
yum -y install gcc gcc-c++ ncurses-devel libxml2-devel openssl-devel curl-devel libjpeg-devel libpng-devel autoconf pcre-devel libtool-libs freetype-devel gd zlib-devel zip unzip wget crontabs iptables file bison cmake patch mlocate flex diffutils automake make readline-devel glibc-devel glibc-static glib2-devel bzip2-devel gettext-devel libcap-devel logrotate ntp libmcrypt-devel GeoIP* gd-devel libxslt-devel libtool
2、Download ModSecurity and Nginx (the Tengine fork is used here)
cd /usr/src
wget http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
git clone https://github.com/SpiderLabs/ModSecurity.git modsecurity
Build ModSecurity as a standalone module
cd /usr/src/modsecurity/
./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
Now compile and install Tengine, adding the ModSecurity module
tar xfz tengine-2.1.0.tar.gz
cd tengine-2.1.0
./configure --with-debug --with-ipv6 --with-http_ssl_module --add-module=/usr/src/modsecurity/nginx/modsecurity
make && make install
Check the installed files
cd /usr/local/nginx/
ls -l
drwxr-xr-x 2 root root 4096 Mar 10 11:21 conf/
drwxr-xr-x 2 root root 4096 Mar 10 11:21 html/
drwxr-xr-x 2 root root 4096 Mar 10 11:21 logs/
drwxr-xr-x 2 root root 4096 Mar 10 11:21 sbin/
ln -s /usr/local/nginx/sbin/nginx /bin/nginx
Configure ModSecurity
cp /usr/src/modsecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
cp /usr/src/modsecurity/unicode.mapping /usr/local/nginx/conf/
cd /usr/local/nginx/conf/
vi modsecurity.conf
Change the following directives (line numbers refer to the recommended config file):
# line 7
SecRuleEngine On
# line 39
SecRequestBodyLimit 100000000
# line 192
SecAuditLogType Concurrent
#SecAuditLog /var/log/modsec_audit.log
# Specify the path for concurrent audit logging.
SecAuditLogStorageDir /usr/local/nginx/logs
Make sure the nginx service has write permission to the logs directory.
Configure the OWASP rules
cd /usr/src/
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs
cp -R base_rules/ /usr/local/nginx/conf/
Edit the modsecurity.conf configuration file
cd /usr/local/nginx/conf/
vi modsecurity.conf
#DefaultAction
SecDefaultAction "log,deny,phase:1"
#If you want to load a single rule file from /usr/local/nginx/conf
#Include base_rules/modsecurity_crs_41_sql_injection_attacks.conf
#Load all rules
Include base_rules/*.conf
#Disable rules by ID taken from the error log messages (for my wordpress)
SecRuleRemoveById 981172 981173 960032 960034 960017 960010 950117 981004 960015
Configure nginx.conf and include modsecurity.conf
location ~ \.php$ {
    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;
    root /var/www/html;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}
Reload the nginx service
nginx -s reload
Check the error log: ModSecurity has started successfully
2016/03/10 12:30:18 [notice] 3706#0: signal process started
2016/03/10 12:31:46 [notice] 3794#0: ModSecurity for nginx (STABLE)/2.8.0 (http://www.modsecurity.org/) configured.
2016/03/10 12:31:46 [notice] 3794#0: ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
2016/03/10 12:31:46 [notice] 3794#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2016/03/10 12:31:46 [notice] 3794#0: ModSecurity: LIBXML compiled version="2.7.6"
2016/03/10 12:31:46 [notice] 3794#0: ModSecurity: StatusEngine call: "2.8.0,ModSecurity Standalone,1.3.9/1.3.9,7.8/7.8 2008-09-05,(null),2.7.6,8707623d80eb7bec6055da659a5e03f88f4e4016"
2016/03/10 12:31:46 [notice] 3794#0: ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
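The SecRuleRemoveById list above was assembled by reading rule IDs out of the nginx error log by hand. The script below is an added example (not part of the original post or of ModSecurity) that does the same tuning step in a repeatable way: it parses the bracketed fields ModSecurity 2.x appends to each error-log event, counts how often each rule ID fires, and prints a candidate SecRuleRemoveById line for the IDs that hit repeatedly. The sample log lines are constructed and the threshold is an assumption; review each ID's msg, file and the requests that triggered it before silencing a rule.

```python
import re
from collections import Counter

# ModSecurity 2.x appends bracketed key/value fields to each nginx error-log
# entry, e.g. [id "960015"] [msg "Request Missing an Accept Header"].
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
EVENT_RE = re.compile(r'ModSecurity: (Warning|Access denied[^.]*)\.')


def parse_modsec_events(lines):
    """Return one dict of fields per ModSecurity rule event in the log lines."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # not a rule event (e.g. the startup notices shown above)
        fields = dict(FIELD_RE.findall(line[m.end():]))
        fields["action"] = "deny" if m.group(1).startswith("Access denied") else "warn"
        events.append(fields)
    return events


def rule_hit_counts(lines):
    """Count how often each rule id fired (id -> hits)."""
    return Counter(e["id"] for e in parse_modsec_events(lines) if "id" in e)


def suggest_remove_by_id(lines, min_hits=2):
    """Build a SecRuleRemoveById line for ids that fired at least min_hits
    times. Silencing a rule is a permanent exception, so keep the set small
    and confirm the matching requests were legitimate before using it."""
    counts = rule_hit_counts(lines)
    ids = sorted((i for i, n in counts.items() if n >= min_hits), key=int)
    return "SecRuleRemoveById " + " ".join(ids) if ids else ""


# Constructed sample log lines (hypothetical traffic, paths match this setup).
SAMPLE_LOG = [
    '2016/03/10 12:40:01 [notice] 3794#0: ModSecurity for nginx (STABLE)/2.8.0 configured.',
    '2016/03/10 12:40:05 [error] 3794#0: [client 192.0.2.10] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/nginx/conf/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [uri "/wp-admin/admin-ajax.php"]',
    '2016/03/10 12:40:09 [error] 3794#0: [client 192.0.2.11] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/nginx/conf/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [uri "/wp-login.php"]',
    '2016/03/10 12:41:30 [error] 3794#0: [client 192.0.2.12] ModSecurity: Access denied with code 403 (phase 2). Pattern match "foo" at ARGS:q. [file "/usr/local/nginx/conf/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981172"] [msg "Restricted SQL Character Anomaly Detection Alert"] [severity "WARNING"] [uri "/index.php"]',
]

if __name__ == "__main__":
    for rule_id, hits in rule_hit_counts(SAMPLE_LOG).most_common():
        print(rule_id, hits)
    print(suggest_remove_by_id(SAMPLE_LOG))  # SecRuleRemoveById 960015
```

Run it against the real error log (for example `tail -n 5000 /usr/local/nginx/logs/error.log`) once the WAF has seen normal traffic for a while; the "deny" events are the ones that may be blocking legitimate users and deserve the closest look.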
If you run into errors, see https://www.52os.net/articles/nginx-use-modsecurity-module-as-waf.html, which covers the process in quite some detail.
Date: 2024-10-26 06:51:36