How to install ModSecurity with Nginx

2018-11-22 16:45:00

本文不打算写安装过程,具体安装参考这里
安装环境: centos6.8

安装前准备,需要安装gcc4.8 和 更新autoconf,参考这里

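# Build prerequisites on CentOS 6.8: a newer autoconf (the stock one is too old
# for ModSecurity's configure.ac — see the m4 "bad expression in eval" error at
# the end of this post) and gcc 4.8 from the devtoolset-2 SCL.
#
# Paste these into a root shell rather than saving them as a script: the final
# `source` line only affects the shell it runs in and has to be repeated in
# every new session before building ModSecurity.

# ftp.gnu.org publishes a detached .sig next to each tarball; checking it with
# gpg before extracting is the only integrity check available for this
# download.
curl -L -O https://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.gz
tar zxf autoconf-2.69.tar.gz
cd autoconf-2.69
./configure
make && make install

# Not an autoconf dependency; presumably needed by the later ModSecurity/nginx
# build, so it is installed here up front.
yum install -y openssl-devel

# The .repo file is fetched over plain HTTP with no signature of its own: read
# it before installing from it and make sure gpgcheck stays enabled in it, so
# the packages themselves are still verified by yum.
wget http://people.centos.org/tru/devtools-2/devtools-2.repo -O /etc/yum.repos.d/devtools-2.repo
yum install -y devtoolset-2-gcc-c++ devtoolset-2-binutils

# Puts the devtoolset-2 gcc first in PATH for this shell only.
source /opt/rh/devtoolset-2/enable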

规则下载

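#!/usr/bin/env bash
# Fetch the OWASP Core Rule Set and stage the two exclusion-rule files.
#
# The clone is pinned to the release whose INSTALL this post references
# (owasp-modsecurity-crs-3.0.2). An unpinned clone of master pulls whatever
# the branch holds at the time of cloning, and the explicit Include list that
# is appended to modsecurity.conf later would not load any rule file that a
# newer checkout adds.
set -euo pipefail

conf_dir=/usr/local/openresty/nginx/conf

cd /opt
git clone --branch v3.0.2 https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/

# This copy under conf/ is the one nginx will load. Later edits to
# crs-setup.conf (SecDefaultAction and friends) must be made to this file,
# not to the .example left in the clone.
cp -- crs-setup.conf.example "$conf_dir/crs-setup.conf"

# CRS ships the exclusion files as .example; renaming them activates them.
cd rules
cp -- REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp -- RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf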

添加modsecurity配置

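#!/usr/bin/env bash
# Install the recommended ModSecurity config, the unicode mapping and the CRS
# rule files into the OpenResty conf tree.
#
# Run from the CRS "rules" directory (where the previous step left us), as a
# user that can write under /usr/local/openresty.
#
# Fixes in this version: the original `cp cp *.data ...` lines had a doubled
# `cp`, copied into an owasp/rules directory that was never created, and the
# closing `vi modsecurity.conf` opened a file in the rules directory instead
# of the copy that nginx actually loads.
set -euo pipefail

conf_dir=/usr/local/openresty/nginx/conf
rules_dir=$conf_dir/owasp/rules
modsec_src=/opt/ModSecurity

mkdir -p -- "$rules_dir"

# modsecurity.conf-recommended ships with SecRuleEngine DetectionOnly, i.e.
# log-only; blocking is switched on in a later step.
cp -- "$modsec_src/modsecurity.conf-recommended" "$conf_dir/modsecurity.conf"
cp -- "$modsec_src/unicode.mapping" "$conf_dir/unicode.mapping"

# Rule files and their data files (.data) must live side by side: the rules
# reference the data files by relative name.
cp -- *.data "$rules_dir"/
cp -- *.conf "$rules_dir"/

# Append the Include list shown below to the live modsecurity.conf.
"${EDITOR:-vi}" "$conf_dir/modsecurity.conf"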
在 modsecurity.conf 末尾添加以下内容:
# CRS wiring, appended to modsecurity.conf. Order matters: crs-setup.conf
# first (it defines the paranoia level, anomaly thresholds and default
# actions the rules rely on), then the BEFORE-CRS exclusions, then the rule
# files in numeric order, then the AFTER-CRS exclusions.
#
# This is an explicit enumeration, not a glob: a rule file that is present in
# owasp/rules but missing from this list is silently never loaded, so the list
# has to be kept in sync with the CRS checkout that was copied there.
Include /usr/local/openresty/nginx/conf/crs-setup.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/REQUEST-901-INITIALIZATION.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/REQUEST-910-IP-REPUTATION.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/REQUEST-912-DOS-PROTECTION.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/REQUEST-913-SCANNER-DETECTION.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
# 949 is where the anomaly score collected by the request rules above is
# compared with the threshold and the request is blocked (or not).
Include /usr/local/openresty/nginx/conf/owasp/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/RESPONSE-980-CORRELATION.conf
Include /usr/local/openresty/nginx/conf/owasp/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
# How to disable an individual rule by ID. A SecRuleRemoveById line must come
# after the Include that defines the rule, which is why these sit at the end.
# Prefer putting such tuning in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf,
# which exists for exactly this purpose and survives a CRS upgrade.
#SecRuleRemoveById 949110
#SecRuleRemoveById 920420
#SecRuleRemoveById 931100

默认只是检测,不拦截。建议先在 DetectionOnly 模式下观察一段时间审计日志、排除误报,再修改配置,将

SecRuleEngine DetectionOnly改为
SecRuleEngine On

编辑crs-setup.conf文件
默认ModSecurity不会阻挡恶意连接,只会记录在Log里。修改SecDefaultAction选项,默认开启阻挡。注意: CRS 3.x 默认采用 anomaly scoring 模式,拦截由 REQUEST-949/RESPONSE-959 这两条评估规则完成;把 SecDefaultAction 改为 deny 后,任意一条规则单独命中即拦截,误报会明显增多。

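#!/usr/bin/env bash
# Switch the CRS default action from log-only ("pass") to blocking
# ("deny,status:403") in crs-setup.conf.
#
# Fixes two problems with the original one-liners: GNU sed parses `-ie` as
# `-i` with the backup suffix "e", leaving a stray crs-setup.confe behind; and
# the edits were applied to whatever crs-setup.conf sat in the current
# directory, while nginx loads the copy under the OpenResty conf dir — so the
# live file was not the one being changed.
#
# Usage: enable-crs-blocking.sh [path/to/crs-setup.conf]
# Requires GNU sed (the case on CentOS); BSD sed spells in-place as `-i ''`.
set -euo pipefail

conf=${1:-/usr/local/openresty/nginx/conf/crs-setup.conf}
[[ -f "$conf" ]] || { printf 'crs-setup.conf not found: %s\n' "$conf" >&2; exit 1; }

# Comment out the two active "pass" defaults, then uncomment the "deny" ones.
# The comment prefix is matched as "#" plus optional whitespace so that both
# the "#SecDefaultAction" and "# SecDefaultAction" spellings are handled; the
# original used "#.*" for phase 1 and "# " for phase 2, which is inconsistent.
sed -i \
  -e 's/^SecDefaultAction "phase:1,log,auditlog,pass"/#&/' \
  -e 's/^SecDefaultAction "phase:2,log,auditlog,pass"/#&/' \
  -e 's/^#[[:space:]]*\(SecDefaultAction "phase:1,log,auditlog,deny,status:403"\)/\1/' \
  -e 's/^#[[:space:]]*\(SecDefaultAction "phase:2,log,auditlog,deny,status:403"\)/\1/' \
  -- "$conf"

# Sanity check: exactly one active deny default per phase is expected
# afterwards. grep -c exits 1 on zero matches, hence the `|| true`.
active=$(grep -c '^SecDefaultAction "phase:[12],log,auditlog,deny,status:403"' -- "$conf" || true)
if [[ "$active" != 2 ]]; then
  printf 'warning: expected 2 active deny SecDefaultAction lines in %s, found %s\n' "$conf" "$active" >&2
fi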

nginx中增加

# Enables the ModSecurity-nginx connector. In the http{} context this applies
# to every server; put the pair in a server{} or location{} block instead to
# limit the WAF to specific vhosts or paths.
modsecurity on;
# Main rules file; it Includes crs-setup.conf and the CRS rule files, so any
# syntax error in those is reported against this directive at startup.
modsecurity_rules_file /usr/local/openresty/nginx/conf/modsecurity.conf;

重启nginx

service nginx restart

打开modsecurity检测日志

tail -f /var/log/modsec_audit.log

测试Modsecurity

在浏览器中访问默认首页,会看到Nginx默认的欢迎页
这时我们在网址后面自己加上正常参数,例如: http://localhost/?id=1 。同样会看到Nginx默认的欢迎页:
接下来,我们在前面正常参数的基础上再加上 AND 1=1 ,整个请求变成: http://localhost/?id=1 AND 1=1
就会看到Nginx返回403 Forbidden的信息了,说明Modsecurity成功拦截了此请求。

出现的错误:

  1. 未更新autoconf,更新即可
    [root@localhost ModSecurity]# sh build.sh 
    libtoolize: putting auxiliary files in `.'.
    libtoolize: copying file `./ltmain.sh'
    libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `build'.
    libtoolize: copying file `build/libtool.m4'
    libtoolize: copying file `build/ltoptions.m4'
    libtoolize: copying file `build/ltsugar.m4'
    libtoolize: copying file `build/ltversion.m4'
    libtoolize: copying file `build/lt~obsolete.m4'
    /usr/bin/m4:configure.ac:209: bad expression in eval: m4_esyscmd_s(cat headers/modsecurity/modsecurity.h | grep "define MODSECURITY_MAJOR " | awk {'print '} | sed 's/\"//g') + m4_esyscmd_s(cat headers/modsecurity/modsecurity.h | grep "define MODSECURITY_MINOR " | awk {'print '} | sed 's/\"//g')
    autom4te: /usr/bin/m4 failed with exit status: 1
    aclocal: autom4te failed with exit status: 1
    autoreconf: aclocal failed with exit status: 1
    /usr/bin/m4:configure.ac:209: bad expression in eval: m4_esyscmd_s(cat headers/modsecurity/modsecurity.h | grep "define MODSECURITY_MAJOR " | awk {'print '} | sed 's/\"//g') + m4_esyscmd_s(cat headers/modsecurity/modsecurity.h | grep "define MODSECURITY_MINOR " | awk {'print '} | sed 's/\"//g')
    autom4te: /usr/bin/m4 failed with exit status: 1
    autoheader: '/usr/bin/autom4te' failed with exit status: 1
    /usr/bin/m4:configure.ac:209: bad expression in eval: m4_esyscmd_s(cat headers/modsecurity/modsecurity.h | grep "define MODSECURITY_MAJOR " | awk {'print '} | sed 's/\"//g') + m4_esyscmd_s(cat headers/modsecurity/modsecurity.h | grep "define MODSECURITY_MINOR " | awk {'print '} | sed 's/\"//g')
    autom4te: /usr/bin/m4 failed with exit status: 1
    automake: autoconf failed with exit status: 1
    /usr/bin/m4:configure.ac:209: bad expression in eval: m4_esyscmd_s(cat headers/modsecurity/modsecurity.h | grep "define MODSECURITY_MAJOR " | awk {'print '} | sed 's/\"//g') + m4_esyscmd_s(cat headers/modsecurity/modsecurity.h | grep "define MODSECURITY_MINOR " | awk {'print '} | sed 's/\"//g')
    autom4te: /usr/bin/m4 failed with exit status: 1

ref

Using the OWASP CRS with NGINX WAF
owasp-modsecurity-crs-3.0.2/INSTALL