
Nginx+Modsecurity 安全安装

高明辉
2023-12-01

一、安装nginx

Nginx 可以直接用 yum 安装,也可以下载源码编译安装。本文演示在 yum 安装之后,再为 Nginx 添加 ModSecurity 模块。

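# Install nginx-1.16.1 (a plain "yum install nginx", which gives 1.20.1, works too).
# Fetch the package over HTTPS and check its signature against the nginx
# signing key before installing: "rpm -ivh <url>" on its own only prints a
# NOKEY warning when the key has not been imported and installs anyway.
rpm_url=https://nginx.org/packages/centos/7/x86_64/RPMS/nginx-1.16.1-1.el7.ngx.x86_64.rpm
rpm_file=${rpm_url##*/}
rpm --import https://nginx.org/keys/nginx_signing.key
curl -fsSLO "$rpm_url"
rpm -K "$rpm_file" && rpm -ivh "$rpm_file"

# nginx is now installed; show its version
nginx -v

# "nginx -V" lists the modules the binary was built with. There is no
# modsecurity-nginx module yet, so the matching nginx source version has to be
# downloaded and nginx rebuilt with the module added (step three).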

二、下载nginx、modsecurity、modsecurity-nginx、modsecurity-crs

Nginx:  http://nginx.org/download/

Modsecurity: https://github.com/SpiderLabs/ModSecurity/releases/

Modsecurity-nginx: https://github.com/SpiderLabs/ModSecurity-nginx/releases

modsecurity-crs: https://github.com/SpiderLabs/owasp-modsecurity-crs/releases

三、安装

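# Base build dependencies (also needed when nginx itself is compiled); if
# configure later asks for something else, install it separately.
# - libxml2-dev is the Debian package name; on CentOS the headers are libxml2-devel.
# - yajl-devel is needed for the JSON audit log format enabled later
#   (SecAuditLogFormat JSON); on CentOS 7 it is provided by EPEL.
yum -y install libxml2 libxml2-devel libxslt-devel gd-devel perl-devel perl-ExtUtils-Embed GeoIP GeoIP-devel GeoIP-data gcc gcc-c++ autoconf automake zlib zlib-devel openssl-devel pcre-devel gperftools yajl-devel

yum groupinstall 'Development Tools' -y

# Install libmodsecurity
# Copy the downloaded release tarball to the server. Print its digest and
# compare it with the checksum published on the release page before unpacking.
sha256sum modsecurity-v3.0.4.tar.gz
tar zxvf modsecurity-v3.0.4.tar.gz
# Move the unpacked tree under /usr/local/ (recommended)
mv modsecurity-v3.0.4 /usr/local/
# Chain the steps so a failed configure or make does not fall through to the
# next one. make is the slow step.
cd /usr/local/modsecurity-v3.0.4 &&
  ./configure &&
  make -j"$(nproc)" &&
  make install &&
  cp modsecurity.conf-recommended /usr/local/modsecurity/modsecurity.conf &&
  cp unicode.mapping /usr/local/modsecurity/
# After the build, ModSecurity is installed under /usr/local/modsecurity/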

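# Unpack the ModSecurity-nginx connector and place it at
# /usr/local/modsecurity-nginx, the path the nginx configure line below
# refers to with --add-module=. The mv only runs when the unpack succeeded.
tar zxvf modsecurity-nginx-v1.0.2.tar.gz &&
  mv modsecurity-nginx-v1.0.2 /usr/local/modsecurity-nginx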

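# Rebuild nginx. First record the configure arguments of the installed binary.
# nginx -V writes them to stderr, so redirect that; keep the file, the
# configure line below must be built from it.
nginx -V 2>&1 | tee /root/nginx-V-before.txt
# Fetch the nginx source of the same version, back up the old nginx, then
# unpack and build the new one.
mv /etc/nginx /etc/nginx_bak
mv /usr/sbin/nginx /usr/sbin/nginx_bak
tar zxvf nginx-1.16.1.tar.gz
mv nginx-1.16.1 /etc/nginx
# NOTE: the source tree is placed at /etc/nginx, which is also --prefix and
# the directory of --conf-path below, so make install writes the stock
# nginx.conf next to the sources. The previous configuration stays in
# /etc/nginx_bak.
# Re-run configure with the recorded arguments and append
# --add-module=/usr/local/modsecurity-nginx after them. The arguments shown
# here are the ones from the 1.16.1 package; use your own nginx -V output if
# it differs. The chain stops at the first failing step.
cd /etc/nginx &&
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx \
  --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log \
  --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock \
  --http-client-body-temp-path=/var/cache/nginx/client_temp \
  --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
  --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
  --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
  --user=nginx --group=nginx --with-compat --with-file-aio --with-threads \
  --with-http_addition_module --with-http_auth_request_module --with-http_dav_module \
  --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module \
  --with-http_mp4_module --with-http_random_index_module --with-http_realip_module \
  --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module \
  --with-http_stub_status_module --with-http_sub_module --with-http_v2_module \
  --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module \
  --with-stream_ssl_module --with-stream_ssl_preread_module \
  --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' \
  --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' \
  --add-module=/usr/local/modsecurity-nginx &&
make -j"$(nproc)" &&
make install
# If nothing failed, --add-module=/usr/local/modsecurity-nginx now shows up
# in the configure arguments of the new binary
nginx -V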

四、添加modsecurity安全规则及配置modsecurity

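# Unpack the OWASP CRS release (check its digest against the release page
# the same way as the other tarballs) and place the rules plus the CRS
# setup file under /usr/local/modsecurity/. Every Include of a rule file
# further down must use these paths. The chain stops if the unpack or the
# cd fails, so the copies cannot run from the wrong directory.
sha256sum owasp-modsecurity-crs-3.1.1.tar.gz
tar zxvf owasp-modsecurity-crs-3.1.1.tar.gz &&
  cd owasp-modsecurity-crs-3.1.1 &&
  cp -r rules/ /usr/local/modsecurity/ &&
  cp crs-setup.conf.example /usr/local/modsecurity/crs-setup.conf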


# Edit the ModSecurity main configuration file
vim /usr/local/modsecurity/modsecurity.conf
# change DetectionOnly to On: the -recommended file ships in DetectionOnly
# (log only). Switching to On blocks requests, so do it once the rule set
# has been tuned against legitimate traffic.
SecRuleEngine On
# change ABIJDEFHZ to ABCDEFHZ: part C records the full request body in place
# of the compact I/J parts, so the audit log will contain submitted data such
# as credentials — restrict who can read it.
SecAuditLogParts ABCDEFHZ
# ModSecurity audit log. The file grows very large, so put it on a data disk
# (the directory has to be created by hand before nginx is started)
SecAuditLog /data/log/modsec_audit.log
# append the following 3 lines to the file
Include /usr/local/modsecurity/crs-setup.conf
# load every rule under rules/; a hand-picked subset can be loaded instead
Include /usr/local/modsecurity/rules/*.conf
# JSON audit log format is optional; it needs libmodsecurity built with yajl
# support, otherwise leave the default format
SecAuditLogFormat JSON 


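# ----- custom rule set -----
# Alternative to the wildcard "Include /usr/local/modsecurity/rules/*.conf":
# point modsecurity.conf at main.conf and choose the rule files there.
# crs-setup.conf must be included exactly once — it defines rules, and
# ModSecurity refuses to load the same rule id twice — so if modsecurity.conf
# already includes it, append only the main.conf line.
Include /usr/local/modsecurity/crs-setup.conf
Include /usr/local/modsecurity/main.conf
# Edit main.conf to select the rules needed
vim /usr/local/modsecurity/main.conf
# Client allow-list: switches the rule engine off for matching addresses.
# REMOTE_ADDR is the TCP peer address; behind a reverse proxy that is the
# proxy itself, so never allow-list the proxy address.
#SecRule REMOTE_ADDR "@ipMatch xx.xx.xx.xx" "id:1000,phase:1,pass,nolog,ctl:ruleEngine=Off"
# Rule files in use. The paths follow step four, which copied the CRS rules
# to /usr/local/modsecurity/rules/; /etc/nginx/modsecurity/rules/ is never
# created in this procedure.
# REQUEST-901 initialises the CRS variables and has to be loaded before any
# other rule file. REQUEST-949 is where the CRS makes the request-phase
# blocking decision; without it a request that scored as an attack is not
# denied until the response phase (RESPONSE-959), after the backend has
# already handled it.
include /usr/local/modsecurity/rules/REQUEST-901-INITIALIZATION.conf
#include /usr/local/modsecurity/rules/REQUEST-910-IP-REPUTATION.conf
#include /usr/local/modsecurity/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include /usr/local/modsecurity/rules/REQUEST-912-DOS-PROTECTION.conf
include /usr/local/modsecurity/rules/REQUEST-913-SCANNER-DETECTION.conf
include /usr/local/modsecurity/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
#include /usr/local/modsecurity/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include /usr/local/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
#include /usr/local/modsecurity/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
#include /usr/local/modsecurity/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
include /usr/local/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include /usr/local/modsecurity/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include /usr/local/modsecurity/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include /usr/local/modsecurity/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
include /usr/local/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include /usr/local/modsecurity/rules/RESPONSE-950-DATA-LEAKAGES.conf
include /usr/local/modsecurity/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include /usr/local/modsecurity/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
#include /usr/local/modsecurity/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
#include /usr/local/modsecurity/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include /usr/local/modsecurity/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include /usr/local/modsecurity/rules/RESPONSE-980-CORRELATION.conf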

五、引用启动modsecurity

# Configure nginx: reference ModSecurity either per virtual host (inside a
# server block) or for everything at once (inside the http block, as shown
# commented out below)
vim /etc/nginx/nginx.conf
    modsecurity on;  # comment out these two lines to run without ModSecurity
    modsecurity_rules_file /usr/local/modsecurity/modsecurity.conf;


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    # the two ModSecurity directives placed at http level; the rules file is
    # the modsecurity.conf edited in step four, which in turn includes the CRS
    #modsecurity on;
    #modsecurity_rules_file /usr/local/modsecurity/modsecurity.conf;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;
    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        include /etc/nginx/default.d/*.conf;


        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
    # (closing brace of the http block is not shown in this excerpt)

六、测试modsecurity

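# Start nginx
nginx

# Stop nginx
nginx -s stop

# Re-read the configuration. Validate it first: a syntax error in nginx.conf
# or in one of the ModSecurity rule files makes the reload fail, and
# nginx -t reports the offending file and line instead.
nginx -t && nginx -s reload

# After every ModSecurity change the nginx configuration must be re-read.

# Request the test URL from a browser, or from the shell; replace the host
# and port with your own. The page should come back with status 403.
curl -s -o /dev/null -w '%{http_code}\n' 'http://xx.xx.xx.xx:xx/login?id=1%20and%201=1'
# The audit log is the other way to confirm ModSecurity is loaded: the
# blocked request is written there.
tail -f /data/log/modsec_audit.log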
