Last time I tried deploying a WAF on a LAMP stack under Ubuntu; that article is here:

This time I went on to deploy ModSecurity in an LNMP environment, pairing it with Nginx to put a firewall layer in front of your web application.

The environment used for this walkthrough:

  • OS: CentOS Linux release 7.9.2009 (Core)
  • Kernel: 3.10.0-1160.11.1.el7.x86_64
  • Nginx (built from source): nginx version: nginx/1.19.6
  • MySQL (built from source): mysql Ver 14.14 Distrib 5.6.50
  • PHP (built from source): PHP 7.3.26

The tutorial follows.

Installation

Every command below is run as root.

1. Install the required dependencies

Some of these packages (lmdb-devel, ssdeep-devel) come from EPEL, so enable it first. GeoIP-devel is what gives libmodsecurity the @geoLookup operator used by the CRS IP-reputation rules (see step 8), and libxml2-devel lets it parse XML request bodies.

yum install -y epel-release
yum install -y git pcre pcre-devel openssl openssl-devel libtool libtool-ltdl-devel gcc gcc-c++ autoconf automake GeoIP GeoIP-devel libcurl libcurl-devel yajl yajl-devel lmdb-devel ssdeep-devel lua-devel libxml2 libxml2-devel unzip

2. Build and install the ModSecurity library (libmodsecurity)

git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout -b v3/master origin/v3/master   # the v3 (libmodsecurity) branch; it is also the repository's default branch
git submodule init                            # bundled sources such as libinjection live in submodules
git submodule update
sh build.sh                                   # generates the autotools configure script
./configure
make
make install                                  # installs under /usr/local/modsecurity by default

This takes a while; be patient. The ./configure summary lists which optional libraries were found (GeoIP/MaxMind, libxml2, ssdeep, Lua); the GeoIP line matters for the error described in step 8.

3. Build the dynamic module that connects Nginx to ModSecurity

This needs the source tree of the exact Nginx version you are running; download it from http://nginx.org/download/

Check the installed version, then download and unpack the matching source (if you built Nginx from source as in the earlier post and still have the tree, there is no need to download it again):

cd ~
/usr/local/nginx/sbin/nginx -V
# Mine prints "nginx version: nginx/1.19.6", so I fetch the 1.19.6 source. The same command also prints
# "configure arguments: ..."; if your Nginx was built from source, keep that line: the module must be built with the same options.

wget http://nginx.org/download/nginx-1.19.6.tar.gz
tar -zxvf nginx-1.19.6.tar.gz

Once the source is unpacked, continue:

cd ~
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git modsecurity-nginx
cd nginx-1.19.6

# These are my configure options; yours depend on how Nginx was installed. Take the "configure arguments:" line
# from nginx -V and append only --add-dynamic-module=../modsecurity-nginx. A module built with different options
# than the running binary is rejected at startup as "not binary compatible". (--with-ipv6 is deprecated since
# Nginx 1.11.5, IPv6 is always built in; the option only produces a warning.)
./configure --prefix=/usr/local/nginx --user=www --group=www --with-pcre \
 --with-http_v2_module --with-stream --with-stream_ssl_module \
 --with-stream_ssl_preread_module --with-http_stub_status_module \
 --with-http_ssl_module --with-http_image_filter_module --with-http_gzip_static_module \
 --with-http_gunzip_module --with-ipv6 --with-http_sub_module --with-http_flv_module \
 --with-http_addition_module --with-http_realip_module --with-http_mp4_module \
 --with-ld-opt=-Wl,-E --with-cc-opt=-Wno-error --with-http_dav_module \
 --add-dynamic-module=../modsecurity-nginx

make modules
make
make install

make modules builds only the module, objs/ngx_http_modsecurity_module.so. make followed by make install also rebuilds the nginx binary and replaces the one under /usr/local/nginx (the existing nginx.conf is left alone). If you prefer to keep the running binary untouched, stop after make modules and copy the .so into /usr/local/nginx/modules/ yourself.
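The configure line above is typed by hand, which is where version and option mismatches creep in. As an added example (not the post's own code), here is a script that pulls the configure arguments straight out of nginx -V, appends the connector, builds only the module and installs the .so, leaving the running binary in place. NGINX_BIN, NGINX_SRC and CONNECTOR_SRC are assumptions that match the paths used in this post, and the nginx -V sample embedded in it is constructed:

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the ModSecurity-nginx
# connector with exactly the configure arguments of the nginx binary that is
# running, and install only the resulting .so. Paths below are assumptions
# matching the post's /usr/local/nginx layout.

NGINX_BIN="${NGINX_BIN:-/usr/local/nginx/sbin/nginx}"
NGINX_SRC="${NGINX_SRC:-$HOME/nginx-1.19.6}"
CONNECTOR_SRC="${CONNECTOR_SRC:-$HOME/modsecurity-nginx}"

# Constructed sample of `nginx -V` output, so the parsing can be exercised offline.
SAMPLE_NGINX_V="nginx version: nginx/1.19.6
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=www --group=www --with-ld-opt=-Wl,-E --with-cc-opt='-O2 -g' --with-http_ssl_module"

# Print the "configure arguments:" line of `nginx -V` output read from stdin.
nginx_configure_args() {
    sed -n 's/^configure arguments: //p'
}

# Print the version token, e.g. "1.19.6", from `nginx -V` output read from stdin.
nginx_version() {
    sed -n 's/^nginx version: nginx\///p'
}

# Succeed if the argument list already pulls in the connector (avoid adding it twice).
has_connector() {
    case "$1" in
        *modsecurity-nginx*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build and install only the module; no `make install`, so the running binary is untouched.
build_connector() {
    vinfo=$("$NGINX_BIN" -V 2>&1)                 # nginx -V prints to stderr
    ver=$(printf '%s\n' "$vinfo" | nginx_version)
    args=$(printf '%s\n' "$vinfo" | nginx_configure_args)
    [ -n "$ver" ] || { echo "error: could not read version from $NGINX_BIN -V" >&2; return 1; }

    # The source tree must be the same release as the running binary.
    case "$NGINX_SRC" in
        *"$ver"*) ;;
        *) echo "error: running nginx is $ver but the source tree is $NGINX_SRC" >&2; return 1 ;;
    esac
    has_connector "$args" || args="$args --add-dynamic-module=$CONNECTOR_SRC"

    moddir=$(dirname "$NGINX_BIN")/../modules      # where "load_module modules/..." looks
    mkdir -p "$moddir"
    cd "$NGINX_SRC" || return 1
    # eval, because nginx -V prints the arguments shell-quoted (e.g. --with-cc-opt='-O2 -g').
    eval "./configure $args" &&
        make modules &&
        install -m 0644 objs/ngx_http_modsecurity_module.so "$moddir/" &&
        "$NGINX_BIN" -t        # once nginx.conf carries load_module, this proves the .so loads
}

# Usage: sh build-connector.sh build   (or "demo" to print the parsed sample arguments)
case "${1:-}" in
    build) build_connector ;;
    demo)  printf '%s\n' "$SAMPLE_NGINX_V" | nginx_configure_args ;;
esac
```

The version check refuses to build against a source tree that does not match the running binary, and the single-quoted options that nginx -V prints survive because the configure line is passed through eval rather than plain word splitting.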

4. Download the rule set and put it in the Nginx configuration directory

The OWASP Core Rule Set repository has since moved to https://github.com/coreruleset/coreruleset; the old URL below still redirects there. For production, check out a release tag rather than the branch head.

cd ~
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cp -a owasp-modsecurity-crs /usr/local/nginx/conf/
cd /usr/local/nginx/conf/owasp-modsecurity-crs
cp crs-setup.conf.example crs-setup.conf

# Switch from the CRS default (anomaly-scoring mode, SecDefaultAction "pass") to self-contained mode, where the
# first matching rule denies the request with 403. Note the spelling "sed -i -e": "sed -ie" is read as -i with the
# backup suffix "e" and leaves a stray crs-setup.confe behind.
sed -i -e 's/^SecDefaultAction "phase:1,log,auditlog,pass"/#&/' crs-setup.conf
sed -i -e 's/^SecDefaultAction "phase:2,log,auditlog,pass"/#&/' crs-setup.conf
sed -i -e 's/^# *SecDefaultAction "phase:1,log,auditlog,deny,status:403"/SecDefaultAction "phase:1,log,auditlog,deny,status:403"/' crs-setup.conf
sed -i -e 's/^# *SecDefaultAction "phase:2,log,auditlog,deny,status:403"/SecDefaultAction "phase:2,log,auditlog,deny,status:403"/' crs-setup.conf

This step is optional. In the default anomaly-scoring mode each matching rule only adds to a score and the blocking rule in REQUEST-949-BLOCKING-EVALUATION.conf denies once the score passes the threshold; that already blocks attacks once SecRuleEngine is On (step 5) and produces far fewer false positives than denying on every single match.

5. Put the ModSecurity configuration file in the Nginx configuration directory

cd ~/ModSecurity
cp modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf

vim /usr/local/nginx/conf/modsecurity.conf

# The recommended file ships with "SecRuleEngine DetectionOnly"; change that line to:
SecRuleEngine On

# modsecurity.conf references unicode.mapping (SecUnicodeMapFile) by relative path, so it has to sit next to it:
cp unicode.mapping /usr/local/nginx/conf/

On a site with real traffic, leave DetectionOnly in place for a while first and go through the audit log for rules hit by legitimate requests; switch to On only after those are tuned out.

6. Create modsec_includes.conf in the Nginx configuration directory

cd /usr/local/nginx/conf/owasp-modsecurity-crs
# The rules load their word lists (*.data) with pmFromFile by relative path; copying the lists next to nginx.conf
# makes sure they are found whichever directory the library resolves them against.
cp rules/*.data /usr/local/nginx/conf
vim /usr/local/nginx/conf/modsec_includes.conf

# Write the following (paths are relative to /usr/local/nginx/conf, where this file lives; absolute paths are the
# safer choice if you ever move things around):
include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/*.conf

7. Edit the Nginx configuration file nginx.conf

vim /usr/local/nginx/conf/nginx.conf

# Change the server block to:
server {
        listen       80;
        server_name  localhost;
        root   html;

        location / {
            # enable the firewall for this location
            modsecurity on;
            modsecurity_rules_file /usr/local/nginx/conf/modsec_includes.conf;
            index  index.html index.htm;
        }
...
}

# Then add the following load_module directive to the main context of /usr/local/nginx/conf/nginx.conf (top of the
# file, before events {}); with Nginx built with --prefix=/usr/local/nginx the module path is relative to that prefix:
load_module modules/ngx_http_modsecurity_module.so;

Note that "modsecurity on" inside location / protects that location only. On an LNMP site the application runs under location ~ \.php$, which the configuration above leaves uninspected; put the two modsecurity directives at server (or http) level instead so that every location inherits them.
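An added example, not the configuration from the original post: the same two directives moved up to the http block so that every server and location, including the PHP handler, is inspected, plus one location that opts out. Paths follow the /usr/local/nginx layout used here; the FastCGI socket path and the index.php front controller are assumptions.

```nginx
# Added example, not the original post's configuration: the two modsecurity
# directives moved up to the http block so that every server and location,
# including the PHP handler of an LNMP site, inherits them. Paths follow the
# post's /usr/local/nginx layout; the fastcgi socket path is an assumption.
load_module modules/ngx_http_modsecurity_module.so;   # main context, before events {}

events { worker_connections 1024; }

http {
    include       mime.types;
    default_type  application/octet-stream;

    # Inherited by every server {} and location {} below unless overridden.
    modsecurity on;
    modsecurity_rules_file /usr/local/nginx/conf/modsec_includes.conf;

    server {
        listen       80;
        server_name  localhost;
        root         html;
        index        index.php index.html index.htm;

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        # Inspected as well, because the directives come from http {}. With
        # "modsecurity on" only inside "location /", this block would be left
        # unprotected, and the PHP application with it.
        location ~ \.php$ {
            fastcgi_pass   unix:/tmp/php-cgi.sock;   # assumption: use your PHP-FPM socket or 127.0.0.1:9000
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }

        # Opt a trusted health-check endpoint out of inspection.
        location = /healthz {
            modsecurity off;
            return 200 "ok\n";
        }
    }
}
```

Because modsecurity_rules_file now sits in http {}, the rule set is compiled once and shared, and a location that must not be inspected says so explicitly with "modsecurity off" rather than being left out by accident.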

[screenshot: the load_module line added to nginx.conf]

8. Check that the configuration is valid

/usr/local/nginx/sbin/nginx -t

It should print "syntax is ok" and "test is successful".

If instead you get:

nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf. Line: 75. Column: 22. This version of ModSecurity was not compiled with GeoIP or MaxMind support. in /usr/local/nginx/vhost/0.default.conf:9
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

then libmodsecurity was built without GeoIP/MaxMind support, and REQUEST-910-IP-REPUTATION.conf uses the @geoLookup operator, which is a parse error rather than a runtime one. If you do not need country-based blocking for now, comment out lines 60-81 of /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf with #. The proper fix is to install GeoIP-devel (or libmaxminddb-devel), rebuild libmodsecurity (step 2) and confirm in the ./configure summary that GeoIP or MaxMind was found.

[screenshot: the commented-out @geoLookup rules]

9. Restart Nginx and test

# A reload (nginx -s reload) keeps the old master process, and with it the old binary; since make install replaced
# the binary and nginx.conf now loads a new module, do a full restart:
systemctl restart nginx
# without a systemd unit: /usr/local/nginx/sbin/nginx -s stop && /usr/local/nginx/sbin/nginx
curl 'localhost/?doc=/bin/ls'

[screenshot: the 403 response]

A 403 Forbidden response means the WAF is in place and blocking.
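One request is a thin test: it shows that something blocks, not that legitimate traffic still gets through. As an added example (not from the original post), a smoke test that sends several attack classes plus one benign control request and checks the status of each; the base URL and the probe payloads are my assumptions, not taken from the page:

```shell
#!/bin/sh
# Added example (not from the original post): smoke-test the WAF with several
# attack classes plus one benign control request. Every probe should come back
# 403; the control must NOT, or the rule set is blocking legitimate traffic.
# BASE_URL and the probe payloads are assumptions, not taken from the page.

BASE_URL="${BASE_URL:-http://localhost}"

# Probe table, one per line: expected status, label, request path.
probes() {
    printf '%s\t%s\t%s\n' \
        200 benign    '/?page=home' \
        403 lfi       '/?doc=/bin/ls' \
        403 traversal '/?file=../../../../etc/passwd' \
        403 sqli      '/?id=1%27%20OR%20%271%27%3D%271' \
        403 xss       '/?q=%3Cscript%3Ealert(1)%3C/script%3E' \
        403 rce       '/?cmd=%3Bcat%20/etc/passwd'
}

# HTTP status of a GET to $1; "000" when nothing answered (or curl is missing).
http_status() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1" 2>/dev/null) || true
    printf '%s\n' "${code:-000}"
}

# verdict EXPECTED ACTUAL -> PASS or FAIL (pure, so it is unit-testable).
verdict() {
    [ "$1" = "$2" ] && echo PASS || echo FAIL
}

# Run every probe; exit status = number of failures. The while loop runs in an
# explicit subshell so the counter survives the pipe on every POSIX shell.
run_probes() {
    probes | (
        failed=0
        tab=$(printf '\t')
        while IFS="$tab" read -r expected label path; do
            actual=$(http_status "$BASE_URL$path")
            result=$(verdict "$expected" "$actual")
            [ "$result" = PASS ] || failed=$((failed + 1))
            printf '%-4s %-10s expected %s, got %s  %s\n' "$result" "$label" "$expected" "$actual" "$path"
        done
        exit "$failed"
    )
}

# Usage: sh modsec-probe.sh http://localhost
if [ -n "${1:-}" ]; then
    BASE_URL=$1
    run_probes
fi
```

The exit code is the number of failed probes, so the script can sit in a deployment check. A FAIL on the benign line is the signal to go back to DetectionOnly and tune before anything else; a "got 000" means nothing answered at all, which is a restart problem rather than a rules problem.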

10. Check the audit log

tail /var/log/modsec_audit.log

# The path comes from SecAuditLog in modsecurity.conf. The recommended settings (SecAuditEngine RelevantOnly,
# SecAuditLogType Serial) write one record per 4xx/5xx transaction; section H holds the matched rules with their
# [id "..."] and [msg "..."] tags.

[screenshot: the audit log record for the blocked request]

The block was logged.
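tail shows the last record; what you want when tuning is which rules fire most. As an added example (not from the original post), a summary script for the serial-format audit log that counts transactions, denials and hits per rule id; the log excerpt embedded in it is constructed and abridged, not a real capture, and the [id "..."] / [msg "..."] tags it parses appear in nginx's error.log as well:

```shell
#!/bin/sh
# Added example (not from the original post): summarise the ModSecurity audit
# log. With the recommended modsecurity.conf the log is in serial (native)
# format: one record per transaction delimited by ---<id>---A-- ... ---<id>---Z--,
# with the rule matches in section H as [id "..."] [msg "..."] tags. The same
# tags appear in nginx's error.log, so rule_hits works on that file too.
# The embedded excerpt is constructed and abridged, not a real capture.

AUDIT_LOG="${AUDIT_LOG:-/var/log/modsec_audit.log}"

# Three denied requests plus one record from a DetectionOnly tuning run
# (rule logged, request not denied).
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
---k1Q2w3E4---A--
[21/Feb/2021:13:41:02 +0800] 161384886212.173245 127.0.0.1 52114 127.0.0.1 80
---k1Q2w3E4---B--
GET /?doc=/bin/ls HTTP/1.1
Host: localhost

---k1Q2w3E4---F--
HTTP/1.1 403

---k1Q2w3E4---H--
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator PmFromFile with parameter lfi-os-files.data against variable ARGS:doc" [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "99"] [id "930120"] [msg "OS File Access Attempt"] [severity "2"] [uri "/"] [unique_id "161384886212.173245"]
---k1Q2w3E4---Z--
---p9O8i7U6---A--
[21/Feb/2021:13:42:10 +0800] 161384893044.518201 127.0.0.1 52120 127.0.0.1 80
---p9O8i7U6---B--
GET /?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1
Host: localhost

---p9O8i7U6---F--
HTTP/1.1 403

---p9O8i7U6---H--
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator DetectSQLi against variable ARGS:id" [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/"] [unique_id "161384893044.518201"]
---p9O8i7U6---Z--
---z5X4c3V2---A--
[21/Feb/2021:13:43:55 +0800] 161384903577.902311 127.0.0.1 52131 127.0.0.1 80
---z5X4c3V2---B--
GET /?doc=/etc/passwd HTTP/1.1
Host: localhost

---z5X4c3V2---F--
HTTP/1.1 403

---z5X4c3V2---H--
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator PmFromFile with parameter lfi-os-files.data against variable ARGS:doc" [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "99"] [id "930120"] [msg "OS File Access Attempt"] [severity "2"] [uri "/"] [unique_id "161384903577.902311"]
---z5X4c3V2---Z--
---m3N2b1V0---A--
[21/Feb/2021:13:45:01 +0800] 161384910133.771640 127.0.0.1 52140 127.0.0.1 80
---m3N2b1V0---B--
GET /index.php HTTP/1.1
Host: 127.0.0.1

---m3N2b1V0---F--
HTTP/1.1 200

---m3N2b1V0---H--
ModSecurity: Warning. Matched "Operator Rx against variable REQUEST_HEADERS:Host" [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "734"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [uri "/index.php"] [unique_id "161384910133.771640"]
---m3N2b1V0---Z--
EOF
)

# Number of transaction records (each begins with a ---<id>---A-- line). Stdin.
transaction_count() {
    grep -c -e '---A--$' || true
}

# Number of transactions the engine denied. Stdin.
denied_count() {
    grep -c 'Access denied with code' || true
}

# "count<TAB>id<TAB>msg" per rule, most frequent first. Stdin.
rule_hits() {
    awk '
        match($0, /\[id "[0-9]+"\]/) {
            id = substr($0, RSTART + 5, RLENGTH - 7)
            msg = "-"
            if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
            hits[id "\t" msg]++
        }
        END { for (k in hits) print hits[k] "\t" k }
    ' | sort -rn -k1,1
}

# Summary of an audit log read from stdin.
report() {
    tmp=$(mktemp)
    cat > "$tmp"
    printf 'transactions logged: %s\n' "$(transaction_count < "$tmp")"
    printf 'requests denied:     %s\n' "$(denied_count < "$tmp")"
    printf 'rule hits (count, id, message):\n'
    rule_hits < "$tmp"
    rm -f "$tmp"
}

# Usage: sh modsec-audit-summary.sh demo   or   sh modsec-audit-summary.sh /var/log/modsec_audit.log
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | report
elif [ -n "${1:-}" ]; then
    report < "$1"
fi
```

Rules at the top of the list that were triggered by legitimate traffic are the tuning candidates: a SecRuleRemoveById in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, or a narrower exclusion for one parameter, rather than turning the engine back off.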

Article: "Installing a Web Application Firewall (ModSecurity) in an LNMP Environment" (LNMP环境安装部署WEB防火墙(Modsecurity))

Article link: https://www.isisy.com/1042.html

Unless otherwise noted, articles are original to 深度博客; when reposting, please credit the source and link to this article.
Last modification: February 21st, 2021 at 01:41 pm