1. Install ModSecurity
ModSecurity feature overview
SQL Injection (SQLi): blocks SQL injection
Cross Site Scripting (XSS): blocks cross-site scripting attacks
Local File Inclusion (LFI): blocks attacks exploiting local file inclusion vulnerabilities
Remote File Inclusion (RFI): blocks attacks exploiting remote file inclusion vulnerabilities
Remote Code Execution (RCE): blocks attacks exploiting remote command execution vulnerabilities
PHP Code Injection: blocks PHP code injection
HTTP Protocol Violations: blocks malicious requests that violate the HTTP protocol
HTTPoxy: blocks attacks exploiting the remote proxy poisoning (HTTPoxy) vulnerability
Shellshock: blocks attacks exploiting the Shellshock vulnerability
Session Fixation: blocks attacks exploiting session IDs that are never regenerated
Scanner Detection: blocks scanners probing the site
Metadata/Error Leakages: blocks leakage of source code and error messages
Project Honey Pot Blacklist: Project Honey Pot blacklist
GeoIP Country Blocking: blocks IP addresses based on the country they belong to
apt-get install libtool
cd modsecurity-v3.0.12
./build.sh
./configure
make -j 6 && make install
2. Add the ModSecurity-nginx module when compiling nginx
https://nginx.org/download/nginx-1.24.0.tar.gz
cd nginx-1.24.0
./configure --prefix=/opt/nginx --with-http_ssl_module --with-openssl=/root/openssl-3.0.13 --with-http_mp4_module --with-http_flv_module --add-module=/root/modsecurity-nginx-v1.0.3
make -j 6 && make install
3. Configure the ModSecurity security rules
Rule set download: https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz
mkdir -p /etc/nginx/modsec
cp /root/modsecurity-v3.0.12/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
cp /root/modsecurity-v3.0.12/unicode.mapping /etc/nginx/modsec/
cp coreruleset-4.0.0/crs-setup.conf.example /etc/nginx/modsec/crs-setup.conf
cp -r coreruleset-4.0.0/rules /etc/nginx/modsec/
cd /etc/nginx/modsec/rules/
mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
4. Edit nginx.conf
Add the following inside the http or server block (in the http block it applies globally; in a server block it applies only to that site):
server {
    listen 8123 ssl;
    server_name bbs.apollo-sun.online;
    ssl_certificate config.d/ssl/bbs.apollo-sun.online.cer;
    ssl_certificate_key config.d/ssl/bbs.apollo-sun.online.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Older nginx setups (e.g. 1.16) use these two directives instead of the two below
    # (nginx does not accept // comments; only one pair of directives may be active):
    # ModSecurityEnabled on;
    # ModSecurityConfig /etc/nginx/modsec/modsecurity.conf;

    # Newer nginx setups (e.g. 1.24 with ModSecurity-nginx v1.0.3):
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/modsecurity.conf;

    location / {
        root /data/database/webroot/bbs;
        index index.html index.php;
    }
    location ~ \.php$ {
        root /data/database/webroot/bbs;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    location /video/ {
        alias /data/database/video/;
        mp4;
        mp4_max_buffer_size 5m;
    }
}
5. Edit modsecurity.conf
Change SecRuleEngine DetectionOnly to SecRuleEngine On:
SecRuleEngine On
Also append the following at the end of the file:
Include /etc/nginx/modsec/crs-setup.conf
Include /etc/nginx/modsec/rules/*.conf
To record the audit log:
# Log everything we know about a transaction.
#SecAuditLogParts ABIJDEFHZ
SecAuditLogParts ABCDEFHZ
6. Rule test:
# A test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"
curl -D - "https://bbs.apollo-sun.online:8123/foo?testparam=thisisatestofmodsecurity"
HTTP/1.1 403 Forbidden
Server: nginx/1.24.0
Date: Wed, 06 Mar 2024 07:52:25 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>
/var/log/modsec_audit.log:
---882F3amP---A--
[06/Mar/2024:15:52:25 +0800] 170971154554.044799 192.168.23.1 44880 192.168.23.4 8123
---882F3amP---B--
GET /foo?testparam=thisisatestofmodsecurity HTTP/1.1
Host: bbs.apollo-sun.online:8123
User-Agent: curl/7.88.1
Accept: */*
---882F3amP---D--
---882F3amP---F--
HTTP/1.1 403
---882F3amP---H--
ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `thisisatestofmodsecurity' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "276"] [id "1234"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "192.168.23.4"] [uri "/foo"] [unique_id "170971154554.044799"] [ref "o7,4v19,24"]
---882F3amP---Z--
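To make the audit log usable for monitoring, here is an added example (not part of the original tutorial) that parses ModSecurity's native audit-log format written with SecAuditLogParts ABCDEFHZ and summarises every blocked transaction: client IP, request line, status code and the rule id that fired. The sample log is constructed from the transaction shown above; entries that only audit without denying are skipped.

```python
import re

# Constructed sample in ModSecurity's native audit-log format, modelled on the
# transaction shown above (part letters follow SecAuditLogParts ABCDEFHZ).
SAMPLE_AUDIT_LOG = """\
---882F3amP---A--
[06/Mar/2024:15:52:25 +0800] 170971154554.044799 192.168.23.1 44880 192.168.23.4 8123
---882F3amP---B--
GET /foo?testparam=thisisatestofmodsecurity HTTP/1.1
Host: bbs.apollo-sun.online:8123
---882F3amP---F--
HTTP/1.1 403
---882F3amP---H--
ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `thisisatestofmodsecurity' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "276"] [id "1234"] [msg ""] [severity "0"] [hostname "192.168.23.4"] [uri "/foo"] [unique_id "170971154554.044799"]
---882F3amP---Z--
"""
BOUNDARY = re.compile(r"^---(\w+)---([A-Z])--$")   # e.g. ---882F3amP---H--
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')           # e.g. [id "1234"]
DENIED = re.compile(r"Access denied with code (\d+)")

def parse_audit_log(text):
    """Return one summary dict per transaction that ModSecurity blocked."""
    txns = {}          # boundary id -> {part letter: [non-empty lines]}
    current = None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            tid, part = m.groups()
            current = txns.setdefault(tid, {}).setdefault(part, [])
        elif current is not None and line:
            current.append(line)
    denied = []
    for parts in txns.values():
        # Part A: "[timestamp tz] unique_id client_ip client_port server_ip server_port"
        a = (parts.get("A") or [""])[0].split()
        for msg in parts.get("H", []):
            hit = DENIED.search(msg)
            if not hit:
                continue           # audit-only entries (nothing blocked) are skipped
            tags = dict(TAG.findall(msg))
            denied.append({
                "timestamp": " ".join(a[:2]).strip("[]"),
                "client_ip": a[3] if len(a) > 3 else "",
                "request": (parts.get("B") or [""])[0],
                "status": int(hit.group(1)),
                "rule_id": tags.get("id", ""),
                "uri": tags.get("uri", ""),
            })
    return denied
```

Run it against /var/log/modsec_audit.log to get a quick per-rule and per-client view of what the WAF is blocking, which is the first check to make after switching SecRuleEngine from DetectionOnly to On.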