订阅本站
收藏本站
微博分享
QQ空间分享

Linux下Nginx服务器配置Modsecurity实现Web应用防护系统

alen 分类:其它防护软件 时间:2018/12/23 00:48:20 浏览: 评论: 加入收藏

操作系统:CentOS

Nginx安装目录:/usr/local/nginx

需求: 增加Modsecurity模块,实现Nginx服务器Web应用防护系统

开始操作:

一、安装ModSecurity

cd /usr/local/src

wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz #下载软件

yum install httpd-devel #modsecurity安装需要APXS包,APXS在httpd-devel中

cd /usr/local/src

tar zxvf modsecurity-2.9.1.tar.gz

cd modsecurity-2.9.1

./autogen.sh

./configure --enable-standalone-module --disable-mlogc

make

安装过程报错,提示没有pcre解决办法

yum install pcre pcre-devel

安装过程报错,提示没有libxml2解决办法

yum install libxml2 libxml2-devel

二、编译nginx并添加modsecurity模块

查看nginx编译参数:/usr/local/nginx/sbin/nginx -V

添加modsecurity模块重新编译nginx:

cd /usr/local/src/nginx-1.10.1

./configure --prefix=/usr/local/nginx --without-http_memcached_module --user=www --group=www --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-openssl=/usr/local/src/openssl-1.0.2j --with-zlib=/usr/local/src/zlib-1.2.8 --with-pcre=/usr/local/src/pcre-8.39 --add-module=/usr/local/src/modsecurity-2.9.1/nginx/modsecurity/

make

make install

三、下载OWASP规则

cd /usr/local/src

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /usr/local/nginx/conf #移动到nginx配置目录下

cd /usr/local/nginx/conf/owasp-modsecurity-crs

Linux下Nginx<a href=http://8u.hn.cn/linuxsev/ target=_blank class=infotextkey>服务器</a>配置Modsecurity实现Web应用防护系统

cp crs-setup.conf.example crs-setup.conf #拷贝模板配置文件

cd /usr/local/src/modsecurity-2.9.1

cp modsecurity.conf-recommended /usr/local/nginx/conf #拷贝配置文件

cp unicode.mapping /usr/local/nginx/conf #拷贝配置文件

mv /usr/local/nginx/conf/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf #重命名

vi /usr/local/nginx/conf/modsecurity.conf #修改添加

SecRuleEngine DetectionOnly #修改为SecRuleEngine On

#Include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf

#Include owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf

#Include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf

#Include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf

#Include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf

#Include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf

#Include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf

#Include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf

#Include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf

Include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf

Include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf

Include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf

Include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf

Include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf

#Include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf

#Include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf

Include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf

Include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf

Include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf

Include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf

Include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf

#Include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf

Include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf

Include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf

Include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf

:wq! #保存退出

四、配置nginx支持Modsecurity

在需要启用modsecurity的主机的location下面加入下面两行即可:

Linux下Nginx<a href=http://8u.hn.cn/linuxsev/ target=_blank class=infotextkey>服务器</a>配置Modsecurity实现Web应用防护系统

ModSecurityEnabled on;

ModSecurityConfig modsecurity.conf;

service nginx restart #重启nginx使配置生效

五、规则测试

可以写一个php页面进行测试

具体规则如下:

Linux下Nginx<a href=http://8u.hn.cn/linuxsev/ target=_blank class=infotextkey>服务器</a>配置Modsecurity实现Web应用防护系统

至此,Linux下Nginx服务器配置Modsecurity实现Web应用防护系统教程完成。

TAG:服务器安全   安全狗   Modsecurity

文章评论

留言与评论(共有 0 条评论)
   
验证码: