Installing ModSecurity for Nginx on Debian 11
Prerequisites
Nginx is already installed and working.
1. Install the dependencies
apt update
apt install make gcc build-essential autoconf automake libtool libfuzzy-dev ssdeep gettext pkg-config libcurl4-openssl-dev liblua5.3-dev libpcre3 libpcre3-dev libxml2 libxml2-dev libyajl-dev doxygen libcurl4 libgeoip-dev libssl-dev zlib1g-dev libxslt-dev liblmdb-dev libpcre++-dev libgd-dev
2. Download the Nginx source package matching the installed version
wget http://nginx.org/download/nginx-1.22.0.tar.gz
tar xvf nginx-1.22.0.tar.gz
3. Install the libmodsecurity3 library
apt install libmodsecurity3
4. Download ModSecurity
root@localhost:/home# git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /home/ModSecurity/
root@localhost:/home# cd /home/ModSecurity/
root@localhost:/home/ModSecurity/# git submodule init
root@localhost:/home/ModSecurity/# git submodule update
root@localhost:/home/ModSecurity/# ./build.sh
root@localhost:/home/ModSecurity/# ./configure
If it prints "fatal: No names found, cannot describe anything.", ignore it; the message is harmless.
root@localhost:/home/ModSecurity/# make -j4
root@localhost:/home/ModSecurity/# make install
5. Download and build the ModSecurity v3 Nginx connector
root@localhost:/home/# git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git /home/ModSecurity-nginx/
Change into the nginx source directory
root@localhost:/home/# cd /home/nginx-1.22.0/
root@localhost:/home/nginx-1.22.0# apt build-dep nginx
root@localhost:/home/nginx-1.22.0# apt install uuid-dev
root@localhost:/home/nginx-1.22.0# ./configure --with-compat --add-dynamic-module=/home/ModSecurity-nginx
root@localhost:/home/nginx-1.22.0# make modules
The module is written to objs/ngx_http_modsecurity_module.so. Copy it to the /usr/lib/nginx/modules/ directory:
root@localhost:/home/nginx-1.22.0# cp objs/ngx_http_modsecurity_module.so /usr/lib/nginx/modules/
6. Load the ModSecurity Nginx connector module
root@localhost:/# vi /etc/nginx/nginx.conf
Add the following line near the top of the file, in the main context outside the http block:
load_module modules/ngx_http_modsecurity_module.so;
Add the following lines inside the http {...} block. This enables ModSecurity for all Nginx virtual hosts.
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
Save and exit.
Create the ModSecurity configuration directory /etc/nginx/modsec/
mkdir /etc/nginx/modsec/
cp /home/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
Edit modsecurity.conf
vi /etc/nginx/modsec/modsecurity.conf
Change SecRuleEngine DetectionOnly to SecRuleEngine On
Next, create the file /etc/nginx/modsec/main.conf
vi /etc/nginx/modsec/main.conf
Paste the following line:
Include /etc/nginx/modsec/modsecurity.conf
Copy the Unicode mapping file into modsec
cp /home/ModSecurity/unicode.mapping /etc/nginx/modsec/
Test the Nginx configuration
nginx -t
7. Download the OWASP Core Rule Set
wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.tar.gz
tar xvf v3.3.0.tar.gz
mv coreruleset-3.3.0/ /etc/nginx/modsec/
mv /etc/nginx/modsec/coreruleset-3.3.0/crs-setup.conf.example /etc/nginx/modsec/coreruleset-3.3.0/crs-setup.conf
Edit main.conf
vi /etc/nginx/modsec/main.conf
Paste the following lines:
Include /etc/nginx/modsec/coreruleset-3.3.0/crs-setup.conf
Include /etc/nginx/modsec/coreruleset-3.3.0/rules/*.conf
main.conf should now look like this:
Include /etc/nginx/modsec/modsecurity.conf
Include /etc/nginx/modsec/coreruleset-3.3.0/crs-setup.conf
Include /etc/nginx/modsec/coreruleset-3.3.0/rules/*.conf
Restart nginx
systemctl restart nginx
8. Testing
vi /etc/nginx/modsec/modsecurity.conf
Paste the following line below SecRuleEngine On:
SecRule ARGS:testparam "@contains test" "id:254,deny,status:403,msg:'Test Successful'"
Like this:
# -- Rule engine initialization ----------------------------------------------
# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
#SecRuleEngine DetectionOnly
SecRuleEngine On
SecRule ARGS:testparam "@contains test" "id:254,deny,status:403,msg:'Test Successful'"
# -- Request body handling ---------------------------------------------------
# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
Restart nginx
systemctl restart nginx
curl http://server-ip/?testparam=test
You get a 403 'Forbidden' response.
Check /var/log/nginx/error.log; a line like the following means the installation succeeded:
[error] 2553377#2553377: *1 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `test' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "9"] [id "254"] [rev ""] [msg "Test Successful"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/"] [unique_id "165763662681.902416"] [ref "o0,4v16,4"], client: 127.0.0.1, server: localhost, request: "GET /?testparam=test HTTP/1.1", host: "localhost"
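As an added example (not part of the original post), the following shell snippet turns the manual log check above into reusable functions: it parses ModSecurity "Access denied" lines out of nginx's error.log into status, rule id, message, URI and client, tallies denials per rule for CRS tuning, and checks whether a given rule id fired. The sample log content is constructed; the 949110 entry (the real CRS anomaly-score blocking rule) uses made-up line number, unique_id and client values.

```shell
#!/bin/sh
# Constructed sample of nginx error.log content: the denial produced by the
# tutorial's test rule (id 254), a constructed CRS-style denial from rule
# 949110 (line number, unique_id and client are invented), and one
# unrelated notice line that must be ignored.
sample_log() {
  cat <<'EOF'
2022/07/12 20:37:06 [notice] 2553377#2553377: using the "epoll" event method
2022/07/12 20:37:06 [error] 2553377#2553377: *1 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `test' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "9"] [id "254"] [rev ""] [msg "Test Successful"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/"] [unique_id "165763662681.902416"] [ref "o0,4v16,4"], client: 127.0.0.1, server: localhost, request: "GET /?testparam=test HTTP/1.1", host: "localhost"
2022/07/12 20:38:10 [error] 2553377#2553377: *2 [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/login"] [unique_id "165763669012.118273"] [ref ""], client: 203.0.113.5, server: localhost, request: "POST /login HTTP/1.1", host: "example.test"
EOF
}

# Reduce every "Access denied" line read from stdin to: status|rule id|msg|uri|client.
# Notices and non-blocking warnings are dropped.
modsec_denials() {
  grep 'ModSecurity: Access denied' |
    sed -E 's/.*Access denied with code ([0-9]+).*\[id "([^"]*)"\].*\[msg "([^"]*)"\].*\[uri "([^"]*)"\].*, client: ([^,]+),.*/\1|\2|\3|\4|\5/'
}

# Denials per rule id and message, most frequent first: the view you want when
# tuning CRS false positives before leaving SecRuleEngine On in production.
modsec_top_rules() {
  modsec_denials | cut -d'|' -f2,3 | sort | uniq -c | sort -rn
}

# Succeed only if at least one denial carries the given rule id. After the
# curl check above, an automated version of the tutorial's test is:
#   tail -n 50 /var/log/nginx/error.log | modsec_rule_fired 254
modsec_rule_fired() {
  modsec_denials | cut -d'|' -f2 | grep -qx "$1"
}

# Stand-alone demo on the constructed sample.
sample_log | modsec_denials
sample_log | modsec_top_rules
```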