Building a WAF with ModSecurity + Nginx

Category: Server · Nginx · Published: 6 years ago


+++++++++++++++++++++++++++

os: centos7.2_64bit

modsecurity: 2.9.1

nginx: 1.10.3

by: chenb

at: 2017-03-22

+++++++++++++++++++++++++++

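ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security. It now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web security.

1. Install ModSecurity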

yum -y install httpd-devel pcre pcre-devel libxml2-devel libxml2
cd /home/tools
wget  https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz
tar zxvf modsecurity-2.9.1.tar.gz
cd modsecurity-2.9.1
./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

2. Compile nginx and add the modsecurity and nginx-sticky modules

cd /home/tools
unzip nginx-sticky-module-ng.zip
# After unpacking, rename the extracted directory to: nginx-goodies-nginx-sticky
 
groupadd nginx
useradd -r -g nginx -s /sbin/nologin -M nginx
 
cd /home/tools
tar zxvf nginx-1.10.3.tar.gz
cd nginx-1.10.3/
 
./configure \
--with-pcre \
--prefix=/usr/local/nginx \
--user=nginx  \
--group=nginx  \
--with-http_ssl_module \
--with-http_flv_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-http_realip_module \
--add-module=/home/tools/modsecurity-2.9.1/nginx/modsecurity \
--add-module=/home/tools/nginx-goodies-nginx-sticky
 
make && make install

3. Download the OWASP rules

cd /home/tools/
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
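mv owasp-modsecurity-crs  /usr/local/nginx/conf  # move it into the nginx configuration directory
cd /usr/local/nginx/conf/owasp-modsecurity-crs
cp crs-setup.conf.example  crs-setup.conf   # copy the template configuration file
cd /home/tools/modsecurity-2.9.1/
cp modsecurity.conf-recommended  /usr/local/nginx/conf  # copy the configuration file
cp unicode.mapping  /usr/local/nginx/conf  # copy the configuration file
mv /usr/local/nginx/conf/modsecurity.conf-recommended  /usr/local/nginx/conf/modsecurity.conf  # rename
vim /usr/local/nginx/conf/modsecurity.conf   # edit the file and add the lines below
SecRuleEngine DetectionOnly # change this to: SecRuleEngine On
Append the following at the end of the file:
# CRS v3 expects crs-setup.conf (copied above) to be loaded before any rule file
Include owasp-modsecurity-crs/crs-setup.conf
# REQUEST-901 sets the defaults that the rule files below rely on
Include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf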
#Include owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
#Include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
#Include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
#Include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
#Include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
#Include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
#Include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
#Include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
#Include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
#Include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
#Include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
:wq! # save and exit
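
A check for the Include list above, added here as an example (it is not part of the original article or of the ModSecurity/CRS projects). It reports when the engine is not `On`, when `crs-setup.conf` is not loaded before the rule files, when REQUEST-901 or REQUEST-949 is not active, or when rule files are loaded out of numeric order. It assumes CRS v3 file names and one explicit Include per file as on this page; `lint_modsecurity_conf`, `REQUIRED` and `SAMPLE_CONF` are names made up for the example, and the sample config is constructed.

```python
import re

# Constructed sample: tail of a modsecurity.conf laid out like the one above.
SAMPLE_CONF = """\
SecRuleEngine DetectionOnly
#Include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
"""

# Assumption: CRS v3 naming, e.g. REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
RULE_FILE = re.compile(r"(?:REQUEST|RESPONSE)-(\d+)(?:\.\d+)?-[\w-]+\.conf$")
REQUIRED = {901: "sets the CRS defaults", 949: "makes the inbound blocking decision"}


def lint_modsecurity_conf(text):
    """Return findings (strings) for the active, uncommented directives."""
    findings, engine, setup_at, rules = [], "unset", None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenise
        if len(parts) < 2:
            continue
        if parts[0] == "SecRuleEngine":
            engine = parts[1]                   # a later directive overrides
        elif parts[0] == "Include":
            name = parts[1].rsplit("/", 1)[-1]
            if name == "crs-setup.conf" and setup_at is None:
                setup_at = lineno
            match = RULE_FILE.search(name)
            if match:
                rules.append((lineno, int(match.group(1)), name))
    if engine != "On":
        findings.append(f"SecRuleEngine is {engine}: no request is blocked")
    if rules and (setup_at is None or setup_at > rules[0][0]):
        findings.append("crs-setup.conf is not included before the rule files")
    active = {number for _, number, _ in rules}
    for number, role in REQUIRED.items():
        if rules and number not in active:
            findings.append(f"REQUEST-{number} is not active; it {role}")
    for (_, a, prev), (lineno, b, name) in zip(rules, rules[1:]):
        if b < a:                               # rules run in load order
            findings.append(f"line {lineno}: {name} is loaded after {prev}")
    return findings


if __name__ == "__main__":
    for finding in lint_modsecurity_conf(SAMPLE_CONF):
        print("WARN", finding)
```

To check a real deployment, pass the contents of /usr/local/nginx/conf/modsecurity.conf to `lint_modsecurity_conf` before reloading nginx.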

4. Configure nginx to support ModSecurity

Add the following two lines inside the location block of each host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
location / {
            root   html;
            index  index.html index.htm;
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
}

At this point, the installation of the ModSecurity module with nginx is complete.

5. View the top ten IP addresses by connection count:

netstat -nt | awk '{print $5}' | awk -F: '{print ($1>$4?$1:$4)}' | \
sort | uniq -c | sort -nr | head -n 10
