Modsecurity 简介 ModSecurity是由Trustwave的SpiderLabs开发的开源、跨平台Web应用程序防火墙(WAF)。它具有强大的基于事件的规则语言,可针对Web应用程序提供一系列的攻击保护,并允许HTTP流量监控,日志记录和实时分析。ModSecurity 在全球拥有超过 10,000 个部署,是现存部署最广泛的 WAF。
Modsecurity 安装 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 yum install epel-release yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel bison cd /opt/git clone https://github.com/SpiderLabs/ModSecurity.git git checkout -b v3/master origin/v3/master sh build.sh git submodule init git submodule update ./configure make make install
编译安装nginx module 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 export MODSECURITY_INC="/opt/ModSecurity/headers/" export MODSECURITY_LIB="/opt/ModSecurity/src/.libs/" cd /opt/git clone https://github.com/SpiderLabs/ModSecurity-nginx.git wget http://nginx.org/download/nginx-1.9.2.tar.gz tar -xvzf nginx-1.9.2.tar.gz cd /opt/nginx-1.9.2./configure --with-compat --add-dynamic-module=../ModSecurity-nginx make modules cp objs/ngx_http_modsecurity_module.so /etc/nginx/modulesmkdir /etc/nginx/conf/modseccp ~/ModSecurity/unicode.mapping /etc/nginx/conf/modsec/cp ~/ModSecurity/modsecurity.conf-recommended /etc/nginx/conf/modsec/modsecurity.conf
在nginx.conf
引入模块
1 load_module modules/ngx_http_modsecurity_module.so;
配置OWASP ModSecurity Core Rule Set 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 cd /opt/wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.2.tar.gz tar -xvzf coreruleset-3.3.2.tar.gz cd coreruleset-3.3.2cp crs-setup.conf.example /etc/nginx/conf/modsec/crs-setup.confcp -rf rules /etc/nginx/conf/modsec/cd /etc/nginx/conf/modsec/rulescp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.confcp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
修改配置文件modsecurity.conf
1 2 3 4 5 SecRuleEngine DetectionOnly #修改为SecRuleEngine On 建议先设置为DetectionOnly,记录日志并设置白名单后再改为On # 在文件最后添加OWASP ModSecurity Core Rule Set include crs-setup.conf include rules/*.conf
修改nginx配置文件nginx.conf
1 2 modsecurity on; # 启动modsecurity,可以配置在: http, server, location modsecurity_rules_file /etc/nginx/conf/modsec/modsecurity.conf; # 规则地址,可以配置在: http, server, location
重启服务器
1 2 nginx -t service nginx restart
开启ddos防御功能 修改crs-setup.conf
配置文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 # 找到并修改这条规则;根据实际情况添加静态文件后缀名,ddos时会忽略静态文件 # File extensions considered static files. # Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters. # Used in DoS protection rule. See section "Anti-Automation / DoS Protection". # Default: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/ # Uncomment this rule to change the default. SecAction \ "id:900260,\ phase:1,\ nolog,\ pass,\ t:none,\ setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'" # 取消注释下面规则启动ddos防御。ID为900700的规则定义了CC攻击判定的一些参数,即如果在60秒内(tx.dos_burst_time_slice),IP地址的访问频率达到了100次(tx.dos_counter_threshold),就被判定为一次攻击嫌疑(但此时并不会将IP地址进行封禁,下方会解释),而一旦将IP地址封禁,600秒后(tx.dos_block_timeout)才会解封。 #规则会与REQUEST-912-DOS-PROTECTION.conf文件中的规则进行联动,只有出现两次连续的攻击嫌疑判定,才会将IP地址封禁,即,在第一个60秒内,IP地址的访问频率达到了100次时,以访问达到100次时的时间为开始进行计算,下一个60秒如果依然达到了100次的访问,则会将IP地址封禁600秒。 SecAction \ "id:900700,\ phase:1,\ nolog,\ pass,\ t:none,\ setvar:'tx.dos_burst_time_slice=60',\ setvar:'tx.dos_counter_threshold=100',\ setvar:'tx.dos_block_timeout=600'"
重启服务器,启动规则
1 2 nginx -t service nginx restart
配置基于声誉的IP黑名单拦截 配置基于Project Honeypot项目。
Project Honeypot是一个社区驱动的在线数据库,其中包含可疑垃圾邮件发送者或机器人的IP地址。每个 IP 地址都分配了一个介于 0 和 255 之间的威胁分数;数字越大,IP 地址越有可能是恶意的。
注册Project Honeypot 账号.
获取请求Project Honeypot项目的http:BL密钥 。
修改crs-setup.conf
配置文件
1 2 3 4 5 6 7 8 9 10 11 SecHttpBlKey 上一步获取的key SecAction "id:900500,\ phase:1,\ nolog,\ pass,\ t:none,\ setvar:tx.block_search_ip=0,\ setvar:tx.block_suspicious_ip=1,\ setvar:tx.block_harvester_ip=1,\ setvar:tx.block_spammer_ip=1" # 请注意,上面的示例中有设置允许搜索引擎访问 block_search_ip
重启服务器,启动规则
1 2 nginx -t service nginx restart
配置白名单解决误报
基本规则
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 # As a general rule: # ctl:ruleEngine -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS # ctl:ruleRemoveById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS # ctl:ruleRemoveByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS # ctl:ruleRemoveByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS # ctl:ruleRemoveTargetById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS # ctl:ruleRemoveTargetByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS # ctl:ruleRemoveTargetByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS # # SecRuleRemoveById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS # SecRuleRemoveByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS # SecRuleRemoveByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS # SecRuleUpdateActionById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS # SecRuleUpdateTargetById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS # SecRuleUpdateTargetByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS # SecRuleUpdateTargetByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
审计modsec_audit.log
获取误报信息
完全禁用某条规则(尽量少用)
1 2 # RESPONSE-999-EXCLUSION-RULES-AFTER-CRS 文件末尾添加 SecRuleRemoveById 942100
路径前缀禁用所有规则
1 2 3 4 5 6 SecRule REQUEST_URI "@beginsWith /hello.php" \ "id:10001,\ phase:1,\ pass,\ nolog,\ ctl:ruleEngine=Off"
根据访问路径前缀禁用某条规则
1 2 3 4 5 6 SecRule REQUEST_URI "@beginsWith /hello.php" \ "id:10002,\ phase:1,\ pass,\ nolog,\ ctl:ruleRemoveById=912170"
根据访问路径前缀在特定目标上禁用某条规则
1 2 3 4 5 6 SecRule REQUEST_URI "@beginsWith /hello.php" \ "id:10003,\ phase:1,\ pass,\ nolog,\ ctl:ruleRemoveTargetById=941310;ARGS:content"
(完)
参考:How to Use Project Honeypot with NGINX and ModSecurity 3.0
Using the OWASP CRS with the NGINX ModSecurity WAF
ModSecurity防CC攻击、防采集规则配置
Compilation recipes for v3.x