modsecurity原本是Apache上的一款開源waf,可以有效的增強web安全性,目前已經支持nginx和IIS,配合nginx的靈活和高效,可以打造成生產級的WAF,是保護和審覈web安全的利器。
git clone https://github.com/SpiderLabs/ModSecurity.git cd ModSecurity/ ./autogen.sh ./configure--enable-standalone-module --disable-mlogc make cd tengine/ ./configure--prefix=/usr/local/nginx --conf-path=/etc/nginx/nginx.conf--pid-path=/var/run/nginx/nginx.pid --error-log-path=/var/log/nginx/nginx.log--http-log-path=/var/log/nginx/nginx-http.log--add-module=/root/ngx_devel_kit-0.2.19/--add-module=/root/lua-nginx-module-0.9.13/--add-module=/root/ModSecurity/nginx/modsecurity/ --with-ld-opt="-Wl,-rpath,$LUAJIT_LIB" make
modsecurity傾向於過濾和阻止web危險,之所以強大就在於規則,OWASP提供的規則是於社區志願者維護的,被稱爲核心規則CRS(corerules),規則可靠強大,當然也可以自定義規則來滿足各種需求。
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs cp -R owasp-modsecurity-crs /etc/nginx/ cp /etc/nginx/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf.example /etc/nginx/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf cd ModSecurity/ cp modsecurity.conf-recommended /etc/nginx/modsecurity.conf cp unicode.mapping /etc/nginx vim modsecurity.conf SecRuleEngine on nclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf Includeowasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf Includeowasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf Includeowasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf Includeowasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
在需要啓用modsecurity的主機的location下面加入下面兩行即可:
ModSecurityEnabled on; ModSecurityConfig modsecurity.conf;
參考文章
http://www.52os.net/articles/nginx-use-modsecurity-module-as-waf.html
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614
http://drops.wooyun.org/tips/3804
http://drops.wooyun.org/tips/734
http://www.freebuf.com/articles/web/18084.html
http://www.freebuf.com/articles/web/16806.html