Notes on building ModSecurity and the OWASP Core Rule Set into nginx

1. Create the nginx user and install the build dependencies.

useradd -s /sbin/nologin -d /usr/local/nginx -M nginx
yum install -y gcc make automake autoconf libtool git
yum install -y pcre pcre-devel libxml2 libxml2-devel curl curl-devel httpd-devel
yum install -y openssl openssl-devel
yum install -y zlib zlib-devel

2. Build and install ModSecurity

cd /usr/local/src/
yum install git -y
git clone https://github.com/SpiderLabs/ModSecurity.git mod_security
cd mod_security/

./autogen.sh

Edit configure.ac and add the line AM_PROG_CC_C_O, then run autogen.sh again:

./autogen.sh


CFLAGS="-DDEFAULT_USER=\\\"nginx\\\" -DDEFAULT_GROUP=\\\"nginx\\\"" CPPFLAGS="-I/usr/include/apr-1 -I/usr/include/httpd" ./configure --disable-apache2-module --disable-mlogc --enable-standalone-module
make
make install

3. Build and install nginx with the ModSecurity module

cd /usr/local/src/
wget http://nginx.org/download/nginx-1.8.0.tar.gz
tar xzvf nginx-1.8.0.tar.gz
cd nginx-1.8.0
./configure --user=nginx --group=nginx --add-module=../mod_security/nginx/modsecurity --with-http_ssl_module --with-http_realip_module --with-cc-opt="-I/usr/include/apr-1 -I/usr/include/httpd" --with-ld-opt="-lapr-1 -laprutil-1"
make
make install

vi /etc/init.d/nginx    # paste in the init script listed at the end of these notes
chmod +x /etc/init.d/nginx
chkconfig --add nginx
chkconfig nginx on
chkconfig --list

4. Add the OWASP Core Rule Set (CRS)

cd /usr/local/etc/
mkdir modsecurity
cd modsecurity
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs crs

ln -s crs/base_rules/modsecurity_35_bad_robots.data .
ln -s crs/base_rules/modsecurity_40_generic_attacks.data .
ln -s crs/base_rules/modsecurity_35_scanners.data .
ln -s crs/base_rules/modsecurity_50_outbound.data .
ln -s crs/base_rules/modsecurity_50_outbound_malware.data .

cp /usr/local/src/mod_security/modsecurity.conf-recommended modsecurity.conf

5. Updating the rules

cd /usr/local/etc/modsecurity/crs
git pull
cd ..

cat crs/modsecurity_crs_10_setup.conf.example crs/base_rules/*.conf > modsecurity_crs.conf

Note: false positives

If this rule set is applied as-is, even the AWS ELB health checks fail to get through.
First set SecRuleEngine to DetectionOnly in modsecurity_crs.conf, then review the
/var/log/modsec_audit.log log file and adjust the rules based on what it records.
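As an added example (not part of the original notes), a small POSIX shell helper for the DetectionOnly tuning step: it summarises a serial-format modsec_audit.log by rule id and lists the request lines that triggered a given rule, which is what you need to decide on a rule exclusion before switching the engine back to On. The log embedded below is constructed sample data; its rule ids, messages and addresses are illustrative assumptions, not values from a real system.

```shell
#!/bin/sh
# Helper for the DetectionOnly tuning phase: summarise a ModSecurity serial
# audit log by rule id, then list which requests triggered a given rule.
# The log below is a constructed sample; its rule ids, messages and
# addresses are illustrative, not taken from a real system.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
--0a1b2c3d-A--
[23/Feb/2016:10:00:01 +0000] Vq1xyzAAAAA 10.0.0.5 54321 10.0.0.10 80
--0a1b2c3d-B--
GET /healthcheck HTTP/1.1
User-Agent: ELB-HealthChecker/1.0
--0a1b2c3d-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
--0a1b2c3e-A--
[23/Feb/2016:10:00:31 +0000] Vq1xyzBBBBB 10.0.0.5 54322 10.0.0.10 80
--0a1b2c3e-B--
GET /healthcheck HTTP/1.1
User-Agent: ELB-HealthChecker/1.0
--0a1b2c3e-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
--0a1b2c3f-A--
[23/Feb/2016:10:01:07 +0000] Vq1xyzCCCCC 203.0.113.9 40000 10.0.0.10 80
--0a1b2c3f-B--
GET /index.php?id=1%27%20OR%201=1 HTTP/1.1
Accept: */*
--0a1b2c3f-H--
Message: Warning. Pattern match "..." at ARGS:id. [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [severity "CRITICAL"]
EOF

# modsec_rule_hits LOG: one "count id msg" line per rule id, most frequent
# first, taken from the part-H "Message:" lines of the serial audit log.
modsec_rule_hits() {
    sed -n 's/^Message:.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' "$1" \
        | sort | uniq -c | sort -rn | awk '{ c = $1; $1 = ""; print c $0 }'
}

# modsec_requests_for_rule LOG ID: the request line (first line of part B) of
# every transaction in which rule ID fired, i.e. what an exclusion must cover.
modsec_requests_for_rule() {
    awk -v id="$2" '
        /^--[^-]+-B--$/ { want = 1; next }            # next line is the request line
        want            { req = $0; want = 0 }
        /^Message:/ && index($0, "[id \"" id "\"]") { print req }
    ' "$1"
}
modsec_rule_hits "$SAMPLE_LOG"
modsec_requests_for_rule "$SAMPLE_LOG" 960015
```

In production, point both functions at /var/log/modsec_audit.log instead of the sample file.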

nginx init script (/etc/init.d/nginx)

#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig:   - 85 15
# description:  Nginx is an HTTP(S) server, HTTP(S) reverse \
#               proxy and IMAP/POP3 proxy server
# processname: nginx

# Source function library.                                                                                                                                                 
. /etc/rc.d/init.d/functions

# Source networking configuration.                                                                                                                                         
. /etc/sysconfig/network

# Check that networking is up.                                                                                                                                             
[ "$NETWORKING" = "no" ] && exit 0

nginx="/usr/local/nginx/sbin/nginx"
prog=$(basename $nginx)

NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

lockfile=/usr/local/nginx/logs/nginx.lock

start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

restart() {
    configtest || return $?
    stop
    sleep 1
    start
}

reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    retval=$?
    echo
    return $retval
}

force_reload() {
    restart
}

configtest() {
  $nginx -t -c $NGINX_CONF_FILE
}

rh_status() {
    status $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart|configtest)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
    ;;
    condrestart|try-restart)
        rh_status_q || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
esac

References

http://qiita.com/albatross/items/5b9034c80f9c49519442
http://www.happytrap.jp/blogs/2012/02/23/8243/
https://www.modsecurity.org/ (official site)
https://github.com/SpiderLabs/owasp-modsecurity-crs (GitHub project page)
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project (OWASP ModSecurity Core Rule Set project page)
https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week–(Updated)-Exception-Handling/ (Trustwave SpiderLabs blog)
http://eterhost.net/knowledgebase.php?action=displayarticle&id=7 (knowledge base article)