Notes on adding ModSecurity and the OWASP Core Rule Set (CRS) to nginx.
The steps are for the ModSecurity 2.x source tree (its nginx standalone module lives under nginx/modsecurity and is compiled against the Apache APR/httpd headers), nginx 1.8.0, and a RHEL/CentOS 6 style system that uses yum and chkconfig.
1. Create the nginx user and install the build dependencies.
useradd -s /sbin/nologin -d /usr/local/nginx -M nginx
yum install -y gcc make automake autoconf libtool git
yum install -y pcre pcre-devel libxml2 libxml2-devel curl curl-devel httpd-devel
yum install -y openssl openssl-devel
yum install -y zlib zlib-devel
httpd-devel is what provides the APR and httpd headers that the standalone module is built against (the CPPFLAGS in step 2 point at them).
2. Build ModSecurity (standalone module only, no Apache module)
cd /usr/local/src/
git clone https://github.com/SpiderLabs/ModSecurity.git mod_security
cd mod_security/
The repository's master branch is now libmodsecurity v3, which has neither --enable-standalone-module nor the nginx/modsecurity connector used below; check out the 2.x line first (git checkout v2/master) to follow these steps as written.
./autogen.sh
If autogen.sh stops with an automake error about AM_PROG_CC_C_O (newer automake requires it), add the line
AM_PROG_CC_C_O
to configure.ac next to the other AC_/AM_ macros, then run it again:
./autogen.sh
CFLAGS="-DDEFAULT_USER=\\\"nginx\\\" -DDEFAULT_GROUP=\\\"nginx\\\"" CPPFLAGS="-I/usr/include/apr-1 -I/usr/include/httpd" ./configure --disable-apache2-module --disable-mlogc --enable-standalone-module
make
make install
DEFAULT_USER and DEFAULT_GROUP should match the user and group nginx is built with in step 3; --enable-standalone-module builds the Apache-independent core that the nginx module links against, and --disable-mlogc skips the remote audit-log shipper, which is not needed here.
3. Build nginx with the module
cd /usr/local/src/
wget http://nginx.org/download/nginx-1.8.0.tar.gz
tar xzvf nginx-1.8.0.tar.gz
cd nginx-1.8.0
./configure --user=nginx --group=nginx --add-module=../mod_security/nginx/modsecurity --with-http_ssl_module --with-http_realip_module --with-cc-opt="-I/usr/include/apr-1 -I/usr/include/httpd" --with-ld-opt="-lapr-1 -laprutil-1"
make
make install
--with-http_realip_module matters behind a load balancer such as ELB: with set_real_ip_from/real_ip_header configured, nginx logs and access rules see the client address from X-Forwarded-For instead of the balancer's.
Install the init script (the full script is at the end of these notes) and register it with chkconfig:
vi /etc/init.d/nginx
chmod +x /etc/init.d/nginx
chkconfig --add nginx
chkconfig nginx on
chkconfig --list
4. Add the CRS rules
cd /usr/local/etc/
mkdir modsecurity
cd modsecurity
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs crs
The base_rules/ layout below is the CRS 2.2.x tree; the repository's current master is CRS 3+ with a different layout, so check out a 2.2.x tag inside crs/ (for example git checkout v2.2.9) to follow these notes as written.
ln -s crs/base_rules/modsecurity_35_bad_robots.data .
ln -s crs/base_rules/modsecurity_40_generic_attacks.data .
ln -s crs/base_rules/modsecurity_35_scanners.data .
ln -s crs/base_rules/modsecurity_50_outbound.data .
ln -s crs/base_rules/modsecurity_50_outbound_malware.data .
cp /usr/local/src/mod_security/modsecurity.conf-recommended modsecurity.conf
The symlinks are needed because the base_rules .conf files reference these .data files by bare name (@pmFromFile), and ModSecurity resolves a relative file name against the directory of the configuration file being parsed, i.e. the directory where the merged modsecurity_crs.conf from step 5 lives.
5. Building and updating the rule set
cd /usr/local/etc/modsecurity/crs
git pull
cd ..
cat crs/modsecurity_crs_10_setup.conf.example crs/base_rules/*.conf > modsecurity_crs.conf
The same concatenation creates modsecurity_crs.conf the first time; rerun it after every git pull (or after checking out the next 2.2.x tag). Because the file is regenerated, keep local settings and exceptions in modsecurity.conf or in a separate file included after the CRS, never in modsecurity_crs.conf itself.
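The notes never show how modsecurity.conf, the merged CRS file and nginx.conf are connected. The script below is an added example (not part of the original note or of either project) that does that wiring for the paths the notes install into: /usr/local/etc/modsecurity for modsecurity.conf and modsecurity_crs.conf, /usr/local/nginx for conf/nginx.conf and sbin/nginx. The file names modsecurity_local.conf and modsecurity.nginx.conf are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original note: the configuration wiring the
# steps above leave out. Assumed paths are the ones the note installs into:
#   MODSEC_DIR = /usr/local/etc/modsecurity (modsecurity.conf, modsecurity_crs.conf)
#   NGINX_DIR  = /usr/local/nginx           (conf/nginx.conf, sbin/nginx)
# The file names modsecurity_local.conf and modsecurity.nginx.conf are my choice.
set -eu

MODSEC_DIR="${MODSEC_DIR:-/usr/local/etc/modsecurity}"
NGINX_DIR="${NGINX_DIR:-/usr/local/nginx}"

# Set SecRuleEngine in modsecurity.conf: DetectionOnly (the -recommended
# default) while tuning, On once the audit log is clean. The file is rewritten
# through a temp copy so the same command works with GNU and BSD sed.
set_rule_engine() {
    conf="$MODSEC_DIR/modsecurity.conf"
    sed "s/^SecRuleEngine .*/SecRuleEngine $1/" "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Append the Include lines once. modsecurity_crs.conf is regenerated by the
# "cat ... > modsecurity_crs.conf" step on every update, so local exceptions
# live in a separate file that is loaded after the CRS. Absolute paths avoid
# any dependency on a server root when the standalone module parses Include.
wire_includes() {
    conf="$MODSEC_DIR/modsecurity.conf"
    local_conf="$MODSEC_DIR/modsecurity_local.conf"
    [ -f "$local_conf" ] || printf '# local exceptions, loaded after the CRS\n' > "$local_conf"
    grep -q '^Include .*modsecurity_crs.conf' "$conf" && return 0
    printf '\nInclude %s/modsecurity_crs.conf\nInclude %s\n' \
        "$MODSEC_DIR" "$local_conf" >> "$conf"
}

# nginx side: the ModSecurity 2.x standalone module is enabled per server or
# location block with ModSecurityEnabled and ModSecurityConfig. Written as a
# snippet to be pulled in with "include modsecurity.nginx.conf;" inside the
# server {} block of nginx.conf (relative include paths resolve against the
# directory of nginx.conf).
write_nginx_snippet() {
    cat > "$NGINX_DIR/conf/modsecurity.nginx.conf" <<EOF
ModSecurityEnabled on;
ModSecurityConfig $MODSEC_DIR/modsecurity.conf;
EOF
}

# Validate before (re)starting: nginx -t parses nginx.conf and, through
# ModSecurityConfig, the ModSecurity rule files as well.
configtest() {
    "$NGINX_DIR/sbin/nginx" -t -c "$NGINX_DIR/conf/nginx.conf"
}

# Typical sequence on a fresh install:
#   set_rule_engine DetectionOnly && wire_includes && write_nginx_snippet && configtest
# and after the audit log has been tuned:
#   set_rule_engine On && configtest
```

Run the functions as root after step 5, then add `include modsecurity.nginx.conf;` to the server block in nginx.conf and run configtest before the first start; the same set_rule_engine call is the single switch from DetectionOnly to blocking later, so the engine mode never has to be edited by hand in a file that a rule update might overwrite.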
Note on false positives
Applied as-is, these rules flag even the AWS ELB health checks (the health checker sends a minimal request, typically without an Accept header, which the CRS protocol-sanity rules treat as anomalous).
So first leave SecRuleEngine at DetectionOnly, which is what modsecurity.conf already says when copied from modsecurity.conf-recommended (it is a setting for modsecurity.conf, not for the regenerated modsecurity_crs.conf),
then watch /var/log/modsec_audit.log (the default SecAuditLog path in that file) and tune the rules from what actually fires before switching the engine to On.
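Tuning from the audit log means finding out which rules fire most and on which requests. The script below is an added example, not part of the original note or of ModSecurity/CRS: it reads the Serial-format audit log that modsecurity.conf-recommended writes, ranks the rule ids found in the H (trailer) sections, lists the requests behind one rule id, and writes a scoped exception for the health-check endpoint. The log excerpt is constructed for this example (the rule ids and messages follow the CRS 2.2.x base_rules naming); the /healthcheck path, rule id 10001 and the exception file path are my own choices.

```shell
#!/bin/sh
# Added example, not from the original note: triage /var/log/modsec_audit.log
# (the Serial audit log written by modsecurity.conf-recommended). The sample
# log below is constructed; rule ids/messages follow CRS 2.2.x base_rules.

# Rank rule hits: prints "count|id|msg", most frequent first. Rule matches
# are the "Message:" lines in the H (trailer) section of each transaction.
modsec_top_rules() {
    grep '^Message: ' "$1" \
      | sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1|\2/p' \
      | sort | uniq -c | sort -rn \
      | sed 's/^ *\([0-9]*\) /\1|/'
}

# For one rule id, print "client_ip request_line" of every transaction in
# which it matched, walking the --id-A-- ... --id-Z-- section markers.
# The A section's first line is "[time] unique_id client_ip client_port ...".
modsec_rule_requests() {
    awk -v want="[id \"$2\"]" '
        /^--[0-9A-Za-z]+-A--$/ { sect = "A"; ip = ""; req = ""; hit = 0; next }
        /^--[0-9A-Za-z]+-B--$/ { sect = "B"; next }
        /^--[0-9A-Za-z]+-H--$/ { sect = "H"; next }
        /^--[0-9A-Za-z]+-Z--$/ { if (hit) print ip, req; sect = ""; next }
        /^--[0-9A-Za-z]+-[A-Z]--$/ { sect = "other"; next }
        sect == "A" && ip == ""  { ip = $4 }
        sect == "B" && req == "" { req = $0 }
        sect == "H" && index($0, want) > 0 { hit = 1 }
    ' "$1"
}

# Scoped exception for the noisiest hit. Match on the path, not on the
# User-Agent: anyone can send "User-Agent: ELB-HealthChecker/1.0", so a
# UA-based bypass would let an attacker switch the WAF off for any request.
# Rule id 10001 is my choice from the 1-99999 range reserved for local rules;
# the target file is an assumption (it must be Included after the CRS).
write_healthcheck_exception() {
    cat > "$1" <<'EOF'
# Skip inspection only for the load-balancer health-check endpoint.
SecRule REQUEST_URI "@streq /healthcheck" \
    "phase:1,id:10001,t:none,nolog,pass,ctl:ruleEngine=Off"
EOF
}

# Constructed sample: two ELB health checks (no Accept header) and one SQLi probe.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
--3f1a9b2c-A--
[23/Jun/2015:10:00:01 +0000] VYhlZ38AAQEAAFbiAB0AAAAA 10.0.0.5 43210 10.0.0.10 80
--3f1a9b2c-B--
GET /healthcheck HTTP/1.1
Host: 10.0.0.10
User-Agent: ELB-HealthChecker/1.0

--3f1a9b2c-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/etc/modsecurity/modsecurity_crs.conf"] [line "59"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"]
Engine-Mode: "DETECTION_ONLY"

--3f1a9b2c-Z--

--7d0e4c11-A--
[23/Jun/2015:10:00:31 +0000] VYhlZ38AAQEAAFbiAB0AAAAB 10.0.0.5 43222 10.0.0.10 80
--7d0e4c11-B--
GET /healthcheck HTTP/1.1
Host: 10.0.0.10
User-Agent: ELB-HealthChecker/1.0

--7d0e4c11-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/etc/modsecurity/modsecurity_crs.conf"] [line "59"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"]

--7d0e4c11-Z--

--a9b8c7d6-A--
[23/Jun/2015:10:01:07 +0000] VYhlZ38AAQEAAFbiAB0AAAAC 203.0.113.7 51000 10.0.0.10 80
--a9b8c7d6-B--
GET /item?id=1'%20OR%20'1'='1 HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept: */*

--a9b8c7d6-H--
Message: Warning. Pattern match "..." at ARGS:id. [file "/usr/local/etc/modsecurity/modsecurity_crs.conf"] [line "401"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1'='1 found within ARGS:id: 1' or '1'='1"] [severity "CRITICAL"]
Message: Warning. Pattern match "..." at ARGS:id. [file "/usr/local/etc/modsecurity/modsecurity_crs.conf"] [line "430"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [severity "WARNING"]

--a9b8c7d6-Z--
EOF
}
```

On a live box run `modsec_top_rules /var/log/modsec_audit.log` and then `modsec_rule_requests /var/log/modsec_audit.log 960015` for each id near the top: a rule that fires only on the health-check path from the balancer's address is a candidate for a path-scoped exception like the one written above, while a rule that fires on real user input (the SQLi probe here) is a true positive and stays. Prefer scoped exclusions (ctl:ruleRemoveById inside a SecRule that matches the path, or SecRuleUpdateTargetById for one noisy parameter) over a global SecRuleRemoveById, which removes the protection everywhere; the Trustwave exception-handling post in the references covers these directives.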
nginx init script (the file written to /etc/init.d/nginx in step 3)
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
#              proxy and IMAP/POP3 proxy server
# processname: nginx

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

nginx="/usr/local/nginx/sbin/nginx"
prog=$(basename $nginx)
NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"
lockfile=/usr/local/nginx/logs/nginx.lock

start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

# configtest runs first so a broken nginx.conf (or a broken ModSecurity
# config referenced from it) never takes the running instance down.
restart() {
    configtest || return $?
    stop
    sleep 1
    start
}

reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    RETVAL=$?
    echo
    return $RETVAL
}

force_reload() {
    restart
}

configtest() {
    $nginx -t -c $NGINX_CONF_FILE
}

rh_status() {
    status $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart|configtest)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        rh_status_q || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
esac
References
http://qiita.com/albatross/items/5b9034c80f9c49519442
http://www.happytrap.jp/blogs/2012/02/23/8243/
https://www.modsecurity.org/ (ModSecurity official site)
https://github.com/SpiderLabs/owasp-modsecurity-crs (OWASP CRS on GitHub)
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project (OWASP ModSecurity Core Rule Set project page)
https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week–(Updated)-Exception-Handling/ (Trustwave SpiderLabs blog: ModSecurity exception handling)
http://eterhost.net/knowledgebase.php?action=displayarticle&id=7 (knowledge base article)