Platform: CentOS7.x
编译并生成 nginx_modsecurity3 RPM 安装包
安装依赖
yum -y install epel-release
yum install -y git rpm-build gperftools-devel openssl-devel pcre-devel zlib-devel GeoIP-devel gd-devel perl-devel libxslt-devel perl-ExtUtils-Embed.noarch gcc gcc-c++ autoconf automake libtool
yum -y install yum-utils yajl yajl-devel libcurl libcurl-devel lmdb lmdb-devel ssdeep ssdeep-devel lua lua-devel
安装 nignx
yum -y install nginx
cd /root/
yumdownloader --source nginx
rpm -i nginx-1.16.1-1.el7.src.rpm
- 当前结果
[root@localhost ~]# ls -l
-rw-r--r--. 1 root root 1070280 10月 4 2019 nginx-1.16.1-1.el7.src.rpm
drwxr-xr-x. 4 root root 34 5月 19 14:41 rpmbuild
安装 libModSecurity
- 下载 modsecurity
cd /root/
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
- 安装 modsecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure --with-lmdb
ModSecurity - for Linux
Mandatory dependencies
+ libInjection ....v3.9.2-30-gbf234eb
+ SecLang tests ....c8cf2c5
Optional dependencies
+ GeoIP/MaxMind ....found
* (GeoIP) v1.5.0
-lGeoIP , -I/usr/include/
+ LibCURL ....found v7.29.0
-lcurl , -DWITH_CURL
+ YAJL ....found v2.0.4
-lyajl , -DWITH_YAJL
+ LMDB ....disabled
+ LibXML2 ....found v2.9.1
-lxml2 -lz -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
+ SSDEEP ....found
-lfuzzy -L/usr/lib64/, -DWITH_SSDEEP -I/usr/include
+ LUA ....found v501
-llua-5.1 -L/usr/lib64/, -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include
Other Options
+ Test Utilities ....enabled
+ SecDebugLog ....enabled
+ afl fuzzer ....disabled
+ library examples ....enabled
+ Building parser ....disabled
+ Treating pm operations as critical section ....disabled
make -j2
make install
当前结果
[root@localhost ~]# ls -l
drwxr-xr-x. 14 root root 4096 5月 19 15:01 ModSecurity
-rw-r--r--. 1 root root 1070280 10月 4 2019 nginx-1.16.1-1.el7.src.rpm
drwxr-xr-x. 4 root root 34 5月 19 14:41 rpmbuild
[root@localhost ~]# find . -name libmodsecurity.so*
./ModSecurity/src/.libs/libmodsecurity.so.3.0.4
./ModSecurity/src/.libs/libmodsecurity.so.3
./ModSecurity/src/.libs/libmodsecurity.so
[root@localhost ~]#
关联 nginx
- 下载 ModSecurity-nginx
cd /root/
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
当前结果
[root@localhost ~]# ls -l
drwxr-xr-x. 14 root root 4096 5月 19 15:01 ModSecurity
drwxr-xr-x. 6 root root 192 5月 19 15:14 ModSecurity-nginx
-rw-r--r--. 1 root root 1070280 10月 4 2019 nginx-1.16.1-1.el7.src.rpm
drwxr-xr-x. 5 root root 47 5月 19 15:30 rpmbuild
- 解压缩 nginx 源文件
cd /root/
tar zxf ./rpmbuild/SOURCES/nginx-1.16.1.tar.gz
当前结果
[root@localhost ~]# ls -l
drwxr-xr-x. 14 root root 4096 5月 19 15:01 ModSecurity
drwxr-xr-x. 6 root root 192 5月 19 15:14 ModSecurity-nginx
drwxr-xr-x. 9 1001 1001 186 5月 19 15:18 nginx-1.16.1
-rw-r--r--. 1 root root 1070280 10月 4 2019 nginx-1.16.1-1.el7.src.rpm
drwxr-xr-x. 5 root root 47 5月 19 15:30 rpmbuild
- 更新 nginx build string
cd /root/nginx-1.16.1/
nginx -V 2>&1 | grep 'configure arguments' | sed "s#configure arguments:#./configure --add-dynamic-module=../ModSecurity-nginx #g"
nginx -V 2>&1 | grep 'configure arguments' | sed "s#configure arguments:#./configure --add-dynamic-module=../ModSecurity-nginx #g" |bash
make modules
当前结果:
[root@localhost nginx-1.16.1]# find . -name *modsecurity*
./objs/ngx_http_modsecurity_module_modules.c
./objs/addon/src/ngx_http_modsecurity_module.o
./objs/addon/src/ngx_http_modsecurity_pre_access.o
./objs/addon/src/ngx_http_modsecurity_header_filter.o
./objs/addon/src/ngx_http_modsecurity_body_filter.o
./objs/addon/src/ngx_http_modsecurity_log.o
./objs/addon/src/ngx_http_modsecurity_rewrite.o
./objs/ngx_http_modsecurity_module_modules.o
./objs/ngx_http_modsecurity_module.so
[root@localhost nginx-1.16.1]#
- 将生成的 modsecurity 相关文件复制到 rpmbuild 中
cd /root/
mkdir -p ./rpmbuild/BUILD
find . -type f -iname 'libmodsecurity.so.3.*' -exec cp {} ./rpmbuild/BUILD \;
find . -type f -iname 'ngx_http_modsecurity_module.so' -exec cp {} ./rpmbuild/BUILD \;
当前结果:
[root@localhost ~]# ls rpmbuild/BUILD/ -l
总用量 43780
-rwxr-xr-x. 1 root root 44442616 5月 19 15:49 libmodsecurity.so.3.0.4
-rwxr-xr-x. 1 root root 384824 5月 19 15:49 ngx_http_modsecurity_module.so
[root@localhost ~]#
生成 rpm 安装包
vi /root/rpmbuild/SPECS/nginx-modsecurity.spec
Name: nginx-modsecurity3-centos7
Version: 3.0.4
Release: 1
Group: Applications/System
BuildArch: x86_64
Summary: modsecurity for nginx
License: GPL
%description
Brief description of software package.
Provides: libmodsecurity.so.3 nginx-modsecurity
%prep
%build
%install
mkdir -p %{buildroot}/opt/modsecurity
cp libmodsecurity.so.3.0.4 %buildroot/opt/modsecurity
cp ngx_http_modsecurity_module.so %buildroot/opt/modsecurity
%post
echo 'load_module "/usr/lib64/nginx/modules/ngx_http_modsecurity_module.so";' > /usr/share/nginx/modules/mod-modsecurity.conf
ln -sf /opt/modsecurity/ngx_http_modsecurity_module.so /usr/lib64/nginx/modules/ngx_http_modsecurity_module.so
cat > /etc/ld.so.conf.d/modsecurity.conf << EOF
/opt/modsecurity
EOF
ldconfig
%postun
rm -f /etc/ld.so.conf.d/modsecurity.conf
rm -f /usr/lib64/nginx/modules/ngx_http_modsecurity_module.so
rm -f /usr/share/nginx/modules/mod-modsecurity.conf
ldconfig
%clean
%files
/*
- 生成 rpm 安装包
cd /root/rpmbuild/SPECS
rpmbuild -ba nginx-modsecurity.spec
最终生成的文件(见附件):
[root@localhost x86_64]# ls /root/rpmbuild/RPMS/x86_64/
nginx-modsecurity3-centos7-3.0.4-1.x86_64.rpm
安装 nginx 和 nginx_modsecurity3
- 安装 nginx
yum -y install epel-release
yum -y install nginx-1.16.1
检查安装的 nginx 版本:
[root@localhost ~]# nginx -v
nginx version: nginx/1.16.1
- 安装依赖
yum -y install yajl lua lmdb ssdeep
下载
nginx-modsecurity3-centos7-3.0.4-1.x86_64.rpm安装
nginx-modsecurity3-centos7-3.0.4-1.x86_64.rpm
rpm -i nginx-modsecurity3-centos7-3.0.4-1.x86_64.rpm
结果检查:
[root@localhost /]# cd /usr/share/nginx/modules/
[root@localhost modules]# ls
mod-http-image-filter.conf mod-http-perl.conf mod-http-xslt-filter.conf mod-mail.conf mod-modsecurity.conf mod-stream.conf
[root@localhost modules]# more mod-modsecurity.conf
load_module "/usr/lib64/nginx/modules/ngx_http_modsecurity_module.so";
[root@localhost modules]# cd /usr/lib64/nginx/modules/
[root@localhost modules]# ls
ngx_http_image_filter_module.so ngx_http_modsecurity_module.so ngx_http_perl_module.so ngx_http_xslt_filter_module.so ngx_mail_module.so ngx_stream_module.so
配置 modsecurity
Client ----- Nginx & ModSecurity ---- DVWA
下载配置文件
- 下载 modsecurity.conf 配置文件
mkdir -p /etc/nginx/modsec
mkdir -p /etc/nginx/modsec/modsecurity
cd /etc/nginx/modsec/modsecurity/
wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended
mv modsecurity.conf-recommended modsecurity.conf
- 下载 unicode.mapping 文件
cd /etc/nginx/modsec/modsecurity/
wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/unicode.mapping
- 下载 OWASP CRS
cd /etc/nginx/modsec/modsecurity/
git clone --depth 1 -b v3.0/master https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd coreruleset/
mv crs-setup.conf.example crs-setup.conf
配置 modsecurity
- 开启引擎:
vi modesecurity.conf
# -- Rule engine initialization ----------------------------------------------
# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
# SecRuleEngine DetectionOnly
SecRuleEngine On
- 添加配置文件:
vi /etc/nginx/modsec/main.conf
include /etc/nginx/default.d/modsecurity/modsecurity.conf
include /etc/nginx/default.d/modsecurity/coreruleset/crs-setup.conf
include /etc/nginx/default.d/modsecurity/coreruleset/rules/*.conf
配置 nginx
- 配置 nginx.conf:
vi /etc/nginx/nginx.conf
server {
listen 80 default_server;
listen [::]:80 default_server;
# server_name $hostname;
# root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
# Load modsecurity configuration files.
modsecurity_rules_file /etc/nginx/modsec/main.conf;
location / {
# Enable modsecurity for this block.
modsecurity on;
# Add backend server.
proxy_pass http://183.169.1.12;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded_Proto $scheme;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
- 开启 nginx:
systemctl start nginx
测试
-
SQLi
SQLi - 访问日志:
tail -f /var/log/nginx/access.log
183.168.1.11 - - [20/May/2020:18:25:19 +0800] "GET /?a=1%27=%271 HTTP/1.1" 403 153 "-" "curl/7.58.0" "-"
- 错误日志:
tail -f /var/log/nginx/error.log
2020/05/20 18:25:19 [error] 2373#0: *25 [client 183.168.1.11] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOM
ALY_SCORE' (Value: `8' ) [file "/etc/nginx/modsec/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score
Exceeded (Total Score: 8)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [
tag "attack-generic"] [hostname "183.168.1.1"] [uri "/"] [unique_id "1589970319"] [ref ""], client: 183.168.1.11, server: , request: "GET /?a=1%27=%271 HTTP/1.1", host: "183.168.1.1
"
Reference:
https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x
https://github.com/coreruleset/coreruleset/blob/v3.3/dev/crs-setup.conf.example