首页 使用教程正文

CentOS下Apache+ModSecurity(3.0.3)安装教程及配置WAF规则文件

王子 使用教程 2019-12-22 12292 0

本文主要介绍ModSecurity v3.0.3在CentOS+Apache环境下的安装、WAF规则文件配置、以及防御效果的验证,因此对于Apache仅进行简单化安装。


注意,目前不建议在Apache环境下使用ModSecurity v3.0.3,ModSecurity与Apache的连接器(ModSecurity-apache connector)目前处于测试阶段,因此本文仅供阅读者进行研究测试,仅供熟悉ModSecurity v3.0.3在Apache下的安装步骤。生产环境请使用ModSecurity v2.9.3与Apache搭配使用,点击此处查看Apache+ModSecurity(2.9.3)安装教程


服务器操作系统:CentOS-7-x86_64-DVD-1810.iso


一、软件包上传

点此下载软件包合集,上传至服务器中/usr/local目录下后解压

二、安装相关依赖工具

yum install -y epel-release
yum install -y readline-devel curl-devel gcc gcc-c++ python-devel lua-devel doxygen perl yajl-devel GeoIP-devel lmdb-devel ssdeep-devel flex bison autoconf automake

三、创建相关安装目录

cd /usr/local
mkdir apr apr-util pcre apache libxml2

四、安装apr

cd /usr/local
tar -zxvf apr-1.5.2.tar.gz 
cd  apr-1.5.2
./configure --prefix=/usr/local/apr
#结尾会提示rm: cannot remove 'libtoolT': No such file or directory,无需处理
make
make install

五、安装apr-util

cd /usr/local
tar -zxvf apr-util-1.5.4.tar.gz
cd apr-util-1.5.4 
./configure --prefix=/usr/local/apr-util -with-apr=/usr/local/apr/bin/apr-1-config
make
make install

六、安装pcre

cd /usr/local
tar -zxvf pcre-8.43.tar.gz
cd pcre-8.43
./configure --prefix=/usr/local/pcre
make
make install
#中间会出现两次警告,不影响最终效果,因此暂不处理

七、安装libxml2

cd /usr/local
tar -zxvf libxml2-2.9.9.tar.gz
cd libxml2-2.9.9
./configure --prefix=/usr/local/libxml2
make
make install
#中间会出现一次警告,libtool: warning: relinking 'libxml2mod.la',不影响最终效果,因此暂不处理

八、安装Apache

cd /usr/local
tar -zxvf httpd-2.4.41.tar.gz
cd httpd-2.4.41
./configure --prefix=/usr/local/apache --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util/ --with-pcre=/usr/local/pcre
make
make install

修改httpd.conf配置文件,将"#ServerName www.example.com:80"改为"ServerName localhost:80"后启动Apache

/usr/local/apache/bin/apachectl start


九、测试效果

模拟攻击,测试未安装ModSecurity时的访问效果,访问URL为:http://服务器IP/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E

效果如下:

image.png


十、安装ModSecurity

#停止Apache
/usr/local/apache/bin/apachectl stop
cd /usr/local
tar -zxvf modsecurity-v3.0.3.tar.gz
cd modsecurity-v3.0.3
./configure
make
make install

运行config后的最终结果如下:

十一、安装ModSecurity-apache connector

cd /usr/local
tar -zxvf ModSecurity-apache.tar.gz
cd ModSecurity-apache
./autogen.sh
./configure --with-libmodsecurity=/usr/local/modsecurity/
make 
make install

运行autogen.sh脚本后会显示以下信息:


十二、最后配置

创建用于存放规则文件的文件夹,可以只创建到rules这一层,个人是由于其他自定义规则文件存在,所以默认规则额外创建了一个base文件夹

mkdir -p /usr/local/apache/conf/modsecurity/rules/base

复制ModSecurity配置文件

cp /usr/local/modsecurity-v3.0.3/modsecurity.conf-recommended /usr/local/apache/conf/modsecurity/modsecurity.conf


将owasp-modsecurity-crs解压后中的crs-setup.conf.example复制到/usr/local/apache/conf/modsecurity/下并重命名为crs-setup.conf

将owasp-modsecurity-crs解压后rules文件夹内的所有文件复制到/usr/local/apache/conf/modsecurity/rules/base下,同时修改REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example与RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example两个文件的文件名,将".example"删除,可将自己写的规则放置于此两个文件中

编辑httpd.conf,去掉#LoadModule unique_id_module modules/mod_unique_id.so前的注释符,并添加以下内容:

LoadModule security3_module modules/mod_security3.so
<IfModule security3_module>
    modsecurity on
    #modsecurity_rules_file指令目前无法匹配通配符,因此只能一个指令引用一个文件
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/modsecurity.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/crs-setup.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-901-INITIALIZATION.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-905-COMMON-EXCEPTIONS.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-910-IP-REPUTATION.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-911-METHOD-ENFORCEMENT.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-912-DOS-PROTECTION.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-913-SCANNER-DETECTION.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-921-PROTOCOL-ATTACK.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-930-APPLICATION-ATTACK-LFI.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-931-APPLICATION-ATTACK-RFI.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-932-APPLICATION-ATTACK-RCE.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-933-APPLICATION-ATTACK-PHP.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-941-APPLICATION-ATTACK-XSS.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/REQUEST-949-BLOCKING-EVALUATION.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/RESPONSE-950-DATA-LEAKAGES.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/RESPONSE-951-DATA-LEAKAGES-SQL.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/RESPONSE-953-DATA-LEAKAGES-PHP.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/RESPONSE-954-DATA-LEAKAGES-IIS.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/RESPONSE-959-BLOCKING-EVALUATION.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/RESPONSE-980-CORRELATION.conf
    modsecurity_rules_file /usr/local/apache/conf/modsecurity/rules/base/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
</IfModule>


编辑modsecurity.conf

SecRuleEngine DetectionOnly改为SecRuleEngine On,将SecUnicodeMapFile unicode.mapping 20127注释;


十三、重新启动Apache测试效果

/usr/local/apache/bin/apachectl start

再访问http://服务器IP/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E

此时显示效果为:

image.png

版权声明

本文仅代表作者观点,不代表本站立场。
本文系作者授权发表,未经许可,不得转载。