如何在CentOS 7,Debian 8和Ubuntu 16.04上安装Nginx的ModSecurity
ModSecurity是一个开放源码的Web应用程序防火墙(WAF)模块,非常适合各种网络攻击中的Apache,Nginx和IIS保护,以针对各种Web应用程序中的潜在漏洞
在本文中,我们将在CentOS 7,Debian 8和Ubuntu 16.04上安装和配置Nginx的ModSecurity。
先决条件
- 一个向上最新安装的CentOS 7,8的Debian,或Ubuntu 16.04 64位的。
- 登录为root。
步骤1:更新系统
按照本指南,将服务器的内核和软件包更新为最新的可用版本。
步骤2:安装依赖关系
在您可以成功编译Nginx和ModSecuriaty之前,需要安装多个软件包,如下所示。
a)在CentOS 7上:
yum groupinstall -y “Development Tools” yum install -y httpd httpd-devel pcre pcre-devel libxml2 libxml2-devel curl curl-devel openssl openssl-devel shutdown -r now
b)在Debian 8或Ubuntu 16.04上:
apt-get install -y git build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-dev libxml2-dev libcurl4-openssl-dev automake pkgconf
步骤3:编译ModSecurity
由于针对Nginx主分支的ModSecurity报告的几个不稳定性,现在正式建议尽可能使用最新版本的nginx_refactoring分支机构。
下载nginx_refactoring用于Nginx的ModSecurity分支:
cd /usr/src git clone -b nginx_refactoring https://github.com/SpiderLabs/ModSecurity.git
编译ModSecurity:
a)在CentOS 7上:
cd ModSecurity sed -i ‘/AC_PROG_CC/a\AM_PROG_CC_C_O’ configure.ac sed -i ‘1 i\AUTOMAKE_OPTIONS = subdir-objects’ Makefile.am ./autogen.sh ./configure –enable-standalone-module –disable-mlogc make
注意:上述两个sed命令用于在使用较新的automake版本时防止警告消息。
b)在Debian 8或Ubuntu 16.04上:
cd ModSecurity ./autogen.sh ./configure –enable-standalone-module –disable-mlogc make
##步骤4:编译Nginx
下载并取消存档在Nginx 1.10.3编写本文时Nginx的最新稳定版本:
cd /usr/src wget https://nginx.org/download/nginx-1.10.3.tar.gz tar -zxvf nginx-1.10.3.tar.gz && rm -f nginx-1.10.3.tar.gz
a)在CentOS 7上:
首先,您需要为Nginx 创建专门的用户nginx和专用组nginx:
groupadd -r nginx useradd -r -g nginx -s /sbin/nologin -M nginx
然后在启用ModSecurity和SSL模块的同时编译Nginx:
cd nginx-1.10.3/ ./configure –user=nginx –group=nginx –add-module=/usr/src/ModSecurity/nginx/modsecurity –with-http_ssl_module make make install
修改Nginx的默认用户:
sed -i “s/#user nobody;/user nginx nginx;/” /usr/local/nginx/conf/nginx.conf
b)在Debian 8或Ubuntu 16.04上:
首先,您应该使用现有的用户www-data和现有的组www-data。
然后在启用ModSecurity和SSL模块的同时编译Nginx:
cd nginx-1.10.3/ ./configure –user=www-data –group=www-data –add-module=/usr/src/ModSecurity/nginx/modsecurity –with-http_ssl_module make make install
修改Nginx的默认用户:
sed -i “s/#user nobody;/user www-data www-data;/” /usr/local/nginx/conf/nginx.conf
Nginx成功安装后,相关文件将位于:
nginx path prefix: “/usr/local/nginx” nginx binary file: “/usr/local/nginx/sbin/nginx” nginx modules path: “/usr/local/nginx/modules” nginx configuration prefix: “/usr/local/nginx/conf” nginx configuration file: “/usr/local/nginx/conf/nginx.conf” nginx pid file: “/usr/local/nginx/logs/nginx.pid” nginx error log file: “/usr/local/nginx/logs/error.log” nginx http access log file: “/usr/local/nginx/logs/access.log” nginx http client request body temporary files: “client_body_temp” nginx http proxy temporary files: “proxy_temp” nginx http fastcgi temporary files: “fastcgi_temp” nginx http uwsgi temporary files: “uwsgi_temp” nginx http scgi temporary files: “scgi_temp”
您可以使用以下方式测试安装:
/usr/local/nginx/sbin/nginx -t
如果没有问题,输出应该是:
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
为方便起见,您可以为Nginx设置一个systemd单元文件:
cat <<EOF>> /lib/systemd/system/nginx.service [Service] Type=forking ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf ExecReload=/usr/local/nginx/sbin/nginx -s reload KillStop=/usr/local/nginx/sbin/nginx -s stop KillMode=process Restart=on-failure RestartSec=42s PrivateTmp=true LimitNOFILE=200000 [Install] WantedBy=multi-user.target EOF
向前移动,您可以启动/停止/重新启动Nginx,如下所示:
systemctl start nginx.service systemctl stop nginx.service systemctl restart nginx.service
步骤4:配置ModSecurity和Nginx
4.1配置Nginx:
vi /usr/local/nginx/conf/nginx.conf
查找细分中的以下http {}细分:
location / { root html; index index.html index.htm; }
将以下行插入location / {}段:
ModSecurityEnabled on; ModSecurityConfig modsec_includes.conf; #proxy_pass http://localhost:8011; #proxy_read_timeout 180s;
最后的结果应该是:
location / { ModSecurityEnabled on; ModSecurityConfig modsec_includes.conf; #proxy_pass http://localhost:8011; #proxy_read_timeout 180s; root html; index index.html index.htm; }
保存并退出:
:wq!
注意:上面的Nginx配置只是使用Nginx作为Web服务器而不是反向代理的示例配置。如果您使用Nginx作为反向代理,请删除#最后两行中的字符并对其进行适当修改。
4.2创建一个文件名为/usr/local/nginx/conf/modsec_includes.conf:
cat <<EOF>> /usr/local/nginx/conf/modsec_includes.conf include modsecurity.conf include owasp-modsecurity-crs/crs-setup.conf include owasp-modsecurity-crs/rules/*.conf EOF
注意:上述配置将在owasp-modsecurity-crs/rules/目录中应用所有OWASP ModSecurity核心规则。如果要仅应用选择性规则,则应删除该include owasp-modsecurity-crs/rules/*.conf行,然后在步骤4.5之后指定所需的准确规则。
4.3导入ModSecurity配置文件:
cp /usr/src/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf cp /usr/src/ModSecurity/unicode.mapping /usr/local/nginx/conf/
4.4修改/usr/local/nginx/conf/modsecurity.conf文件:
sed -i “s/SecRuleEngine DetectionOnly/SecRuleEngine On/” /usr/local/nginx/conf/modsecurity.conf
4.5添加OWASP ModSecurity CRS(核心规则集)文件:
cd /usr/local/nginx/conf git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git cd owasp-modsecurity-crs mv crs-setup.conf.example crs-setup.conf cd rules mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
步骤5:测试ModSecurity
开始Nginx:
systemctl start nginx.service
打开端口80以允许外部访问:
a)在CentOS 7上:
firewall-cmd –zone=public –permanent –add-service=http firewall-cmd –reload
b)Debian 8:
iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp –dport 80 -j ACCEPT iptables -A INPUT -p tcp –dport 22 -j ACCEPT iptables -A INPUT -p icmp –icmp-type echo-request -j ACCEPT iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP touch /etc/iptables iptables-save > /etc/iptables
c)在Ubuntu 16.04:
ufw allow OpenSSH ufw allow 80 ufw default deny ufw enable
将您的网页浏览器指向:
http://203.0.113.1/?param=”><script>alert(1);</script>
使用grep如下获取错误信息:
grep error /usr/local/nginx/logs/error.log
输出应包含几个类似于以下的错误消息:
2017/02/15 14:07:54 [error] 10776#0: [client 104.20.23.240] ModSecurity: Warning. detected XSS using libinjection. [file “/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf”] [line “56”] [id “941100”] [rev “2”] [msg “XSS Attack Detected via libinjection”] [data “Matched Data: found within ARGS:param: \x22><script>alert(1);</script>”] [severity “CRITICAL”] [ver “OWASP_CRS/3.0.0”] [maturity “1”] [accuracy “9”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-xss”] [tag “OWASP_CRS/WEB_ATTACK/XSS”] [tag “WASCTC/WASC-8”] [tag “WASCTC/WASC-22”] [tag “OWASP_TOP_10/A3”] [tag “OWASP_AppSensor/IE1”] [tag “CAPEC-242”] [hostname “”] [uri “/index.html”] [unique_id “ATAcAcAkucAchGAcPLAcAcAY”]
而已。如您所见,ModSecurity模块已经按照其默认的操作策略成功记录了此攻击。如果要进行更多自定义设置,请仔细阅读并编辑/usr/local/nginx/conf/modsecurity.conf和/usr/local/nginx/conf/owasp-modsecurity-crs/crs-setup.conf文件。
