Last time I wrote a post on WAFs (deploying and configuring an application-level firewall, a WAF, on Nginx); this time I will introduce a WAF product from abroad: ModSecurity, built as a standalone module into nginx, with the OWASP Core Rule Set (CRS) v3 on top.
Build the dependencies, then ModSecurity 2.9.1 as a standalone module, and finally nginx with the module compiled in. httpd is built only so that the ModSecurity configure script gets an apxs to query; it never runs. The install steps (make && make install) that the later --with-* paths depend on are spelled out here:

```
[root@WEB ~]# yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel expat-devel
[root@WEB ~]# cd /byrd/tools/
[root@WEB tools]# wget http://archive.apache.org/dist/apr/apr-util-1.5.4.tar.gz
[root@WEB tools]# wget http://archive.apache.org/dist/apr/apr-1.5.2.tar.gz
[root@WEB tools]# wget http://archive.apache.org/dist/httpd/httpd-2.4.20.tar.gz
[root@Lnmp01 tools]# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.39.tar.gz
[root@WEB tools]# wget https://codeload.github.com/lloyd/yajl/legacy.tar.gz/2.1.0
[root@Lnmp01 tools]# wget http://www.lua.org/ftp/lua-5.3.3.tar.gz
[root@Lnmp01 tools]# wget https://superb-dca2.dl.sourceforge.net/project/ssdeep/ssdeep-2.13/ssdeep-2.13.tar.gz
[root@Monitor tools]# wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz

# APR and APR-util, installed under /usr/local/apr (the ModSecurity configure script is pointed at them below)
[root@WEB apr-1.5.2]# ./configure && make && make install
[root@WEB apr-util-1.5.4]# ./configure --with-apr=/usr/local/apr --with-crypto && make && make install

# OpenSSL built with -fPIC so it can be linked into a shared module; httpd is pointed at this source tree
[root@WEB openssl-1.0.2j]# ./config --prefix=/opt/openssl-1.0.2j -fPIC && make

# httpd: only needed for /opt/httpd-2.4.20/bin/apxs
[root@WEB httpd-2.4.20]# ./configure --prefix=/opt/httpd-2.4.20 --with-apr=/usr/local/apr --with-ssl=../openssl-1.0.2j --enable-deflate --enable-expires --enable-headers --enable-modules=most --enable-so --with-mpm=worker --enable-ssl --enable-cgi --enable-rewrite --enable-suexec --enable-unique-id && make && make install

# yajl (JSON request body support); the extracted directory is named after the commit hash in the tarball
[root@Monitor tools]# tar zxf lloyd-yajl-2.1.0-0-ga0ecdde.tar.gz
[root@Monitor lloyd-yajl-66cb08c]# ./configure && make && make install

# PCRE 8.39 with UTF support under /usr/local/pcre (ModSecurity is compiled against this one)
[root@Lnmp01 pcre-8.39]# ./configure --prefix=/usr/local/pcre --enable-utf && make && make install

# ssdeep (fuzzy hashing), default prefix /usr/local
[root@Lnmp01 ssdeep-2.13]# ./configure && make && make install

# Lua: add -fPIC to CFLAGS *before* building, otherwise liblua.a cannot be linked into the module
# (needs readline-devel: yum install readline-devel)
[root@Lnmp01 lua-5.3.3]# vim src/Makefile
-CFLAGS= -O2 -Wall -Wextra -DLUA_COMPAT_5_2 $(SYSCFLAGS) $(MYCFLAGS)
+CFLAGS= -O2 -Wall -fPIC -Wextra -DLUA_COMPAT_5_2 $(SYSCFLAGS) $(MYCFLAGS)
[root@Lnmp01 lua-5.3.3]# make linux test && make install

# ModSecurity as a standalone module (no Apache at runtime), mlogc disabled;
# --with-ssdeep points at the prefix ssdeep was actually installed to
[root@Lnmp01 modsecurity-2.9.1]# ./configure --with-pcre=/usr/local/pcre --enable-standalone-module --disable-mlogc \
    --with-apxs=/opt/httpd-2.4.20/bin/apxs --with-apu=/usr/local/apr/bin/apu-1-config --with-apr=/usr/local/apr/bin/apr-1-config \
    --with-yajl="/usr/local/lib /usr/local" --with-lua="/usr/local/lib /usr/local" --with-ssdeep=/usr/local && make

# nginx with the module compiled in
[root@WEB nginx]# ./configure --prefix=/usr/local/nginx --add-module=../modsecurity-2.9.1/nginx/modsecurity && make && make install
```

Two caveats. First, the nginx binary and the module must resolve the same libapr, libaprutil and libpcre at run time; every "Loaded X do not match with compiled!" warning in the troubleshooting section below comes from the distro's copy of a library being found before the one ModSecurity was compiled against. Second, the 2.x standalone module for nginx (the nginx_refactoring branch listed under References) was an experimental port; the maintained path today is libmodsecurity v3 with the ModSecurity-nginx connector, and the steps here are specific to 2.9.1.
Install the recommended base configuration and the OWASP CRS v3 (the layout follows the CRS INSTALL document listed under References), and switch the engine from DetectionOnly, which logs matches but never blocks, to On:

```
[root@WEB modsecurity-2.9.1]# cp modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
[root@WEB modsecurity-2.9.1]# cp unicode.mapping /usr/local/nginx/conf/
[root@WEB conf]# sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/g" modsecurity.conf
[root@WEB tmp]# git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
[root@WEB tmp]# mv owasp-modsecurity-crs /usr/local/nginx/conf/waf
# crs-setup.conf has to exist before the Include below is read
[root@WEB conf]# cd waf/
[root@WEB waf]# cp crs-setup.conf.example crs-setup.conf
[root@WEB conf]# echo "Include waf/crs-setup.conf" >> modsecurity.conf
[root@WEB conf]# echo "Include waf/rules/*.conf" >> modsecurity.conf
```

With the rule files listed one by one instead of the wildcard, the tail of modsecurity.conf ends up as:

```
SecRuleEngine On
Include waf/crs-setup.conf
Include waf/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include waf/rules/REQUEST-901-INITIALIZATION.conf
Include waf/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include waf/rules/REQUEST-910-IP-REPUTATION.conf
Include waf/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include waf/rules/REQUEST-912-DOS-PROTECTION.conf
Include waf/rules/REQUEST-913-SCANNER-DETECTION.conf
Include waf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include waf/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include waf/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include waf/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include waf/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include waf/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include waf/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include waf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include waf/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include waf/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include waf/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include waf/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include waf/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
```

Listing the files explicitly is how you control load order, but note that the list stops at 953: the CRS 3.0 rules directory also contains RESPONSE-954-DATA-LEAKAGES-IIS.conf, RESPONSE-959-BLOCKING-EVALUATION.conf and RESPONSE-980-CORRELATION.conf, and without 959 the outbound (response) anomaly score is never enforced. Either add them or keep the wildcard Include. A single SecRuleEngine line is enough; ModSecurity takes the last value when a directive appears twice, so the earlier sed already did the job.
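Before pointing nginx at this file (the nginx side, per the nginx_refactoring branch README listed under References, is `ModSecurityEnabled on;` and `ModSecurityConfig modsecurity.conf;` inside a location block), it is worth re-reading modsecurity.conf the way the engine will. The following linter is an added example, not code from the original post or from the ModSecurity project: it parses directives case-insensitively with last-value-wins, skips SecRule bodies, and flags exactly the states that cause trouble later in this post (DetectionOnly still set, a Concurrent audit log without SecAuditLogStorageDir, PCRE limits left at their defaults, Include targets that do not exist). The `exists` callback, the sample configs and the /usr/local/nginx/conf path are assumptions of the example so that it runs without a real install.

```python
"""Lint the modsecurity.conf assembled above before reloading nginx.

Added example, not code from the original post or from the ModSecurity project.
Directive names are matched case-insensitively and a directive given twice takes
its last value, which is how ModSecurity's Apache-style parser treats them.
"""
import os
import re
from typing import Callable, Dict, List, Tuple

# A directive line: name, then the rest of the line as its argument string.
_DIRECTIVE_RE = re.compile(r'^([A-Za-z][A-Za-z0-9_]*)\s*(.*)$')
# These carry rules, not settings, so they are not tracked as key/value pairs.
_RULE_DIRECTIVES = {'secrule', 'secaction', 'secmarker', 'secruleremovebyid'}


def parse_directives(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({lowercase directive: last value}, [Include arguments in order])."""
    settings: Dict[str, str] = {}
    includes: List[str] = []
    continued = False                     # previous line ended with a backslash
    for raw in text.splitlines():
        line = raw.strip()
        if continued:                     # tail of a multi-line SecRule: skip it
            continued = line.endswith('\\')
            continue
        if not line or line.startswith('#'):
            continue
        continued = line.endswith('\\')
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue
        name = m.group(1).lower()
        arg = m.group(2).strip().strip('"')
        if name == 'include':
            includes.append(arg)
        elif name not in _RULE_DIRECTIVES:
            settings[name] = arg          # last occurrence wins, as in the engine
    return settings, includes


def lint(text: str, conf_dir: str,
         exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return findings for a modsecurity.conf; an empty list means it passed."""
    settings, includes = parse_directives(text)
    findings: List[str] = []

    engine = settings.get('secruleengine', 'Off')     # engine default is Off
    if engine.lower() != 'on':
        findings.append(f'SecRuleEngine is "{engine}": rules run but nothing is blocked')

    audit_type = settings.get('secauditlogtype', 'Serial').lower()
    if audit_type == 'concurrent' and 'secauditlogstoragedir' not in settings:
        findings.append('SecAuditLogType Concurrent needs SecAuditLogStorageDir')
    if audit_type == 'serial' and 'secauditlog' not in settings:
        findings.append('SecAuditLogType Serial needs SecAuditLog <file>')

    for directive in ('SecPcreMatchLimit', 'SecPcreMatchLimitRecursion'):
        if directive.lower() not in settings:
            findings.append(f'{directive} not set: long CRS regexes can fail with '
                            '"PCRE limits exceeded"')

    for inc in includes:
        path = inc if os.path.isabs(inc) else os.path.join(conf_dir, inc)
        if '*' in path:
            continue                      # wildcard, expanded by the engine itself
        if not exists(path):
            findings.append(f'Include target missing: {path}')
    return findings


# Constructed sample: the post's config after the sed/echo edits, with the audit
# log already switched to Concurrent but no storage dir and no PCRE limits yet.
POST_CONF = """\
SecRuleEngine DetectionOnly
SecRule REQUEST_HEADERS:Content-Type "text/xml" \\
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecAuditLogType Concurrent
SecAuditLog /var/log/security/modsec_audit.log
SecRuleEngine on
Include waf/crs-setup.conf
Include waf/rules/*.conf
"""

# Constructed sample: the same file with the fixes the post ends up applying.
FIXED_CONF = """\
SecRuleEngine On
SecAuditLogType Concurrent
SecAuditLog /var/log/security/modsec_audit.log
SecAuditLogStorageDir /var/log/security/audit/
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 5000
Include waf/crs-setup.conf
Include waf/rules/*.conf
"""

if __name__ == '__main__':
    # Pretend only crs-setup.conf exists, as right after the cp of the .example file.
    fake_fs = lambda p: p.endswith('crs-setup.conf')
    for label, conf in (('post', POST_CONF), ('fixed', FIXED_CONF)):
        print(label, lint(conf, '/usr/local/nginx/conf', exists=fake_fs) or 'OK')
```

Run it against the real file with `lint(open('/usr/local/nginx/conf/modsecurity.conf').read(), '/usr/local/nginx/conf')` and the default `os.path.exists`; the wildcard Include is deliberately left to the engine, so a typo inside `waf/rules/` still only shows up at `nginx -t` time.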
Problems hit after the build, with the fixes that worked.

Stopping the old nginx warned that the APR loaded at run time was not the one ModSecurity had been compiled against (the distro libapr was found before /usr/local/apr), and the pid error only shows that the pid path in nginx.conf still pointed at an earlier Tengine 2.1.2 install:

```
[root@WEB opt]# /usr/local/nginx/sbin/nginx -s stop
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
nginx: [error] open() "/opt/tengine-2.1.2/logs/nginx.pid" failed (2: No such file or directory)
```

Removing the distro APR leaves the new binary unable to find the shared libraries at all, so they were symlinked into /lib64. Adding /usr/local/apr/lib to /etc/ld.so.conf and running ldconfig, as is done for PCRE at the end of this section, is the tidier fix and survives the next library update:

```
[root@WEB opt]# yum remove apr
[root@Monitor opt]# /usr/local/nginx/sbin/nginx
/usr/local/nginx/sbin/nginx: error while loading shared libraries: libapr-1.so.0: cannot open shared object file: No such file or directory
[root@Monitor opt]# ln -s /usr/local/apr/lib/libapr-1.so.0 /lib64/libapr-1.so.0
[root@Monitor opt]# /usr/local/nginx/sbin/nginx
/usr/local/nginx/sbin/nginx: error while loading shared libraries: libaprutil-1.so.0: cannot open shared object file: No such file or directory
[root@Monitor opt]# ln -s /usr/local/apr/lib/libaprutil-1.so.0 /lib64/libaprutil-1.so.0
```

The audit log then failed with "Message: Audit log: Failed to lock global mutex: Permission denied". Serial mode writes every transaction into one file under a global mutex, and the nginx worker processes, running as a different user than the master that created the mutex, could not lock it. The original settings were:

```
SecAuditLogType Serial
SecAuditLog /var/log/security/modsec_audit.log
SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/security
```

Switching to concurrent logging, one file per transaction under the storage directory with no shared lock, cleared the error:

```
SecAuditLogType Concurrent
# Specify the path for concurrent audit logging.
SecAuditLogStorageDir /var/log/security/audit/
```

The storage directory has to be writable by the user the nginx workers run as; a directory mode of 0777 is wider than that needs, 0750 owned by the worker user is enough, and the audit files contain full request and response headers, so they should not be world-readable either.

Next, nginx -t could not find the yajl library that ModSecurity was linked against, fixed with another symlink (the ld.so.conf route works here too):

```
[root@Monitor conf]# /usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx: error while loading shared libraries: libyajl.so.2: cannot open shared object file: No such file or directory
[root@Monitor conf]# ln -s /usr/local/lib/libyajl.so.2 /lib64/
```

With traffic flowing, a response-phase rule in RESPONSE-951-DATA-LEAKAGES-SQL.conf ran out of PCRE backtracking budget:

```
[22/Dec/2016:15:56:39 +0800] [/sid#1179e70][rid#23a3650][//index.php][3] Rule 20a7f08 [id "-"][file "/usr/local/nginx/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "98"] - Execution error - PCRE limits exceeded (-8): (null).
```

Two changes were tried. The first, in php.ini, raises PHP's own limits:

```
pcre.backtrack_limit = 10000000
pcre.recursion_limit = 10000000
```

This has no effect on ModSecurity: the pcre.* settings in php.ini only govern PHP's preg_* functions, while ModSecurity calls libpcre directly and honours only its own directives. The second change is the one that matters:

```
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 5000
```

These are global directives (see the ModSecurity Reference Manual under References), and modsecurity.conf-recommended already sets both to 1000. Raise them there, before the CRS Includes, rather than inside RESPONSE-951-DATA-LEAKAGES-SQL.conf, which the next git pull of the CRS will overwrite.

Finally, the same library-mismatch warning as with APR appeared for PCRE: ModSecurity was compiled against the 8.39 headers in /usr/local/pcre, but the loader resolved the distro's older libpcre first. Putting /usr/local/pcre/lib into the loader search path makes nginx and the module load the same library; confirm with ldd that the nginx binary now resolves libpcre from /usr/local/pcre/lib:

```
nginx: [warn] ModSecurity: Loaded PCRE do not match with compiled!
[root@iZ2zehsswqlvtzzg0t86aiZ nginx-1.10.2]# echo "/usr/local/pcre/lib/" >> /etc/ld.so.conf
[root@iZ2zehsswqlvtzzg0t86aiZ nginx-1.10.2]# ldconfig -v
```
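Once SecRuleEngine is On and the audit log is being written, the next job is reading that log to see which CRS rules fired and which of them actually blocked a request, so that false positives can be excluded before real users hit them. The script below is an added example, not code from the original post or from ModSecurity: it parses the engine's native audit format (each transaction is a run of parts delimited by `--<id>-<letter>--` lines, with A holding the timestamp and addresses, B the request headers, F the response headers, H the rule messages and Z closing the entry), pulls the client address, request line and rule ids out of each transaction, and counts rule hits separately for intercepted and merely logged transactions. The sample log is constructed for the demo: the rule ids are CRS 3 ids, but the paths, line numbers, unique ids and addresses in it are made up. It is written for the serial format, which is also what each per-transaction file in Concurrent mode contains.

```python
"""Summarise a ModSecurity serial audit log: which CRS rules fired, which blocked.

Added example; not code from the original post or from ModSecurity.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

_BOUNDARY_RE = re.compile(r'^--([0-9A-Fa-f]+)-([A-Z])--$')
_RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
_MSG_RE = re.compile(r'\[msg "([^"]*)"\]')


def split_transactions(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per transaction: {'id': ..., 'A': body, 'B': body, ...}."""
    transactions: List[Dict[str, str]] = []
    parts: Dict[str, str] = {}
    letter = ''                      # part currently being read, '' if none
    buf: List[str] = []
    for line in log_text.splitlines():
        m = _BOUNDARY_RE.match(line)
        if not m:
            if letter:
                buf.append(line)
            continue
        if letter:                   # a boundary closes the part being read
            parts[letter] = '\n'.join(buf).strip()
        tx_id, letter = m.groups()
        if letter == 'A':            # part A opens a new transaction
            parts = {'id': tx_id}
            transactions.append(parts)
        elif letter == 'Z':          # part Z has no body
            letter = ''
        buf = []
    return transactions


def summarise(tx: Dict[str, str]) -> Dict[str, object]:
    """Client address, request line, rule ids, and whether the engine intercepted."""
    # Part A: [timestamp] unique_id client_ip client_port server_ip server_port
    a_fields = tx.get('A', '').split()
    b_lines = tx.get('B', '').splitlines()
    h = tx.get('H', '')
    return {
        'id': tx.get('id', ''),
        'client': a_fields[3] if len(a_fields) > 3 else '',
        'request': b_lines[0] if b_lines else '',
        'rule_ids': _RULE_ID_RE.findall(h),
        'messages': _MSG_RE.findall(h),
        'blocked': any(l.startswith('Action: Intercepted') for l in h.splitlines()),
    }


def rule_hit_counts(log_text: str) -> Tuple[Counter, Counter]:
    """(rule ids in intercepted transactions, rule ids in merely logged ones)."""
    blocked: Counter = Counter()
    logged: Counter = Counter()
    for tx in split_transactions(log_text):
        s = summarise(tx)
        (blocked if s['blocked'] else logged).update(s['rule_ids'])
    return blocked, logged


# Constructed sample: an SQLi probe that CRS intercepted, and a request whose Host
# header was a bare IP (920350) that scored below the blocking threshold.
SAMPLE_AUDIT_LOG = """\
--5a1f3c9e-A--
[22/Dec/2016:15:56:39 +0800] WFs4R38AAQEAAAQOBKEAAAAA 192.0.2.10 51234 10.0.0.5 80
--5a1f3c9e-B--
GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1
Host: www.example.com
User-Agent: curl/7.47.0

--5a1f3c9e-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html

--5a1f3c9e-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1c' [file "/usr/local/nginx/conf/waf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/local/nginx/conf/waf/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "1"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"

--5a1f3c9e-Z--
--5a1f3ca0-A--
[22/Dec/2016:15:58:02 +0800] WFs4eX8AAQEAAAQPBLMAAAAB 198.51.100.7 40122 10.0.0.5 80
--5a1f3ca0-B--
GET /status HTTP/1.1
Host: 10.0.0.5
User-Agent: curl/7.47.0

--5a1f3ca0-F--
HTTP/1.1 200 OK
Content-Type: text/html

--5a1f3ca0-H--
Message: Warning. Pattern match "^[0-9.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/nginx/conf/waf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"]
Engine-Mode: "ENABLED"

--5a1f3ca0-Z--
"""

if __name__ == '__main__':
    for tx in split_transactions(SAMPLE_AUDIT_LOG):
        s = summarise(tx)
        print('BLOCKED' if s['blocked'] else 'logged ', s['client'], s['request'], s['rule_ids'])
    print(rule_hit_counts(SAMPLE_AUDIT_LOG))
```

Against the real log, feed `open('/var/log/security/modsec_audit.log').read()` (or the concatenated files under the Concurrent storage directory) to `rule_hit_counts`; rule ids that show up often in the logged counter but never in the blocked one on legitimate traffic are the candidates for a SecRuleRemoveById exclusion in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, and 949110 appearing in the blocked counter is the anomaly-score rule doing the actual denying.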
References:
1: https://raw.githubusercontent.com/SpiderLabs/owasp-modsecurity-crs/v3.0/master/INSTALL
2: https://github.com/SpiderLabs/ModSecurity/tree/nginx_refactoring
3: http://www.52os.net/articles/nginx-use-modsecurity-module-as-waf.html
4: http://serverfault.com/questions/450917/modsecurity-compile-error-on-nginx
5: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
6: http://www.2cto.com/article/201407/319878.html
7: https://modsecurity.org/crs/
8: http://blog.slogra.com/post-668.html
9: http://www.codeweblog.com/nginx%E9%85%8D%E5%90%88modsecurity%E5%AE%9E%E7%8E%B0waf%E5%8A%9F%E8%83%BD/
10: http://stackoverflow.com/questions/31537106/core-owasp-modsecurity-allowing-json
11: http://www.tuicool.com/articles/Bfyi2en
12: http://stackoverflow.com/questions/35202761/json-support-was-not-enabled-modsecurity
13: https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--JSON-Support/
14: https://forums.cpanel.net/threads/modsecurity-auto-updater.147745/

Source: SourceByrd's Weblog, https://note.t4x.org/environment/nginx-modsecurity-waf/