
2017年2月5日星期日

Linux - Nginx - 用 OWASP 加强防御

1. 安装

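# Build toolchain and libraries. gcc/make compile everything below; autoconf,
# automake and libtool are required by ModSecurity's ./autogen.sh; git fetches
# the CRS. apr/httpd-devel are needed for ModSecurity's standalone-module build.
# The original list omitted the toolchain, so autogen.sh would fail on a clean host.
$ yum install gcc make autoconf automake libtool git
$ yum install openssl openssl-devel pcre pcre-devel zlib zlib-devel
$ yum install apr apr-util-devel apr-devel httpd-devel libxml2 libxml2-devel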

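# OpenSSL source tree. nginx is configured below with --with-openssl=<this dir>,
# which compiles OpenSSL into the nginx binary straight from source, so the
# tree only needs to be unpacked here. Do NOT `./config --prefix=/usr && make
# install`: that overwrites the distribution OpenSSL that yum just installed
# (and that yum, ssh, curl and the rest of the system link against) with a
# build the package manager will never patch. 1.1.0c is a pinned point
# release; take the newest patch release of a branch OpenSSL still supports.
$ cd /usr/local/src
$ wget https://www.openssl.org/source/openssl-1.1.0c.tar.gz
$ wget https://www.openssl.org/source/openssl-1.1.0c.tar.gz.sha256
# The .sha256 file holds only the digest, so build the "HASH  FILE" line for
# sha256sum. A digest fetched from the same origin only catches corruption;
# verifying the .asc signature with the OpenSSL release key is the stronger check.
$ echo "$(cat openssl-1.1.0c.tar.gz.sha256)  openssl-1.1.0c.tar.gz" | sha256sum -c -
$ tar zxvf openssl-1.1.0c.tar.gz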

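# PCRE. nginx compiles it in via --with-pcre=<this dir>; the make install only
# serves other consumers and puts a second libpcre under /usr/local next to the
# yum one. The download is plain FTP with no transport integrity: verify the
# release signature published next to the tarball before building from it.
$ cd /usr/local/src
$ wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.40.tar.gz
$ tar zxvf pcre-8.40.tar.gz
$ cd pcre-8.40
$ ./configure
$ make && make install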

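# zlib. Fetched over HTTPS (the original used plain HTTP); still compare the
# tarball against the checksum zlib.net publishes before unpacking. nginx
# compiles it in via --with-zlib=<this dir>; the install is for other consumers.
$ cd /usr/local/src
$ wget https://zlib.net/zlib-1.2.11.tar.gz
$ tar zxvf zlib-1.2.11.tar.gz
$ cd zlib-1.2.11
$ ./configure
$ make && make install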

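# ModSecurity 2.9 built as a standalone module. Only `make` is needed: the
# nginx --add-module step below takes the objects from this source tree.
# Caveat: the nginx/modsecurity module shipped in the 2.9 tree was always
# labelled experimental and is not maintained; ModSecurity v3 (libmodsecurity)
# with the ModSecurity-nginx connector is the supported way to run ModSecurity
# under nginx, and the same CRS works with it.
$ cd /usr/local/src
$ wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz
# Compare the tarball with the checksum/signature published on modsecurity.org.
$ tar zxvf modsecurity-2.9.1.tar.gz
$ cd modsecurity-2.9.1
$ ./autogen.sh
$ ./configure --enable-standalone-module --disable-mlogc
$ make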

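# nginx from source. The three --with-*=<dir> options compile OpenSSL, PCRE and
# zlib statically into the binary, so system library updates never reach it:
# rebuild nginx whenever OpenSSL in particular publishes a security release.
$ cd /usr/local/src
$ wget https://nginx.org/download/nginx-1.10.2.tar.gz
$ wget https://nginx.org/download/nginx-1.10.2.tar.gz.asc
# Verify the detached signature; import the nginx signing key
# (nginx.org/en/pgp_keys.html) out of band first.
$ gpg --verify nginx-1.10.2.tar.gz.asc nginx-1.10.2.tar.gz
$ tar zxvf nginx-1.10.2.tar.gz
$ cd nginx-1.10.2
# The unprivileged worker account named by --user/--group must exist.
$ id www >/dev/null 2>&1 || useradd -r -s /sbin/nologin www
# One command: the original listing broke the line after --prefix without a
# trailing backslash, which runs the option list as a separate, failing command.
$ ./configure --prefix=/usr/local/nginx \
    --user=www --group=www \
    --without-http_memcached_module \
    --with-http_stub_status_module \
    --with-http_ssl_module \
    --with-http_gzip_static_module \
    --with-openssl=/usr/local/src/openssl-1.1.0c \
    --with-pcre=/usr/local/src/pcre-8.40 \
    --with-zlib=/usr/local/src/zlib-1.2.11 \
    --add-module=/usr/local/src/modsecurity-2.9.1/nginx/modsecurity/
$ make
$ make install

# Confirm the module list and the OpenSSL version actually linked in.
$ /usr/local/nginx/sbin/nginx -V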

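# Base ModSecurity configuration. Put it in nginx's conf directory
# (/usr/local/nginx/conf): that is the path edited in step 2.1 below, whereas
# the original copied it one level up. unicode.mapping is referenced by
# SecUnicodeMapFile in the recommended config with a relative name, so it
# goes beside the config file.
$ cd /usr/local/src/modsecurity-2.9.1
$ cp modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
$ cp unicode.mapping /usr/local/nginx/conf/unicode.mapping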

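# OWASP ModSecurity Core Rule Set (CRS). Pin a release tag (v3.0.0 here; use
# the newest 3.x release) instead of cloning master: master changes
# continuously, so an unpinned clone is neither reproducible nor auditable.
# Copy the example rather than renaming it so the pristine file survives
# upgrades. crs-setup.conf must be Included from modsecurity.conf before the
# rule files.
$ cd /usr/local/nginx
$ git clone --branch v3.0.0 https://github.com/SpiderLabs/owasp-modsecurity-crs.git
$ cd owasp-modsecurity-crs
$ cp crs-setup.conf.example crs-setup.conf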

2. 设置

2.1) 编辑 modsecurity.conf

$ gedit /usr/local/nginx/conf/modsecurity.conf

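SecRuleEngine On

# CRS load order matters: crs-setup.conf (paranoia level, anomaly thresholds)
# first, then REQUEST-901-INITIALIZATION, then the rule files. 901 initialises
# the tx.* variables the rule files and the 949/959 blocking evaluation read;
# the original left it commented out, so the rules ran without their defaults.
# Absolute paths (the clone lives under /usr/local/nginx) avoid depending on
# how the standalone module resolves relative Include paths.
Include /usr/local/nginx/owasp-modsecurity-crs/crs-setup.conf
Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
#Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
#Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
#Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
#Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
#Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
#Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
#Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
#Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
# XSS and SQLi detection are switched off here, which leaves two of the most
# common attack classes uncovered. Enable them and tune false positives under
# SecRuleEngine DetectionOnly rather than leaving them off in production.
#Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
#Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /usr/local/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /usr/local/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /usr/local/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
#Include /usr/local/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include /usr/local/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include /usr/local/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include /usr/local/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf

# Audit log. Comment out the SecAuditLogType / SecAuditLog lines that come with
# modsecurity.conf-recommended so they do not conflict with these.
# Concurrent mode writes one file per transaction under SecAuditLogStorageDir;
# SecAuditLog is then the index file. The directory must be owned by the nginx
# worker user (--user=www) and must NOT be world-writable: the original 0777
# lets any local user plant, alter or delete audit evidence. 0550 on the files
# (read-only) was also wrong for a log the module appends to.
SecAuditLogType Concurrent
SecAuditLog /var/log/modsecurity/modsec_audit.log
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogDirMode 0750
SecAuditLogFileMode 0640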

2.2) 编辑 nginx.conf

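# With --prefix=/usr/local/nginx the main configuration lives under conf/,
# not directly in the prefix directory.
$ gedit /usr/local/nginx/conf/nginx.conf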

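# `online` is presumably an upstream { } block defined elsewhere in
# nginx.conf; it is not shown here. listen/server_name are omitted as in the
# original snippet.
server {
    location / {
        # Run every request through ModSecurity before it is proxied.
        # Absolute path so the lookup does not depend on nginx prefix handling;
        # this is the file edited in step 2.1.
        ModSecurityEnabled on;
        ModSecurityConfig /usr/local/nginx/conf/modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        # Forward client address and scheme. X-Forwarded-For is append-only,
        # so the backend must trust only the entry this proxy adds (the last
        # one), never a client-supplied value further left.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}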

3. 启动

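# nginx was built from source into /usr/local/nginx, so there is no systemd
# unit for it unless you write one: `systemctl start nginx` has nothing to
# start. Create the audit-log directory used by modsecurity.conf, owned by the
# worker user and not world-writable, validate the configuration, then start
# the binary directly.
$ mkdir -p /var/log/modsecurity
$ chown www:www /var/log/modsecurity
$ chmod 750 /var/log/modsecurity
$ /usr/local/nginx/sbin/nginx -t
$ /usr/local/nginx/sbin/nginx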
