ModSecurity 3.x + Nginx 编译安装

2020-05-21  本文已影响0人  捞小虾

Platform: CentOS7.x

编译并生成 nginx_modsecurity3 RPM 安装包


安装依赖

yum -y install epel-release
yum install -y git rpm-build gperftools-devel openssl-devel pcre-devel zlib-devel GeoIP-devel gd-devel perl-devel libxslt-devel perl-ExtUtils-Embed.noarch gcc gcc-c++ autoconf automake libtool
yum -y install yum-utils yajl yajl-devel libcurl libcurl-devel lmdb lmdb-devel ssdeep ssdeep-devel lua lua-devel

安装 nignx

yum -y install nginx
cd /root/
yumdownloader --source nginx
rpm -i nginx-1.16.1-1.el7.src.rpm
[root@localhost ~]# ls -l
-rw-r--r--.  1 root root 1070280 10月  4 2019 nginx-1.16.1-1.el7.src.rpm
drwxr-xr-x.  4 root root      34 5月  19 14:41 rpmbuild

安装 libModSecurity

cd /root/
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure --with-lmdb
ModSecurity -  for Linux
 
 Mandatory dependencies
   + libInjection                                  ....v3.9.2-30-gbf234eb
   + SecLang tests                                 ....c8cf2c5
 
 Optional dependencies
   + GeoIP/MaxMind                                 ....found 
      * (GeoIP) v1.5.0
         -lGeoIP  , -I/usr/include/  
   + LibCURL                                       ....found v7.29.0 
      -lcurl  ,  -DWITH_CURL
   + YAJL                                          ....found v2.0.4
      -lyajl  , -DWITH_YAJL  
   + LMDB                                          ....disabled
   + LibXML2                                       ....found v2.9.1
      -lxml2 -lz -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP                                        ....found 
      -lfuzzy -L/usr/lib64/, -DWITH_SSDEEP -I/usr/include
   + LUA                                           ....found v501
      -llua-5.1 -L/usr/lib64/, -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include
 
 Other Options
   + Test Utilities                                ....enabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....disabled
   + Treating pm operations as critical section    ....disabled
make -j2
make install

当前结果

[root@localhost ~]# ls -l
drwxr-xr-x. 14 root root    4096 5月  19 15:01 ModSecurity
-rw-r--r--.  1 root root 1070280 10月  4 2019 nginx-1.16.1-1.el7.src.rpm
drwxr-xr-x.  4 root root      34 5月  19 14:41 rpmbuild

[root@localhost ~]# find . -name libmodsecurity.so*
./ModSecurity/src/.libs/libmodsecurity.so.3.0.4
./ModSecurity/src/.libs/libmodsecurity.so.3
./ModSecurity/src/.libs/libmodsecurity.so
[root@localhost ~]# 

关联 nginx


cd /root/
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git

当前结果

[root@localhost ~]# ls -l
drwxr-xr-x. 14 root root    4096 5月  19 15:01 ModSecurity
drwxr-xr-x.  6 root root     192 5月  19 15:14 ModSecurity-nginx
-rw-r--r--.  1 root root 1070280 10月  4 2019 nginx-1.16.1-1.el7.src.rpm
drwxr-xr-x.  5 root root      47 5月  19 15:30 rpmbuild
cd /root/
tar zxf ./rpmbuild/SOURCES/nginx-1.16.1.tar.gz

当前结果

[root@localhost ~]# ls -l
drwxr-xr-x. 14 root root    4096 5月  19 15:01 ModSecurity
drwxr-xr-x.  6 root root     192 5月  19 15:14 ModSecurity-nginx
drwxr-xr-x.  9 1001 1001     186 5月  19 15:18 nginx-1.16.1
-rw-r--r--.  1 root root 1070280 10月  4 2019 nginx-1.16.1-1.el7.src.rpm
drwxr-xr-x.  5 root root      47 5月  19 15:30 rpmbuild
cd /root/nginx-1.16.1/
nginx -V 2>&1 | grep 'configure arguments' | sed "s#configure arguments:#./configure --add-dynamic-module=../ModSecurity-nginx #g"
nginx -V 2>&1 | grep 'configure arguments' | sed "s#configure arguments:#./configure --add-dynamic-module=../ModSecurity-nginx #g" |bash
make modules

当前结果:

[root@localhost nginx-1.16.1]# find . -name *modsecurity*
./objs/ngx_http_modsecurity_module_modules.c
./objs/addon/src/ngx_http_modsecurity_module.o
./objs/addon/src/ngx_http_modsecurity_pre_access.o
./objs/addon/src/ngx_http_modsecurity_header_filter.o
./objs/addon/src/ngx_http_modsecurity_body_filter.o
./objs/addon/src/ngx_http_modsecurity_log.o
./objs/addon/src/ngx_http_modsecurity_rewrite.o
./objs/ngx_http_modsecurity_module_modules.o
./objs/ngx_http_modsecurity_module.so
[root@localhost nginx-1.16.1]# 
cd /root/
mkdir -p ./rpmbuild/BUILD
find . -type f -iname 'libmodsecurity.so.3.*' -exec cp {} ./rpmbuild/BUILD \;
find . -type f -iname 'ngx_http_modsecurity_module.so' -exec cp {} ./rpmbuild/BUILD \;

当前结果:

[root@localhost ~]# ls rpmbuild/BUILD/ -l
总用量 43780
-rwxr-xr-x. 1 root root 44442616 5月  19 15:49 libmodsecurity.so.3.0.4
-rwxr-xr-x. 1 root root   384824 5月  19 15:49 ngx_http_modsecurity_module.so
[root@localhost ~]# 

生成 rpm 安装包

Name: nginx-modsecurity3-centos7
Version: 3.0.4
Release: 1
Group: Applications/System
BuildArch: x86_64
Summary: modsecurity for nginx
License: GPL

%description
Brief description of software package.
Provides: libmodsecurity.so.3 nginx-modsecurity


%prep

%build

%install
mkdir -p %{buildroot}/opt/modsecurity
cp libmodsecurity.so.3.0.4 %buildroot/opt/modsecurity
cp ngx_http_modsecurity_module.so %buildroot/opt/modsecurity
%post
echo 'load_module "/usr/lib64/nginx/modules/ngx_http_modsecurity_module.so";' > /usr/share/nginx/modules/mod-modsecurity.conf
ln -sf /opt/modsecurity/ngx_http_modsecurity_module.so /usr/lib64/nginx/modules/ngx_http_modsecurity_module.so
cat > /etc/ld.so.conf.d/modsecurity.conf << EOF
/opt/modsecurity
EOF
ldconfig
%postun
rm -f /etc/ld.so.conf.d/modsecurity.conf
rm -f /usr/lib64/nginx/modules/ngx_http_modsecurity_module.so
rm -f /usr/share/nginx/modules/mod-modsecurity.conf
ldconfig


%clean

%files
/*
cd /root/rpmbuild/SPECS
rpmbuild -ba nginx-modsecurity.spec

最终生成的文件(见附件):

[root@localhost x86_64]# ls /root/rpmbuild/RPMS/x86_64/
nginx-modsecurity3-centos7-3.0.4-1.x86_64.rpm

安装 nginx 和 nginx_modsecurity3


yum -y install epel-release
yum -y install nginx-1.16.1

检查安装的 nginx 版本:

[root@localhost ~]# nginx -v
nginx version: nginx/1.16.1
yum -y install yajl lua lmdb ssdeep
rpm -i nginx-modsecurity3-centos7-3.0.4-1.x86_64.rpm

结果检查:

[root@localhost /]# cd /usr/share/nginx/modules/
[root@localhost modules]# ls
mod-http-image-filter.conf  mod-http-perl.conf  mod-http-xslt-filter.conf  mod-mail.conf  mod-modsecurity.conf  mod-stream.conf

[root@localhost modules]# more mod-modsecurity.conf 
load_module "/usr/lib64/nginx/modules/ngx_http_modsecurity_module.so";

[root@localhost modules]# cd /usr/lib64/nginx/modules/
[root@localhost modules]# ls
ngx_http_image_filter_module.so  ngx_http_modsecurity_module.so  ngx_http_perl_module.so  ngx_http_xslt_filter_module.so  ngx_mail_module.so  ngx_stream_module.so

配置 modsecurity


Client ----- Nginx & ModSecurity ---- DVWA

下载配置文件

mkdir -p /etc/nginx/modsec
mkdir -p /etc/nginx/modsec/modsecurity
cd /etc/nginx/modsec/modsecurity/
wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended
mv modsecurity.conf-recommended modsecurity.conf
cd /etc/nginx/modsec/modsecurity/
wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/unicode.mapping
cd /etc/nginx/modsec/modsecurity/
git clone --depth 1 -b v3.0/master https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd coreruleset/
mv crs-setup.conf.example crs-setup.conf

配置 modsecurity

# -- Rule engine initialization ----------------------------------------------

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
# SecRuleEngine DetectionOnly
SecRuleEngine On
include /etc/nginx/default.d/modsecurity/modsecurity.conf
include /etc/nginx/default.d/modsecurity/coreruleset/crs-setup.conf
include /etc/nginx/default.d/modsecurity/coreruleset/rules/*.conf

配置 nginx

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        
        # server_name  $hostname;
        # root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        # Load modsecurity configuration files. 
        modsecurity_rules_file /etc/nginx/modsec/main.conf;

        location / {
            # Enable modsecurity for this block.
            modsecurity on;

            # Add backend server.
            proxy_pass http://183.169.1.12;

            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Forwarded_Proto $scheme;
        proxy_connect_timeout 600;
            proxy_send_timeout 600;
            proxy_read_timeout 600;
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

测试

183.168.1.11 - - [20/May/2020:18:25:19 +0800] "GET /?a=1%27=%271 HTTP/1.1" 403 153 "-" "curl/7.58.0" "-"
2020/05/20 18:25:19 [error] 2373#0: *25 [client 183.168.1.11] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOM
ALY_SCORE' (Value: `8' ) [file "/etc/nginx/modsec/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score
 Exceeded (Total Score: 8)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [
tag "attack-generic"] [hostname "183.168.1.1"] [uri "/"] [unique_id "1589970319"] [ref ""], client: 183.168.1.11, server: , request: "GET /?a=1%27=%271 HTTP/1.1", host: "183.168.1.1
"

Reference:
https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x
https://github.com/coreruleset/coreruleset/blob/v3.3/dev/crs-setup.conf.example

上一篇下一篇

猜你喜欢

热点阅读