ubuntu nginx 安装ModSecurity 3.0
本文记录在 Ubuntu 22.04 LTS 上、已通过 apt 安装 nginx/1.18.0 (Ubuntu) 的情况下,不替换系统 nginx 二进制(只额外编译一个动态模块)而增加安装、配置 ModSecurity v3 与 OWASP CRS 规则集,构建 NGINX WAF(Web 应用防火墙)的详细过程。
从中文网下载代码方式编译
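# Fetch the 3.0.4 source tarball. This is a third-party mirror over plain HTTP,
# so the archive is neither authenticated nor integrity-protected in transit:
# before building anything, compare its checksum/signature against the official
# release published at https://github.com/SpiderLabs/ModSecurity/releases.
# An unverified download is a supply-chain risk for code that runs inside nginx.
# 3.0.4 is also an old release; prefer a current tagged release (the git-based
# build below shows how).
wget http://www.modsecurity.cn/download/modsecurity/modsecurity-v3.0.4.tar.gz
# Build dependencies. apache2-dev / doxygen / ssdeep / liblua are not needed for
# the nginx connector (the second build below succeeds without them) but are
# harmless.
apt install -y g++ flex bison curl apache2-dev doxygen libyajl-dev ssdeep \
  liblua5.2-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev \
  libxml2 libpcre++-dev libxml2-dev git liblmdb-dev libpkgconf3 lmdb-doc \
  pkgconf zlib1g-dev libssl-dev
tar -zxvf modsecurity-v3.0.4.tar.gz
cd modsecurity-v3.0.4   # directory name as unpacked; adjust if the mirror's archive differs
./build.sh              # original had "/build.sh": the script lives in the source tree, not at /
./configure
make
make install            # presumably installs under /usr/local/modsecurity unless --prefix was given — confirm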
3.0.4 的 tar 包编译安装成功,但后续没有继续使用;为了使用较新的版本,后来改用下面直接从 GitHub 拉取源码的方法(注意:默认分支是开发版,建议 checkout 到发布 tag 再编译;另外拉取 GitHub 可能需要多次重试才能成功)。
直接从github 上下载最新源码方式安装
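apt update
# OS build dependencies; without them libmodsecurity's ./configure fails.
# Whether every package here is strictly required was not verified (the list
# was assembled by trial) — it is a superset that is known to work.
# -y keeps the step non-interactive, consistent with the apt install above.
apt-get install -y git g++ apt-utils autoconf automake build-essential \
  libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool \
  libxml2-dev libyajl-dev pkgconf wget zlib1g-dev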
从github上拉取ModSecurity源代码,尝试编译
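# Build libmodsecurity from the official repository, in the working directory
# the later steps refer to (/opt/waf/ModSecurity).
mkdir -p /opt/waf
cd /opt/waf
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
# Pin a release tag instead of building the default (development) branch:
# an unpinned clone is not reproducible and may carry unreleased bugs.
git tag -l 'v3.*'                                  # list the available 3.x release tags
: "${MODSEC_TAG:?set to one of the v3.* tags listed above}"
git checkout "$MODSEC_TAG"
# Parts of the parser live in git submodules; ./configure fails until they are
# fetched (this is the error the original run hit).
git submodule update --init --recursive
./build.sh        # regenerates ./configure from a git checkout (same script as in the tarball)
./configure
make
make install      # already root here; the original mixed bare root commands with sudo
# NOTE(review): if nginx -t later cannot find libmodsecurity.so, the dynamic
# loader presumably does not know the install prefix's lib directory — add it
# under /etc/ld.so.conf.d/ and run ldconfig (confirm on your system).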
编译nginx连接适配模块
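# The connector must be cloned where the nginx configure step below expects it
# (--add-dynamic-module=/opt/waf/ModSecurity-nginx); the original did not
# change into /opt/waf first. As with libmodsecurity, prefer checking out a
# release tag (git tag -l) over the default branch.
cd /opt/waf
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git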
查看当前在用 nginx版本,去nginx官网下载(https://nginx.org/en/download.html)对应版本的源码
ubuntu@VM-12-10-ubuntu:~$ nginx -v
nginx version: nginx/1.18.0 (Ubuntu)
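cd /opt/waf/
# Source of exactly the installed version (nginx -v above: 1.18.0). A dynamic
# module is tied to the nginx version it was built against: rebuild and
# re-copy it whenever the nginx package is upgraded, or nginx will refuse to
# load it (and thus fail to start, or run without the WAF).
wget https://nginx.org/download/nginx-1.18.0.tar.gz
# nginx.org publishes a detached PGP signature (.asc) next to each tarball;
# verify it before building rather than trusting the download blindly.
tar -zxvf nginx-1.18.0.tar.gz   # original omitted -f, so the filename was taken as a member name, not the archive
cd nginx-1.18.0
# --with-compat makes the module loadable by the distro binary, which was
# itself built --with-compat (see nginx -V below).
./configure --add-dynamic-module=/opt/waf/ModSecurity-nginx --with-compat
# Only the module is needed, not a new nginx binary ("make" also works but
# additionally builds objs/nginx, which is never installed here).
make modules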
生成了需要的nginx module:
ngx_http_modsecurity_module.so
root@VM-12-10-ubuntu:/usr/lib/nginx/modules# ls -l /opt/waf/nginx-1.18.0/objs/
total 4388
drwxrwxr-x 3 ubuntu ubuntu 4096 Oct 21 20:09 addon
-rw-rw-r-- 1 ubuntu ubuntu 18686 Oct 21 20:09 autoconf.err
-rw-rw-r-- 1 ubuntu ubuntu 43718 Oct 21 20:09 Makefile
-rwxrwxr-x 1 ubuntu ubuntu 4073304 Oct 21 20:10 nginx
-rw-rw-r-- 1 ubuntu ubuntu 5375 Oct 21 20:10 nginx.8
-rw-rw-r-- 1 ubuntu ubuntu 7579 Oct 21 20:09 ngx_auto_config.h
-rw-rw-r-- 1 ubuntu ubuntu 657 Oct 21 20:09 ngx_auto_headers.h
-rw-rw-r-- 1 ubuntu ubuntu 883 Oct 21 20:09 ngx_http_modsecurity_module_modules.c
-rw-rw-r-- 1 ubuntu ubuntu 27432 Oct 21 20:10 ngx_http_modsecurity_module_modules.o
-rwxrwxr-x 1 ubuntu ubuntu 242920 Oct 21 20:10 ngx_http_modsecurity_module.so
-rw-rw-r-- 1 ubuntu ubuntu 5856 Oct 21 20:09 ngx_modules.c
-rw-rw-r-- 1 ubuntu ubuntu 36272 Oct 21 20:10 ngx_modules.o
drwxrwxr-x 9 ubuntu ubuntu 4096 Oct 21 20:09 src
root@VM-12-10-ubuntu:/usr/lib/nginx/modules#
nginx -V 的输出中可以看到 --modules-path 目录(本机为 /usr/lib/nginx/modules),然后将 ngx_http_modsecurity_module.so 复制到该目录。
root@VM-12-10-ubuntu:/usr/lib/nginx/modules# nginx -V
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-zctdR4/nginx-1.18.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --add-dynamic-module=/build/nginx-zctdR4/nginx-1.18.0/debian/modules/http-geoip2 --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module
root@VM-12-10-ubuntu:/usr/lib/nginx/modules#
root@VM-12-10-ubuntu:/usr/lib/nginx/modules# pwd
/usr/lib/nginx/modules
root@VM-12-10-ubuntu:/usr/lib/nginx/modules# ls -ltr
total 396
-rw-r--r-- 1 root root 184904 May 31 01:31 ngx_stream_module.so
-rw-r--r-- 1 root root 18896 May 31 01:31 ngx_stream_geoip2_module.so
-rw-r--r-- 1 root root 112264 May 31 01:31 ngx_mail_module.so
-rw-r--r-- 1 root root 27672 May 31 01:31 ngx_http_xslt_filter_module.so
-rw-r--r-- 1 root root 31872 May 31 01:31 ngx_http_image_filter_module.so
-rw-r--r-- 1 root root 19024 May 31 01:31 ngx_http_geoip2_module.so
#将编译好的module复制过去
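# Install the module with the same ownership/mode as the distro modules
# (root:root 0644, see ls -ltr above) instead of a plain cp.
# NOTE(review): the build tree under /opt/waf is owned by the unprivileged
# "ubuntu" user (see the objs/ listing), yet root installs its output
# unchanged — make sure that account is trusted, or build in a root-owned
# directory, since this .so is loaded into the root nginx master process.
install -o root -g root -m 0644 \
  /opt/waf/nginx-1.18.0/objs/ngx_http_modsecurity_module.so \
  /usr/lib/nginx/modules/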
配置nginx增加module
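cd /etc/nginx
cp nginx.conf "nginx.conf.bak$(date +%Y%m%d)"   # date-stamped backup (original hard-coded 20230121)
mkdir -p /etc/nginx/conf
cd /etc/nginx/conf
cp /opt/waf/ModSecurity/modsecurity.conf-recommended modsecurity.conf
# unicode.mapping is referenced from modsecurity.conf by a relative name, so it
# has to sit next to it.
cp /opt/waf/ModSecurity/unicode.mapping .
# modsecurity.conf-recommended ships with "SecRuleEngine DetectionOnly": rules
# are evaluated and logged but nothing is ever blocked. The 403 responses shown
# later in this page require the engine to be switched on; do it explicitly
# here instead of relying on an unrecorded manual edit.
sed -i 's/^SecRuleEngine DetectionOnly$/SecRuleEngine On/' modsecurity.conf
grep -n '^SecRuleEngine' modsecurity.conf   # expect: SecRuleEngine On
grep -n '^SecAuditLog '  modsecurity.conf   # where audit records will be written (read with cat below)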
vi /etc/nginx/nginx.conf
# 在 nginx.conf 最顶部(main 上下文,任何 events{}/http{} 之前)增加加载模块指令;路径相对于 nginx -V 中的 --modules-path(/usr/lib/nginx/modules)
load_module modules/ngx_http_modsecurity_module.so;
....
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name nginx.example.com;
# 启用模块
modsecurity on;
# 加载 ModSecurity 主配置文件(规则集通过其中的 Include 引入)。注意:modsecurity.conf-recommended 默认为 SecRuleEngine DetectionOnly,只记录不拦截;要得到下文的 403 拦截效果,必须改为 SecRuleEngine On
modsecurity_rules_file /etc/nginx/conf/modsecurity.conf;
用 nginx -t 检查配置是否正确,通过后再重载 nginx。此时尚未加载任何规则,只是验证模块能被加载;若报找不到 libmodsecurity.so,通常是 make install 的库目录未加入动态链接器缓存(将该 lib 目录加入 /etc/ld.so.conf.d/ 后运行 ldconfig)。
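# Validate first; only reload when the test passes (the prose says "restart",
# but the original showed no reload at this point).
nginx -t && nginx -s reload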
下载modsecurity规则
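cd /opt/waf
# OWASP Core Rule Set. The original cloned this repository, then extracted a
# non-existent .tgz and copied from an "owasp-modsecurity-crs-3.3-dev" directory
# (a development snapshot), while the logs further down report OWASP_CRS/3.2.0 —
# pin one released version and use it consistently.
# NOTE(review): the CRS project has since moved to github.com/coreruleset/coreruleset;
# as of this writing the SpiderLabs URL redirects there — confirm before relying on it.
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs
git tag -l 'v3.*'                               # list the available 3.x release tags
: "${CRS_TAG:?set to one of the v3.* tags listed above}"
git checkout "$CRS_TAG"
mkdir -p /etc/nginx/conf/owasp-crs
cp -r /opt/waf/owasp-modsecurity-crs/rules /etc/nginx/conf/owasp-crs/
cp /opt/waf/owasp-modsecurity-crs/crs-setup.conf.example /etc/nginx/conf/owasp-crs/crs-setup.conf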
在 modsecurity.conf 末尾(SecRuleEngine、SecAuditLog 等基础指令之后)添加如下 Include;相对路径相对于 modsecurity.conf 所在目录(/etc/nginx/conf)解析,也可以直接写绝对路径:
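# Append at the END of /etc/nginx/conf/modsecurity.conf, after the base
# directives (SecRuleEngine, SecRequestBodyAccess, SecAuditLog, ...).
# crs-setup.conf must come before the rules: it defines the TX variables
# (paranoia level, anomaly thresholds) that the rule files read.
# Absolute paths remove any ambiguity about what a relative Include is
# resolved against; the relative form worked in the original run, as the
# [file "/etc/nginx/conf/owasp-crs/rules/..."] entries in the logs show.
Include /etc/nginx/conf/owasp-crs/crs-setup.conf
Include /etc/nginx/conf/owasp-crs/rules/*.conf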
检查配置正确否, 重启nginx
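# Validate and only then reload, so a broken rule set is never pushed to the
# running instance.
nginx -t && nginx -s reload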
modsecurity 配置是否生效测试
SQL注入测试
https://www.itnext.top/?rule_id=1024' or 1=1 (下方日志中实际记录的请求为 rule_id=1024%20or%201=1,即使没有引号,该载荷的异常评分也已达到阈值 5)
403 Forbidden
nginx/1.18.0 (Ubuntu)
nginx log显示如下信息:
2023/10/21 21:08:08 [error] 821268#821268: *152 [client 35.78.172.160] ModSecurity: Access denied with code 403 (phase 2). Matched “Operator Ge' with parameter
5′ against variable TX:ANOMALY_SCORE' (Value:
5′ ) [file “/etc/nginx/conf/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf”] [line “80”] [id “949110”] [rev “”] [msg “Inbound Anomaly Score Exceeded (Total Score: 5)”] [data “”] [severity “2”] [ver “OWASP_CRS/3.2.0”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-generic”] [hostname “10.0.12.10”] [uri “/”] [unique_id “16978936883.865166”] [ref “”], client: 35.78.172.160, server: www.itnext.top, request: “GET /?rule_id=1024%20or%201=1 HTTP/1.1”, host: “www.itnext.top”
如果修改nginx.conf中
modsecurity off;
nginx -s reload
则不拦截,正常显示网页了。注意 `modsecurity off` 是整体关闭 WAF;排查误报时应改用 `SecRuleEngine DetectionOnly`(只记录不拦截)或针对具体规则 ID 编写排除规则,而不是在生产环境直接关闭。
XSS Injection测试
<script>alert("test")</script>
https://www.itnext.top/%3Cscript%3Ealert(%E2%80%9Ctest%E2%80%9D)%3C/script%3E
2023/10/21 21:42:41 [error] 823155#823155: *260 [client 120.229.47.150] ModSecurity: Access denied with code 403 (phase 2). Matched “Operator Ge' with parameter
5′ against variable TX:ANOMALY_SCORE' (Value:
5′ ) [file “/etc/nginx/conf/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf”] [line “80”] [id “949110”] [rev “”] [msg “Inbound Anomaly Score Exceeded (Total Score: 5)”] [data “”] [severity “2”] [ver “OWASP_CRS/3.2.0”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-generic”] [hostname “10.0.12.10”] [uri “/“] [unique_id “169789576116.828957”] [ref “”], client: 120.229.47.150, server: www.itnext.top, request: “GET /%3Cscript%3Ealert(%E2%80%9Ctest%E2%80%9D)%3C/script%3E HTTP/1.1”, host: “www.itnext.top”
php xmlrpc.php 攻击(从日志中的客户端 IP 77.32.68.242 和 POST /xmlrpc.php 来看,这条应是外部扫描器发来的真实请求,并非本文主动构造的测试)
2023/10/21 21:45:58 [error] 823155#823155: *269 [client 77.32.68.242] ModSecurity: Access denied with code 403 (phase 2). Matched “Operator Ge' with parameter
5′ against variable TX:ANOMALY_SCORE' (Value:
5′ ) [file “/etc/nginx/conf/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf”] [line “80”] [id “949110”] [rev “”] [msg “Inbound Anomaly Score Exceeded (Total Score: 5)”] [data “”] [severity “2”] [ver “OWASP_CRS/3.2.0”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-generic”] [hostname “10.0.12.10”] [uri “/xmlrpc.php”] [unique_id “169789595897.064107”] [ref “”], client: 77.32.68.242, server: www.itnext.top, request: “POST /xmlrpc.php HTTP/1.1”, host: “www.itnext.top”
查看modsecurity审计日志
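# The audit log lives wherever SecAuditLog in modsecurity.conf points;
# /var/log/modsec_audit.log is presumably the value carried over from
# modsecurity.conf-recommended — check rather than assume.
grep -n '^SecAuditLog ' /etc/nginx/conf/modsecurity.conf
# Audit records contain full request headers and bodies (cookies, tokens,
# form data): treat the file as sensitive — restrict read access to root and
# set up rotation so it does not fill the disk.
cat /var/log/modsec_audit.log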