Installing the ModSecurity module for Nginx on CentOS 7

I previously wrote about how to compile Nginx + ModSecurity yourself

This time I came across a post on the official website

that doesn't require recompiling nginx

you only need to compile ModSecurity as a dynamic module

For people who install nginx with yum, this is really the best approach

But during the installation

I found that the nginx version provided by the official CentOS yum repo is too old

and doesn't support the `--with-compat` option (the minimum requirement is 1.11.5)

so you have to install nginx from the official nginx repo

to get the latest stable version

Installing the official nginx

First create a file named nginx.repo in /etc/yum.repos.d

and add the following content

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1

That way, `yum install nginx` will give you the latest stable version

Installing dependencies

yum install -y epel-release
yum groupinstall -y 'Development Tools'

yum install -y git lmdb lmdb-devel libxml2 libxml2-devel pcre pcre-devel curl libcurl-devel GeoIP GeoIP-devel yajl yajl-devel

Compiling the ModSecurity library

First clone it

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

Install

cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
make install

While running build.sh you'll see a message that looks like an error

fatal: No names found, cannot describe anything.

You can ignore it

Download nginx and the ModSecurity-nginx connector

git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

Before downloading the nginx source, check which nginx version you have installed

nginx -v

You can see

the current stable version is 1.12.1

so download the 1.12.1 source

wget https://nginx.org/download/nginx-1.12.1.tar.gz
tar zxvf nginx-1.12.1.tar.gz
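The module only loads if it was built against the same nginx version that is installed, and `--with-compat` only exists from 1.11.5 onwards, so it is worth scripting the check above instead of reading `nginx -v` by eye. The following is an added example, not code from the original post: it parses the `nginx -v` banner, rejects versions older than 1.11.5, and prints the matching source tarball URL (the function names and the `MIN_COMPAT_VERSION` constant are my own; the download URL pattern is the one used in the post).

```shell
#!/bin/sh
# Added example (not from the original post): derive the installed nginx
# version, confirm it is new enough for --with-compat, and build the URL of
# the matching source tarball so the module is compiled against the same
# version that will load it.

MIN_COMPAT_VERSION=1.11.5   # first nginx release with --with-compat

# Extract "1.12.1" from a banner such as "nginx version: nginx/1.12.1".
# Note: "nginx -v" prints its banner on stderr, so callers redirect 2>&1.
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*$#\1#p'
}

# Return 0 when dotted version $1 >= dotted version $2 (numeric fields only).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0 }'
}

# Source tarball URL for version $1, following the nginx.org download layout.
nginx_source_url() {
    printf 'https://nginx.org/download/nginx-%s.tar.gz\n' "$1"
}

# End-to-end check on a real host: prints the URL to fetch, or fails with a
# message on stderr when nginx is missing, unparsable, or too old.
check_installed_nginx() {
    banner=$(nginx -v 2>&1) || { echo "nginx is not installed or not in PATH" >&2; return 1; }
    v=$(nginx_version_from_banner "$banner")
    [ -n "$v" ] || { echo "could not parse a version from: $banner" >&2; return 1; }
    if ! version_ge "$v" "$MIN_COMPAT_VERSION"; then
        echo "nginx $v is older than $MIN_COMPAT_VERSION; --with-compat is unsupported" >&2
        return 1
    fi
    nginx_source_url "$v"
}

# Run the live check only when explicitly asked, so the functions can also be
# sourced from another script:  NGINX_CHECK=1 sh ./check-nginx.sh
if [ "${NGINX_CHECK:-0}" = 1 ]; then
    check_installed_nginx
fi
```

Pipe the printed URL into `wget` to fetch exactly the tarball that matches the installed binary; if the check fails, upgrade nginx from the official repo first rather than building against a newer source than the one that will load the module.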

Enter the source directory and compile the ModSecurity module

cd nginx-1.12.1
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
make modules
cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules

Configuring ModSecurity

Add a load_module directive to /etc/nginx/nginx.conf

load_module modules/ngx_http_modsecurity_module.so;

From here on it differs from the official tutorial

I followed the post I wrote earlier

and added all the OWASP Top 10 rules

Basic ModSecurity settings

cp ModSecurity/modsecurity.conf-recommended /etc/nginx/modsecurity.conf

# Note: -i takes an optional backup suffix, so "-ie" would leave behind a file named modsecurity.confe; use plain -i.
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g' /etc/nginx/modsecurity.conf
sed -i 's/SecPcreMatchLimit .*$/SecPcreMatchLimit 150000/g' /etc/nginx/modsecurity.conf
sed -i 's/SecPcreMatchLimitRecursion .*$/SecPcreMatchLimitRecursion 150000/g' /etc/nginx/modsecurity.conf
sed -i 's/SecAuditLogType Serial/SecAuditLogType Concurrent/g' /etc/nginx/modsecurity.conf
sed -i "/^SecAuditLogType Concurrent$/aSecAuditLogStorageDir \/var\/log\/nginx" /etc/nginx/modsecurity.conf

OWASP TOP 10

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
mv owasp-modsecurity-crs /etc/nginx
cd /etc/nginx/owasp-modsecurity-crs
cp crs-setup.conf.example crs-setup.conf
sed -i 's/SecDefaultAction "phase:1,log,auditlog,pass"/#SecDefaultAction "phase:1,log,auditlog,pass"/g' crs-setup.conf
sed -i 's/SecDefaultAction "phase:2,log,auditlog,pass"/#SecDefaultAction "phase:2,log,auditlog,pass"/g' crs-setup.conf
sed -i 's/#.*SecDefaultAction "phase:1,log,auditlog,deny,status:403"/SecDefaultAction "phase:1,log,auditlog,deny,status:403"/g' crs-setup.conf
sed -i 's/# SecDefaultAction "phase:2,log,auditlog,deny,status:403"/SecDefaultAction "phase:2,log,auditlog,deny,status:403"/g' crs-setup.conf
cat <<EOT >> /etc/nginx/modsecurity.conf
Include owasp-modsecurity-crs/crs-setup.conf
Include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
Include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
Include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
Include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
EOT

Enabling ModSecurity

Inside the server block where you want ModSecurity active

add the following settings

server {
    ....
    ....
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsecurity.conf;
}

Finally, remember to change the owner of the /var/log/nginx directory to nginx

otherwise ModSecurity won't be able to write its audit log there when something happens
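Several of the steps above fail silently if one of them is skipped: an engine still in DetectionOnly logs but never blocks, a Concurrent audit log with no storage directory or a directory nginx cannot write to drops the evidence you would want during an incident, and an `Include` whose target does not exist only shows up when nginx refuses to reload. The following added example, not code from the original post, checks those points in one pass before `nginx -t` and `systemctl reload nginx`. Paths and the `nginx` owner are the ones the post uses; the function names and the check logic are mine.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the ModSecurity
# configuration assembled above before reloading nginx. Verifies that the rule
# engine is On (not DetectionOnly), that a Concurrent audit log has an existing
# storage directory owned by the expected user, and that every Include target
# exists relative to the nginx config directory.

# Print the value of directive $2 in config $1 (comment lines are skipped
# because their first token starts with '#'; the last occurrence wins).
conf_value() {
    awk -v d="$2" '$1 == d { v = $2 } END { if (v != "") print v }' "$1"
}

# List the Include targets in config $1.
conf_includes() {
    awk '$1 == "Include" { print $2 }' "$1"
}

# Owner user name of directory $1, via ls -ld so it works on any POSIX system.
dir_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_modsecurity_conf CONF BASEDIR OWNER
#   CONF    - path to modsecurity.conf
#   BASEDIR - directory relative Include paths resolve against (/etc/nginx)
#   OWNER   - user that must own the audit log directory (nginx)
# Returns 0 when every check passes, 1 otherwise; problems go to stderr.
check_modsecurity_conf() {
    conf=$1; base=$2; owner=$3; rc=0

    engine=$(conf_value "$conf" SecRuleEngine)
    if [ "$engine" != "On" ]; then
        echo "SecRuleEngine is '${engine:-unset}', expected On" >&2; rc=1
    fi

    if [ "$(conf_value "$conf" SecAuditLogType)" = "Concurrent" ]; then
        logdir=$(conf_value "$conf" SecAuditLogStorageDir)
        if [ -z "$logdir" ]; then
            echo "SecAuditLogType is Concurrent but SecAuditLogStorageDir is unset" >&2; rc=1
        elif [ ! -d "$logdir" ]; then
            echo "audit log directory $logdir does not exist" >&2; rc=1
        elif [ "$(dir_owner "$logdir")" != "$owner" ]; then
            echo "audit log directory $logdir is owned by $(dir_owner "$logdir"), expected $owner" >&2; rc=1
        fi
    fi

    for inc in $(conf_includes "$conf"); do
        case $inc in
            /*) path=$inc ;;
            *)  path=$base/$inc ;;
        esac
        if [ ! -f "$path" ]; then
            echo "Include target missing: $path" >&2; rc=1
        fi
    done
    return $rc
}

# On a real host, with the paths used in the post:
#   check_modsecurity_conf /etc/nginx/modsecurity.conf /etc/nginx nginx && nginx -t
```

Run it after every change to modsecurity.conf or crs-setup.conf; a non-zero exit is a reason not to reload nginx yet. The owner check is the one that matters most in practice, since a wrong owner does not stop nginx from starting, it only stops the audit log from being written.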
