How to install Nginx with ModSecurity on CentOS 7, Debian 8 and Ubuntu 16.04

13 minute read

ModSecurity is an open-source web application firewall (WAF) module that is well suited to protecting web servers such as Apache, Nginx and IIS against potential vulnerabilities.

In this article we will install and configure Nginx with ModSecurity on CentOS 7, Debian 8 and Ubuntu 16.04.

Prerequisites

  • A freshly installed CentOS 7, Debian 8 or Ubuntu 16.04 64-bit system.
  • You are logged in as root.

Step 1: Update the system

Update your server and its packages to the latest available versions before continuing.

Step 2: Install dependencies

Several packages must be installed before Nginx and ModSecurity can be compiled successfully.

a) On CentOS 7:


yum groupinstall -y "Development Tools"
yum install -y httpd httpd-devel pcre pcre-devel libxml2 libxml2-devel curl curl-devel openssl openssl-devel
shutdown -r now

b) On Debian 8 or Ubuntu 16.04:


apt-get install -y git build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-dev libxml2-dev libcurl4-openssl-dev automake pkgconf

Step 3: Compile ModSecurity

Because several stability problems have been reported on the master branch of ModSecurity for Nginx, the latest version of the nginx_refactoring branch is currently the officially recommended one.

Download the nginx_refactoring branch of ModSecurity for Nginx:


cd /usr/src
git clone -b nginx_refactoring https://github.com/SpiderLabs/ModSecurity.git

Compile ModSecurity:

a) On CentOS 7


cd ModSecurity
sed -i '/AC_PROG_CC/aAM_PROG_CC_C_O' configure.ac
sed -i '1 iAUTOMAKE_OPTIONS = subdir-objects' Makefile.am
./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

Note: the two sed commands above suppress warning messages when a newer automake version is used.

b) On Debian 8 or Ubuntu 16.04


cd ModSecurity
./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

Step 4: Compile Nginx


cd /usr/src
wget https://nginx.org/download/nginx-1.10.3.tar.gz
tar -zxvf nginx-1.10.3.tar.gz && rm -f nginx-1.10.3.tar.gz

a) On CentOS 7

First, create a dedicated user nginx and a dedicated group nginx for Nginx:


groupadd -r nginx
useradd -r -g nginx -s /sbin/nologin -M nginx

Then compile Nginx with the ModSecurity and SSL modules enabled:


cd nginx-1.10.3/
./configure --user=nginx --group=nginx --add-module=/usr/src/ModSecurity/nginx/modsecurity --with-http_ssl_module
make
make install

Change the default user of Nginx:


sed -i "s/#user nobody;/user nginx nginx;/" /usr/local/nginx/conf/nginx.conf

b) On Debian 8 or Ubuntu 16.04

First, note that you should use the existing user www-data and the existing group www-data.

Then compile Nginx with the ModSecurity and SSL modules enabled:


cd nginx-1.10.3/
./configure --user=www-data --group=www-data --add-module=/usr/src/ModSecurity/nginx/modsecurity --with-http_ssl_module
make
make install

Change the default user of Nginx:


sed -i "s/#user nobody;/user www-data www-data;/" /usr/local/nginx/conf/nginx.conf

After Nginx has been installed successfully, the relevant files are located as follows:


nginx path prefix: "/usr/local/nginx"
nginx binary file: "/usr/local/nginx/sbin/nginx"
nginx modules path: "/usr/local/nginx/modules"
nginx configuration prefix: "/usr/local/nginx/conf"
nginx configuration file: "/usr/local/nginx/conf/nginx.conf"
nginx pid file: "/usr/local/nginx/logs/nginx.pid"
nginx error log file: "/usr/local/nginx/logs/error.log"
nginx http access log file: "/usr/local/nginx/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"

You can test the installation with:


/usr/local/nginx/sbin/nginx -t

If there are no errors, the output should be:


nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

For convenience, you can set up a systemd unit file for Nginx:


cat <<EOF>> /lib/systemd/system/nginx.service
[Service]
Type=forking
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop

KillMode=process
Restart=on-failure
RestartSec=42s

PrivateTmp=true
LimitNOFILE=200000

[Install]
WantedBy=multi-user.target
EOF

You can start, stop and restart Nginx as follows:


systemctl start nginx.service
systemctl stop nginx.service
systemctl restart nginx.service

Step 5: Configure ModSecurity and Nginx

5.1 Configure Nginx:


vi /usr/local/nginx/conf/nginx.conf

Inside the http {} section, find the following block:


location / {
 root html;
 index index.html index.htm;
}

Insert the following lines into the location / {} block:


ModSecurityEnabled on;
ModSecurityConfig modsec_includes.conf;
#proxy_pass http://localhost:8011;
#proxy_read_timeout 180s;

The final result should be:


location / {
 ModSecurityEnabled on;
 ModSecurityConfig modsec_includes.conf;
 #proxy_pass http://localhost:8011;
 #proxy_read_timeout 180s;
 root html;
 index index.html index.htm;
}

Save and exit:


:wq!

Note: the Nginx configuration above is an example that uses Nginx as a web server only, not as a reverse proxy. If you use Nginx as a reverse proxy, remove the # characters from the proxy_pass and proxy_read_timeout lines and adjust them accordingly.

5.2 Create a file named /usr/local/nginx/conf/modsec_includes.conf:


cat <<EOF>> /usr/local/nginx/conf/modsec_includes.conf
include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/*.conf
EOF

Note: the configuration above applies all OWASP ModSecurity Core Rules in the owasp-modsecurity-crs/rules/ directory. If you only want to apply selected rules, remove the line include owasp-modsecurity-crs/rules/*.conf and instead list the exact rule files you need once the CRS has been cloned in the final sub-step of this step.

5.3 Import the ModSecurity configuration files:


cp /usr/src/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
cp /usr/src/ModSecurity/unicode.mapping /usr/local/nginx/conf/

5.4 Modify the /usr/local/nginx/conf/modsecurity.conf file:


sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /usr/local/nginx/conf/modsecurity.conf

5.5 Add the OWASP ModSecurity Core Rule Set (CRS) files:


cd /usr/local/nginx/conf
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs
mv crs-setup.conf.example crs-setup.conf
cd rules
mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

Step 6: Test ModSecurity

Start Nginx:


systemctl start nginx.service

Open port 80 to allow external access:

a) On CentOS 7:


firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --reload

b) On Debian 8:


iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
touch /etc/iptables
iptables-save > /etc/iptables

c) On Ubuntu 16.04:


ufw allow OpenSSH
ufw allow 80
ufw default deny
ufw enable 

Point your web browser to:


http://203.0.113.1/?param="><script>alert(1);</script>

Use grep to fetch the error messages as follows:


grep error /usr/local/nginx/logs/error.log

The output should include several error messages similar to the following:


2017/02/15 14:07:54 [error] 10776#0: [client 104.20.23.240] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: found within ARGS:param: \x22><script>alert(1);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname ""] [uri "/index.html"] [unique_id "ATAcAcAkucAchGAcPLAcAcAY"]

That is it. As you can see, the ModSecurity module logged this attack according to its default action policy. If you want to customize the setup further, review and edit the files /usr/local/nginx/conf/modsecurity.conf and /usr/local/nginx/conf/owasp-modsecurity-crs/crs-setup.conf.
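Two checks a practitioner usually wants after finishing this guide are (1) confirming that the sed edit really left SecRuleEngine set to On rather than DetectionOnly, and (2) turning the raw grep of error.log into a per-rule summary so that noisy CRS rules can be spotted before exclusions are written. The script below is an added example and is not part of the original guide or of the ModSecurity project; the file paths in the comments are the ones used above, while the modsecurity.conf and the error-log lines it reads are constructed samples written to a temporary directory (rule 941110 and the client addresses in them are sample values) so it runs without a real Nginx build.

```shell
#!/bin/sh
# Added example, not part of the original guide: post-install checks for an
# Nginx + ModSecurity build laid out as in this guide.
#   engine_mode  - report the active SecRuleEngine value of a modsecurity.conf
#   rule_hits    - count ModSecurity events for one rule id in an error log
#   rule_summary - count ModSecurity events per rule id, most frequent first
# The configuration and log lines below are constructed samples.
set -e

# Print the last uncommented SecRuleEngine value (On, DetectionOnly or Off).
# Prints "unset" when the directive is missing, which ModSecurity treats as Off.
engine_mode() {
    mode=$(grep -E '^[[:space:]]*SecRuleEngine[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}')
    printf '%s\n' "${mode:-unset}"
}

# Count events matching one rule id, e.g.: rule_hits error.log 941100
rule_hits() {
    grep -c "ModSecurity: .*\[id *\"$2\"\]" "$1" || true
}

# Print "<count> <id> <msg>" lines, most frequent rule first. The sed pattern
# relies on [id "..."] preceding [msg "..."] in each line, as in the log above.
rule_summary() {
    grep 'ModSecurity:' "$1" \
        | sed -n 's/.*\[id *"\([0-9][0-9]*\)"\].*\[msg *"\([^"]*\)"\].*/\1 \2/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ $1 = $1; print }'
}

SAMPLE_DIR=$(mktemp -d)

# Constructed modsecurity.conf: a commented-out DetectionOnly line followed by
# the value this guide sets with sed.
cat > "$SAMPLE_DIR/modsecurity.conf" <<'EOF'
# SecRuleEngine DetectionOnly
SecRuleEngine On
SecRequestBodyAccess On
EOF

# Constructed Nginx error log: three ModSecurity events in the format shown in
# the test step, plus one unrelated notice that must be ignored.
cat > "$SAMPLE_DIR/error.log" <<'EOF'
2017/02/15 14:07:54 [error] 10776#0: [client 198.51.100.7] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname ""] [uri "/index.html"] [unique_id "sample1"]
2017/02/15 14:08:10 [error] 10776#0: [client 198.51.100.7] ModSecurity: Warning. Pattern match (sample). [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "70"] [id "941110"] [rev "2"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname ""] [uri "/index.html"] [unique_id "sample2"]
2017/02/15 14:09:01 [error] 10776#0: [client 198.51.100.9] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname ""] [uri "/search"] [unique_id "sample3"]
2017/02/15 14:09:30 [notice] 10776#0: signal process started
EOF

# On a real installation from this guide the calls would be:
#   engine_mode  /usr/local/nginx/conf/modsecurity.conf
#   rule_summary /usr/local/nginx/logs/error.log
echo "SecRuleEngine: $(engine_mode "$SAMPLE_DIR/modsecurity.conf")"
echo "Hits for rule 941100: $(rule_hits "$SAMPLE_DIR/error.log" 941100)"
rule_summary "$SAMPLE_DIR/error.log"
```

engine_mode deliberately takes the last uncommented directive, because ModSecurity honours the last occurrence when a directive is repeated, so a stray SecRuleEngine DetectionOnly appended later in the file would silently win over the one edited by sed. rule_summary groups by rule id rather than by client, which is the view needed when deciding which CRS rules to tune in the exclusion files renamed in the CRS sub-step.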
