Installing Nginx + ModSecurity (3.0.x) on CentOS and Saving the Logs
Part 1: Installing Nginx + ModSecurity (3.0.x) on CentOS and configuring WAF rules
This part covers installing ModSecurity v3.0.x in a CentOS + Nginx environment, configuring the WAF rule files, and verifying that the protection works; Nginx itself is therefore built with only a minimal configuration.
Server operating system: CentOS-7-x86_64-DVD-1810.iso
1. Install the build dependencies
yum install -y git wget epel-release
yum install -y gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel lmdb-devel libxml2-devel ssdeep-devel lua-devel libtool autoconf automake
2. Install ModSecurity
cd /usr/local
git clone github/SpiderLabs/ModSecurity
cd ModSecurity
git checkout -b v3/master origin/v3/master
git submodule init
git submodule update
sh build.sh
./configure
make && make install
3. Install Nginx and the ModSecurity-nginx connector
cd /usr/local
git clone github/SpiderLabs/ModSecurity-nginx
wget /download/nginx-1.16.
tar -xvzf nginx-1.16.
cd /usr/local/nginx-1.16.1
./configure --add-module=/usr/local/ModSecurity-nginx
make
make install
4. Test the result
Start nginx:
/usr/local/nginx/sbin/nginx
Simulate an attack to see how the site responds before ModSecurity is enabled, by requesting the URL: <server IP>/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E
[Screenshot in the original: the response before ModSecurity is enabled]
5. Configure the WAF rules
Create a folder to hold the configuration files:
mkdir /usr/local/nginx/conf/modsecurity
Copy /usr/local/f-recommended to /usr/local/nginx/conf/modsecurity and rename it to f;
Copy /usr/local/ModSecurity/unicode.mapping to /usr/local/nginx/conf/modsecurity;
Download and extract the package, then copy ample to /usr/local/nginx/conf/modsecurity/ and rename it to f;
Copy the rules folder to /usr/local/nginx/conf/modsecurity/ and rename the two files ample and ample by dropping the ".example" suffix; rules you write yourself go in these two files;
Edit f
Add the following inside the http or server block (in http it applies globally; in server it applies only to that site):
modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/f;
Edit f
Change SecRuleEngine DetectionOnly to SecRuleEngine On:
SecRuleEngine DetectionOnly # detects every attack and records it as an error, but blocks nothing on the server
SecRuleEngine On # activates the ModSecurity firewall: it detects and blocks malicious attacks against this server
Also add the following:
Include /usr/local/nginx/conf/f
Include /usr/local/nginx/conf/modsecurity/rules/*.conf
6. Reload Nginx and test again
/usr/local/nginx/sbin/nginx -s reload
7. Additional notes
To make ModSecurity v3.0.3 save the request body in the audit log, SecAuditLogParts must include part C rather than IJ; otherwise the request body is not recorded.
Part 2: Saving ModSecurity logs to a MySQL database (via Logstash)
Required software:
JDK
Logstash
JDBC driver
1. Upload the software
Download the JDK and Logstash archives listed above, upload them to /usr/local on the server and extract them; upload the JDBC driver into the extracted Logstash directory.
cd /usr/local
tar -zxvf
tar -zxvf logstash-5.6.
2. Configure the JDK
If another JDK version is already installed on the server and must not be changed, give Logstash its own JDK by adding the following line at the top of the files bin/logstash and bin/logstash.lib.sh in the Logstash directory:
export JAVA_HOME=/usr/local/jdk1.8.0_241
3. Test Logstash
First check that Logstash works at all: run the following command in the console and wait for Logstash to start:
/usr/local/logstash-5.6.16/bin/logstash -e 'input { stdin { } } output { stdout {} }'
[Screenshot in the original: console output of a successful start]
Then type a string such as "Test" and press Enter; if Logstash echoes it back as an event, it is working correctly.
When finished, stop the process with Ctrl+C.
4. Install logstash-output-jdbc
Because the logs are to be written to a database, the logstash-output-jdbc plugin is required. It is developed by a third party and has not been tested on Logstash 6.3 or later.
/usr/local/logstash-5.6.16/bin/logstash-plugin install logstash-output-jdbc
The plugin is fetched from a server abroad, so online installation is slow; if it does not work, download the offline package and upload it to the Logstash directory. I generated this package from a successful online install of logstash-output-jdbc on Logstash 5.6.16, so it may not suit other Logstash versions. Run the following to install it offline:
/usr/local/logstash-5.6.16/bin/logstash-plugin install file:///usr/local/logstash-5.6.16/logstash-output-jdbc.zip
5. Create the log sync configuration file
In the Logstash directory create the file f and paste the following into it. Save it as UTF-8 (or delete the comments, which in the original are in Chinese); otherwise Logstash reports an error on startup:
input {
  file {
    # Location of the ModSecurity audit logs; adjust to your setup
    path => ["/var/log/modsecurity/*/*/*"]
    start_position => "beginning"
  }
}
filter {
  json {
    source => "message"
    remove_field => ["message"]
  }
  # Everything from here to the end of the filter block converts the timestamp
  # written by ModSecurity into a datetime value the database can store
  mutate {
    split => ["[transaction][time_stamp]", " "]
    add_field => {"date" => "yyyy-MM-dd HH:mm:ss"}
    add_field => {"month" => "%{[transaction][time_stamp][1]}"}
    add_field => {"day" => "%{[transaction][time_stamp][2]}"}
    add_field => {"time" => "%{[transaction][time_stamp][3]}"}
    add_field => {"year" => "%{[transaction][time_stamp][4]}"}
  }
  if [month] == "Jan" {
    mutate {
      gsub => ["month", "Jan", '01']
    }
  } else if [month] == "Feb" {
    mutate {
      gsub => ["month", "Feb", '02']
    }
  } else if [month] == "Mar" {
    mutate {
      gsub => ["month", "Mar", '03']
    }
  } else if [month] == "Apr" {
    mutate {
      gsub => ["month", "Apr", '04']
    }
  } else if [month] == "May" {
    mutate {
      gsub => ["month", "May", '05']
    }
  } else if [month] == "Jun" {
    mutate {
      gsub => ["month", "Jun", '06']
    }
  } else if [month] == "Jul" {
    mutate {
      gsub => ["month", "Jul", '07']
    }
  } else if [month] == "Aug" {
    mutate {
      gsub => ["month", "Aug", '08']
    }
  } else if [month] == "Sep" {
    mutate {
      gsub => ["month", "Sep", '09']
    }
  } else if [month] == "Oct" {
    mutate {
      gsub => ["month", "Oct", '10']
    }
  } else if [month] == "Nov" {
    mutate {
      gsub => ["month", "Nov", '11']
    }
  } else if [month] == "Dec" {
    mutate {
      gsub => ["month", "Dec", '12']
    }
  }
  mutate {
    gsub => ["date", "yyyy", '%{[year]}']
    gsub => ["date", "MM", '%{[month]}']
    gsub => ["date", "dd", '%{[day]}']
    gsub => ["date", "HH:mm:ss", '%{[time]}']
  }
}
output {
  # Prints the final event as JSON to the console so it can be inspected while
  # debugging; remove this block once the pipeline has been verified
  stdout {
    codec => json {
      charset => "UTF-8"
    }
  }
  jdbc {
    driver_jar_path => "/usr/local/logstash-5.6.16/mysql-connector-java-5.1.48.jar"
    # Driver class shipped in mysql-connector-java 5.1.x
    driver_class => "com.mysql.jdbc.Driver"
    connection_string => "jdbc:mysql://<server IP>:<db port>/modsecurity?user=<db user>&password=<db password>"
    statement => [
      "insert into data (client_ip, time_stamp, date, server_id, client_port, host_ip, host_port, uri, unique_id, request, response, producer, messages) values (?,?,?,?,?,?,?,?,?,?,?,?,?)",
      "[transaction][client_ip]", "[transaction][time_stamp]", "[date]", "[transaction][server_id]",
      "[transaction][client_port]", "[transaction][host_ip]", "[transaction][host_port]",
      "[transaction][request][uri]", "[transaction][unique_id]", "[transaction][request]",
      "[transaction][response]", "[transaction][producer]", "[transaction][messages]"
    ]
  }
}
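As an added example (not part of the original post), the following Python script does offline what the filter and jdbc output above do: it parses one ModSecurity v3 JSON audit record, converts the ctime-style time_stamp into a MySQL DATETIME string, and assembles the 13 values in the order of the INSERT statement. The sample record is constructed; the column names come from the statement above, and serialising the nested request/response/producer/messages objects to JSON text is an assumption about the table's column types.

```python
import json
from datetime import datetime

# Constructed sample: one ModSecurity v3 JSON audit-log record, trimmed to the
# fields the pipeline above stores. Real records also carry headers and bodies.
SAMPLE_LINE = json.dumps({"transaction": {
    "client_ip": "203.0.113.7", "time_stamp": "Tue Jan 14 10:22:33 2020",
    "server_id": "0123abcd", "client_port": 51234,
    "host_ip": "10.0.0.5", "host_port": 80, "unique_id": "157900000012.345678",
    "request": {"method": "GET", "uri": "/?param=%22%3E%3Cscript%3E", "headers": {}},
    "response": {"http_code": 403, "headers": {}},
    "producer": {"modsecurity": "ModSecurity v3.0.3 (Linux)"},
    "messages": [{"message": "XSS Attack Detected"}]}})

# Column order of the INSERT statement in the jdbc output above.
COLUMNS = ["client_ip", "time_stamp", "date", "server_id", "client_port",
           "host_ip", "host_port", "uri", "unique_id", "request", "response",
           "producer", "messages"]


def audit_time_to_datetime(ts: str) -> str:
    """Turn ModSecurity's ctime-style stamp ('Tue Jan 14 10:22:33 2020') into
    MySQL DATETIME text: what the mutate/gsub month chain above does by hand.
    strptime also accepts the space-padded day that ctime emits for days 1-9."""
    return datetime.strptime(ts, "%a %b %d %H:%M:%S %Y").strftime("%Y-%m-%d %H:%M:%S")


def audit_record_to_row(line: str) -> dict:
    """Flatten one audit-log line into the values the table expects. Nested
    objects are serialised to JSON text (assumed to land in text columns)."""
    t = json.loads(line)["transaction"]
    return {
        "client_ip": t["client_ip"],
        "time_stamp": t["time_stamp"],
        "date": audit_time_to_datetime(t["time_stamp"]),
        "server_id": t["server_id"],
        "client_port": t["client_port"],
        "host_ip": t["host_ip"],
        "host_port": t["host_port"],
        "uri": t["request"]["uri"],
        "unique_id": t["unique_id"],
        "request": json.dumps(t["request"]),
        "response": json.dumps(t["response"]),
        "producer": json.dumps(t["producer"]),
        "messages": json.dumps(t["messages"]),
    }


def insert_params(line: str) -> tuple:
    """Parameter tuple in COLUMNS order, one value per '?' placeholder."""
    row = audit_record_to_row(line)
    return tuple(row[c] for c in COLUMNS)
```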
6. Create the database
Create a database named modsecurity and run the following SQL to create the data table: