Configuring ModSecurity with the Nginx web server


How do we configure ModSecurity with the Nginx web server?


ModSecurity is a Web Application Firewall (WAF) that can protect web services (and therefore every website on that host) from malicious people or bots on the network.

A list of some of the most common web attacks that ModSecurity, configured together with the OWASP Core Rule Set, can protect us from:

  1. SQL Injection (SQLi)
  2. Cross Site Scripting (XSS)
  3. Local File Inclusion (LFI)
  4. Remote File Inclusion (RFI)
  5. Remote Code Execution (RCE)
  6. PHP Code Injection
  7. HTTP Protocol Violations
  8. HTTPoxy
  9. Shellshock
  10. Session Fixation
  11. Scanner Detection

In this article we will look at how to compile and install ModSecurity to work with one of the most widely used web servers in the world, Nginx.

The server operating system we are using is CentOS 8.1.


First, let's install the basic dependencies from the package manager.

dnf -y install wget tar
dnf -y install gcc pcre pcre-devel openssl openssl-devel libicu libicu-devel bzip2-devel bzip2-libs cyrus-sasl-devel
dnf -y groupinstall "Development Tools"

Download, compile and install LibModSecurity.

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
make install

Compiling and installing ModSecurity to work with Nginx.

First, we need to download the ModSecurity nginx-connector module.

git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

Download and compile Nginx with the ModSecurity module.

The user that Nginx will run as must be created beforehand.

wget https://nginx.org/download/nginx-1.17.8.tar.gz
tar -xf nginx-1.17.8.tar.gz
cd nginx-1.17.8

./configure \
--user=nginx \
--group=nginx \
--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-pcre \
--with-file-aio \
--with-http_realip_module \
--with-compat \
--add-dynamic-module=../ModSecurity-nginx/

make
make install

Then we need to load the ModSecurity module in /etc/nginx/nginx.conf (at the very top of the file).

load_module modules/ngx_http_modsecurity_module.so;

Configure and install the OWASP Core Rule Set (CRS), version 3.0.2, the current one at the time of writing.

mkdir -p /etc/nginx/modsec/
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.2.tar.gz

wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
tar -xzvf v3.0.2.tar.gz
mv owasp-modsecurity-crs-3.0.2 /usr/local
cd /usr/local/owasp-modsecurity-crs-3.0.2
cp crs-setup.conf.example crs-setup.conf
cp rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
cp /usr/src/ModSecurity/unicode.mapping /etc/nginx/modsec/

Load all the CRS rules.

vim /etc/nginx/modsec/main.conf

# Include the recommended configuration
Include /etc/nginx/modsec/modsecurity.conf
# OWASP CRS v3 rules
Include /usr/local/owasp-modsecurity-crs-3.0.2/crs-setup.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-901-INITIALIZATION.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
#Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-910-IP-REPUTATION.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-912-DOS-PROTECTION.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-913-SCANNER-DETECTION.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-980-CORRELATION.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
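Before handing this main.conf to nginx it is worth checking two things that the steps above rely on: every active Include must resolve to a file that actually exists (a single missing rule file makes `nginx -t` fail), and SecRuleEngine must really be On after the sed edit, because DetectionOnly only logs hits and blocks nothing. The script below is an added example, not part of the original article or of the ModSecurity project; it runs against a constructed temporary directory that mirrors the article's layout, and all function names are ours.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check a ModSecurity
# main.conf before pointing nginx at it.

# Print every active "Include" target in a config file, one path per line.
# Lines commented out with "#" (like the IP-reputation rule file in the
# article) are skipped, and surrounding whitespace is dropped.
modsec_list_includes() {
    sed -n 's/^[[:space:]]*Include[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1"
}

# Report every Include target that does not exist as a regular file.
# Returns 0 when all targets exist, 1 otherwise. CRS rule files do not
# Include further files themselves, so one level is enough here.
modsec_check_includes() {
    modsec_list_includes "$1" | {
        missing=0
        while IFS= read -r target; do
            if [ ! -f "$target" ]; then
                printf 'MISSING: %s (included from %s)\n' "$target" "$1" >&2
                missing=$((missing + 1))
            fi
        done
        [ "$missing" -eq 0 ]
    }
}

# Print the effective SecRuleEngine mode (On, Off or DetectionOnly).
# The last directive in the file wins, as it does in ModSecurity itself.
modsec_engine_mode() {
    sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Self-contained demo on a constructed directory tree that mirrors the
# article's layout; one rule file is deliberately left out so the check fails.
modsec_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/rules"
    printf 'SecRuleEngine DetectionOnly\nSecRuleEngine On\n' > "$tmp/modsecurity.conf"
    : > "$tmp/rules/REQUEST-901-INITIALIZATION.conf"
    cat > "$tmp/main.conf" <<EOF
# constructed sample main.conf
Include $tmp/modsecurity.conf
Include $tmp/rules/REQUEST-901-INITIALIZATION.conf
#Include $tmp/rules/REQUEST-910-IP-REPUTATION.conf
Include $tmp/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
EOF
    modsec_check_includes "$tmp/main.conf"
    rc=$?
    echo "engine mode: $(modsec_engine_mode "$tmp/modsecurity.conf")"
    rm -rf "$tmp"
    return $rc
}

if modsec_demo; then
    echo "main.conf OK"
else
    echo "main.conf has problems, see MISSING lines above"
fi
```

On a real host, call `modsec_check_includes /etc/nginx/modsec/main.conf` and `modsec_engine_mode /etc/nginx/modsec/modsecurity.conf` before `nginx -t`; the first failure you will see most often is a rule file copied to the wrong directory.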

Configure Nginx to use the module.

vim /etc/nginx/nginx.conf

In the server { } block we add:

modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;

Finally, let's create a systemd service file for Nginx.

vim /etc/systemd/system/nginx.service

[Unit]
Description=The nginx server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/bin/rm -f /run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=mixed
PrivateTmp=true

[Install]
WantedBy=multi-user.target

systemctl daemon-reload
systemctl start nginx
systemctl enable nginx
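Once the service is up with SecRuleEngine On, the WAF's decisions appear in the nginx error log set at build time (`--error-log-path=/var/log/nginx/error.log` above). Two views of that log are useful from day one: which clients are being denied, and which individual CRS rules are raising the anomaly score, since those are the rule ids you end up tuning in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf when a legitimate application feature trips them. The helpers below are an added example, not code from the article or the ModSecurity project; they run over a constructed sample log written in the shape of ModSecurity v3 entries in the nginx error log (not captured from a real server), and the function names are ours.

```shell
#!/bin/sh
# Added example (not from the original article): summarise ModSecurity v3
# decisions recorded in the nginx error log.

# Write a constructed sample log (in the shape of ModSecurity v3 entries in
# the nginx error log, not captured from a real server) and print its path.
modsec_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2020/03/10 12:00:01 [error] 1234#1234: *5 [client 10.0.0.1] ModSecurity: Warning. Matched "Operator `DetectSQLi' against variable `ARGS:id'" [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [ver "OWASP_CRS/3.0.2"] [hostname "127.0.0.1"] [uri "/index.php"] [unique_id "158381040101.000001"], client: 10.0.0.1, server: , request: "GET /index.php HTTP/1.1", host: "example.test"
2020/03/10 12:00:01 [error] 1234#1234: *5 [client 10.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )" [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [ver "OWASP_CRS/3.0.2"] [hostname "127.0.0.1"] [uri "/index.php"] [unique_id "158381040101.000001"], client: 10.0.0.1, server: , request: "GET /index.php HTTP/1.1", host: "example.test"
2020/03/10 12:00:02 [notice] 1234#1234: signal process started
2020/03/10 12:00:03 [error] 1234#1234: *6 [client 10.0.0.2] ModSecurity: Warning. Matched "Operator `Rx' against variable `REQUEST_HEADERS:Host'" [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "728"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [ver "OWASP_CRS/3.0.2"] [hostname "127.0.0.1"] [uri "/"] [unique_id "158381040301.000002"], client: 10.0.0.2, server: , request: "GET / HTTP/1.1", host: "203.0.113.10"
2020/03/10 12:00:03 [error] 1234#1234: *6 [client 10.0.0.2] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )" [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [ver "OWASP_CRS/3.0.2"] [hostname "127.0.0.1"] [uri "/"] [unique_id "158381040301.000002"], client: 10.0.0.2, server: , request: "GET / HTTP/1.1", host: "203.0.113.10"
2020/03/10 12:00:04 [error] 1234#1234: *7 [client 10.0.0.1] ModSecurity: Warning. Matched "Operator `DetectSQLi' against variable `ARGS:id'" [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [ver "OWASP_CRS/3.0.2"] [hostname "127.0.0.1"] [uri "/index.php"] [unique_id "158381040401.000003"], client: 10.0.0.1, server: , request: "GET /index.php HTTP/1.1", host: "example.test"
2020/03/10 12:00:04 [error] 1234#1234: *7 [client 10.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )" [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [ver "OWASP_CRS/3.0.2"] [hostname "127.0.0.1"] [uri "/index.php"] [unique_id "158381040401.000003"], client: 10.0.0.1, server: , request: "GET /index.php HTTP/1.1", host: "example.test"
EOF
    echo "$f"
}

# Count denied requests per client address: "<count> <ip>", most first.
# Only "Access denied" lines count; warnings and plain nginx notices do not.
modsec_denied_clients() {
    grep 'ModSecurity: Access denied' "$1" \
      | sed -n 's/.*\[client \([^]]*\)\].*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Count the individual CRS rules that fired (the Warning lines that feed the
# anomaly score) per rule id and URI: "<count> <id> <uri>", most first.
# Rule 949110 itself only reports the final score, so it is not in this list.
modsec_rule_hits() {
    grep 'ModSecurity: Warning' "$1" \
      | sed -n 's/.*\[id "\([0-9]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \2/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Print both summaries for a log file (defaults to the article's log path).
modsec_report() {
    log=${1:-/var/log/nginx/error.log}
    echo "denied requests per client:"
    modsec_denied_clients "$log"
    echo "rule hits per id and uri:"
    modsec_rule_hits "$log"
}

sample=$(modsec_sample_log)
modsec_report "$sample"
rm -f "$sample"
```

Run `modsec_report` without arguments on the server to read /var/log/nginx/error.log; a rule id that keeps appearing for one URI of a known-good application is the candidate for a targeted exclusion rather than for turning SecRuleEngine back to DetectionOnly.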
