信息安全就是国家安全。WEB 开发过程中稍有不慎就会产生很多 SQL 注入、XSS 等渗透问题：一方面需要在代码开发时特别注意，另一方面服务器上也需要部署相应的防护措施，尽可能做好网络安全。最近也比较懒了，Linux 服务器好多都采用了宝塔面板。宝塔的确提供了很便捷的安装和管理方式，但是有些防护功能的费用相对偏高，小站实在应对不了，那么我们只能采用一些免费开源的方案：这里采用 ModSecurity 结合 nginx 的方式来做一定的防护，接下来是具体的操作步骤。
首先安装编译所需的依赖：
# Build and runtime dependencies for libmodsecurity and the nginx connector
# (yum-based host: compiler toolchain, PCRE/zlib, libxml2, yajl, curl, GeoIP, doxygen).
modsec_deps=(
  gcc gcc-c++ make
  pcre-devel zlib-devel
  libxml2 libxml2-devel
  yajl yajl-devel
  curl-devel geoip-devel
  doxygen
)
yum install -y "${modsec_deps[@]}"
编译安装ModSecurity v3
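# Build and install libmodsecurity v3 from source, then fetch the nginx connector.
# Every step is guarded: without the guards a failed ./configure or make would
# still fall through to `make install`, ldconfig and the connector clone,
# leaving a half-built tree that only fails later at nginx start.
cd /opt || exit 1
git clone --depth 1 -b v3/master https://github.com/SpiderLabs/ModSecurity || exit 1
cd ModSecurity || exit 1
./build.sh || exit 1
# The git submodules have to be fetched before ./configure, as in the upstream build order.
git submodule init || exit 1
git submodule update || exit 1
./configure || exit 1
make -j"$(nproc)" || exit 1
make install || exit 1
# Register the install prefix used by ./configure above so the nginx module can
# resolve libmodsecurity.so at load time.
printf '%s\n' "/usr/local/modsecurity/lib/" > /etc/ld.so.conf.d/modsecurity.conf || exit 1
ldconfig || exit 1
# The connector is compiled into nginx later via --add-dynamic-module=/opt/modsecurity-nginx.
cd /opt || exit 1
git clone --depth 1 https://github.com/SpiderLabs/modsecurity-nginx.git || exit 1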
卸载 nginx 后重新编译安装 nginx，并在 nginx 的 ./configure 参数中加入自定义模块：
--add-dynamic-module=/opt/modsecurity-nginx
编辑nginx.conf文件,在顶部加入 load_module /www/server/nginx/modules/ngx_http_modsecurity_module.so;
建立配置文件
# Directory that will hold the engine config, the unicode mapping and (later) the CRS.
modsec_dir=/www/server/nginx/conf/modsecurity
mkdir -p -- "$modsec_dir"
# Start from the upstream recommended config. Note that it ships with
# "SecRuleEngine DetectionOnly" (matches are logged, not blocked); change it to
# "SecRuleEngine On" once the rule set has been tuned for this site.
cp -- /opt/ModSecurity/modsecurity.conf-recommended "$modsec_dir/modsecurity.conf"
cp -- /opt/ModSecurity/unicode.mapping "$modsec_dir/"
下载 OWASP 核心规则集（CRS）并生成 ModSecurity 主配置文件：
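# Fetch the OWASP Core Rule Set and write the ModSecurity main config.
cd /www/server/nginx/conf/modsecurity || exit 1
# This clones the CRS default (development) branch. On a production host pin a
# tagged release instead, e.g. `git -C owasp-crs checkout <CRS_RELEASE_TAG>`
# (placeholder for the tag you choose), so rule updates are deliberate.
git clone https://github.com/coreruleset/coreruleset.git owasp-crs || exit 1
# Activate the CRS setup file and the "before CRS" exclusion file from the shipped examples.
mv owasp-crs/crs-setup.conf.example owasp-crs/crs-setup.conf || exit 1
mv owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example \
   owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf || exit 1
# Stay in /www/server/nginx/conf/modsecurity while writing modsecurity_main.conf:
# its Include lines are relative to this directory, and the nginx
# modsecurity_rules_file directive expects the file at exactly this path.
# Writing it from inside owasp-crs/rules/ would put it in the wrong place and
# break every relative Include.
cat > modsecurity_main.conf << 'EOF'
# ModSecurity 主配置文件
Include modsecurity.conf
Include owasp-crs/crs-setup.conf
Include owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include owasp-crs/rules/REQUEST-901-INITIALIZATION.conf
Include owasp-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include owasp-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include owasp-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
Include owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include owasp-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include owasp-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include owasp-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
Include owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include owasp-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include owasp-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Include owasp-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include owasp-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include owasp-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include owasp-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include owasp-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include owasp-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include owasp-crs/rules/RESPONSE-980-CORRELATION.conf
EOF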
在 nginx 站点的 server 配置块中增加以下指令：
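# Enable the ModSecurity module for this server block. This only switches the
# module on; whether matches are blocked or merely logged is decided by
# SecRuleEngine in modsecurity.conf (the recommended file defaults to DetectionOnly).
modsecurity on;
# Main ModSecurity config. It already Includes modsecurity.conf, crs-setup.conf
# and the CRS rule files, so nothing else needs to be loaded here.
modsecurity_rules_file /www/server/nginx/conf/modsecurity/modsecurity_main.conf;
# Do NOT add a second modsecurity_rules_file for owasp-crs/crs-setup.conf:
# modsecurity_main.conf pulls it in, and loading it twice registers its rule IDs
# twice, which libmodsecurity rejects as duplicated rules at startup.
# After editing: run `nginx -t`, then reload.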
保存后重新加载 nginx。