ModSecurity installation
wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz
tar -zxvf modsecurity-2.9.1.tar.gz
cd modsecurity-2.9.1
./configure --enable-standalone-module --disable-mlogc
make
nginx installation
wget http://nginx.org/download/nginx-1.10.2.tar.gz
tar -zxvf nginx-1.10.2.tar.gz
cd nginx-1.10.2
./configure --add-module=../modsecurity-2.9.1/nginx/modsecurity/
ModSecurity configuration
cp ../modsecurity-2.9.1/modsecurity.conf-recommended /etc/nginx/modsecurity.conf
cp ../modsecurity-2.9.1/unicode.mapping /etc/nginx/
vim nginx.conf
Add the following:
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
Test
nginx -t
After starting nginx, check error.log
Add the OWASP ModSecurity Core Rule Set (CRS) rules
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
or
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.0.tar.gz
tar zxvpf v3.0.0.tar.gz
mv owasp-modsecurity-crs-3.0.0/ /etc/nginx/owasp-modsecurity-crs
cp crs-setup.conf.example crs-setup.conf
cp rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
Create modsec_includes.conf
include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
If other rules are needed, they can be added as well, for example:
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Edit nginx.conf
Change
ModSecurityConfig modsecurity.conf;
to
ModSecurityConfig modsec_includes.conf;
Reload nginx
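Added example (not from the original post): a shell function that generates modsec_includes.conf for the CRS 3 layout used above and checks that every referenced file exists before nginx -t is run. It assumes the nginx conf directory is passed as the first argument, that CRS lives in owasp-modsecurity-crs/ beneath it, and that the full rules/*.conf set is wanted (the post's example only includes the BEFORE-CRS exclusion file, which loads no detection rules by itself).

```shell
#!/bin/sh
# Added example, not part of the original post.
# write_modsec_includes <nginx_conf_dir>
#   Prints Include lines (absolute paths) to stdout and returns 0 only if
#   every referenced file exists and the rules glob matches at least one file.
write_modsec_includes() {
    conf_dir="$1"
    crs="owasp-modsecurity-crs"   # assumed CRS checkout location under conf_dir
    missing=0
    # Order matters: base config, CRS setup, pre-CRS exclusions, the rules,
    # then post-CRS exclusions, so exclusion rules see the right IDs.
    while read -r inc; do
        # Expand globs relative to conf_dir; an unmatched glob stays literal
        # and therefore fails the -e check.
        for path in "$conf_dir"/$inc; do
            if [ ! -e "$path" ]; then
                echo "missing: $path" >&2
                missing=$((missing + 1))
            fi
        done
        echo "Include $conf_dir/$inc"
    done <<EOF
modsecurity.conf
$crs/crs-setup.conf
$crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
$crs/rules/*.conf
$crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
EOF
    [ "$missing" -eq 0 ]
}
```

Redirect the output to /etc/nginx/modsec_includes.conf only when the function returns 0, then run nginx -t as in the post.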
Cross-site Scripting test request
http://192.168.1.106/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E