ModSecurity open-source WAF test
Deployment reference:
Example website: /etc/nginx/conf.d/demo.conf
server {
    listen 8085;
    location / {
        default_type text/plain;
        return 200 "Thank you for requesting ${request_uri}\n";
    }
}
ModSecurity configuration file
mkdir -p /etc/nginx/modsec
cd /etc/nginx/modsec
wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
mv modsecurity.conf-recommended modsecurity.conf
Edit modsecurity.conf and change the setting
SecRuleEngine DetectionOnly
to
SecRuleEngine On
Create the ModSecurity main configuration file
echo "Include /etc/nginx/modsec/modsecurity.conf" >> /etc/nginx/modsec/main.conf
Configure the reverse proxy: /etc/nginx/conf.d/proxy.conf
server {
    listen 81;
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
    location / {
        proxy_pass http://0.0.0.0:8085;
        proxy_set_header Host $host;
    }
}
Testing the configuration produces an error
[root@localhost modsec]# nginx -t
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsec/modsecurity.conf. Line: 236. Column: 17. Failed to locate the unicode map file from: unicode.mapping Looking at: 'unicode.mapping', 'unicode.mapping', '/etc/nginx/modsec/unicode.mapping', '/etc/nginx/modsec/unicode.mapping'. in /etc/nginx/conf.d/proxy.conf:4
nginx: configuration file /etc/nginx/nginx.conf test failed
Fixing the error:
Edit /etc/nginx/modsec/modsecurity.conf and change the SecUnicodeMapFile line to
#SecUnicodeMapFile unicode.mapping 20127
Commenting the directive out disables ModSecurity's Unicode mapping; the alternative is to place the unicode.mapping file that ships with the ModSecurity source in /etc/nginx/modsec, which is where the error message shows nginx looking for it.
The test now passes
[root@localhost modsec]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Start nginx
service nginx start
A normal request passes
[root@localhost modsec]# curl -D - http://localhost:81/foo?testparam=test
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 08 Dec 2020 03:52:41 GMT
Content-Type: text/plain
Content-Length: 44
Connection: keep-alive
Thank you for requesting /foo?testparam=test
Add a rule to /etc/nginx/modsec/main.conf
SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"
Test again: the keyword test triggers the rule and a 403 is returned
[root@localhost modsec]# curl -D - http://localhost:81/foo?testparam=test
HTTP/1.1 403 Forbidden
Server: nginx/1.18.0
Date: Tue, 08 Dec 2020 03:59:14 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>
View the blocking log
[root@localhost modsec]# tail -n 2 /var/log/nginx/error.log
2020/12/07 22:59:07 [notice] 32206#32206: ModSecurity-nginx v1.0.1 (rules loaded inline/local/remote: 0/7/0)
2020/12/07 22:59:14 [error] 32208#32208: *1 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `test' ) [file "/etc/nginx/modsec/main.conf"] [line "2"] [id "1234"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/foo"] [unique_id "1607399954"] [ref "o0,4v19,4"], client: 127.0.0.1, server: , request: "GET /foo?testparam=test HTTP/1.1", host: "localhost:81"
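As an added example (not part of the original post), the following Python script parses ModSecurity-nginx error.log entries of the form shown above into structured fields, so that "Access denied" events can be separated from ordinary notices and routed to monitoring; the two sample lines are constructed copies of the log output on this page.

```python
import re

# Constructed samples: the notice and the denial from the error.log excerpt above, each on one line.
NOTICE_LOG = ('2020/12/07 22:59:07 [notice] 32206#32206: ModSecurity-nginx v1.0.1 '
              '(rules loaded inline/local/remote: 0/7/0)')
DENIED_LOG = (
    '2020/12/07 22:59:14 [error] 32208#32208: *1 [client 127.0.0.1] ModSecurity: '
    'Access denied with code 403 (phase 1). Matched "Operator `Contains\' with parameter '
    '`test\' against variable `ARGS:testparam\' (Value: `test\' ) '
    '[file "/etc/nginx/modsec/main.conf"] [line "2"] [id "1234"] [rev ""] [msg ""] '
    '[data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] '
    '[hostname "127.0.0.1"] [uri "/foo"] [unique_id "1607399954"] [ref "o0,4v19,4"], '
    'client: 127.0.0.1, server: , request: "GET /foo?testparam=test HTTP/1.1", host: "localhost:81"'
)

# Bracketed [key "value"] tags such as [id "1234"] and [uri "/foo"]; [client 127.0.0.1] has no quotes and is skipped.
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
DENIED_RE = re.compile(r'ModSecurity: Access denied with code (\d+) \(phase (\d+)\)')
MATCH_RE = re.compile(r"Matched \"Operator `(\w+)' with parameter `([^']*)' "
                      r"against variable `([^']*)' \(Value: `([^']*)' \)")
REQUEST_RE = re.compile(r'request: "([^"]*)"')


def parse_modsec_line(line):
    """Return a dict describing a ModSecurity 'Access denied' entry, or None for any other line."""
    denied = DENIED_RE.search(line)
    if not denied:
        return None
    event = {"status": int(denied.group(1)), "phase": int(denied.group(2))}
    matched = MATCH_RE.search(line)
    if matched:
        event.update(operator=matched.group(1), parameter=matched.group(2),
                     variable=matched.group(3), value=matched.group(4))
    event.update(dict(TAG_RE.findall(line)))  # file, line, id, msg, uri, unique_id, ...
    request = REQUEST_RE.search(line)
    if request:
        event["request"] = request.group(1)
    return event


def denied_events(lines):
    """Keep only the parsed denials from an iterable of error.log lines (e.g. a file handle)."""
    return [event for event in map(parse_modsec_line, lines) if event]


if __name__ == "__main__":
    for event in denied_events([NOTICE_LOG, DENIED_LOG]):
        print(f"rule {event['id']} blocked {event['request']} ({event['variable']}={event['value']!r})")
```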