ModSecurity open-source WAF test



Deployment reference:

ModSecurity open-source WAF deployment

Sample site, /etc/nginx/conf.d/demo.conf

server {
    listen 8085;
    location / {
        default_type text/plain;
        return 200 "Thank you for requesting ${request_uri}\n";
    }
}

ModSecurity configuration file

mkdir -p /etc/nginx/modsec
cd /etc/nginx/modsec
wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
mv modsecurity.conf-recommended modsecurity.conf

Edit the modsecurity.conf configuration

Change SecRuleEngine DetectionOnly to SecRuleEngine On

Create the ModSecurity main configuration file

echo "Include /etc/nginx/modsec/modsecurity.conf" >> /etc/nginx/modsec/main.conf

Configure the reverse proxy, /etc/nginx/conf.d/proxy.conf

server {
    listen 81;
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
    location / {
        proxy_pass http://0.0.0.0:8085;
        proxy_set_header Host $host;
    }
}

The configuration test reports an error

[root@localhost modsec]# nginx -t
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsec/modsecurity.conf. Line: 236. Column: 17. Failed to locate the unicode map file from: unicode.mapping Looking at: 'unicode.mapping', 'unicode.mapping', '/etc/nginx/modsec/unicode.mapping', '/etc/nginx/modsec/unicode.mapping'.  in /etc/nginx/conf.d/proxy.conf:4
nginx: configuration file /etc/nginx/nginx.conf test failed

Fixing the error:
Edit /etc/nginx/modsec/modsecurity.conf and change this line to

#SecUnicodeMapFile unicode.mapping 20127

Commenting the directive out means ModSecurity runs without its Unicode code-point mapping (used by the urlDecodeUni transformation). The alternative is to download unicode.mapping from the same repository location as modsecurity.conf-recommended into /etc/nginx/modsec and leave the directive enabled.

The test now passes

[root@localhost modsec]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Start nginx

service nginx start

A normal request passes

[root@localhost modsec]# curl -D - http://localhost:81/foo?testparam=test
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 08 Dec 2020 03:52:41 GMT
Content-Type: text/plain
Content-Length: 44
Connection: keep-alive

Thank you for requesting /foo?testparam=test

Add a rule to /etc/nginx/modsec/main.conf

SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"

Test again: the keyword test triggers the rule and a 403 is returned

[root@localhost modsec]# curl -D - http://localhost:81/foo?testparam=test
HTTP/1.1 403 Forbidden
Server: nginx/1.18.0
Date: Tue, 08 Dec 2020 03:59:14 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>

Check the block log

[root@localhost modsec]# tail -n 2 /var/log/nginx/error.log
2020/12/07 22:59:07 [notice] 32206#32206: ModSecurity-nginx v1.0.1 (rules loaded inline/local/remote: 0/7/0)
2020/12/07 22:59:14 [error] 32208#32208: *1 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `test' ) [file "/etc/nginx/modsec/main.conf"] [line "2"] [id "1234"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/foo"] [unique_id "1607399954"] [ref "o0,4v19,4"], client: 127.0.0.1, server: , request: "GET /foo?testparam=test HTTP/1.1", host: "localhost:81"
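The rule added to main.conf and the error.log entry it produces are worth being able to read mechanically: to confirm that a block happened for the rule and variable you expected, and to feed denials into monitoring instead of tailing the log by hand. The following is an added example, not code from this post or from the ModSecurity project. It splits a SecRule line into its variable list, operator and actions, parses a ModSecurity denial line from nginx's error.log into a structured event (ignoring other lines such as the [notice] start-up line), and cross-checks the event against the rule. The rule and the two log lines are constructed from the values shown above; the parser assumes the single-line `SecRule VARIABLES "OPERATOR" "ACTIONS"` form, treats a bare operator field as the default `@rx`, and assumes the `Access denied ... Matched "Operator ...` message shape shown on this page.

```python
"""Parse a ModSecurity SecRule and the nginx error.log denial it produces."""
import re
from dataclasses import dataclass, field

# Constructed input: the rule this post adds to /etc/nginx/modsec/main.conf.
RULE_LINE = 'SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"'

# Constructed input: the two error.log lines from this post (wrap removed).
NOTICE_LINE = ("2020/12/07 22:59:07 [notice] 32206#32206: ModSecurity-nginx v1.0.1 "
               "(rules loaded inline/local/remote: 0/7/0)")
LOG_LINE = (
    "2020/12/07 22:59:14 [error] 32208#32208: *1 [client 127.0.0.1] ModSecurity: "
    "Access denied with code 403 (phase 1). Matched \"Operator `Contains' with "
    "parameter `test' against variable `ARGS:testparam' (Value: `test' ) "
    '[file "/etc/nginx/modsec/main.conf"] [line "2"] [id "1234"] [rev ""] [msg ""] '
    '[data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] '
    '[hostname "127.0.0.1"] [uri "/foo"] [unique_id "1607399954"] [ref "o0,4v19,4"], '
    'client: 127.0.0.1, server: , request: "GET /foo?testparam=test HTTP/1.1", '
    'host: "localhost:81"'
)


@dataclass
class SecRule:
    variables: list      # e.g. ["ARGS:testparam"]; '|'-separated in the rule
    operator: str        # e.g. "contains" (without the leading '@')
    argument: str        # the operator's parameter, e.g. "test"
    actions: dict        # action name -> value; flags like deny/log map to ""


# Assumed single-line form: SecRule VARIABLES "OPERATOR" "ACTIONS"
RULE_RE = re.compile(r'^SecRule\s+(\S+)\s+"([^"]*)"\s+"([^"]*)"\s*$')


def parse_secrule(line: str) -> SecRule:
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a single-line SecRule: %r" % line)
    variables = m.group(1).split("|")
    op_field = m.group(2)
    if op_field.startswith("@"):
        op, _, arg = op_field[1:].partition(" ")
    else:
        op, arg = "rx", op_field  # no '@': ModSecurity applies @rx by default
    actions = {}
    for item in m.group(3).split(","):
        name, _, value = item.strip().partition(":")
        actions[name] = value
    return SecRule(variables, op, arg, actions)


@dataclass
class ModSecEvent:
    timestamp: str
    client: str
    status: int
    phase: int
    operator: str
    parameter: str
    variable: str
    value: str
    fields: dict = field(default_factory=dict)  # the [name "value"] pairs


# Assumed message shape of a libmodsecurity denial as logged by nginx.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[error\] .*?\[client (?P<client>[^\]]+)\] ModSecurity: "
    r"Access denied with code (?P<status>\d+) \(phase (?P<phase>\d+)\)\. "
    r"Matched \"Operator `(?P<op>[^']+)' with parameter `(?P<param>[^']*)' "
    r"against variable `(?P<var>[^']+)' \(Value: `(?P<value>[^']*)' \)"
)
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_modsec_event(line: str):
    """Return a ModSecEvent for a denial line, or None for any other log line."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    return ModSecEvent(
        timestamp=m.group("ts"), client=m.group("client"),
        status=int(m.group("status")), phase=int(m.group("phase")),
        operator=m.group("op"), parameter=m.group("param"),
        variable=m.group("var"), value=m.group("value"),
        fields=dict(FIELD_RE.findall(line)),
    )


def event_matches_rule(event: ModSecEvent, rule: SecRule) -> bool:
    """True when the denial is consistent with this rule having fired: same id,
    a variable the rule inspects, the same operator, and the status the rule's
    deny action requested (ModSecurity uses 403 when no status is given)."""
    if "deny" not in rule.actions:
        return False
    wanted_status = int(rule.actions.get("status", "403"))
    return (event.fields.get("id") == rule.actions.get("id")
            and event.variable in rule.variables
            and event.operator.lower() == rule.operator.lower()
            and event.status == wanted_status)


if __name__ == "__main__":
    rule = parse_secrule(RULE_LINE)
    for raw in (NOTICE_LINE, LOG_LINE):
        ev = parse_modsec_event(raw)
        if ev is None:
            continue  # start-up notices and other lines are not denials
        print(ev.timestamp, ev.client, ev.fields.get("id"), ev.fields.get("uri"),
              ev.status, "matches rule" if event_matches_rule(ev, rule) else "mismatch")
```

Run against a real error.log by iterating its lines through parse_modsec_event; the fields dict carries id, uri, file and line, so events can be grouped per rule id or per client without a second regex.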
