开源WAF：ModSecurity探究与部署

零、防火墙

观察nginx日志发现恶意扫描 什么/shell #$%*
调研方案很多，但部分收费，收费的功能多但也比较耗费服务器，这里使用经典的web防火墙ModSecurity3

一、ModSecurity3.0介绍

ModSecurity是一个开源的跨平台Web应用程序防火墙（WAF）引擎，用于Apache，IIS和Nginx，由Trustwave的SpiderLabs开发。作为WAF产品，ModSecurity专门关注HTTP流量，当发出HTTP请求时，ModSecurity检查请求的所有部分，如果请求是恶意的，它会被阻止和记录。

优势：

完美兼容nginx，是nginx官方推荐的WAF
支持OWASP规则
3.0版本比老版本更新更快，更加稳定，并且得到了nginx、Inc和Trustwave等团队的积极支持
免费

ModSecurity的功能：

SQL Injection (SQLi)：阻止SQL注入
Cross Site Scripting (XSS)：阻止跨站脚本攻击
Local File Inclusion (LFI)：阻止利用本地文件包含漏洞进行攻击
Remote File Inclusione(RFI)：阻止利用远程文件包含漏洞进行攻击
Remote Code Execution (RCE)：阻止利用远程命令执行漏洞进行攻击
PHP Code Injectiod：阻止PHP代码注入
HTTP Protocol Violations：阻止违反HTTP协议的恶意访问
HTTPoxy：阻止利用远程代理感染漏洞进行攻击
Shellshock：阻止利用Shellshock漏洞进行攻击
Session Fixation：阻止利用Session会话ID不变的漏洞进行攻击
Scanner Detection：阻止黑客扫描网站
Metadata/Error Leakages：阻止源代码/错误信息泄露
Project Honey Pot Blacklist：蜜罐项目黑名单
GeoIP Country Blocking：根据判断IP地址归属地来进行IP阻断

劣势：

不支持检查响应体的规则，如果配置中包含这些规则，则会被忽略，nginx的的sub_filter指令可以用来检查状语从句：重写响应数据，OWASP中相关规则是95X。

不支持OWASP核心规则集DDoS规则REQUEST-912-DOS- PROTECTION.conf,nginx本身支持配置DDoS限制

不支持在审计日志中包含请求和响应主体

二、安装部署

#已安装nginx(apt-get install nginx)
#安装依赖

apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev

编译安装modSecurityLib

#克隆GitHub存储库:

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

#编译安装源代码

 cd ModSecurity

 git submodule init

 git submodule update

 ./build.sh

 ./configure

 make

 make install

 cd ..

 #注意：安装中有报错fatal: No names found, cannot describe anything.是正常现象

NGINX连接器

#下载用于ModSecurity的NGINX连接器：

git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

#确定哪个版本的NGINX是运行在主机上的ModSecurity模块将加载:
nginx -v
#nginx version: nginx/1.17.3

#下载与安装版本对应的源代码：

wget http://nginx.org/download/nginx-1.17.3.tar.gz

tar zxvf nginx-1.17.3.tar.gz

#编译动态模块，复制到模块标准目录:

cd nginx-1.17.3

./configure --with-compat --add-dynamic-module=../ModSecurity-nginx

 make modules

cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules/


#将以下load_module指令添加到/etc/nginx/nginx.conf的main中：

load_module modules/ngx_http_modsecurity_module.so;

#确定nginx模块加载成功：

nginx -t

三、配置 开启 并测试防护效果

#接口能正常返回
curl -D - http://localhost/foo?testparam=123 

配置文件

 mkdir /etc/nginx/modsec

#使用推荐的ModSecurity配置文件

 cp ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf

 cp ModSecurity/unicode.mapping /etc/nginx/modsec

#更改配置中的SecRuleEngine指令，将默认的仅检测模式更改为主动丢弃恶意流量。
 sed -i ‘s/SecRuleEngine DetectionOnly/SecRuleEngine On/’ /etc/nginx/modsec/modsecurity.conf

配置

 #创建ModSecurity的主配置文件
#vim /etc/nginx/modsec/main.conf
#内容如下

#Include the recommended configuration

Include /etc/nginx/modsec/modsecurity.conf

#A test rule

SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"

开启 并添加配置文件 到/etc/nginx/nginx.conf

server {

    # …

    #隐藏版本信息
    server_tokens off;

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

}

测试

nginx -s reload #重新加载nginx

curl -D - http://localhost/foo?testparam=test #则返回"403 Forbidden"，说明前面配置的那条modsecuriy规则生效了，并阻拦了testparam参数中带test的请求

#在/var/log/nginx/error.log中可以看到拦截的详细日志

部署OWASP规则--CRS（Core Rule Set）
https://coreruleset.org/docs/deployment/install/

#在此之前复现没有拦截的样子 下面请求正常返回
curl -D - http://localhost?foo=/etc/passwd&bar=/bin/sh 

#下载OWASP CRS 仓库更新了 独立出去了coreruleset
#wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.2.tar.gz 

wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz

#安装规则
mkdir /etc/crs4
tar -xzvf v4.0.0.tar.gz --strip-components 1 -C /etc/crs4

#配置
cd /etc/crs4
mv crs-setup.conf.example crs-setup.conf

#在modsecurity主配置文件中include CRS的配置和规则

vim /etc/nginx/modsec/main.conf
#内容如下
#Include the recommended configuration
Include /etc/nginx/modsec/modsecurity.conf

#OWASP CRS v3 rules
Include /etc/crs4/crs-setup.conf
Include /etc/crs4/rules/*.conf

#测试CRS

nginx -s reload #重新加载nginx配置

curl -D - http://localhost?foo=/etc/passwd&bar=/bin/sh  #则返回"403 Forbidden"，说明配置的规则生效了阻拦请求

拦截日志 tail -f /var/log/modsec_audit.log

ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:foo' (Value: `/etc/passwd' ) [file "/etc/crs4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "97"] [id "930120"] [rev ""] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:foo: /etc/passwd"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname " 172.129.15.195"] [uri "/"] [unique_id "172178055710.904907"] [ref "o1,10v16,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin"]
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:bar' (Value: `/bin/sh' ) [file "/etc/crs4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "556"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/sh found within ARGS:bar: /bin/sh"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname " 172.129.15.195"] [uri "/"] [unique_id "172178055710.904907"] [ref "o1,10v16,11t:cmdLine,t:normalizePatho1,6v32,7t:cmdLine,t:normalizePath"]
ModSecurity: Access denied with code 302 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `15' ) [file "/etc/crs4/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname " 172.129.15.195"] [uri "/"] [unique_id "172178055710.904907"] [ref ""]

也可以使用扫描库nikto进行测试

git clone https://github.com/sullo/nikto
Cloning into 'nikto'...
cd nikto
perl program/nikto.pl -h localhost
- Nikto v2.1.6
...
+ 7531 requests: 0 error(s) and 324 item(s) reported on remote host

参考链接：
https://www.cnblogs.com/zgq123456/articles/17714325.html
https://blog.nginx.org/blog/compiling-and-installing-modsecurity-for-open-source-nginx
https://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-owasp-crs/
https://github.com/owasp-modsecurity/ModSecurity
https://github.com/owasp-modsecurity/ModSecurity-nginx