安全:modsecurity配置

一，日志在哪里查看?

# -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log

# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir /opt/modsecurity/var/audit/

从配置文件中可以看到:

日志位于: /var/log/modsec_audit.log

查看:

[root@localhost modsecurity]# more /var/log/modsec_audit.log
---HwxpvSzz---A--
[04/Sep/2024:16:50:45 +0800] 172543984560.438043 192.168.219.1 53408 192.168.219.14 80
---HwxpvSzz---B--
GET /index.html?param=%22%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1
Host: 192.168.219.14
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ja;q=0.6
If-None-Match: "66d81282-2c"
If-Modified-Since: Wed, 04 Sep 2024 07:55:46 GMT

---HwxpvSzz---D--

---HwxpvSzz---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx/1.26.1</center>\x0d\x0a</body>\x0d\
x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a paddin
g to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome fr
iendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a

---HwxpvSzz---F--
HTTP/1.1 403
Server: nginx/1.26.1
Date: Wed, 04 Sep 2024 08:50:45 GMT
Content-Length: 555
Content-Type: text/html
Connection: keep-alive

---HwxpvSzz---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$)' against variable `REQUEST_HEADERS:Host' (Value: `192.168.219.14' )
[file "/opt/soft/nginx-1.26.1/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "772"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "19
2.168.219.14"] [severity "4"] [ver "OWASP_CRS/4.7.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-prot
ocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "192.168.219.14"] [uri "/index.html"] [unique_id "172543984560.438043"]
 [ref "o0,14o0,14v75,14"]
ModSecurity: Warning. detected XSS using libinjection. [file "/opt/soft/nginx-1.26.1/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "82"] [id "941100"] [rev "
"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:param: \x22<script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/4.7.0-dev"
] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag
 "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "192.168.219.14"] [uri "/index.html"] [unique_id "172543984560.438043"] [ref "v22,27t:utf8toUnicode,t:urlDecodeUni,t:htmlEntit
yDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<script[^>]*>[\s\S]*?' against variable `ARGS:param' (Value: `"<script>alert(1);</script>' ) [file "/opt/soft/ng
inx-1.26.1/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "108"] [id "941110"] [rev ""] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data
: <script> found within ARGS:param: \x22<script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/4.7.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "lan
guage-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "192.168.219.14"
] [uri "/index.html"] [unique_id "172543984560.438043"] [ref "o1,8v22,27t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<[^0-9<>A-Z_a-z]*(?:[^\s\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-
9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A (4341 characters omitted)' against variable `ARGS:param' (Value: `"<script>alert(1);</script
>' ) [file "/opt/soft/nginx-1.26.1/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "200"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Inje
ction"] [data "Matched Data: <script found within ARGS:param: \x22<script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/4.7.0-dev"] [maturity "0"] [accuracy "0"] [tag "app
lication-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"]
[hostname "192.168.219.14"] [uri "/index.html"] [unique_id "172543984560.438043"] [ref "o1,7v22,27t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:remo
veNulls"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:eval|set(?:timeout|interval)|new[\s\x0b]+Function|a(?:lert|tob)|btoa|prompt|confirm)[\s\x0b]*\(' against va
riable `ARGS:param' (Value: `"<script>alert(1);</script>' ) [file "/opt/soft/nginx-1.26.1/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "713"] [id "941390"]
[rev ""] [msg "Javascript method detected"] [data "Matched Data: alert( found within ARGS:param: \x22<script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/4.7.0-dev"] [mat
urity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/100
0/152/242"] [hostname "192.168.219.14"] [uri "/index.html"] [unique_id "172543984560.438043"] [ref "o9,6v22,27t:htmlEntityDecode,t:jsDecode"]
ModSecurity: Warning. detected SQLi using libinjection. [file "/opt/soft/nginx-1.26.1/modsecurity/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev
 ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: son(1 found within ARGS:param: \x22<script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/4
.7.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [
tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "192.168.219.14"] [uri "/index.html"] [unique_id "172543984560.438043"] [ref "v22,27"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `28' ) [file "/opt/sof
t/nginx-1.26.1/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 28)"] [data ""] [s
everity "0"] [ver "OWASP_CRS/4.7.0-dev"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "192.168.219.14"] [uri "/index.html"] [unique_id "1
72543984560.438043"] [ref ""]

---HwxpvSzz---I--

---HwxpvSzz---J--

---HwxpvSzz---Z--

---X0io3vO2---A-- 

二，如何增加一条自定义的规则?

1,创建规则

[root@localhost modsecurity]# mkdir custom_rules
[root@localhost modsecurity]# cd custom_rules/
[root@localhost custom_rules]# vi custom_rule1.conf 

内容:

SecRule ARGS:param "@contains laowang" "id:1235,deny,log,status:403"
SecRule ARGS "@contains laoliu" "id:1236,deny,log,status:403"

说明：

第一条是指当param这个参数包含 laowang时,
第二条是指当任意参数包含 laoliu时,

2, 把自定义规则文件包含到配置文件:

[root@localhost nginx-1.26.1]# cd modsecurity/
[root@localhost modsecurity]# vi modsecurity.conf 

增加一行:

include /opt/soft/nginx-1.26.1/modsecurity/custom_rules/*.conf

3,重启nginx服务:

[root@localhost conf]# systemctl restart nginx 

三，如何禁用一条规则?

用id指定要关闭的规则,写入到modsecurity.conf中,
或者单用一个conf再include也可以

#禁用ID为942100的规则
SecRuleRemoveById 942100

#禁用ID为942100、942100的两条规则
SecRuleRemoveById 942100 942101

#禁用ID在941000-942000区间（包含前后ID）的所有规则
SecRuleRemoveById 941000-942000