modsecurity安装

Centos下nginx+Modsecurity安装：https://www.jianshu.com/p/93e310e12036
https://www.oschina.net/p/modsecurity?hmsr=aladdin1e1
http://www.modsecurity.cn/practice/post/23.html

http://www.modsecurity.cn/chm/pmFromFile.html

一，安装依赖：

# yum instal l-y gitwgetepel-releasegcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel lmdb-devel libxml2-devel ssdeep-devel lua-devel libtool autoconf automake

# yum install gcc-c++

二，安装MS：

# cd /usr/local
# git clone https://github.com/SpiderLabs/ModSecurity

# cd ModSecurity

# git checkout -b v3/master origin/v3/master      

# git submodule init                              

# git submodule update

# sh build.sh

# ./configure

# make

# makeinstall

三，安装nginx与ModSecurity-nginx连接器：

# cd /usr/local

# git clone https://github.com/SpiderLabs/ModSecurity-nginx

# wget wget http://nginx.org/download/nginx-1.18.0.tar.gz

# tar -xvzf nginx-1.18.0.tar.gz

# cd /usr/local/nginx-1.18.0

# ./configure --add-module=/usr/local/ModSecurity-nginx

# make && make install

四，模拟攻击，测试未启动MS时的访问效果：

启动nginx：
# /usr/local/nginx/sbin/nginx

访问URL地址：
http://10.20.192.36/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E

未拦截效果：

五、配置MS：

# mkdir /usr/local/nginx/conf/modsecurity            

# cp /usr/local/Modsecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity/modsecurity.conf

#cp /usr/local/Modsecurity/unicode.mapping /usr/local/nginx/conf/modsecurity/

#cd /usr/local/

# wget http://www.modsecurity.cn/download/corerule/owasp-modsecurity-crs-3.3-dev.zip
# unzip owasp-modsecurity-crs-3.3-dev.zip
# cd owasp-modsecurity-crs-3.3-dev

#cp crs-setup.conf.example /usr/local/nginx/conf/modsecurity/crs-setup.conf

#cp -rf /usr/local/owasp-modsecurity-crs-3.3-dev/rules /usr/local/nginx/conf/modsecurity/

# cd /usr/local/nginx/conf/modsecurity/

# mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf                 
# mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf


编辑：vi nginx.conf
在http或server节点中添加以下内容：

modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/modsecurity/modsecurity.conf;

编辑：vi modsecurity.conf
SecRuleEngine DetectionOnly 改为 SecRuleEngine On

然后添加以下内容：
Include /usr/local/nginx/conf/modsecurity/crs-setup.conf
Include /usr/local/nginx/conf/modsecurity/rules/*.conf

六，重新加载Nginx测试效果：
# /usr/local/nginx/sbin/nginx -s reload

重新攻击访问：
http://10.20.192.36/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E

查看nginx日志：
tailf /usr/local/nginx/logs/access.log


七、modSecurity规则指令编写：
1、一个简单的规则

在/usr/local/nginx/conf/modsecurity/rules 目录下创建wz.conf，添加规则
SecRule ARGS "(testwwd)+"
    "msg:'wwd22 test',
    id:300102,
    phase:request,
    deny,
    status:503"

# /usr/local/nginx/sbin/nginx -s reload

测试：http://10.20.192.36/?test=testwwd