ModSecurity - Efficient and Free WAF Component for Mid- and Small-Scale Webmasters

Original Author: Lei Xi
According to posting requirements, an "@" must be added in front of all http links.

Introduction

ModSecurity is a free, open source host-based WAF (@http://www.modsecurity.org/). The newest version on the official website is 2.9.1, and it supports nginx, apache and IIS (32- and 64-bit). It runs as an extension module of the web server: incoming requests are matched against rule files, and requests recognized as malicious web attacks are discarded.

Installation

nginx/apache

On Linux, if your web server is nginx or apache, you have to compile nginx/apache from source and add the ModSecurity source code as a module.

1. Preparations

nginx : @http://nginx.org/
modsecurity for Nginx: @https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: @https://github.com/SpiderLabs/owasp-modsecurity-crs

2. Dependencies

Nginx dependencies (pcre, zlib and openssl are available in CentOS 6.5 and above):
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
ModSecurity dependencies: pcre httpd-devel libxml2 apr
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

3. Enable and Compile the Standalone Module
Download and unzip ModSecurity for nginx, enter the unzipped directory and run the following commands:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

4. Add ModSecurity module to nginx

After compiling the standalone module, add ModSecurity via "--add-module" when compiling nginx:

./configure --add-module=/root/modsecurity-2.9.1/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

5. Add Rules

ModSecurity is intended to filter and stop web threats, and its power comes from its rules. The rules provided by OWASP are maintained by volunteers and are called the Core Rule Set (CRS). They are reliable and powerful, and they can also be customized to meet different requirements.

a. Download OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

b. Enable OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping under the ModSecurity source code directory to the nginx conf subdirectory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit the file modsecurity.conf and set SecRuleEngine to On. The default value, DetectOnly, is an observation mode: matching requests are logged but not blocked. It is recommended that you keep this mode right after installation and observe whether the rules have any unexpected influence on the website and server before switching to On.

There are several folders for storing rules in owasp-modsecurity-crs, such as base_rules, experimental_rules, optional_rules and slr_rules. You can enable the rules you need by including them in modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_45_trojans.conf    # webshells

Note: every enabled rule costs host CPU on each request, so it is recommended that you only add the rules that defend against the most critical and most current web attacks.

For the details of the overall rules, please refer to @http://www.2cto.com/Article/201409/334251.html. You can add rules based on your website's individual requirements.

Note: nginx parses the HTTP request differently from apache, so some rules cannot be used in nginx. For more details, see the discussion of the nginx module more_set_headers (@http://comments.gmane.org/gmane.comp.apache.mod-security.owasp-crs/962).

6. Configure nginx

Add the following two directives to the location block of each virtual host where ModSecurity should be enabled:
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
The following is an example PHP virtual host configuration (the vhost conf file):

server {
    listen      80;
    server_name xxx.com www.xxx.com;
    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        root /web/webroot;
        index index.php index.html index.htm;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

IIS

The official website provides an MSI installer for IIS. Download and install it.

1. Preparations

• ModSecurity V2.9.1 for IIS MSI installer (32- and 64-bit): @http://www.modsecurity.org/download.html
• Microsoft Visual C++ 2013 Redistributable Package: @https://www.microsoft.com/en-gb/download/details.aspx?id=40784

2. Installation

  1. Install the packages above.
  2. Find the ModSecurity line in C:\Windows\System32\inetsrv\config\applicationHost.config and change it to <section name="ModSecurity" overrideModeDefault="Allow" allowDefinition="Everywhere" /></sectionGroup>
  3. Find modsecurity.conf under the ModSecurity IIS installation directory and change "SecRuleEngine" to "On".
  4. Add the following configuration to the web.config file under the web root directory:

     <?xml version="1.0" encoding="UTF-8"?>
     <configuration>
       <system.webServer>
         <ModSecurity enabled="true" configFile="C:\Program Files\ModSecurity IIS\modsecurity_iis.conf" />
       </system.webServer>
     </configuration>

  5. Reload the website.

Results

Systems tested so far include CentOS 6 and Windows Server 2008/2012, on which installation succeeded. The installation process on other systems is similar to what is described above. It is recommended that you update to the newest stable version of the operating system; the newest version of some operating systems may make significant changes to operational behaviour, which could cause unforeseen errors during installation.

The interception rate was quite high for the test scripts, meeting expectations for intercepting high-threat attacks such as XSS, SQL injection, file inclusion and command execution.
As for other WAF products currently on the market, Safedog is quite good, but some usability problems still exist: it lacks adequate Windows compatibility, for example, and some website functionality is unavailable after deployment. Furthermore, its defense capabilities on Linux simply do not hold up to ModSecurity.

User maintenance and operation

  1. All external attacks that match security rules are logged in the modsec_audit.log file. You can use this file to audit defense records.
  2. The location of the log is defined by SecAuditLog in the modsecurity.conf file. On Linux this location is /var/log/modsec_audit.log by default, but you need to set the location yourself on Windows.
  3. ModSecurity provides its own WAF syntax for custom rule creation. If you want to add a custom rule, just add it to the modsecurity.conf file.
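Before switching SecRuleEngine from DetectOnly to On (step 5b above), and as a way to audit the defense records listed here, the following added example (not from the original article) parses the ModSecurity 2.x serial audit log and tallies hits per rule id and per client IP. The log sample is constructed; its IPs, rule messages and file path are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the ModSecurity 2.x serial audit-log format (not from the article):
# entry 1 was intercepted with SecRuleEngine On, entry 2 was only logged under DetectOnly.
SAMPLE_LOG = """\
--1a2b3c4d-A--
[03/Oct/2024:16:41:22 +0800] ZgAAAAAAAAAAAAAAAAAAAAAA 203.0.113.5 54321 10.0.0.2 80
--1a2b3c4d-H--
Message: Access denied with code 403 (phase 2). Pattern match "or" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--1a2b3c4d-Z--
--5e6f7a8b-A--
[03/Oct/2024:16:42:01 +0800] ZgBBBBBBBBBBBBBBBBBBBBBB 198.51.100.7 40000 10.0.0.2 80
--5e6f7a8b-H--
Message: Warning. Pattern match "<script" at ARGS:body. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "36"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"]
Engine-Mode: "DETECTION_ONLY"
--5e6f7a8b-Z--
"""
BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
TAG = re.compile(r'\[(id|msg) "([^"]*)"\]')

def parse_audit_log(text):
    """One dict per audit entry: client IP, matched rules, whether it was blocked, engine mode."""
    entries, cur, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)          # part separator: --<unique id>-<part letter>--
        if m:
            part = m.group(2)
            if part == "A":
                cur = {"client": None, "rules": [], "blocked": False, "mode": None}
            elif part == "Z":
                entries.append(cur)
            continue
        if part == "A" and "] " in line:  # "[timestamp] unique_id src_ip src_port dst_ip dst_port"
            cur["client"] = line.split("] ", 1)[1].split()[1]
        elif part == "H" and line.startswith("Message:"):
            cur["rules"].append(dict(TAG.findall(line)))
        elif part == "H" and line.startswith("Action: Intercepted"):
            cur["blocked"] = True         # written only when the engine really blocked
        elif part == "H" and line.startswith("Engine-Mode:"):
            cur["mode"] = line.split('"')[1]   # DETECTION_ONLY under SecRuleEngine DetectOnly
    return entries

def summarize(entries):
    """Hits per rule id and per client IP; a rule firing on ordinary traffic is a false-positive candidate."""
    by_rule, by_client = Counter(), Counter()
    for e in entries:
        by_client[e["client"]] += 1
        by_rule.update(r.get("id", "?") for r in e["rules"])
    return by_rule, by_client
```

Run it over the real SecAuditLog file instead of SAMPLE_LOG; a rule id that shows up on legitimate requests during the DetectOnly period is the one to tune or exclude before enabling blocking.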
Time: 2024-10-03 16:41:22
