风哥提示:
本文档介绍基于 ModSecurity 的 Web 应用防火墙（WAF）在 Apache httpd 和 Nginx 上的安装、规则配置、日志分析与监控方法。
Part01-ModSecurity配置
1.1 安装和配置ModSecurity
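# Install mod_security (Apache module) and the OWASP Core Rule Set (CRS).
$ sudo dnf install -y mod_security mod_security_crs
# SecDataDir / SecTmpDir must exist and be writable by the httpd user (apache):
# the engine keeps persistent collections and spools request bodies there.
$ sudo install -d -o apache -g apache -m 750 /var/cache/modsecurity /var/cache/modsecurity/tmp
$ sudo install -d -m 755 /etc/httpd/modsecurity.d/activated_rules
# Engine configuration. Use plain ASCII double quotes: typographic quotes (“ ”)
# are not understood by the httpd config parser and break startup.
$ sudo tee /etc/httpd/conf.d/mod_security.conf << 'EOF'
<IfModule mod_security2.c>
    # On a new deployment run with "DetectionOnly" first and switch to "On"
    # once the audit log shows no false positives for legitimate traffic.
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess Off
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecResponseBodyLimit 524288
    SecDataDir /var/cache/modsecurity
    SecTmpDir /var/cache/modsecurity/tmp
    # Audit only transactions that ended with 5xx, or 4xx other than 404.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    # Part I records the request body, which may contain passwords or
    # personal data: keep the audit log readable by root only and rotate it.
    SecAuditLogParts ABIJDEHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecDebugLog /var/log/httpd/modsec_debug.log
    SecDebugLogLevel 0
    # Disruptive action inherited by rules that use "block". Declared per
    # phase, as the CRS setup file does: a phase:1-only default does not
    # apply to phase:2 (request body) rules. CRS sets its own SecDefaultAction
    # for its rules, so this mainly governs the custom rules added later.
    SecDefaultAction "phase:1,deny,log,status:403"
    SecDefaultAction "phase:2,deny,log,status:403"
    # The CRS setup/config file installed under modsecurity.d must be loaded
    # before the rule files in activated_rules.
    IncludeOptional /etc/httpd/modsecurity.d/*.conf
    IncludeOptional /etc/httpd/modsecurity.d/activated_rules/*.conf
</IfModule>
EOF
# Activate the OWASP CRS by linking its rule files into activated_rules.
# Check the directory layout of the installed CRS version first
# (ls /usr/share/mod_modsecurity_crs); -f makes the step re-runnable.
$ sudo ln -sf /usr/share/mod_modsecurity_crs/base_rules/* /etc/httpd/modsecurity.d/activated_rules/
# Validate the configuration before restarting, so a typo does not take the site down.
$ sudo apachectl configtest && sudo systemctl restart httpd
# Smoke test: send a SQL-injection-like value as a properly URL-encoded query
# parameter (typographic quotes and unquoted spaces in the URL would not reach
# the WAF intact). A blocking engine answers 403 and writes an audit entry.
$ curl -s -o /dev/null -w '%{http_code}\n' --get --data-urlencode "id=1' OR '1'='1" http://localhost/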
Part02-自定义规则
2.1 编写ModSecurity规则
$ sudo tee /etc/httpd/modsecurity.d/activated_rules/custom_rules.conf << 'EOF' # 防止SQL注入 SecRule ARGS "(select|insert|update|delete|union|drop|crea更多学习教程公众号风哥教程itpux_comte|alter|exec)" \ "phase:2,deny,log,status:403,msg:'SQL Injection Detected',id:100001" # 防止XSS攻击 SecRule ARGS "(
Part03-Nginx WAF
3.1 配置Nginx WAF
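# Install the ModSecurity v3 (libmodsecurity) connector for Nginx.
# The package name varies by distribution/repository; adjust as needed.
$ sudo dnf install -y mod_security-nginx
# SecDataDir / SecTmpDir must exist and be writable by the nginx worker user.
$ sudo install -d -o nginx -g nginx -m 750 /var/cache/modsecurity /var/cache/modsecurity/tmp
$ sudo install -d -m 755 /etc/nginx/modsecurity.d/activated_rules
# libmodsecurity rules file (same directives as the Apache configuration).
$ sudo tee /etc/nginx/modsecurity.conf << 'EOF'
# Start with DetectionOnly on a new deployment; switch to On once the audit
# log shows no false positives for legitimate traffic.
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecResponseBodyLimit 524288
SecDataDir /var/cache/modsecurity
SecTmpDir /var/cache/modsecurity/tmp
# Audit only transactions ending in 5xx, or 4xx other than 404.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Part I captures request bodies (may contain credentials or personal data):
# restrict read access to the audit log and rotate it.
SecAuditLogParts ABIJDEHZ
SecAuditLogType Serial
SecAuditLog /var/log/nginx/modsec_audit.log
SecDebugLog /var/log/nginx/modsec_debug.log
SecDebugLogLevel 0
# Nothing is enforced until rule files (e.g. the CRS setup file followed by
# its rule files) are placed in activated_rules.
Include /etc/nginx/modsecurity.d/activated_rules/*.conf
EOF
# Enable the engine once, at http level (conf.d is included inside http {});
# server and location blocks inherit it. Do not load the same rules file
# again in a server block: the connector merges rule sets per level, and the
# duplicated rule ids can make the configuration test fail.
$ sudo tee /etc/nginx/conf.d/modsecurity.conf << 'EOF'
modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity.conf;
EOF
# Virtual host in front of the application. Plain HTTP on :80 is shown;
# terminate TLS here in production so the WAF inspects decrypted traffic.
$ sudo tee /etc/nginx/conf.d/example.conf << 'EOF'
server {
    listen 80;
    server_name fgedu.net.cn;
    # Inherited from http level; can be set to "off" per location if needed.
    modsecurity on;
    location / {
        proxy_pass http://localhost:8080;
        # Forward the original Host header and client address to the backend.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
EOF
# Validate before restarting so a bad rule file does not take the site down.
$ sudo nginx -t && sudo systemctl restart nginx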
Part04-WAF监控
4.1 WAF日志分析
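# Follow the audit log live (Serial format: one --id-X-- section per part).
$ sudo tail -f /var/log/httpd/modsec_audit.log
# Last 10 lines mentioning a rule message. ASCII quotes only (typographic
# quotes are passed to grep as part of the pattern); -F = fixed string.
$ sudo grep -F "SQL Injection" /var/log/httpd/modsec_audit.log | tail -10
# Count rule messages. In the audit log they appear as [msg "..."] in the H
# part; the msg:'...' form is rule-file syntax and never occurs in the log.
# substr skips the 6-character prefix [msg " and the 2-character suffix "].
$ sudo awk 'match($0, /\[msg "[^"]*"\]/) { print substr($0, RSTART + 6, RLENGTH - 8) }' /var/log/httpd/modsec_audit.log | sort | uniq -c | sort -nr
# Top source IPs. The client address is the 4th field of the header line that
# follows each --id-A-- marker: [date tz] unique_id src_ip src_port dst_ip dst_port.
# The log holds no literal "unique_id" text, and $NF of that line is the server port.
$ sudo awk '/-A--$/ { getline; print $4 }' /var/log/httpd/modsec_audit.log | sort | uniq -c | sort -nr | head -10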
# 创建WAF监控脚本
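# Install the report script. It runs from cron as root, so it must be
# root-owned and not world-writable (sudo tee, mode 755), and the report
# must not be written to a fixed, predictable path under /tmp.
$ sudo tee /usr/local/bin/waf-monitor.sh << 'EOF'
#!/usr/bin/env bash
# Summarise the ModSecurity audit log (top rule messages, top client IPs,
# most recent entries) and mail the summary.
# pipefail is deliberately not set: `head` closes each pipeline early and the
# upstream sort would then fail with SIGPIPE under set -e.
set -eu

readonly LOG_FILE="/var/log/httpd/modsec_audit.log"
readonly MAIL_TO="admin@fgedu.net.cn"

# Unpredictable temp file instead of /tmp/waf-report.txt: a fixed name lets a
# local user pre-create a symlink that a root cron job would then follow.
# Removed on every exit path.
report_file=$(mktemp) || exit 1
trap 'rm -f -- "$report_file"' EXIT

# Rule messages appear as [msg "..."] in the H part of each audit entry.
# substr skips the 6-character prefix [msg " and the 2-character suffix "].
top_attack_types() {
  awk 'match($0, /\[msg "[^"]*"\]/) { print substr($0, RSTART + 6, RLENGTH - 8) }' "$LOG_FILE" \
    | sort | uniq -c | sort -nr | head -10
}

# The client address is the 4th field of the header line that follows each
# --id-A-- marker ([date tz] unique_id src_ip src_port dst_ip dst_port).
top_attacker_ips() {
  awk '/-A--$/ { getline; print $4 }' "$LOG_FILE" \
    | sort | uniq -c | sort -nr | head -10
}

{
  printf 'WAF Security Report - %s\n' "$(date)"
  printf '================================\n'
  printf '\nTop Attack Types:\n'
  top_attack_types
  printf '\nTop Attacker IPs:\n'
  top_attacker_ips
  printf '\nRecent Attacks:\n'
  tail -20 "$LOG_FILE"
} > "$report_file"

mail -s "WAF Daily Report" "$MAIL_TO" < "$report_file"
EOF
$ sudo chmod 755 /usr/local/bin/waf-monitor.sh
# Run the report once a day via cron.daily.
$ sudo tee /etc/cron.daily/waf-report << 'EOF'
#!/bin/bash
/usr/local/bin/waf-monitor.sh
EOF
$ sudo chmod 755 /etc/cron.daily/waf-report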
1. 启用OWASP核心规则集
2. 编写自定义规则
3. 定期更新规则库
4. 监控WAF日志
5. 调整误报规则:先以 SecRuleEngine DetectionOnly 运行并观察审计日志,再用 SecRuleRemoveById / SecRuleUpdateTargetById 针对具体规则和参数做排除,不要整体关闭规则组。
