
Linux Tutorial FG388: Security Protection Platform in Practice

Summary: This Fengge tutorial draws on the official documentation for Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman, and describes in detail how to configure and use the related technologies.

From PG Video: www.itpux.com

This document describes the deployment and use of a security protection platform: a web application firewall (ModSecurity) in front of Apache and a host intrusion detection system (OSSEC) with active response.

Part 01 - WAF Deployment

1.1 ModSecurity Configuration

# Install ModSecurity and the OWASP Core Rule Set package
[root@waf ~]# dnf install -y mod_security mod_security_crs

# Configure ModSecurity (audit only relevant transactions: 5xx and 4xx except 404)
[root@waf ~]# cat > /etc/httpd/conf.d/mod_security.conf << 'EOF'
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecResponseBodyMimeType text/plain text/html
SecDataDir /var/lib/mod_security
SecTmpDir /var/lib/mod_security
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecDefaultAction "phase:2,log,deny,status:403"

# OWASP CRS rules
IncludeOptional /etc/httpd/modsecurity.d/activated_rules/*.conf

EOF

# Enable the OWASP CRS rules by linking the base rules into the activated directory
[root@waf ~]# cd /etc/httpd/modsecurity.d/activated_rules/
[root@waf activated_rules]# for f in ../base_rules/*.conf; do ln -s $f; done

# Custom rules
[root@waf ~]# cat > /etc/httpd/modsecurity.d/activated_rules/custom_rules.conf << 'EOF'
# SQL injection protection ((?i) = case-insensitive; bare keywords also match inside words such as "selection", so expect false positives)
SecRule ARGS "(?i)(select|insert|update|delete|drop|union|alter|create|truncate)" \
    "id:1001,phase:2,deny,log,msg:'SQL Injection Detected'"
# XSS protection
SecRule ARGS "(?i)(script|javascript|onerror|onload|onclick)" \
    "id:1002,phase:2,deny,log,msg:'XSS Attack Detected'"
# Path traversal protection
SecRule ARGS "\.\./" \
    "id:1003,phase:2,deny,log,msg:'Path Traversal Detected'"
# Command injection protection
SecRule ARGS "(;|\||`|\$\(|\$\{)" \
    "id:1004,phase:2,deny,log,msg:'Command Injection Detected'"
# Sensitive file access protection
SecRule REQUEST_URI "\.(git|svn|env|htaccess|htpasswd)" \
    "id:1005,phase:2,deny,log,msg:'Sensitive File Access Detected'"
# Request size limits
SecRequestBodyLimit 10485760
SecRequestBodyNoFilesLimit 1048576
# Rate limiting: the per-IP counter must be incremented on every request (pass action),
# not only when the deny rule fires, otherwise it never grows; the 60 s expiry window is an added assumption
SecAction "id:1006,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.request_count=+1,expirevar:ip.request_count=60"
SecRule IP:REQUEST_COUNT "@gt 100" \
    "id:1007,phase:1,deny,log,msg:'Rate Limit Exceeded'"
EOF

# Restart Apache
[root@waf ~]# systemctl restart httpd

# Test the WAF
[root@client ~]# curl "http://waf.fgedu.net.cn/?id=1' OR '1'='1"

403 Forbidden

Forbidden

You don't have permission to access this resource.

# View the audit log (serial format: one boundary line per part, A = header, B = request, F = response headers, H = trailer with the rule match)
[root@waf ~]# tail -f /var/log/httpd/modsec_audit.log
--1234567890-A--
[04/Apr/2026:00:00:00 +0800] Waf 192.168.1.100 80 - 192.168.1.200 80
--1234567890-B--
GET /?id=1'%20OR%20'1'='1 HTTP/1.1
Host: waf.fgedu.net.cn
User-Agent: curl/7.76.1
Accept: */*

--1234567890-F--
HTTP/1.1 403 Forbidden
Content-Length: 199
Content-Type: text/html; charset=iso-8859-1

--1234567890-H--
Message: Access denied with code 403 (phase 2). Pattern match "select|insert|update|delete|drop|union|alter|create|truncate" at ARGS:id. [file "/etc/httpd/modsecurity.d/activated_rules/custom_rules.conf"] [line "3"] [id "1001"] [msg "SQL Injection Detected"]
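An added example, not part of the original tutorial: a small Python parser for the serial audit-log layout shown above (SecAuditLogType Serial with SecAuditLogParts ABIJDEHZ), run over a constructed three-transaction sample. It takes the client IP and timestamp from part A, the request line from part B, the status from part F and the id/msg tags of each "Message:" line in part H, then counts denied transactions per rule id and per client IP. The third sample transaction is a 500 with no rule match (logged because of SecAuditLogRelevantStatus), which shows that not every audit entry is a block. Host names, IPs and transaction ids in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample in the ModSecurity 2.x serial audit-log layout (not a real capture).
SAMPLE_AUDIT_LOG = """\
--1234567890-A--
[04/Apr/2026:00:00:00 +0800] Waf 192.168.1.100 51233 192.168.1.200 80
--1234567890-B--
GET /?id=1'%20OR%20'1'='1 HTTP/1.1
Host: waf.example.test

--1234567890-F--
HTTP/1.1 403 Forbidden

--1234567890-H--
Message: Access denied with code 403 (phase 2). Pattern match "select|insert|update|delete|drop|union|alter|create|truncate" at ARGS:id. [file "/etc/httpd/modsecurity.d/activated_rules/custom_rules.conf"] [line "3"] [id "1001"] [msg "SQL Injection Detected"]

--1234567890-Z--

--abcdef0123-A--
[04/Apr/2026:00:01:00 +0800] Waf 192.168.1.101 51234 192.168.1.200 80
--abcdef0123-B--
GET /download?file=../../config.txt HTTP/1.1
Host: waf.example.test

--abcdef0123-F--
HTTP/1.1 403 Forbidden

--abcdef0123-H--
Message: Access denied with code 403 (phase 2). Pattern match "\\.\\./" at ARGS:file. [file "/etc/httpd/modsecurity.d/activated_rules/custom_rules.conf"] [line "9"] [id "1003"] [msg "Path Traversal Detected"]

--abcdef0123-Z--

--0badc0ffee-A--
[04/Apr/2026:00:02:00 +0800] Waf 192.168.1.100 51235 192.168.1.200 80
--0badc0ffee-B--
GET /health HTTP/1.1
Host: waf.example.test

--0badc0ffee-F--
HTTP/1.1 500 Internal Server Error

--0badc0ffee-H--
Apache-Handler: proxy-server

--0badc0ffee-Z--
"""

BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
PART_A_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \S+ (?P<src_ip>\S+) \d+ \S+ \d+$")
TAG_RE = re.compile(r'\[(?P<key>id|msg) "(?P<val>[^"]*)"\]')


def split_transactions(text):
    """Group lines by transaction id and part letter, keeping file order."""
    txns, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            uid, part = m.groups()
            current = txns.setdefault(uid, {}).setdefault(part, [])
        elif current is not None:
            current.append(line)
    return txns


def parse_transaction(uid, parts):
    """Extract the fields a reviewer cares about from one transaction's parts."""
    rec = {"uid": uid, "timestamp": None, "src_ip": None, "request": None,
           "status": None, "rules": []}
    m = PART_A_RE.match(parts.get("A", [""])[0])
    if m:
        rec["timestamp"], rec["src_ip"] = m.group("ts"), m.group("src_ip")
    if parts.get("B"):
        rec["request"] = parts["B"][0]           # request line only
    if parts.get("F"):
        fields = parts["F"][0].split(" ", 2)     # e.g. "HTTP/1.1 403 Forbidden"
        if len(fields) >= 2 and fields[1].isdigit():
            rec["status"] = int(fields[1])
    for line in parts.get("H", []):              # one "Message:" line per rule hit
        if line.startswith("Message:"):
            tags = {t.group("key"): t.group("val") for t in TAG_RE.finditer(line)}
            if "id" in tags:
                rec["rules"].append((tags["id"], tags.get("msg", "")))
    return rec


def parse_audit_log(text):
    return [parse_transaction(u, p) for u, p in split_transactions(text).items()]


def summarize(records):
    """Count denied transactions (403 with at least one rule hit) by rule id and client IP."""
    by_rule, by_src = Counter(), Counter()
    for r in records:
        if r["status"] == 403 and r["rules"]:
            by_src[r["src_ip"]] += 1
            for rule_id, _msg in r["rules"]:
                by_rule[rule_id] += 1
    return {"blocked": sum(by_src.values()), "by_rule": by_rule, "by_src_ip": by_src}


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        print(r["timestamp"], r["src_ip"], r["status"], r["request"], r["rules"])
    print(summarize(recs))
```

To run it against the real file, replace SAMPLE_AUDIT_LOG with the contents of /var/log/httpd/modsec_audit.log; the same parser also handles CRS hits, since they produce "Message:" lines with the same id/msg tags.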

Part 02 - Intrusion Detection

2.1 OSSEC Deployment

# Install the build tools for OSSEC
[root@ossec ~]# dnf install -y gcc make wget

[root@ossec ~]# cd /opt
[root@ossec opt]# wget https://github.com/ossec/ossec-hids/archive/refs/tags/3.7.0.tar.gz
[root@ossec opt]# tar xzf 3.7.0.tar.gz
[root@ossec opt]# cd ossec-hids-3.7.0

# Install the OSSEC server
[root@ossec ossec-hids-3.7.0]# ./install.sh
OSSEC HIDS v3.7.0 Installation Script

1- What kind of installation do you want (server, agent, local, hybrid or help)? server
2- Setting up the installation environment.
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]: y
- What's your e-mail address? admin@fgedu.net.cn
- What's your SMTP server ip/host? smtp.fgedu.net.cn
3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
3.4- Active response allows you to execute a specific command based on the events received.
- Do you want to enable active response? (y/n) [y]: y
- Do you want to enable the firewall-drop response? (y/n) [y]: y
3.5- Do you want to add any IP to the white list? (y/n) [n]: n
4- Installing the system
5- Installation completed.

# Configure OSSEC (this overwrites ossec.conf; the XML element names below are the standard OSSEC ones, restored here because the page lost its tags)
[root@ossec ~]# cat > /var/ossec/etc/ossec.conf << 'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@fgedu.net.cn</email_to>
    <smtp_server>smtp.fgedu.net.cn</smtp_server>
    <email_from>ossec@fgedu.net.cn</email_from>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>sshd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>web_rules.xml</include>
  </rules>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>6</email_alert_level>
  </alerts>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- Added here: a server that accepts agents (the agent added with manage_agents below) needs a remote listener -->
  <remote>
    <connection>secure</connection>
  </remote>

  <!-- Run firewall-drop on the server for these rule ids; the block is lifted after 600 s -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5502,5503,5504,5505</rules_id>
    <timeout>600</timeout>
  </active-response>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
  </command>
</ossec_config>
EOF

# Add an agent
[root@ossec ~]# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v3.7.0 Agent Manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A
Adding a new agent.
Provide the name of the agent: web-server-1
Provide the IP of the agent: 192.168.1.20
Provide an ID for the agent [001]:
Agent information:
ID:001
Name:web-server-1
IP Address:192.168.1.20
Confirm adding it?(y/n): y
Agent added.

# Start OSSEC
[root@ossec ~]# /var/ossec/bin/ossec-control start
Starting OSSEC HIDS...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
# View alerts
[root@ossec ~]# tail -f /var/ossec/logs/alerts/alerts.log
** Alert 1234567890.12345: mail  - syslog,sshd,authentication_success
2026 Apr 04 00:00:00 web-server-1->/var/log/secure
Rule: 5501 (level: 4) -> 'Login session opened.'
Src IP: 192.168.1.100
User: admin
Apr  4 00:00:00 web-server-1 sshd[12345]: Accepted publickey for admin from 192.168.1.100 port 12345 ssh2
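An added example in Python, not part of the original tutorial: it parses entries in the alerts.log layout shown above and applies the settings from the ossec.conf on this page (log_alert_level 1, email_alert_level 6, firewall-drop on rules_id 5502-5505 with a 600 s timeout) to a constructed sample, returning which alerts would be e-mailed and which would trigger firewall-drop against the source IP. It makes two points visible: active response here is keyed on rules_id, so a level-10 alert for a rule outside that list is e-mailed but not blocked, and a repeat hit from an IP whose block is still pending produces no second action until the timeout has passed. Sample alerts, IPs, timestamps and the rule descriptions are constructed (the raw log line of each alert is omitted); treating a response still pending for the same IP as refreshed rather than re-run is an assumption about ossec-execd, not something the page states.

```python
import re

# Values from the ossec.conf on this page
LOG_ALERT_LEVEL = 1
EMAIL_ALERT_LEVEL = 6
ACTIVE_RESPONSE = {"command": "firewall-drop",
                   "rules_id": {5502, 5503, 5504, 5505}, "timeout": 600}

# Constructed sample alerts.log (IPs, timestamps and descriptions are made up for the example).
SAMPLE_ALERTS = """\
** Alert 1775232000.12345: - syslog,sshd,authentication_success
2026 Apr 04 00:00:00 web-server-1->/var/log/secure
Rule: 5501 (level: 4) -> 'Login session opened.'
Src IP: 192.168.1.100
User: admin

** Alert 1775232060.12400: - syslog,sshd,authentication_failed
2026 Apr 04 00:01:00 web-server-1->/var/log/secure
Rule: 5503 (level: 5) -> 'User login failed.'
Src IP: 203.0.113.7
User: root

** Alert 1775232070.12410: - syslog,sshd,authentication_failed
2026 Apr 04 00:01:10 web-server-1->/var/log/secure
Rule: 5503 (level: 5) -> 'User login failed.'
Src IP: 203.0.113.7
User: root

** Alert 1775232080.12420: mail  - syslog,sshd,authentication_failures
2026 Apr 04 00:01:20 web-server-1->/var/log/secure
Rule: 5712 (level: 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 203.0.113.7
User: root

** Alert 1775232900.12900: - syslog,sshd,authentication_failed
2026 Apr 04 00:15:00 web-server-1->/var/log/secure
Rule: 5503 (level: 5) -> 'User login failed.'
Src IP: 203.0.113.7
User: root
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<epoch>\d+)\.\d+: (?:mail\s+)?- (?P<groups>\S+)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level: (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Turn alerts.log text into one dict per '** Alert' block."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        h = HEADER_RE.match(lines[0])
        if not h:
            continue                                   # not an alert block, skip it
        a = {"epoch": int(h.group("epoch")), "groups": h.group("groups").split(","),
             "rule_id": None, "level": None, "description": None, "src_ip": None}
        for line in lines[1:]:
            r = RULE_RE.match(line)
            if r:
                a["rule_id"], a["level"] = int(r.group("id")), int(r.group("level"))
                a["description"] = r.group("desc")
            elif line.startswith("Src IP: "):
                a["src_ip"] = line[len("Src IP: "):].strip()
        alerts.append(a)
    return alerts


def evaluate(alerts, ar=ACTIVE_RESPONSE):
    """Apply this page's alert and active-response settings to parsed alerts.
    Returns the rule ids that would be e-mailed and the firewall-drop actions as
    (command, src_ip, start_epoch, expiry_epoch). A response still pending for the
    same IP is modelled as refreshed, not re-run (assumption about ossec-execd)."""
    emails, actions, blocked_until = [], [], {}
    for a in alerts:
        if a["level"] is None or a["level"] < LOG_ALERT_LEVEL:
            continue                                   # would not reach alerts.log at all
        if a["level"] >= EMAIL_ALERT_LEVEL:
            emails.append(a["rule_id"])
        if a["rule_id"] in ar["rules_id"] and a["src_ip"]:   # keyed on rules_id, not level
            expiry = a["epoch"] + ar["timeout"]
            if blocked_until.get(a["src_ip"], 0) > a["epoch"]:
                blocked_until[a["src_ip"]] = expiry    # still blocked: extend, no new action
                continue
            blocked_until[a["src_ip"]] = expiry
            actions.append((ar["command"], a["src_ip"], a["epoch"], expiry))
    return {"emails": emails, "actions": actions}


if __name__ == "__main__":
    result = evaluate(parse_alerts(SAMPLE_ALERTS))
    print("e-mailed rule ids:", result["emails"])
    for action in result["actions"]:
        print("active response:", action)
```

Because firewall-drop is tied to rules_id rather than a level, the 5712 brute-force alert in the sample is only e-mailed; if blocking on it is wanted, the active-response block in ossec.conf has to list that rule id (or use a level-based trigger instead).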

Fengge's recommendations for security protection:

  • Update the WAF rule set regularly
  • Deploy an intrusion detection system
  • Carry out log auditing
  • Configure an active-response mechanism
  • Perform security assessments regularly

This article was compiled and published by Fengge Tutorials for learning and testing purposes only; when reposting, credit the source: http://www.fgedu.net.cn/10327.html
