# 安装ModSecurity
[root@fgedu-waf ~]# yum install -y mod_security mod_security_crs

# 配置ModSecurity
[root@fgedu-waf ~]# cat > /etc/httpd/conf.d/mod_security.conf << 'EOF'
# 启用ModSecurity
SecRuleEngine On

# 配置审计日志
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/modsec_audit.log
SecAuditLogParts ABIJDEHZ
SecAuditLogType Serial

# 配置调试日志
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 3

# 请求体限制
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

# 响应体限制
SecResponseBodyAccess On
SecResponseBodyLimit 524288
SecResponseBodyMimeType text/plain text/html text/xml

# 规则配置
IncludeOptional /etc/httpd/modsecurity.d/activated_rules/*.conf

EOF

# 启用OWASP核心规则集
[root@fgedu-waf ~]# cd /etc/httpd/modsecurity.d/activated_rules/
[root@fgedu-waf activated_rules]# for f in ../base_rules/*.conf; do ln -s $f; done

# 配置自定义规则
[root@fgedu-waf ~]# cat > /etc/httpd/modsecurity.d/activated_rules/fgedu-custom.conf << 'EOF' # 自定义WAF规则 # SQL注入防护 SecRule ARGS "@detectSQLi" \ "id:10001,phase:2,deny,log,msg:'SQL Injection Detected',severity:'CRITICAL'" # XSS防护 SecRule ARGS "@detectXSS" \ "id:10002,phase:2,deny,log,msg:'XSS Attack Detected',severity:'CRITICAL'" # 路径遍历防护 SecRule ARGS "@contains ../" \ "id:10003,phase:2,deny,log,msg:'Path Traversal Detected',severity:'CRITICAL'" # 命令注入防护 SecRule ARGS "@rx (?:;|\||`|\$\(|\$\{)" \ "id:10004,phase:2,deny,log,msg:'Command Injection Detected',severity:'CRITICAL'" # 敏感文件访问防护 SecRule REQUEST_FILENAME "@pm .htaccess .htpasswd .git .svn .env" \ "id:10005,phase:2,deny,log,msg:'Sensitive File Access Attempt',severity:'WARNING'" # 扫描器检测 SecRule REQUEST_HEADERS:User-Agent "@pm nikto sqlmap nmap nessus" \ "id:10006,phase:1,deny,log,msg:'Scanner Detected',severity:'WARNING'" # 速率限制 SecRule IP:REQUEST_COUNT "@gt 100" \ 学习交流加群风哥微信: itpux-com "id:10007,phase:1,deny,log,msg:'Rate Limit Exceeded',severity:'WARNING',setvar:IP.request_count=+1,expirevar:IP.request_count=60" EOF # 重启Apache [root@fgedu-waf ~]# systemctl restart httpd # 测试WAF规则 [root@fgedu-client ~]# curl "http://192.168.1.10/?id=1' OR '1'='1"

403 Forbidden

---

Apache

# 安装ModSecurity v3
[root@fgedu-waf ~]# yum install -y gcc-c++ flex bison yajd yajd-devel curl-devel zlib-devel pcre-devel libxml2-devel pkgconfig libtool autoconf automake git doxygen geoip-devel ssdeep-devel lua-devel

# 编译安装ModSecurity v3
[root@fgedu-waf ~]# git clone –depth 1 -b v3/master https://github.com/SpiderLabs/ModSecurity.git
[root@fgedu-waf ~]# cd ModSecurity
[root@fgedu-waf ModSecurity]# git submodule init
[root@fgedu-waf ModSecurity]# git submodule update
[root@fgedu-waf ModSecurity]# ./build.sh
[root@fgedu-waf ModSecurity]# ./configure
[root@fgedu-waf ModSecurity]# make && make install

# 配置Nginx ModSecurity模块
[root@更多学习教程公众号风哥教程itpux_comfgedu-waf ~]# cat > /etc/nginx/modsec/main.conf << 'EOF' ModSecurityEnabled on; ModSecurityConfig /etc/nginx/modsec/modsecurity.conf; EOF [root@fgedu-waf ~]# cat > /etc/nginx/modsec/modsecurity.conf << 'EOF' SecRuleEngine On SecRequestBodyAccess On SecResponseBodyAccess Off SecAuditEngine RelevantOnly SecAuditLog /var/log/nginx/modsec_audit.log SecDebugLog /var/log/nginx/modsec_debug.log SecDebugLogLevel 3 # OWASP CRS规则 Include /etc/nginx/modsec/owasp-crs/crs-setup.conf Include /etc/nginx/modsec/owasp-crs/rules/*.conf EOF # 配置Nginx [root@fgedu-waf ~]# cat > /etc/nginx/conf.d/waf.conf << 'EOF' server { listen 80; server_name www.fgedu.net.cn; modsecurity on; modsecurity_rules_file /etc/nginx/modsec/main.conf; location / { proxy_pass http://192.168.1.20; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location /modsec-status { modsecurity off; allow 127.0.0.1; deny all; return 200 "WAF Active\n"; } } EOF [root@fgedu-waf ~]# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful [root@fgedu-waf ~]# systemctl restart nginx

# 创建规则管理脚本
[root@fgedu-waf ~]# cat > /usr/local/bin/waf-rules.sh << 'EOF' #!/bin/bash # waf-rules.sh # from:www.itpux.com.qq113257174.wx:itpux-com # web: http://www.fgedu.net.cn RULES_DIR="/etc/nginx/modsec/custom-rules" case "$1" in list) echo "=== WAF规则列表 ===" ls -la $RULES_DIR/*.conf 2>/dev/null || echo “无自定义规则”
;;

add)
if [ -z “$2” ]; then
echo “用法: $0 add <规则文件>”
exit 1
fi
cp $2 $RULES_DIR/
echo “规则已添加: $2”
;;

enable)
if [ -z “$2” ]; then
echo “用法: $0 enable <规则名>”
exit 1
fi
if [ -f “$RULES_DIR/$2.disabled” ]; then
mv $RULES_DIR/$2.disabled $RULES_DIR/$2.conf
echo “规则已启用: $2”
fi
;;

disable)
if [ -z “$2” ]; then
echo “用法: $0 disable <规则名>”
exit 1学习交流加群风哥QQ113257174
fi
if [ -f “$RULES_DIR/$2.conf” ]; then
mv $RULES_DIR/$2.conf $RULES_DIR/$2.disabled
echo “规则已禁用: $2”
fi
;;

reload)
nginx -t && nginx -s reload
echo “WAF规则已重载”
;;

test)
echo “=== WAF测试 ===”
echo “1. SQL注入测试”
curl -s -o /dev/null -w “%{http_code}” “http://localhost/?id=1′ OR ‘1’=’1”
echo “”
echo “2. XSS测试”
curl -s -o /dev/null -w “%{http_code}” “http://localhost/?name=”
echo “”
echo “3. 路径遍历测试”
curl -s -o /dev/null -w “%{http_code}” “http://localhost/?file=../../../etc/passwd”
echo “”
;;

*)
echo “用法: $0 {list|add|enable|disable|reload|test}”
exit 1
;;
esac
EOF

[root@fgedu-waf ~]# chmod +x /usr/local/bin/waf-rules.sh

# 创建白名单规则
[root@fgedu-waf ~]# cat > /etc/nginx/modsec/custom-rules/whitelist.conf << 'EOF' # IP白名单 SecRule REMOTE_ADDR "@ipMatch 192.168.1.0/24" \ "id:20001,phase:1,pass,nolog,ctl:ruleEngine=Off" # URL白名单 SecRule REQUEST_URI "@beginsWith /api/health" \ "id:20002,phase:1,pass,nolog,ctl:ruleEngine=Off" # 用户代理白名单 SecRule REQUEST_HEADERS:User-Agent "@contains FGEDU-Monitor" \ "id:20003,phase:1,pass,nolog,ctl:ruleEngine=Off" EOF

# 创建WAF监控脚本
[root@fgedu-waf ~]# cat > /usr/local/bin/waf-monitor.sh << 'EOF' #!/bin/bash # waf-monitor.sh # from:www.itpux.com.qq113257174.wx:itpux-com # web: http://www.fgedu.net.cn echo "=== WAF监控报告 ===" echo "监控时间: $(date)" echo "" echo "1. ModSecurity状态" nginx -V 2>&1 | grep -q modsecurity && echo “已启用” || echo “未启用”

echo “”
echo “2. 今日拦截统计”
echo “总拦截: $(grep -c “denied” /var/log/nginx/modsec_audit.log 2>/dev/null || echo 0)”
echo “SQL注入: $(grep -c “SQL Injection” /var/log/nginx/modsec_audit.log 2>/dev/null || echo 0)”
echo “XSS攻击: $(grep -c “XSS” /var/log/nginx/modsec_audit.log 2>/dev/null || echo 0)”

echo “”
echo “3. 攻击来源TOP10”
grep “denied” /var/log/nginx/modsec_audit.log 2>/dev/null | \
awk ‘{print $4}’ | sort | uniq -c | sort -rn | head -10

echo “”
echo “4. 被攻击URL TOP10”
grep “denied” /var/log/nginx/modsec_audit.log 2>/dev/null | \
grep -oP ‘uri: “\K[^”]+’ | sort | uniq -c | sort -rn | head -10

echo “”
echo “5. 规则触发TOP10”
grep “id \”” /var/log/nginx/modsec_audit.log 2>/dev/null | \
grep -oP ‘id: “\K[^”]+’ | sort | uniq -c | sort -rn | head -10

echo “”
echo “6. 最近拦截日志”
tail -20 /var/log/nginx/modsec_audit.log 2>/dev/null

echo “”
echo “=== 监控完成 ===”
EOF

[root@fgedu-waf ~]# chmod +x /usr/local/bin/waf-monitor.sh

# 配置日志轮转
[root@fgedu-waf ~]# cat > /etc/logrotate.d/waf << 'EOF' /var/log/nginx/modsec_*.log { daily rotate 30 compress delaycompress missingok notifempty create 0640 nginx nginx postrotate nginx -s reopen > /dev/null 2>&1 || true
endscript
}
EOF