一、ModSecurity安装配置

1. 基础安装

bash
# Ubuntu/Debian系统
sudo apt update
sudo apt install -y libapache2-mod-security2

# CentOS系统
sudo yum install mod_security mod_security_crs

2. Nginx配置

bash
# 安装依赖
sudo apt install -y git build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-dev libxml2-dev libcurl4-openssl-dev

# 编译ModSecurity-nginx连接器
git clone --depth 1-b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity-nginx.git

二、规则配置

1. OWASP CRS规则

bash
# 下载OWASP CRS规则
cd /usr/share/modsecurity-crs/
wget https://github.com/coreruleset/coreruleset/archive/v3.3.2.tar.gz
tar xvf v3.3.2.tar.gz

2. 基础防护规则

apache
# modsecurity.conf
SecRuleEngineOn
SecRequestBodyAccessOn
SecRequestBodyLimit13107200
SecRequestBodyNoFilesLimit131072
SecRule REQUEST_HEADERS:Content-Type"text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

三、防护策略配置

1. SQL注入防护

apache
# sql-injection.conf
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@detectSQLi" \
    "id:942100,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:removeComments,\
    msg:'SQL Injection Attack Detected',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    severity:'CRITICAL'"

2. XSS防护

apache
# xss.conf
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \
    "id:941100,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    msg:'XSS Attack Detected',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    severity:'CRITICAL'"

四、日志配置与分析

1. 日志配置

apache
# 配置审计日志
SecAuditEngineRelevantOnly
SecAuditLog/var/log/modsec_audit.log
SecAuditLogParts ABIJDEFHZ
SecAuditLogRelevantStatus"^(?:5|4(?!04))"

2. 日志分析脚本

python
#!/usr/bin/python3
import re
import sys

def analyze_log(logfile):
    attacks ={}
with open(logfile,'r')as f:
for line in f:
if'msg'in line:
                msg = re.search(r'msg: (.*?)\[', line)
if msg:
                    attack = msg.group(1)
                    attacks[attack]= attacks.get(attack,0)+1
return attacks

五、性能优化

1. 规则优化

apache
# 优化规则执行顺序
SecRuleEngineOn
SecRuleUpdateTargetById942100"!REQUEST_HEADERS:Accept"
SecRuleUpdateTargetById942100"!REQUEST_HEADERS:Accept-Charset"

2. 资源限制

apache
# 限制请求大小
SecRequestBodyLimit13107200
SecRequestBodyInMemoryLimit131072
SecRequestBodyNoFilesLimit131072

六、高级防护配置

1. 自定义规则

apache
# custom-rules.conf
# 防止路径遍历
SecRule REQUEST_URI "\.\./" \
"id:1000,\
    phase:1,\
    deny,\
    msg:'Directory Traversal Attack'"

# 防止文件上传攻击
SecRule FILES_NAMES "@rx .*\.(?:php|phtml|php3|php4|php5|php7|pht|phar)$" \
"id:1001,\
    phase:2,\
    deny,\
    msg:'Malicious File Upload Attempted'"

2. 异常检测

apache
# 配置异常检测规则
SecRule&IP:BLOCK "@eq 10" \
"id:2000,\
    phase:1,\
    deny,\
    msg:'IP Blocked due to multiple violations',\
    expirevar:IP:BLOCK=3600"

七、监控告警配置

1. 告警脚本

bash
#!/bin/bash
# alert.sh
LOGFILE="/var/log/modsec_audit.log"
THRESHOLD=100

attack_count=$(grep "msg:" $LOGFILE | wc -l)

if[ $attack_count -gt $THRESHOLD ];then
    echo "Warning: High number of WAF blocks detected!"| mail -s "WAF Alert" admin@example.com
fi

2. 监控集成

yaml
# prometheus配置
scrape_configs:
- job_name:'modsecurity'
    static_configs:
- targets:['localhost:9100']
    metrics_path:'/metrics'