前言
ModSecurity 是一个免费的开源 Web 应用程序,最初是一个 Apache 模块,后来发展成为一个成熟的 Web 应用程序防火墙。它的工作原理是根据预定义的规则集实时检查发送到 Web 服务器的请求,防止典型的 Web 应用程序攻击,如 XSS 和 SQL 注入。
本次的环境为Debian11 LNMAP
安装
安装 ModSecurity
直接使用包管理器安装
apt install libapache2-mod-security2 -y
启用 Apache 2 模块
a2enmod headers
后重启Apache即可
配置 ModSecurity
使用推荐配置
cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
编辑/etc/modsecurity/modsecurity.conf
将开头部分
# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
#SecRuleEngine DetectionOnly
SecRuleEngine On
SecRuleEngine
值改为On
# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000
增大SecPcreMatchLimit
和SecPcreMatchLimitRecursion
的值
此处我改为了300000
设置核心规则
先删除默认规则
rm -rf /usr/share/modsecurity-crs/*
安装核心规则,此处有两种选项
官方发布
打开https://coreruleset.org/installation/
获取最新发布的下载地址
下载完成后解压将coreruleset-*.*.*/
下的文件移动到/usr/share/modsecurity-crs
使用默认规则
mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
mv /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Git安装
rm -rf /usr/share/modsecurity-crs
git clone https://github.com/coreruleset/coreruleset /usr/share/modsecurity-crs
mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
mv /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
注:该安装方法误报概率较高
启用ModSecurity
编辑/etc/apache2/mods-available/security2.conf
添加
Include /usr/share/modsecurity-crs/crs-setup.conf
Include /usr/share/modsecurity-crs/rules/*.conf
文件配置完后大概应为:
<IfModule security2_module>
# Default Debian dir for modsecurity's persistent data
SecDataDir /var/cache/modsecurity
Include /usr/share/modsecurity-crs/crs-setup.conf
Include /usr/share/modsecurity-crs/rules/*.conf
# Include all the *.conf files in /etc/modsecurity.
# Keeping your local configuration in that directory
# will allow for an easy upgrade of THIS file and
# make your life easier
IncludeOptional /etc/modsecurity/*.conf
# Include OWASP ModSecurity CRS rules if installed
IncludeOptional /usr/share/modsecurity-crs/*.load
</IfModule>
这种结构
编辑/etc/apache2/sites-enabled/000-default.conf
在VirtualHost
块内添加SecRuleEngine On
编辑后结构类似与
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
SecRuleEngine On
</VirtualHost>
重启Apache
systemctl restart apache2
测试效果
访问http://IP(Domain)/index.php?exec=/bin/bash
应返回403错误
例如你访问https://www.moec.top/index.php?exec=/bin/bash
会得到403错误
性能差异
未启用:
This is ApacheBench, Version 2.3 <$Revision: 1901567 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking www.moec.top (be patient).....done
Server Software: cloudflare
Server Hostname: www.moec.top
Server Port: 443
SSL/TLS Protocol: TLSv1.3,TLS_AES_256_GCM_SHA384,256,256
Server Temp Key: X25519 253 bits
TLS Server Name: www.moec.top
Document Path: /
Document Length: 38982 bytes
Concurrency Level: 10
Time taken for tests: 21.226 seconds
Complete requests: 100
Failed requests: 0
Total transferred: 3969644 bytes
HTML transferred: 3898200 bytes
Requests per second: 4.71 [#/sec] (mean)
Time per request: 2122.601 [ms] (mean)
Time per request: 212.260 [ms] (mean, across all concurrent requests)
Transfer rate: 182.63 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 4 10 9.7 8 81
Processing: 746 2000 488.4 1925 3806
Waiting: 742 1940 474.7 1867 3591
Total: 753 2010 488.4 1973 3821
Percentage of the requests served within a certain time (ms)
50% 1973
66% 2094
75% 2250
80% 2327
90% 2666
95% 3038
98% 3328
99% 3821
100% 3821 (longest request)
启用:
root@rnldp:~# ab -n 100 -c 10 https://www.moec.top/
This is ApacheBench, Version 2.3 <$Revision: 1901567 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking www.moec.top (be patient).....done
Server Software: cloudflare
Server Hostname: www.moec.top
Server Port: 443
SSL/TLS Protocol: TLSv1.3,TLS_AES_256_GCM_SHA384,256,256
Server Temp Key: X25519 253 bits
TLS Server Name: www.moec.top
Document Path: /
Document Length: 38982 bytes
Concurrency Level: 10
Time taken for tests: 20.473 seconds
Complete requests: 100
Failed requests: 0
Total transferred: 3969568 bytes
HTML transferred: 3898200 bytes
Requests per second: 4.88 [#/sec] (mean)
Time per request: 2047.265 [ms] (mean)
Time per request: 204.726 [ms] (mean, across all concurrent requests)
Transfer rate: 189.35 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 4 12 15.1 9 139
Processing: 808 1922 397.2 1895 2907
Waiting: 592 1854 397.2 1793 2907
Total: 822 1934 398.7 1907 2915
Percentage of the requests served within a certain time (ms)
50% 1907
66% 2090
75% 2218
80% 2329
90% 2482
95% 2576
98% 2816
99% 2915
100% 2915 (longest request)
后
参考:
https://coreruleset.org/
https://bobcares.com/blog/modsecurity-pcre-limits-exceeded/
https://serverfault.com/questions/367481/mod-security-pcre-limits-exceeded
https://www.linode.com/docs/guides/securing-apache2-with-modsecurity/
Comments 1 条评论
博主 老兄
对WP造成403错误的可参考:
https://anto.online/guides/how-to-disable-modsecurity-rules-that-cause-403-errors/