I. Install the test range

First install the sqli-labs target environment in Kali so there is something to test the WAF against, then install the WAF itself, install the OWASP CRS rule set, and finally enable the WAF.

1. Check that the required services are running

service apache2 start

Open http://127.0.0.1; if the default page appears, Apache started successfully.


2. Install sqli-labs

git clone https://github.com/mukkul007/sqli-labs-kali2 sqli-labs

Clone it into /var/www/html (the later steps assume /var/www/html/sqli-labs). Note: the PHP shipped with Kali is 7.0 or newer, so the regular sqli-labs cannot be used as-is; you have to use this fork.

3. Add the database information

service mysql start
mysql -uroot

Once logged in, create the user name and password the application will use:

grant all on dvwa.* to root@localhost identified by '123456';

This form (GRANT with IDENTIFIED BY) works on the MariaDB that Kali ships; on MySQL 8.0 it was removed and the user has to be created with CREATE USER first. After it succeeds, reload the privilege tables:

flush privileges;

and leave the MySQL shell with exit.

4. Edit the configuration file

cd /var/www/html/sqli-labs/sql-connections
gedit db-creds.inc

[screenshot 1: db-creds.inc]

5. Start sqli-labs

Open http://127.0.0.1/sqli-labs/ and click "Setup".

[screenshot 2]

[screenshot 3]

Note that the database service and apache2 must both be running before you start the range.

II. Install ModSecurity

1. Install modsecurity-crs

apt-get install modsecurity-crs

After installation the files land under /etc/modsecurity, which appears to be the default location.

[screenshot 4]

List the directory contents:

[screenshot 5]

Rename the second file (on a stock install this is modsecurity.conf-recommended, which becomes modsecurity.conf):

[screenshot 6]

2. Add the ModSecurity CRS rule set to the apache2 configuration

[screenshot 7]

[screenshot 8]

The longer command, typed out:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

When the clone finishes there is a new owasp-modsecurity-crs directory in the current directory (the later steps assume this is /etc/apache2/modsec); it holds the rule set that Apache will run, and all that remains is to configure it.

The OWASP CRS directory looks like this:

[screenshot 9]

3. Rename crs-setup.conf.example to crs-setup.conf

[screenshot 10]

4. Rename the two exclusion rule files in the rules directory

mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

[screenshot 11]

5. Append the following to the end of the apache2 configuration file /etc/apache2/apache2.conf

<IfModule security2_module>
Include modsec/owasp-modsecurity-crs/crs-setup.conf
Include modsec/owasp-modsecurity-crs/rules/*.conf
</IfModule>

These paths are relative to ServerRoot (/etc/apache2), so they point at /etc/apache2/modsec/owasp-modsecurity-crs/.

[screenshot 12]

6. Edit crs-setup.conf (from the command line)

sed -i 's/SecDefaultAction "phase:1,log,auditlog,pass"/#SecDefaultAction "phase:1,log,auditlog,pass"/g' crs-setup.conf
sed -i 's/SecDefaultAction "phase:2,log,auditlog,pass"/#SecDefaultAction "phase:2,log,auditlog,pass"/g' crs-setup.conf
sed -i 's/# *SecDefaultAction "phase:1,log,auditlog,deny,status:403"/SecDefaultAction "phase:1,log,auditlog,deny,status:403"/g' crs-setup.conf
sed -i 's/# *SecDefaultAction "phase:2,log,auditlog,deny,status:403"/SecDefaultAction "phase:2,log,auditlog,deny,status:403"/g' crs-setup.conf

These four commands comment out the two log-only "pass" defaults and activate the "deny,status:403" ones, so matching requests are blocked instead of merely logged. (The original used sed -ie; GNU sed reads that as -i with backup suffix "e" and leaves a stray crs-setup.confe behind, hence plain -i here.)
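The same switch from log-only to blocking, done as a small script with a verification step. This is an added example and not part of the original post: it assumes the CRS 3.x crs-setup.conf layout (one active `SecDefaultAction "phase:N,log,auditlog,pass"` per phase, with the `deny,status:403` variants commented out) and, unless CRS_SETUP points at a real file, works on a constructed excerpt in a temporary directory. It writes an explicit .bak copy before editing so the change can be reverted.

```shell
#!/bin/sh
# Added example (not from the original post): switch OWASP CRS 3.x from
# its default "pass" (log-only) SecDefaultAction to "deny,status:403",
# then verify the change. Runs on a constructed crs-setup.conf excerpt
# in a temp dir; set CRS_SETUP to your real file to use it for real.
set -eu

# crs_mode FILE -> prints deny | pass | unknown, based on the first
# active (uncommented) phase:1 SecDefaultAction line.
crs_mode() {
    active=$(grep -E '^[[:space:]]*SecDefaultAction "phase:1,' "$1" | head -n 1)
    case "$active" in
        *deny*) echo deny ;;
        *pass*) echo pass ;;
        *)      echo unknown ;;
    esac
}

# crs_set_deny FILE: comment out the phase:1/phase:2 "pass" defaults and
# uncomment the "deny,status:403" ones. Uses an explicit backup suffix;
# "sed -ie" on GNU sed would instead be parsed as -i plus suffix "e".
crs_set_deny() {
    sed -i.bak \
        -e 's/^\([[:space:]]*\)SecDefaultAction "phase:\([12]\),log,auditlog,pass"/\1#SecDefaultAction "phase:\2,log,auditlog,pass"/' \
        -e 's/^\([[:space:]]*\)#[[:space:]]*SecDefaultAction "phase:\([12]\),log,auditlog,deny,status:403"/\1SecDefaultAction "phase:\2,log,auditlog,deny,status:403"/' \
        "$1"
}

# active_defaults FILE -> number of uncommented SecDefaultAction lines
# (CRS expects exactly one per phase, i.e. 2).
active_defaults() {
    grep -cE '^[[:space:]]*SecDefaultAction ' "$1" || true
}

# --- constructed sample, used only when CRS_SETUP is not a real file ---
CRS_SETUP=${CRS_SETUP:-$(mktemp -d)/crs-setup.conf}
if [ ! -s "$CRS_SETUP" ]; then
    # Constructed excerpt modelled on the SecDefaultAction section of crs-setup.conf
    cat > "$CRS_SETUP" <<'EOF'
# constructed excerpt: CRS 3.x ships with "pass" active and "deny" commented
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
# SecDefaultAction "phase:1,log,auditlog,deny,status:403"
# SecDefaultAction "phase:2,log,auditlog,deny,status:403"
EOF
fi

echo "before: $(crs_mode "$CRS_SETUP")"
crs_set_deny "$CRS_SETUP"
echo "after:  $(crs_mode "$CRS_SETUP") ($(active_defaults "$CRS_SETUP") active SecDefaultAction lines, backup in $CRS_SETUP.bak)"
```

After the edit, active_defaults should still report 2; more than that means a phase has two competing defaults and the last one in the file wins, which is exactly the kind of silent misconfiguration the check is meant to catch.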

7. Generate the exception/exclusion request configuration

cp rules/*.data /etc/apache2/modsec

[screenshot 13]

[screenshot 14]

Apart from that one directory, everything here was just copied over.

8. Add the rules

Create a main.conf in /etc/apache2/modsec and include the rules you want. Remember that relative paths in Include are resolved against ServerRoot (/etc/apache2 on Kali), not against the directory main.conf lives in, so check each path before restarting:

# Include the recommended configuration
include etc/modsecurity/modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
# A test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"

Note: to limit the load on the host, you can include only the protection rules for the vulnerability classes you actually need.

9. Restart the apache2 service

[screenshot 15]

apache2 --help  // to see exactly where the error is

The error says ${APACHE_RUN_DIR} is not defined.

Fix:

. /etc/apache2/envvars

That variable is set in /etc/apache2/envvars, which apache2ctl and the systemd unit source automatically but the bare apache2 binary does not; sourcing it into your shell first (the line above) resolves the error, or use apache2ctl configtest / systemctl restart apache2 instead of calling apache2 directly.

10. Deal with the errors on apache2 start-up

[screenshot 16]

Correct the path to crs-setup.conf in /etc/apache2/apache2.conf.

[screenshot 17]

The next error was that another file could not be found, so I deleted that line, hmm.

[screenshot 18]

Once the status shows "running", the apache2 service is working again.
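A pre-flight check for the "file not found" class of start-up error, added here and not part of the original post: it lists every Include/IncludeOptional path in a config file, resolves relative ones against ServerRoot the way Apache does, expands globs, and reports the ones that match nothing. The ServerRoot tree and main.conf below are constructed in a temp dir; on a real system run it as `missing_includes /etc/apache2/modsec/main.conf /etc/apache2` and then confirm with `apache2ctl configtest`, which sources /etc/apache2/envvars itself.

```shell
#!/bin/sh
# Added example (not from the original post): before restarting apache2,
# check that every Include/IncludeOptional path in a config file exists.
# Apache resolves relative Include paths against ServerRoot (/etc/apache2
# on Debian/Kali), which is where "file not found" start-up errors
# usually come from. Runs against a constructed tree in a temp dir.
set -eu

# list_includes CONF -> prints the path argument of each Include or
# IncludeOptional directive (directive names are case-insensitive;
# surrounding quotes are stripped).
list_includes() {
    awk 'tolower($1) ~ /^include(optional)?$/ { gsub(/"/, "", $2); print $2 }' "$1"
}

# missing_includes CONF SERVERROOT: prints each include path that matches
# no existing file after resolving it against SERVERROOT and expanding
# globs; the exit status is the number of missing entries (0 = all good).
# Paths containing whitespace are not handled.
missing_includes() {
    conf=$1; root=$2; missing=0
    set -f                          # no globbing while collecting the raw paths
    set -- $(list_includes "$conf")
    set +f
    for p in "$@"; do
        case "$p" in
            /*) ;;                  # absolute: use as-is
            *)  p="$root/$p" ;;     # relative: anchor at ServerRoot
        esac
        found=0
        for f in $p; do             # unquoted so the shell expands *.conf globs
            if [ -e "$f" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "missing: $p"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# --- constructed ServerRoot with a partial CRS layout ---
ROOT=$(mktemp -d)
mkdir -p "$ROOT/modsec/owasp-modsecurity-crs/rules"
: > "$ROOT/modsec/owasp-modsecurity-crs/crs-setup.conf"
: > "$ROOT/modsec/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf"
: > "$ROOT/modsec/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"
CONF="$ROOT/main.conf"
cat > "$CONF" <<EOF
# constructed config: the first two includes resolve, the last two do not
Include modsec/owasp-modsecurity-crs/crs-setup.conf
include modsec/owasp-modsecurity-crs/rules/*.conf
include etc/modsecurity/modsecurity.conf
Include "$ROOT/modsec/does-not-exist.conf"
EOF

MISSING=0
missing_includes "$CONF" "$ROOT" || MISSING=$?
echo "$MISSING include path(s) could not be resolved"
```

The third line of the sample shows the trap the note above warns about: "etc/modsecurity/modsecurity.conf" looks right when you are sitting in /, but Apache turns it into ServerRoot/etc/modsecurity/modsecurity.conf. Use the absolute /etc/modsecurity/modsecurity.conf for files outside ServerRoot.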

11. Turn the rule set on

Set SecRuleEngine to On (in /etc/modsecurity/modsecurity.conf; the recommended config ships with DetectionOnly).

[screenshot 19]

III. Configure a virtual host

[screenshot 20]

[screenshot 21]

[screenshot 22]

Add the new virtual host mapping:

[screenshot 23]

IV. Test results

[screenshot 24]

After adding a semicolon, the WAF refuses the request.

[screenshot 25]

If you set SecRuleEngine in /etc/modsecurity/modsecurity.conf back to DetectionOnly,

[screenshot 26]

restart apache2 and inject a single quote again, the WAF no longer blocks anything. (In DetectionOnly mode the rules are still evaluated and matches are still written to the error and audit logs; only the blocking is suppressed, so the error log is where to confirm the engine is still running.)

[screenshot 27]

This shows that the installation works.

Note: in this setup I created /etc/apache2/modsec myself; the owasp-modsecurity-crs files inside it were downloaded from GitHub somewhere earlier and uploaded with Xftp. If Apache reports other errors on start-up, you will have to work through them yourself.
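To confirm the test result without relying on the browser alone, here is an added example (not from the original post) that reads the effective SecRuleEngine value from modsecurity.conf and summarises ModSecurity entries from the Apache error log, separating "Access denied" (blocked) from "Warning" (matched but not blocked). Both inputs are constructed samples laid out like the real files; the log lines are modelled on ModSecurity 2.x's error-log format and use two real CRS 3 rule ids (942100, the libinjection SQLi rule, and 949110, the inbound anomaly-score evaluation that actually issues the block). Set CONF and LOG to /etc/modsecurity/modsecurity.conf and /var/log/apache2/error.log to use it on the real box.

```shell
#!/bin/sh
# Added example (not from the original post): two checks for the test
# phase. 1) read the effective SecRuleEngine setting from modsecurity.conf;
# 2) pull verdict, rule id and message out of ModSecurity entries in the
# Apache error log, so "WAF didn't block" can be told apart from "WAF
# isn't running". Both inputs below are constructed samples.
set -eu

# rule_engine_mode CONF -> On | Off | DetectionOnly (last active setting
# wins, as in Apache; commented lines are ignored).
rule_engine_mode() {
    awk 'tolower($1) == "secruleengine" { mode = $2 } END { print mode }' "$1"
}

# modsec_events LOG -> one tab-separated line per ModSecurity event:
# verdict (denied|warning|other), rule id, message.
modsec_events() {
    grep 'ModSecurity:' "$1" | while IFS= read -r line; do
        case "$line" in
            *"Access denied"*)        verdict=denied ;;
            *"ModSecurity: Warning"*) verdict=warning ;;
            *)                        verdict=other ;;
        esac
        id=$(printf '%s\n' "$line" | sed -n 's/.*\[id "\([0-9]*\)"\].*/\1/p')
        msg=$(printf '%s\n' "$line" | sed -n 's/.*\[msg "\([^"]*\)"\].*/\1/p')
        printf '%s\t%s\t%s\n' "$verdict" "${id:-?}" "${msg:-?}"
    done
}

# count_denied LOG -> number of requests ModSecurity actually blocked.
count_denied() {
    grep -c 'ModSecurity: Access denied' "$1" || true
}

# --- constructed samples, used only when CONF / LOG are not real files ---
TMP=$(mktemp -d)
CONF=${CONF:-$TMP/modsecurity.conf}
LOG=${LOG:-$TMP/error.log}
if [ ! -s "$CONF" ]; then
    cat > "$CONF" <<'EOF'
# constructed excerpt of /etc/modsecurity/modsecurity.conf
#SecRuleEngine DetectionOnly
SecRuleEngine On
SecRequestBodyAccess On
EOF
fi
if [ ! -s "$LOG" ]; then
    # constructed lines in the shape of ModSecurity 2.x error-log output
    cat > "$LOG" <<'EOF'
[Mon Jan 01 12:00:00.000001 2018] [mpm_prefork:notice] [pid 1000] AH00163: Apache/2.4 configured -- resuming normal operations
[Mon Jan 01 12:00:01.000001 2018] [:error] [pid 1001] [client 127.0.0.1:40000] [client 127.0.0.1] ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/apache2/modsec/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/sqli-labs/Less-1/"]
[Mon Jan 01 12:00:01.000002 2018] [:error] [pid 1001] [client 127.0.0.1:40000] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsec/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [uri "/sqli-labs/Less-1/"]
EOF
fi

echo "SecRuleEngine: $(rule_engine_mode "$CONF")"
echo "blocked requests: $(count_denied "$LOG")"
modsec_events "$LOG"
```

In CRS 3's anomaly-scoring mode the individual detection rules (942100 here) only raise the score and log a Warning; the 403 comes from 949110. So a log full of warnings with no "Access denied" from 949110 means either the engine is in DetectionOnly, or the inbound threshold in crs-setup.conf was never reached, and that distinction is what the two checks above separate.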

V. Reference links

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/INSTALL
https://www.cnblogs.com/Hi-blog/p/OWASP-ModSecurity-Core-Rule-Set-CRS.html
https://klionsec.github.io/2017/07/31/waf-for-modsecurity/
