
nginxにModSecurity&OWASP Core Rule Setの導入めも

Last updated at Posted at 2015-05-27

1. nginx ユーザ作成、パッケージインストール

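# Dedicated unprivileged service account: no login shell, no home directory
# created (-M). nginx workers run as this user (see --user/--group in the
# nginx ./configure step).
useradd -s /sbin/nologin -d /usr/local/nginx -M nginx
# Toolchain plus headers for ModSecurity (pcre, libxml2, curl, apr via
# httpd-devel) and nginx (openssl, zlib). Every line carries -y so the run
# is non-interactive; the original zlib line was missing it and would prompt.
yum install -y gcc make automake autoconf libtool git
yum install -y pcre pcre-devel libxml2 libxml2-devel curl curl-devel httpd-devel
yum install -y openssl openssl-devel
yum install -y zlib zlib-devel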

2. modsecurityのインストール

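cd /usr/local/src/
yum install git -y
# Build from a release tag, not from whatever master happens to be at clone
# time: the --enable-standalone-module flag and the nginx/modsecurity
# connector directory used in the following steps belong to the ModSecurity
# 2.x series, and an unpinned master can change underneath a later rebuild.
# Check the tag against the project's release notes before bumping it.
MODSEC_TAG=v2.9.0
git clone --branch "$MODSEC_TAG" https://github.com/SpiderLabs/ModSecurity.git mod_security
cd mod_security/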

# Generate ./configure from configure.ac (needs the autotools installed in step 1).
./autogen.sh

configure.ac を修正し、

AM_PROG_CC_C_O

の行を追加する（新しめの automake は、per-target の CFLAGS を使うソースがあるのにこのマクロが configure.ac に無いとエラーで止まるため）。追加後、下の autogen.sh を再実行する。

# Re-run so the configure.ac edit above is picked up before ./configure.
./autogen.sh


# Build only the standalone (nginx) module: no Apache module, no mlogc log
# collector. CPPFLAGS points at the apr/httpd headers pulled in by
# httpd-devel in step 1 (the standalone module is built against apr).
# The escaped quotes survive into the Makefile so the defines end up as C
# string literals. DEFAULT_USER/DEFAULT_GROUP are compiled-in defaults of
# the standalone module — presumably the identity it assumes at runtime;
# confirm against the ModSecurity source before relying on them.
CFLAGS="-DDEFAULT_USER=\\\"nginx\\\" -DDEFAULT_GROUP=\\\"nginx\\\"" CPPFLAGS="-I/usr/include/apr-1 -I/usr/include/httpd" ./configure --disable-apache2-module --disable-mlogc --enable-standalone-module
make
make install

3. nginxのインストール

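cd /usr/local/src/
# 1.8.0 was the stable release when this memo was written; use the current
# stable release and keep the signature check below.
NGINX_VER=1.8.0
# Fetch over TLS and verify the detached PGP signature. The original pulled
# the source over plain http:// with no integrity check, which lets an
# on-path attacker hand you a trojaned web server. The release signing key
# has to be imported into gpg first (keys are published under
# https://nginx.org/keys/); do not continue unless gpg reports a good
# signature from that key.
wget "https://nginx.org/download/nginx-${NGINX_VER}.tar.gz"
wget "https://nginx.org/download/nginx-${NGINX_VER}.tar.gz.asc"
gpg --verify "nginx-${NGINX_VER}.tar.gz.asc" "nginx-${NGINX_VER}.tar.gz"
tar xzvf "nginx-${NGINX_VER}.tar.gz"
cd "nginx-${NGINX_VER}"
# --add-module points at the standalone connector inside the ModSecurity 2.x
# tree built in step 2; the apr include/link flags are needed because that
# connector is built against apr. http_realip_module is presumably here so
# that, behind the ELB, logs and IP-based rules see the client address from
# X-Forwarded-For — list only the ELB's address range in set_real_ip_from,
# otherwise any client can spoof its source IP.
./configure --user=nginx --group=nginx --add-module=../mod_security/nginx/modsecurity --with-http_ssl_module --with-http_realip_module --with-cc-opt="-I/usr/include/apr-1 -I/usr/include/httpd" --with-ld-opt="-lapr-1 -laprutil-1"
make
make install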

# Install the SysV init script reproduced in the "nginx起動スクリプト" section
# further down (paste it into the editor), make it executable and register it
# so nginx starts at boot. The file is run by init as root, so it must stay
# root-owned and not group/world-writable.
vi /etc/init.d/nginx
chmod +x /etc/init.d/nginx 
chkconfig --add nginx
chkconfig nginx on
# Confirm the nginx entry shows "on" for the expected runlevels.
chkconfig --list

4. CRSルール追加

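cd  /usr/local/etc/
mkdir modsecurity
cd modsecurity
# The base_rules/ layout and modsecurity_crs_10_setup.conf.example used in
# step 5 are the CRS 2.2.x series. master is not pinned here, so check out a
# reviewed release tag before generating the rule file; rule changes both
# block traffic and open gaps, and should be diffed before deployment.
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs crs

# Rules reference their .data lists by a path relative to the config file
# that contains them, which is presumably why the data files are linked
# next to the generated modsecurity_crs.conf. Link every data file instead
# of a hand-maintained list so a rule whose list is missing does not fail
# to load after a CRS update.
ln -s crs/base_rules/*.data .

# Start from the upstream recommended settings. Two things this memo does
# not show and that are required for anything to be enforced: nginx.conf
# must enable the module and point at this file (ModSecurityEnabled on;
# ModSecurityConfig /usr/local/etc/modsecurity/modsecurity.conf;), and this
# file must Include the generated modsecurity_crs.conf.
cp /usr/local/src/mod_security/modsecurity.conf-recommended modsecurity.conf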

5. ルール更新

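cd /usr/local/etc/modsecurity/crs
# Move to a known release instead of blindly pulling master: fetch the tags
# and check out the one you have reviewed (the base_rules/ layout used below
# is the CRS 2.2.x series). Diff a rule update before it reaches production —
# a rule change can both block legitimate traffic and open gaps.
CRS_TAG=v2.2.9
git fetch --tags
git checkout "$CRS_TAG"
cd ..

# This regenerates modsecurity_crs.conf from scratch, so never hand-edit
# that file: SecRuleEngine, rule exclusions and other tuning go in
# modsecurity.conf or a separate include. Build into a temp name and move it
# into place so a half-written file is never picked up by a reload.
cat crs/modsecurity_crs_10_setup.conf.example crs/base_rules/*.conf > modsecurity_crs.conf.new \
  && mv modsecurity_crs.conf.new modsecurity_crs.conf

# Validate before reloading so a bad rule set cannot take the server down.
/etc/init.d/nginx configtest && /etc/init.d/nginx reload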

備考:False Positiveの問題

そのままルールを適用すると、AWS の ELB からのヘルスチェックすら通らなくなる（どのルールに当たったかは監査ログの rule id で特定する）。
まず、

SecRuleEngine DetectionOnly

で検知のみのモードにしてから（手順5で再生成される modsecurity_crs.conf に直接書くと次回の再生成で消えるので、modsecurity.conf など手で管理するファイル側に置く）、

/var/log/modsec_audit.log

を確認し、ヘルスチェックのパスや User-Agent に限定した例外（SecRuleRemoveById や ctl:ruleRemoveById）を追加してルールを調整する。ルールを丸ごと無効化するより対象を絞った例外のほうが防御を保てる。誤検知が収まったら SecRuleEngine On に切り替える。監査ログにはリクエストボディ（認証情報など）もそのまま記録されるので、ファイルのパーミッションと保存期間には注意する。

nginx起動スクリプト

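#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig:   - 85 15
# description:  Nginx is an HTTP(S) server, HTTP(S) reverse \
#               proxy and IMAP/POP3 proxy server
# processname: nginx

# Source function library (provides daemon, killproc, status).
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

nginx="/usr/local/nginx/sbin/nginx"
prog=$(basename "$nginx")

NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

# Keep the lock under /var/lock/subsys: on RHEL-style SysV init the rc
# shutdown sequence only runs a service's K (stop) script when a lock file
# with the service name exists there, so a lock kept in nginx's own logs/
# directory means nginx is never stopped gracefully at shutdown.
lockfile=/var/lock/subsys/nginx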
start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

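stop() {
    echo -n $"Stopping $prog: "
    # QUIT asks the nginx master for a graceful shutdown (in-flight requests
    # finish) rather than the fast stop TERM would cause.
    killproc "$prog" -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f "$lockfile"
    return $retval
}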

restart() {
    # Refuse to stop a working server if the new config does not validate;
    # propagate configtest's own status in that case.
    configtest
    retval=$?
    if [ "$retval" -ne 0 ]; then
        return "$retval"
    fi
    stop
    # Brief pause so the old master has released its sockets before start.
    sleep 1
    start
}

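reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    # HUP makes the master re-read the config and spawn new workers.
    killproc "$nginx" -HUP
    retval=$?
    echo
    # The original stored the status in RETVAL and then fell off the end, so
    # the function always returned 0 (the status of echo); propagate it.
    return $retval
}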

force_reload() {
    # No separate "force" path for nginx here: fall back to a full restart
    # (configtest, stop, start).
    restart
}

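configtest() {
    # Validate the config without starting anything; restart and reload gate
    # on this so a bad edit cannot take the running server down.
    "$nginx" -t -c "$NGINX_CONF_FILE"
}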

rh_status() {
    # Delegate to the init-functions status helper, looked up by process name.
    status $prog
}

rh_status_q() {
    # Quiet variant for use in conditions: only the exit status matters.
    rh_status >/dev/null 2>&1
}

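case "$1" in
    start)
        rh_status_q && exit 0
        start
        ;;
    stop)
        rh_status_q || exit 0
        stop
        ;;
    restart|configtest)
        $1
        ;;
    reload)
        # LSB 7: program is not running.
        rh_status_q || exit 7
        reload
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        # Restart only if already running. The original arm exited when not
        # running but then did nothing at all when running, so condrestart
        # was a no-op in every case.
        rh_status_q || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
esac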

参考

http://qiita.com/albatross/items/5b9034c80f9c49519442
http://www.happytrap.jp/blogs/2012/02/23/8243/

https://www.modsecurity.org/
https://github.com/SpiderLabs/owasp-modsecurity-crs
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--(Updated)-Exception-Handling/
http://eterhost.net/knowledgebase.php?action=displayarticle&id=7
