I. ModSecurity Installation and Configuration
1. Basic installation
```bash
# Ubuntu/Debian
sudo apt update
sudo apt install -y libapache2-mod-security2
# CentOS
sudo yum install -y mod_security mod_security_crs
```
2. Nginx configuration
```bash
# Install build dependencies
sudo apt install -y git build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-dev libxml2-dev libcurl4-openssl-dev
# Fetch libmodsecurity (v3, branch v3/master) and the ModSecurity-nginx connector;
# the connector is then compiled as a dynamic nginx module against libmodsecurity
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity.git
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
```
II. Rule Configuration
1. OWASP CRS rules
```bash
# Download the OWASP Core Rule Set
cd /usr/share/modsecurity-crs/
wget https://github.com/coreruleset/coreruleset/archive/v3.3.2.tar.gz
tar xvf v3.3.2.tar.gz
```
2. Basic protection rules
```apache
# modsecurity.conf
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
# Hand XML request bodies to the XML body processor
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
```
III. Protection Policy Configuration
1. SQL injection protection
```apache
# sql-injection.conf
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@detectSQLi" \
"id:942100,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:removeComments,\
msg:'SQL Injection Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-sqli',\
severity:'CRITICAL'"
```
2. XSS protection
```apache
# xss.conf
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \
"id:941100,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
msg:'XSS Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
severity:'CRITICAL'"
```
IV. Log Configuration and Analysis
1. Log configuration
```apache
# Audit log configuration
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log
SecAuditLogParts ABIJDEFHZ
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
```
2. Log analysis script
```python
#!/usr/bin/python3
import re
import sys

# Rule hits in the audit log are recorded as [msg "..."] entries in part H
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')

def analyze_log(logfile):
    """Count how often each rule message appears in the audit log."""
    attacks = {}
    with open(logfile, 'r') as f:
        for line in f:
            msg = MSG_RE.search(line)
            if msg:
                attack = msg.group(1)
                attacks[attack] = attacks.get(attack, 0) + 1
    return attacks

if __name__ == '__main__':
    logfile = sys.argv[1] if len(sys.argv) > 1 else '/var/log/modsec_audit.log'
    for attack, count in sorted(analyze_log(logfile).items(), key=lambda kv: -kv[1]):
        print(f'{count:6d}  {attack}')
```
V. Performance Optimisation
1. Rule optimisation
```apache
# Narrow the targets a rule inspects
SecRuleEngine On
SecRuleUpdateTargetById 942100 "!REQUEST_HEADERS:Accept"
SecRuleUpdateTargetById 942100 "!REQUEST_HEADERS:Accept-Charset"
```
2. Resource limits
```apache
# Limit request body sizes
SecRequestBodyLimit 13107200
SecRequestBodyInMemoryLimit 131072
SecRequestBodyNoFilesLimit 131072
```
VI. Advanced Protection Configuration
1. Custom rules
```apache
# custom-rules.conf
# Block directory traversal (decode the URI first so encoded forms such as %2e%2e%2f are caught too)
SecRule REQUEST_URI "@rx \.\./" \
"id:1000,\
phase:1,\
t:none,t:urlDecodeUni,\
deny,\
msg:'Directory Traversal Attack'"
# Block uploads of executable PHP files (lowercase first so .PHP is caught too)
SecRule FILES_NAMES "@rx .*\.(?:php|phtml|php3|php4|php5|php7|pht|phar)$" \
"id:1001,\
phase:2,\
t:none,t:lowercase,\
deny,\
msg:'Malicious File Upload Attempted'"
```
2. Anomaly detection
```apache
# Per-client violation counter (ModSecurity v2 persistent collections; SecDataDir must be set)
SecAction "id:2001,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"
# Deny once a client has accumulated 10 violations; the counter is incremented
# from the blocking rules with setvar:ip.block=+1 and expires after one hour
SecRule IP:BLOCK "@ge 10" \
"id:2000,\
phase:1,\
deny,\
msg:'IP Blocked due to multiple violations',\
expirevar:ip.block=3600"
```
VII. Monitoring and Alerting Configuration
1. Alert script
```bash
#!/bin/bash
# alert.sh
LOGFILE="/var/log/modsec_audit.log"
THRESHOLD=100
# Each rule hit in the audit log is recorded as a [msg "..."] entry
attack_count=$(grep -c '\[msg "' "$LOGFILE")
if [ "$attack_count" -gt "$THRESHOLD" ]; then
    echo "Warning: High number of WAF blocks detected!" | mail -s "WAF Alert" admin@example.com
fi
```
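A deeper version of the log analysis (IV.2) and alert counting (VII.1) above, added here as an example rather than code from the original article: it parses the multi-part serial audit log written by SecAuditLog, pairs each rule hit (id and msg from part H) with the client address from part A, and flags clients whose hit count reaches a threshold, the same idea the IP-blocking rule in VI.2 applies inside the WAF. The log excerpt is constructed, and the parser assumes the ModSecurity v2 serial format.

```python
import re
from collections import Counter
# Constructed excerpt of a ModSecurity v2 serial audit log (parts A and H only,
# which is all this parser reads); addresses and transaction ids are made up.
SAMPLE_AUDIT_LOG = """--1a2b3c4d-A--
[10/Jan/2024:12:00:01 +0000] Z1abcd 192.0.2.10 51234 10.0.0.5 443
--1a2b3c4d-H--
Message: Warning. detected SQLi using libinjection [file "/etc/modsecurity/sql-injection.conf"] [line "1"] [id "942100"] [msg "SQL Injection Attack Detected"] [severity "CRITICAL"]
Message: Warning. detected XSS using libinjection. [file "/etc/modsecurity/xss.conf"] [line "1"] [id "941100"] [msg "XSS Attack Detected"] [severity "CRITICAL"]
--1a2b3c4d-Z--
--9c0d1e2f-A--
[10/Jan/2024:12:00:03 +0000] Z1abcf 198.51.100.7 40000 10.0.0.5 443
--9c0d1e2f-H--
Message: Access denied with code 403 (phase 1). [file "/etc/modsecurity/custom-rules.conf"] [line "3"] [id "1000"] [msg "Directory Traversal Attack"]
--9c0d1e2f-Z--
"""

BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")   # "--<txid>-<part letter>--"
CLIENT_RE = re.compile(r"^\[[^\]]+\] \S+ (\S+) ")           # part A: [time] txid client_ip ...
EVENT_RE = re.compile(r'\[id "([^"]+)"\].*?\[msg "([^"]*)"\]')  # part H "Message:" lines

def parse_audit_log(text):
    # One dict per transaction: txid, client address, list of (rule_id, msg) hits
    transactions, current, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            txid, part = m.groups()
            if part == "A":                      # part A opens a new transaction
                current = {"txid": txid, "client": None, "events": []}
                transactions.append(current)
            continue
        if current is None:
            continue
        if part == "A" and (c := CLIENT_RE.match(line)):
            current["client"] = c.group(1)
        elif part == "H" and line.startswith("Message:") and (e := EVENT_RE.search(line)):
            current["events"].append(e.groups())
    return transactions

def summarize(transactions, threshold):
    # Hits per rule message and per client; clients at or above threshold are flagged
    by_msg, by_client = Counter(), Counter()
    for tx in transactions:
        for _, msg in tx["events"]:
            by_msg[msg] += 1
            by_client[tx["client"]] += 1
    flagged = sorted(ip for ip, n in by_client.items() if n >= threshold)
    return by_msg, by_client, flagged
```

Feed the real file with `parse_audit_log(open('/var/log/modsec_audit.log').read())` and pass the flagged list to whatever notification the alert script uses.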
2. Monitoring integration
```yaml
# Prometheus scrape job (the exporter on port 9100 must expose the WAF metrics)
scrape_configs:
  - job_name: 'modsecurity'
    metrics_path: '/metrics'
    static_configs:
      - targets: ['localhost:9100']
```
Best-practice recommendations
- Deployment strategy
  - Enable monitoring mode first
  - Turn on protection rules gradually
  - Update the rule set regularly
  - Establish a whitelisting mechanism
- Maintenance
  - Analyse logs regularly
  - Update WAF rules
  - Tune performance settings
  - Monitor system resources
- Incident response
  - Prepare a rollback plan
  - Establish an incident handling process
  - Preserve attack samples
  - Run drills regularly
This guide has given you a complete plan for configuring a WAF on a cloud server. Remember that WAF configuration is a continuous tuning process: rules must be adjusted to the attacks actually observed and to business requirements. Test thoroughly before going to production to make sure legitimate traffic is not affected.
At the same time, keep the WAF rule set up to date, follow new attack techniques, and adjust the protection policy promptly. For a production WAF, build a comprehensive monitoring system so that security threats are detected and handled in time.
Bear in mind that a WAF is only one part of website security; it must be combined with other measures, such as server hardening and security scanning, to build a complete defence.