Install dependencies
sudo yum install gcc make httpd-devel libxml2 pcre-devel libxml2-devel curl-devel
Download ModSecurity
sudo wget https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.7/modsecurity-2.9.7.tar.gz
sudo tar xzf modsecurity-2.9.7.tar.gz
Install ModSecurity
cd modsecurity-2.9.7
./configure
sudo make install
Go to the /usr/lib64/httpd/modules directory and change the permissions of mod_security2.so
sudo chmod 755 mod_security2.so
Copy the files into the /etc/httpd/conf.d/ directory and edit the configuration
sudo cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
sudo cp unicode.mapping /etc/httpd/conf.d/
sudo vi /etc/httpd/conf/httpd.conf
Add the following line to httpd.conf
LoadModule security2_module modules/mod_security2.so
Install the Open Web Application Security Project (OWASP) rule set
cd /etc/httpd
# Fetch the rule set with git clone
sudo git clone https://github.com/coreruleset/coreruleset.git
# Switch to the 3.3 branch (run inside the cloned repository, hence -C)
sudo git -C coreruleset checkout -b v3.3/master origin/v3.3/master
# Rename the directory to modsecurity-crs
sudo mv coreruleset modsecurity-crs
# Copy the setup file
cd modsecurity-crs
sudo cp crs-setup.conf.example modsecurity_crs_10_config.conf
# Add the following to httpd.conf
Include modsecurity-crs/modsecurity_crs_10_config.conf
Include modsecurity-crs/rules/*.conf
Following the ModSecurity Chinese manual, edit /etc/httpd/conf.d/modsecurity.conf
sudo vi /etc/httpd/conf.d/modsecurity.conf
a. Detection-only mode versus enforcement
#SecRuleEngine DetectionOnly
SecRuleEngine On
b. Change the log location
SecAuditLog /var/log/modsecurity/modsec_audit.log
Note: this directory must be created and owned by the httpd user and group, otherwise logging will not work.
If left unchanged, the default location is /var/log/modsec_audit.log
c. Change what is logged so that only basic information is recorded
SecAuditLogParts ABFZ
# Restart httpd
sudo service httpd restart
Test
Enter https://domain/?q=<script> in the address bar. If everything is working, you will see the access-denied page: Forbidden, You don’t have permission to access / on this server. The following message will then appear in the log file.
--970d9b79-A--
[18/Feb/2023:13:24:49 +0800] Y-BhIVNZ-4OlQ22p-mwm3AAAAAk 60.248.153.35 34438 172.31.25.173 443
--970d9b79-B--
GET /orders?q=%3Cscript%3E HTTP/1.1
Host: gate.icarry.me
Connection: keep-alive
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
dnt: 1
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7,ja;q=0.6,zh-CN;q=0.5
--970d9b79-F--
HTTP/1.1 403 Forbidden
X-Frame-Options: SAMEORIGIN
Content-Length: 208
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--970d9b79-Z--
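As an added example (not part of the original post), here is a small Python parser for the serial audit-log format shown above, with a trimmed copy of that entry embedded as constructed sample input. It splits entries on the --id-X-- boundaries, pulls the client IP, request line and response status out of parts A, B and F, and lists the requests that were answered with 403, which is what you want when reviewing what the rule set blocked.

```python
import re
from urllib.parse import unquote

# Constructed sample: a trimmed copy of the audit-log entry above, in the
# ModSecurity 2.x serial format written with SecAuditLogParts ABFZ.
SAMPLE_LOG = """--970d9b79-A--
[18/Feb/2023:13:24:49 +0800] Y-BhIVNZ-4OlQ22p-mwm3AAAAAk 60.248.153.35 34438 172.31.25.173 443
--970d9b79-B--
GET /orders?q=%3Cscript%3E HTTP/1.1
Host: gate.icarry.me
User-Agent: Mozilla/5.0
--970d9b79-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1
--970d9b79-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")  # --<entry id>-<part>--
# Part A: [timestamp] transaction-id client-ip client-port server-ip server-port
PART_A = re.compile(r"^\[(.+?)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")


def split_entries(text):
    """Split a serial audit log into entries: dicts of part letter -> part text."""
    entries, current, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            ident, part = m.groups()
            if part == "A":            # part A opens a new entry
                current = {"id": ident}
                entries.append(current)
            continue
        if current is not None and part not in (None, "Z"):
            current[part] = current.get(part, "") + line + "\n"
    return entries


def summarize(entry):
    """Extract the fields worth reviewing from parts A, B and F of one entry."""
    ts, txid, cip, cport, sip, sport = PART_A.match(entry["A"].strip()).groups()
    method, uri, _ = entry["B"].splitlines()[0].split(" ", 2)
    status = int(entry["F"].splitlines()[0].split(" ")[1])
    return {"time": ts, "txid": txid, "client_ip": cip, "client_port": int(cport),
            "server_ip": sip, "server_port": int(sport), "method": method,
            "uri": uri, "uri_decoded": unquote(uri), "status": status}


def blocked_requests(text, status=403):
    """Summaries of every entry whose response status matches (403 = blocked)."""
    return [s for s in map(summarize, split_entries(text)) if s["status"] == status]
```

Point it at /var/log/modsecurity/modsec_audit.log to list what was blocked; the decoded URI makes the <script> payload that triggered the rule visible.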
Real-world usage
The 3.3.4 rule set currently in use works reasonably well, but a few problems remain:
- Posts cannot be written in the new WordPress editor; the old editor has to be installed.
- Some Chinese characters typed into the site's input fields are wrongly flagged.