1. WAF concepts:
(1) What a WAF is:
WAF: Web Application Firewall. A WAF works at the application layer and protects web applications by enforcing a set of security policies on HTTP/HTTPS traffic.
(2) Functions a WAF can provide:
a. Block web attacks such as SQL injection, local file inclusion, some overflow attempts, fuzzing and XSS;
b. Block leaks of files such as SVN metadata and backup copies;
c. Block load-testing tools such as Apache Bench being used to attack the site;
d. Block common hacker scanning tools;
e. Block abnormal network requests;
f. Deny PHP execution in image and attachment directories;
g. Block webshell uploads, and so on.
Note that a rule-based WAF like the one installed below only stops requests that match its signatures; it buys time but does not replace fixing the vulnerable code behind it.
2. Install the dependency packages:
# yum -y install gcc gcc-c++ make zlib zlib-devel openssl openssl-devel pcre pcre-devel perl-devel perl-ExtUtils-Embed gd-devel libxml2 libxml2-devel libxslt libxslt-devel GeoIP GeoIP-devel GeoIP-data git libuuid-devel libblkid-devel libudev-devel fuse-devel libedit-devel libatomic_ops-devel httpd-tools
3. Build and install OpenResty:
# useradd -s /sbin/nologin -M nginx
# mkdir -pv /usr/local/openresty/nginx/logs/
# tar -xf openresty-1.15.8.2.tar.gz -C /usr/src
# cd /usr/src/openresty-1.15.8.2/
# ./configure --prefix=/usr/local/openresty --user=nginx --group=nginx --with-threads --with-file-aio --with-http_iconv_module --with-luajit --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module --with-stream_ssl_preread_module --with-pcre --with-pcre-jit --with-libatomic --http-log-path=/usr/local/openresty/nginx/logs/access.log
# gmake && gmake install
4. Configure the environment variables and start OpenResty:
# vim /etc/profile.d/openresty.sh, with the following content:
export PATH=/usr/local/openresty/nginx/sbin:/usr/local/openresty/bin:$PATH
# . /etc/profile.d/openresty.sh
# nginx -v
# nginx
# ss -tunlp | grep -w :80
5. Test the Lua environment:
# vim /tmp/hello.lua, with the content: print("Hello Lua")
# lua /tmp/hello.lua
# lua
Note: OpenResty does not install a `lua` command of its own. Its LuaJIT interpreter is /usr/local/openresty/luajit/bin/luajit, and `resty /tmp/hello.lua` (on PATH after step 4) runs the script inside an OpenResty-style environment; if `lua` is not found, use one of those instead.
6. Test the OpenResty Lua module:
# cd /usr/local/openresty/nginx/conf
# cp nginx.conf{,.bak}
# vim nginx.conf, and add the following location to the server block:
    location /lua {
        default_type text/html;
        content_by_lua_block {
            ngx.say("Hello Lua")
        }
    }
# nginx -t
# nginx -s reload
7. Create the directory for the WAF attack log:
# mkdir -pv /usr/local/openresty/nginx/logs/hack
8. Download and unpack the ngx_lua_waf module:
ngx_lua_waf is a web application firewall built on lua-nginx-module: https://github.com/loveshell/ngx_lua_waf.
# tar -xf ngx_lua_waf-0.7.2.tar.gz -C /usr/local/openresty/nginx/conf
# cd /usr/local/openresty/nginx/conf
# mv ngx_lua_waf-0.7.2 waf
# chown -R nginx:nginx /usr/local/openresty/nginx/logs
Only the log tree needs to be writable by the worker user (the attack log is written from Lua inside the worker process). Keep sbin/ and conf/, including the WAF rules, owned by root: if the whole /usr/local/openresty tree belongs to nginx, a compromised worker can rewrite the binary, nginx.conf or the rule files.
Note: main layout of the waf directory
(1) config.lua: configuration file;
(2) init.lua: rule functions;
(3) waf.lua: defines the order in which the WAF checks run;
(4) wafconf: directory holding the filter rules, one regular expression per line (alternatives within a line are separated with |, which is ordinary regex alternation);
(5) wafconf/args: filters GET parameters (enabled by default);
(6) wafconf/cookie: filters Cookie headers;
(7) wafconf/post: filters POST request bodies (enabled by default);
(8) wafconf/url: filters the request URL;
(9) wafconf/user-agent: filters the User-Agent header;
(10) wafconf/whiteurl: URL whitelist; a request whose URL matches is not filtered further.
9. Set the rule directory path in config.lua:
# vim /usr/local/openresty/nginx/conf/waf/config.lua, and set RulePath="/usr/local/openresty/nginx/conf/waf/wafconf/"
Note: config.lua directives

| Directive | Meaning |
| --- | --- |
| RulePath="/usr/local/openresty/nginx/conf/waf/wafconf/" | Directory holding the rule files |
| attacklog="on" | Enable the attack log |
| logdir="/usr/local/openresty/nginx/logs/hack/" | Directory for the attack log (must be writable by the nginx worker user) |
| UrlDeny="on" | Block requests whose URL matches the url rules |
| Redirect="on" | Redirect the client after a request is blocked |
| CookieMatch="on" | Block Cookie attacks (check Cookie headers against the cookie rules) |
| postMatch="on" | Block POST attacks (check POST bodies against the post rules) |
| whiteModule="on" | Enable the URL whitelist |
| black_fileExt={"php","jsp"} | File extensions that may not be uploaded |
| ipWhitelist={"127.0.0.1"} | IP whitelist, a Lua table with entries separated by commas |
| ipBlocklist={"1.0.0.1"} | IP blocklist, same syntax |
| CCDeny="on" | Enable CC attack (HTTP flood) blocking; needs lua_shared_dict limit 10m; in the http block of nginx.conf |
| CCrate="100/60" | CC rate as count/seconds: by default one IP may request the same URL at most 100 times in 60 seconds |

Before relying on ipWhitelist, ipBlocklist or CCDeny, check how init.lua obtains the client address: if it reads X-Real-IP or X-Forwarded-For rather than the peer address, any client can spoof those headers to land on a whitelist entry or to reset its own CC counter. Either let only a trusted front proxy set them (and use the realip module built above to rewrite remote_addr) or make the WAF use ngx.var.remote_addr directly.
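The CC throttle that CCDeny/CCrate describe, as a runnable model added here (this is not ngx_lua_waf's own Lua). It parses the count/seconds string the way the table describes and keeps a fixed-window counter per (client IP, URI) with a time-to-live, the same shape as a counter kept in lua_shared_dict. The class and function names and the fake clock are this example's own.

```python
"""Model of ngx_lua_waf's CCDeny/CCrate throttle.

Added example, not the project's Lua: it parses the CCrate string as
"count/seconds" and keeps a fixed-window counter per (client IP, URI)
with a time-to-live, the shape of a counter stored in lua_shared_dict.
Class and function names are this example's own; a fake clock lets the
demo run instantly.
"""
import time


def parse_ccrate(ccrate):
    """'100/60' -> (100, 60): at most COUNT requests per SECONDS-second window."""
    count, seconds = ccrate.split("/", 1)
    count, seconds = int(count), int(seconds)
    if count <= 0 or seconds <= 0:
        raise ValueError("invalid CCrate %r" % ccrate)
    return count, seconds


class CCLimiter:
    """Fixed-window counter keyed by (client_ip, uri).

    The first request in a window creates the key with an expiry of
    now + seconds; later requests increment it until the key expires.
    The key must be the peer address as seen by nginx: keying on a
    client-supplied header such as X-Forwarded-For would let the client
    pick a fresh bucket on every request.
    """

    def __init__(self, ccrate="100/60", clock=time.monotonic):
        self.count, self.seconds = parse_ccrate(ccrate)
        self.clock = clock
        self._table = {}  # (ip, uri) -> [hits, expires_at]

    def allow(self, client_ip, uri):
        """True if the request may pass, False if the window is exhausted."""
        now = self.clock()
        key = (client_ip, uri)
        entry = self._table.get(key)
        if entry is None or entry[1] <= now:
            self._table[key] = [1, now + self.seconds]  # new window
            return True
        if entry[0] >= self.count:
            return False  # over the limit: the WAF refuses the request here
        entry[0] += 1
        return True


def simulate(ccrate="100/60", requests=105, ip="192.168.0.121", uri="/lua"):
    """Fire `requests` hits from one IP at one URI inside one window and
    return (allowed, denied)."""
    now = [0.0]
    lim = CCLimiter(ccrate, clock=lambda: now[0])
    allowed = sum(lim.allow(ip, uri) for _ in range(requests))
    return allowed, requests - allowed


def window_reset(ccrate="100/60"):
    """Exhaust a window, then step the clock past `seconds` and check that
    the same client is admitted again (the shared-dict key has expired)."""
    now = [0.0]
    lim = CCLimiter(ccrate, clock=lambda: now[0])
    for _ in range(lim.count):
        lim.allow("10.0.0.5", "/login")
    blocked = not lim.allow("10.0.0.5", "/login")
    now[0] += lim.seconds
    return blocked and lim.allow("10.0.0.5", "/login")


if __name__ == "__main__":
    print(simulate())        # (100, 5)
    print(window_reset())    # True
```

Because the window is fixed rather than sliding, a client that times its bursts to the key expiry can send up to twice the configured count across two adjacent windows; that is acceptable for flood protection but is worth knowing when choosing CCrate.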
10. Edit nginx.conf:
# vim /usr/local/openresty/nginx/conf/nginx.conf, and add the following to the http block:
    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua;;";
    lua_shared_dict limit 10m;
    init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
    access_by_lua_file "/usr/local/openresty/nginx/conf/waf/waf.lua";
The trailing ;; in lua_package_path appends OpenResty's default search path instead of replacing it, so the bundled resty.* modules stay loadable. lua_shared_dict limit is the shared memory zone the CC counter uses; init_by_lua_file loads the rules once at startup, and access_by_lua_file runs the checks in the access phase of every request, before the request reaches the backend or the location's content handler.
# nginx -t
# nginx -s reload
11. Test the WAF:
(1) Simulate a URL parameter check: http://192.168.0.121/lua?id=../etc/shadow
(2) Simulate a CC attack with ab: # ab -n 10000 -c 100 http://192.168.0.121/lua
Note: ab options
a. -n requests: total number of requests to perform (default 1)
b. -c concurrency: number of requests to issue at the same time (default 1)
(3) Check the log (one file per server name and day under logdir): # tail -3 /usr/local/openresty/nginx/logs/hack/localhost_2020-02-18_sec.log
192.168.0.121 [2020-02-18 00:47:49] "UA localhost/lua" "-" "ApacheBench/2.3" "(HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench| SF/)"
The fields are client IP, time, "stage host/uri", request data, User-Agent and the rule that matched. This entry came from the user-agent rule (bench matches ApacheBench/2.3), not from the CC limiter. To exercise CCDeny itself, override ab's default User-Agent (ab -H "User-Agent: Mozilla/5.0" ...) so the UA rule does not fire first, and look at the non-2xx count in ab's summary.
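A model of the rule-file matching that produced the log entry above, added here as an example rather than code from ngx_lua_waf. It loads rules in the wafconf layout (one case-insensitive regular expression per line), runs the User-Agent, the URL and the %-decoded GET arguments against them in that order (this example's own order), and renders a hit in the same line layout as the attack log. The url and args rule sets are constructed for the demo; the user-agent rule is the one quoted in the log line.

```python
"""Model of ngx_lua_waf rule matching and attack-log formatting.

Added example, not the project's code. Rule files follow the wafconf
layout: one regular expression per line; `|` inside a line is regex
alternation. Matching is case-insensitive. The url/args rule sets are
constructed for this demo; the user-agent rule is the one quoted in the
attack-log line above.
"""
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed rule sets in wafconf layout (one regex per non-empty line).
CONSTRUCTED_RULES = {
    "url": r"""
\.(svn|git|bak|sql)\b
\.php\.?(bak|orig|tmp)$
""",
    "args": r"""
\.\./
(etc/passwd|etc/shadow)
union[\s/*]+select
<script
""",
    # Copied from the rule column of the log entry above.
    "user-agent": r"""
(HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench| SF/)
""",
}


def load_rules(text):
    """Compile one case-insensitive pattern per non-empty line."""
    return [re.compile(line, re.I) for line in text.splitlines() if line.strip()]


RULES = {name: load_rules(text) for name, text in CONSTRUCTED_RULES.items()}


def first_hit(stage, subject):
    """Source text of the first rule in `stage` that matches `subject`, else None."""
    for pat in RULES.get(stage, []):
        if pat.search(subject):
            return pat.pattern
    return None


def inspect(host, uri, args="", ua=""):
    """Run the stages in this example's order (User-Agent, URL, GET args).

    GET args are %-decoded before matching, so id=%2e%2e/ hits the same
    rule as id=../ . Returns (stage_tag, rule) for the first hit, or None.
    """
    stages = (
        ("user-agent", "UA", ua),
        ("url", "GET", uri),
        ("args", "GET", unquote(args)),
    )
    for stage, tag, subject in stages:
        rule = first_hit(stage, subject)
        if rule is not None:
            return tag, rule
    return None


def log_line(ip, when, tag, host, uri, data, ua, rule):
    """Attack-log layout seen above: IP [time] "TAG host/uri" "data" "ua" "rule"."""
    return (f'{ip} [{when:%Y-%m-%d %H:%M:%S}] "{tag} {host}{uri}" '
            f'"{data}" "{ua}" "{rule}"')


def ab_log_line():
    """Re-create the entry the ab run produced: the bench alternative in
    the user-agent rule matches ApacheBench/2.3."""
    ua = "ApacheBench/2.3"
    tag, rule = inspect("localhost", "/lua", ua=ua)
    return log_line("192.168.0.121", datetime(2020, 2, 18, 0, 47, 49),
                    tag, "localhost", "/lua", "-", ua, rule)


if __name__ == "__main__":
    print(ab_log_line())
    print(inspect("localhost", "/lua", args="id=../etc/shadow", ua="curl/7.64.0"))
    print(inspect("localhost", "/index.html", args="id=42", ua="Mozilla/5.0"))
```

The decode step matters when writing rules: a traversal rule on the raw query string misses id=%2e%2e/, so rules should be tested against the decoded value the application will actually see.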