本文共 2387 字,大约阅读时间需要 7 分钟。
- Install ModSecurity:
sudo apt-get install libxml2 libxml2-dev libxml2-utils libaprutil1 libaprutil1-dev libapache-mod-security |
If your Ubuntu is 64bit, you need to fix a bug: sudo ln -s /usr/lib/x86_64-linux-gnu/libxml2 .so.2 /usr/lib/libxml2 .so.2 |
- Configure ModSecurity:
sudo mv /etc/modsecurity/modsecurity .conf-recommended /etc/modsecurity/modsecurity .conf; sudo vi /etc/modsecurity/modsecurity .conf |
Enable the rule engine: Increase the request body size limit to 10Mb(Optional, only if your site accepts uploads): SecRequestBodyLimit 10000000 SecRequestBodyInMemoryLimit 10000000 |
- Check the ModSecurity version:
dpkg -s libapache-mod-security | grep Version |
The installed ModSecurity version is: Version: 2.6.3-1ubuntu0.2 |
- Install :
- Download the rule set( because the latest version requires ModSecurity 2.7.0+):
wget https: //github .com /SpiderLabs/owasp-modsecurity-crs/tarball/v2 .2.5 -O /tmp/owasp . tar .gz |
- Extract the package:
cd /tmp ; tar -zxvf owasp. tar .gz; rm owasp. tar .gz |
- Copy the directory to /etc/modsecurity, and set the permissions:
sudo mv SpiderLabs-owasp-modsecurity-crs-5c28b52/ /etc/modsecurity/owasp-crs sudo chmod -R 644 /etc/modsecurity/owasp-crs |
- Link the rules to /etc/modsecruity/owasp-crs/activated_rules directory:
sudo mv /etc/modsecurity/owasp-crs/modsecurity_crs_10_setup .conf.example /etc/modsecurity/owasp-crs/modsecurity_crs_10_setup .conf cd /etc/modsecurity/owasp-crs/activated_rules/ sudo ln -s .. /modsecurity_crs_10_setup .conf for f in $( ls .. /base_rules/ ); do sudo ln -s .. /base_rules/ $f; done for f in $( ls .. /optional_rules/ ); do sudo ln -s .. /optional_rules/ $f; done |
- Modify /etc/apache2/mods-available/mod-security.conf to include the rules:
sudo vi /etc/apache2/mods-available/mod-security .conf |
Add the following line: Include "/etc/modsecurity/owasp-crs/activated_rules/*.conf" |
- Enable headers module: This to fix the following error:
Syntax error on line 29 of /etc/apache2/conf.d/modsecurity/optional_rules/modsecurity_crs_49_header_tagging.conf: Invalid command 'RequestHeader', perhaps misspelled or defined by a module not included in the server configuration Action 'configtest' failed. The Apache error log may have more information. |
when restarting apache2.
- Enable ModSecurity module and restart apache2:
sudo a2enmod mod-security; sudo /etc/init .d /apache2 restart |
转载地址:http://ikemb.baihongyu.com/