mod_security 是 Apache 的保安模组,可以预防多种针对网页的攻击,例如执行远端程式码, SQL Injection,路径扫瞄等。以下是在 RHEL 及 CentOS 安装 mod_security 的方法:
1. 安装 mod_security 所需套件:
# yum install gcc make httpd-devel libxml2 pcre-devel libxml2-devel curl-devel git
2. 下载 mod_security 最新的稳定版源码,进行编译及安装:
# wget https://www.modsecurity.org/tarball/2.9.0/modsecurity-2.9.0.tar.gz
# tar xzf modsecurity-apache_2.9.0.tar.gz
# cd modsecurity-apache_2.9.0
# ./configure
# make install
# cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
# cp unicode.mapping /etc/httpd/conf.d/
# tar xzf modsecurity-apache_2.9.0.tar.gz
# cd modsecurity-apache_2.9.0
# ./configure
# make install
# cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
# cp unicode.mapping /etc/httpd/conf.d/
3. 下载及设定 OWASP (Open Web Application Security Project) 的 rule 作为基本设定:
# cd /etc/httpd
# git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
# mv owasp-modsecurity-crs modsecurity-crs
# cd modsecurity-crs
# cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf
# git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
# mv owasp-modsecurity-crs modsecurity-crs
# cd modsecurity-crs
# cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf
4. 设定 mod_security:
开启 /etc/httpd/conf/httpd.conf, 加入以下几行加载 mod_security:
|
1 2 3 4 5 6 7 |
LoadModule security2_module modules/mod_security2.so <IfModule security2_module> Include conf.d/modsecurity.conf </IfModule> Include modsecurity-crs/modsecurity_crs_10_config.conf Include modsecurity-crs/base_rules/*.conf |
储存 httpd.conf 后,最后重新启动 Apache 就完成了。
备注:Yum 及 Apt-get 安装
如果不想编译源码,用 Yum 及 Apt-get 安装更简单:
RHEL, CentOS, Fedora:
$ sudo yum install mod_security
$ sudo /etc/init.d/httpd restart
$ sudo /etc/init.d/httpd restart
Debian, Ubuntu
$ sudo apt-get install libapache2-mod-security
$ sudo a2enmod mod-security
$ sudo /etc/init.d/apache2 force-reload
$ sudo a2enmod mod-security
$ sudo /etc/init.d/apache2 force-reload