web application firewalld (WAF) 功能

Posted 2021-01-24 xiaohaizai

1、应用服务级别的安全考虑

引入web安全中的十大安全方向：

OWASP: 开源web应用安全项目。Open Web Application Security Project

十大安全问题：

SQL 注入、失效的身份认证和会话管理、跨站脚本（xss）、失效的访问控制、安全配置错误、

敏感信息泄露、攻击检测与防护不足、跨站请求伪造(CSRF)、使用含有已知漏洞的组件、未受保护的API

2、应用级别安全选择

对比分析当下主流安全插件

naxsi、modlibsecurity

3、测试应用

4、数据分析

5、功能性用途：

为了解决 top 10 问题

 

6、加载规则

ModSecurity的企业赞助商TrustWave Spiderlabs提供的推荐的ModSecurity配置

https://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-owasp-crs/

 

Add Include directives in the main NGINX WAF configuration file (/etc/nginx/modsec/main.conf, created in Step 4 of Protecting the Demo Web Application) to read in the CRS configuration and rules. Comment out any other rules that might already exist in the file, such as the sample SecRule directive created in that section.

 

# Include the recommended configuration

Include /etc/nginx/modsec/modsecurity.conf

# OWASP CRS v3 rules

Include /usr/local/owasp-modsecurity-crs-3.0.2/crs-setup.conf

Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-901-INITIALIZATION.conf

 

https://github.com/SpiderLabs/ModSecurity-nginx#usage

https://github.com/SpiderLabs/ModSecurity/wiki#secremoterulesfailaction

 

 

官方网站的解释：

https://modsecurity.org/crs/