As a site owner who has received plenty of "attention" from attackers, I (阿银, the overworked host of 万事屋) know how much server security matters. OpenLiteSpeed (OLS) is a performance beast, but its default configuration alone will not stop SQL injection, XSS, RCE and the rest of the usual menagerie. This post walks through installing the OWASP Core Rule Set (CRS) on OLS by hand and layering a few custom rules on top, to build a web application firewall (WAF) that actually earns its name. It is written for people who migrated away from CyberPanel as well as for plain OLS users who want to do it themselves. The steps are spelled out in enough detail that even a fumble-fingered admin like me can follow them.
Why OWASP CRS plus custom rules?
OWASP CRS is the standard rule set for ModSecurity, a "bodyguard" that recognises SQL injection, cross-site scripting (XSS), remote code execution (RCE) and other common attack classes. The project describes it as protection against a wide range of generic web attacks, which makes it a lifesaver for a site owner. One thing to know up front: CRS 4.x runs in anomaly-scoring mode by default, so an individual rule only adds to a per-request score and the actual block comes from the evaluation rule (949110) once that score crosses the threshold. CRS also does not know your site: things like brute-force protection on your login page or restricting risky file uploads need custom rules on top. Manual configuration is more work, but you get full control and you skip the bill for a commercial WAF.
Preparation: make sure the environment is ready
On Ubuntu 20.04, check a few things first so you do not trip over them later:
- OpenLiteSpeed is installed: run /usr/local/lsws/bin/lswsctrl status (just lswsctrl status if it is on your PATH). If it reports that the server is running, you are fine.
- The ModSecurity module is installed: sudo apt-get install ols-modsecurity -y, then check for the module file with ls /usr/local/lsws/modules/mod_security.so. No file? Reinstall the package.
- Permissions: you need sudo, and the log directory (/usr/local/lsws/logs/) must be writable by the user OpenLiteSpeed runs as.
Step one: install OWASP CRS by hand
OWASP CRS is downloaded from GitHub; do not expect apt-get to do it all for you. This post uses v4.4.0; check the project's releases page for the current 4.x release and substitute the version number wherever it appears below. Let's get to it:
- Create the rules directory:
sudo mkdir -p /usr/local/lsws/conf/owasp/
cd /usr/local/lsws/conf/owasp/
- Download CRS:
sudo wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.4.0.zip
GitHub is flaky now and then; if the download crawls, retry or use a local mirror.
- Unpack and rename (install unzip first if it is missing):
sudo unzip v4.4.0.zip
sudo mv coreruleset-4.4.0 owasp-modsecurity-crs
cd owasp-modsecurity-crs
The directory must end up as /usr/local/lsws/conf/owasp/owasp-modsecurity-crs/; every include below assumes that path, so do not get creative with the name.
- Activate the example files. Copy rather than move them, so the pristine templates are still there to diff against after a CRS upgrade:
sudo cp crs-setup.conf.example crs-setup.conf
cd rules
sudo cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
sudo cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
These ".example" files are templates that work as shipped. crs-setup.conf holds the paranoia level and anomaly thresholds, and the 900/999 files are where your own exclusions go; beginners should leave all three alone for now.
- Create the include file: in /usr/local/lsws/conf/owasp/ create modsec_includes.conf with this content:
# ModSecurity core configuration
include modsecurity.conf
# OWASP CRS setup and rules
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-955-WEB-SHELLS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
This file is the "head steward" of the rule set: it loads everything in order, so initialisation, attack detection and response evaluation do not trip over each other. Relative paths are resolved against the directory the include file lives in. Two caveats: first, the line include modsecurity.conf refers to a file this tutorial never creates, and an include of a missing file is a parse error that stops the whole module from loading, so either delete that line (the engine settings it would carry are set in httpd_config.conf and custom_rules.conf below) or create the file from the ModSecurity project's modsecurity.conf-recommended template. Second, an explicit list must name every rule file your CRS version ships (4.x added REQUEST-922-MULTIPART-ATTACK.conf and RESPONSE-955-WEB-SHELLS.conf, both listed above); if you would rather not maintain the list, replace the rules/ lines with a single include owasp-modsecurity-crs/rules/*.conf, which libmodsecurity expands in alphabetical order, the same order the numbered file names encode.
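Before restarting OLS it pays to check that every include actually resolves and that no CRS rule file has been left out of the list. The script below is an added example, not part of the original post or of the CRS project: it resolves include lines the way libmodsecurity does (relative to the directory of the file that contains them, with globs expanded), reports missing targets, and lists *.conf files in the rules directory that nothing includes. demo() builds a throw-away copy of the tutorial's layout in a temporary directory with empty stand-in files; the conf path and rules directory are parameters, nothing is hard-wired to /usr/local/lsws.

```python
"""Pre-flight check for a ModSecurity include file (added example)."""
import glob
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)", re.IGNORECASE)


def parse_includes(conf_path):
    """Yield (raw_target, absolute_path) for every include directive in conf_path."""
    base = os.path.dirname(os.path.abspath(conf_path))
    with open(conf_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.split("#", 1)[0]            # drop trailing comments
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            raw = m.group(1).strip('"')
            path = raw if os.path.isabs(raw) else os.path.join(base, raw)
            yield raw, os.path.normpath(path)


def check_includes(conf_path, rules_dir):
    """Return (missing, not_included).

    missing:      include targets (after glob expansion) that do not exist
    not_included: *.conf files in rules_dir that no include line covers
    """
    covered, missing = set(), []
    for raw, path in parse_includes(conf_path):
        if any(ch in raw for ch in "*?["):          # wildcard include
            hits = sorted(glob.glob(path))
            if hits:
                covered.update(hits)
            else:
                missing.append(path)
        elif os.path.isfile(path):
            covered.add(path)
        else:
            missing.append(path)
    on_disk = sorted(glob.glob(os.path.join(rules_dir, "*.conf")))
    return missing, [p for p in on_disk if p not in covered]


def demo(use_glob=False):
    """Recreate the tutorial layout in a temp dir and run the check on it.

    The rule file names are real CRS 4.x names; the files are empty stand-ins.
    With use_glob=True the include file uses rules/*.conf instead of a list.
    Returns base names of (missing, not_included)."""
    root = tempfile.mkdtemp(prefix="olswaf-")
    rules_dir = os.path.join(root, "owasp-modsecurity-crs", "rules")
    os.makedirs(rules_dir)
    for name in ("REQUEST-901-INITIALIZATION.conf",
                 "REQUEST-922-MULTIPART-ATTACK.conf",
                 "REQUEST-942-APPLICATION-ATTACK-SQLI.conf",
                 "RESPONSE-955-WEB-SHELLS.conf"):
        open(os.path.join(rules_dir, name), "w").close()
    open(os.path.join(root, "custom_rules.conf"), "w").close()

    if use_glob:
        rule_lines = "include owasp-modsecurity-crs/rules/*.conf\n"
    else:  # explicit list that forgot 922 and 955
        rule_lines = (
            "include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf\n"
            "include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\n"
        )
    conf = os.path.join(root, "modsec_includes.conf")
    with open(conf, "w", encoding="utf-8") as fh:
        fh.write("# ModSecurity core configuration\n"
                 "include modsecurity.conf\n"      # never created: the mistake to catch
                 + rule_lines +
                 "include custom_rules.conf   # keep last\n")
    missing, not_included = check_includes(conf, rules_dir)
    return ([os.path.basename(p) for p in missing],
            [os.path.basename(p) for p in not_included])


if __name__ == "__main__":
    for flag in (False, True):
        missing, not_included = demo(use_glob=flag)
        print(f"glob={flag}: missing={missing} not_included={not_included}")
```

Run it against the real file with check_includes("/usr/local/lsws/conf/owasp/modsec_includes.conf", "/usr/local/lsws/conf/owasp/owasp-modsecurity-crs/rules") after step two; an empty pair of lists means the include file is safe to load.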
Step two: add custom rules
OWASP CRS is strong, but some needs it simply does not cover, such as brute-force protection or restricting risky file uploads. We keep the custom rules in a file of their own: easy to manage, and they do not interfere with CRS.
- Create the custom rules file custom_rules.conf in /usr/local/lsws/conf/owasp/. The version below is the post's rule set with its bugs fixed: the regexes use single backslashes (the doubled ones were an escaping artefact and would have matched literal backslashes), the session-fixation rule is disabled because it blocked every request carrying a cookie, the upload rule inspects FILES instead of FILES_TMPNAMES, the per-IP counter gets the initcol it needs and the right variable name, and the traversal rule no longer normalises away the very "../" it looks for. Each fix is called out in a comment:
# Custom ModSecurity rules for OpenLiteSpeed
# Enhanced protection for specific threats

# --- 1. Core settings ---
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml application/json
# SecDefaultAction only affects rules parsed after it. This file is included after
# the CRS, so the CRS keeps its own "pass" default (anomaly scoring) and only the
# rules below block outright.
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

# --- 2. General attack protection ---
# These keyword patterns are broad and overlap with CRS 942/941/932/930. They will
# match ordinary text ("select a colour", "the cat sat"), so tune them per site.
# (?i) already makes the match case-insensitive; t:lowercase is not needed.

# 2.1 SQL injection (SQLi)
SecRule ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent "@rx (?i)(?:\b(?:union|select|insert|update|delete|drop|alter|create|rename|truncate|load_file|outfile|sleep|benchmark)\b|\d\s*'|'\s*\d|\b(?:or|xor|and)\b\s*[\d'\"])" \
    "id:1000,phase:2,block,t:none,msg:'SQL Injection Attack Detected',logdata:'Matched Data: %{MATCHED_VAR}',severity:'CRITICAL',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli'"

# 2.2 Cross-site scripting (XSS)
SecRule ARGS|REQUEST_HEADERS|REQUEST_BODY "@rx (?i)(?:<script|javascript:|on(?:load|error|mouseover)\s*=|eval\(|alert\(|document\.cookie)" \
    "id:1001,phase:2,block,t:none,t:urlDecodeUni,msg:'XSS Attack Attempt Detected',logdata:'Matched Data: %{MATCHED_VAR}',severity:'CRITICAL',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-xss'"

# 2.3 Remote command execution (RCE)
SecRule ARGS|REQUEST_HEADERS|REQUEST_BODY "@rx (?i)(?:\b(?:bash|sh|cmd|powershell|python|perl|php)\s*-c|\b(?:whoami|id|ifconfig|ipconfig|ls|dir|cat|echo|curl|wget|ftp)\b|\|\s*\||&\s*&|;\s*;|`|\$(?:\(|\{))" \
    "id:1002,phase:2,block,t:none,t:urlDecodeUni,msg:'Remote Command Execution Attempt',logdata:'Matched Data: %{MATCHED_VAR}',severity:'CRITICAL',tag:'attack-rce'"

# 2.4 File inclusion (LFI/RFI)
# The https?:// alternative blocks any parameter that carries a URL (redirect targets,
# webhooks), and the bare words home/root/etc match ordinary text. Expect to tune this.
SecRule ARGS|REQUEST_HEADERS "@rx (?i)(?:\.\./|\.\.\\|file://|php://(?:input|filter)|expect://|https?://|ftp://|\b(?:etc|proc|usr|home|root|windows|winnt)\b)" \
    "id:1003,phase:2,block,t:none,t:urlDecodeUni,msg:'File Inclusion Attack Attempt',logdata:'Matched Data: %{MATCHED_VAR}',severity:'CRITICAL',tag:'attack-lfi',tag:'attack-rfi'"

# 2.5 Session fixation
# Disabled: %{SESSION.ID} is only populated after a setsid action, which nothing in
# this file runs, so the original rule compared every cookie against an empty string
# and blocked every request that carried a cookie. CRS REQUEST-943 covers this.
# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/ "!@streq %{SESSION.ID}" \
#     "id:1004,phase:2,block,msg:'Session Fixation Attack Attempt',tag:'attack-session-fixation'"

# --- 3. Scanner and bot protection ---
# 3.1 Block scanner User-Agents. One string per line in the list file; the file is
# opened at startup, so if it is missing the whole rule file fails to load.
SecRule REQUEST_HEADERS:User-Agent "@pmf /usr/local/lsws/conf/modsec/scanner-user-agents.list" \
    "id:2000,phase:1,deny,msg:'Scanner Detected via User-Agent',logdata:'Scanner User-Agent: %{MATCHED_VAR}',severity:'WARNING',tag:'hostile-scanner'"

# --- 4. File upload restrictions ---
# FILES holds the file names the client sent. FILES_TMPNAMES (the original target)
# holds the temporary paths ModSecurity stores the bodies under, which never end in
# .php, so that rule could never match. phtml and phar are added to the list.
SecRule FILES "@rx (?i)\.(?:php|phtml|phar|pl|py|jsp|asp|sh|exe|dll|bat|cmd)$" \
    "id:3000,phase:2,deny,t:none,msg:'Potentially Malicious File Upload Attempt',logdata:'File Name: %{MATCHED_VAR}',severity:'CRITICAL',tag:'attack-malicious-file'"

# --- 5. Information leakage protection ---
# 5.1 Prevent PHP source leaks. Needs SecResponseBodyAccess On and text/html in
# SecResponseBodyMimeType (both set above). A leaked file need not contain "?>".
SecRule RESPONSE_BODY "@rx (?i)<\?php\b" \
    "id:4000,phase:4,deny,t:none,msg:'PHP Source Code Leakage Detected',severity:'ERROR'"

# 5.2 Prevent access to sensitive hidden files and directories
SecRule REQUEST_FILENAME "@rx (?i)/\.(?:git|env|DS_Store)(?:/|$)" \
    "id:4001,phase:1,deny,t:none,msg:'Access to Sensitive Hidden File or Directory',logdata:'Matched File: %{MATCHED_VAR}',severity:'CRITICAL'"

# --- 6. Rate limiting (anti brute force) ---
# The ip.* collection must be initialised before setvar can write to it.
SecAction "id:4999,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
# Count POSTs to the login form; each hit resets the 60-second expiry (sliding window).
# The counter lives in the ModSecurity engine's memory by default, so with several OLS
# worker processes each worker counts on its own: treat this as a speed bump.
SecRule REQUEST_FILENAME "@streq /wp-login.php" \
    "id:5000,phase:1,chain,nolog,pass"
    SecRule REQUEST_METHOD "@streq POST" \
        "setvar:ip.brute_force_counter=+1,expirevar:ip.brute_force_counter=60"
# More than 5 login POSTs in the window: deny every request from that IP until the
# counter expires. Change the path above if your login page is not /wp-login.php.
SecRule IP:brute_force_counter "@gt 5" \
    "id:5001,phase:1,deny,msg:'Brute Force Attack Attempt from IP: %{REMOTE_ADDR}',logdata:'Login attempts in last 60 seconds: %{ip.brute_force_counter}',severity:'WARNING'"

# --- 7. Path traversal protection ---
# No t:normalisePath(Win) here: it resolves "../" segments away before the regex runs.
# ARGS are already URL-decoded once; urlDecodeUni catches double encoding.
SecRule ARGS "@rx \.\./" \
    "id:99999,phase:2,deny,t:none,t:urlDecodeUni,log,auditlog,msg:'Path Traversal Attempt',severity:'CRITICAL'"
- Create the helper file for rule 2000, scanner-user-agents.list:
sudo mkdir -p /usr/local/lsws/conf/modsec/
sudo nano /usr/local/lsws/conf/modsec/scanner-user-agents.list
Put one phrase per line (for example sqlmap, nikto, burp). @pmf matches case-insensitively anywhere in the User-Agent, so keep the phrases specific; a short generic word will block real browsers.
- Update the include file: append include custom_rules.conf as the last line of modsec_includes.conf. The position matters twice over: the SecDefaultAction override above must come after the CRS rules so it does not turn the CRS's scoring rules into hard blocks, and any SecRuleRemoveById you later add for a custom rule has to come after this include.
Step three: configure the ModSecurity module
Edit the main configuration file /usr/local/lsws/conf/httpd_config.conf and make sure the module block looks like this:
module mod_security {
modsecurity on
modsecurity_rules `
SecDebugLogLevel 0
SecDebugLog /usr/local/lsws/logs/modsec.log
SecAuditEngine on
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts AFH
SecAuditLogType Serial
SecAuditLog /usr/local/lsws/logs/auditmodsec.log
SecRuleEngine On
`
modsecurity_rules_file /usr/local/lsws/conf/owasp/modsec_includes.conf
ls_enabled 1
}
What the settings do: the inline block between the backticks sets the engine options, and modsecurity_rules_file pulls in the include file from step one. SecAuditLogRelevantStatus "^(?:5|4(?!04))" writes an audit record for every 4xx and 5xx response except 404 (plus any transaction where a rule with the auditlog action matched), and SecAuditLogParts AFH keeps the record to the header (A), the response headers (F) and the rule messages (H), which is where the rule IDs you will be hunting for appear. SecDebugLogLevel 0 keeps the debug log quiet; it goes up only while testing.
Make sure the log directory has the right permissions:
sudo mkdir -p /usr/local/lsws/logs/
sudo chown lsadm:lsadm /usr/local/lsws/logs/
sudo chmod 750 /usr/local/lsws/logs/
If modsec.log and auditmodsec.log never appear after a restart, the user OpenLiteSpeed runs as (the user and group settings in httpd_config.conf) cannot write there; fix the ownership to match.
Step four: test and verify
Configured? Don't celebrate yet; first check that it actually stops the "monsters".
- Enable debugging: set SecDebugLogLevel to 9 (extremely verbose, for testing only) and restart: sudo systemctl restart lsws (or /usr/local/lsws/bin/lswsctrl restart).
- Simulate attacks. Use -G --data-urlencode so curl encodes the payload; sent raw, the spaces and angle brackets can get the request rejected with a 400 before the WAF ever sees it. The -w option prints the status code:
- XSS: curl -s -o /dev/null -w '%{http_code}\n' -G --data-urlencode "param=<script>alert(1)</script>" http://your-domain/ should print 403, triggered by ID 1001 or CRS 941100.
- SQLi: curl -s -o /dev/null -w '%{http_code}\n' -G --data-urlencode "id=1' OR '1'='1" http://your-domain/ should print 403, triggered by ID 1000 or CRS 942100.
- Path traversal: curl -s -o /dev/null -w '%{http_code}\n' -G --data-urlencode "file=../etc/passwd" http://your-domain/ should print 403, triggered by ID 99999 or CRS 930100/930110.
With CRS in its default anomaly-scoring mode the CRS rule only adds to the request's score; the 403 itself is issued by 949110 once the inbound score reaches the threshold (5 by default, which a single CRITICAL hit already reaches), so expect to see both IDs in the log.
- Check the logs: look in /usr/local/lsws/logs/modsec.log (debug) and /usr/local/lsws/logs/auditmodsec.log (audit) for the rule IDs and the 403.
- Handle false positives: if the WordPress back end gets blocked, find the rule ID in the audit log. You can comment the rule out in custom_rules.conf or the CRS file (#SecRule ...), or disable it with SecRuleRemoveById 1000, which must come after the rule it removes (for a custom rule: at the end of custom_rules.conf; for a CRS rule: in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf). Better than switching a rule off site-wide is a narrow exclusion for the affected URL only: a SecRule on REQUEST_URI carrying ctl:ruleRemoveById in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.
- Production mode: once the tests pass, set SecDebugLogLevel back to 0, keep SecRuleEngine On, and restart.
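Reading the audit log by eye gets old fast, so here is an added example (not part of the original post) that pulls the useful bits out of a ModSecurity v3 serial audit log in the A/F/H part layout configured in step three: per transaction it extracts the client IP, the response status, the URI, every rule ID with its message, and whether the engine denied the request; then it counts which rules fired in denied transactions, which is exactly the list you need when hunting false positives. The log text is constructed for this example (two transactions, addresses from the documentation ranges); run the same functions over /usr/local/lsws/logs/auditmodsec.log on the real box.

```python
"""Extract rule hits from a ModSecurity serial audit log (added example)."""
import re
from collections import Counter

# Constructed sample in the v3 serial format with parts A, F, H and Z:
# transaction 1 is blocked by the CRS anomaly score, transaction 2 only logs a warning.
SAMPLE_AUDIT_LOG = r"""
---Qk3xP1aB---A--
[02/Sep/2025:10:15:01 +0800] 172500000101.523001 203.0.113.45 51234 198.51.100.7 80
---Qk3xP1aB---F--
HTTP/1.1 403
Content-Type: text/html

---Qk3xP1aB---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/lsws/conf/owasp/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1c found within ARGS:id: 1' OR '1'='1"] [severity "2"] [uri "/"] [unique_id "Qk3xP1aB"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:\b(?:union|select...' against variable `ARGS:id'" [file "/usr/local/lsws/conf/owasp/custom_rules.conf"] [line "22"] [id "1000"] [msg "SQL Injection Attack Detected"] [data "Matched Data: 1' OR '1'='1"] [severity "2"] [uri "/"] [unique_id "Qk3xP1aB"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )" [file "/usr/local/lsws/conf/owasp/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "0"] [uri "/"] [unique_id "Qk3xP1aB"]

---Qk3xP1aB---Z--

---Zz9mLt0C---A--
[02/Sep/2025:10:15:07 +0800] 172500000107.110044 198.51.100.23 40022 198.51.100.7 80
---Zz9mLt0C---F--
HTTP/1.1 200
Content-Type: text/html

---Zz9mLt0C---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `198.51.100.7' )" [file "/usr/local/lsws/conf/owasp/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "754"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [uri "/wp-comments-post.php"] [unique_id "Zz9mLt0C"]

---Zz9mLt0C---Z--
"""

BOUNDARY_RE = re.compile(r"^-+([A-Za-z0-9]+)-+([A-Z])--$")   # ---<uid>---<part>--
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")
TAG_RE = re.compile(r'\[(id|msg|uri|severity) "([^"]*)"\]')
DENIED_RE = re.compile(r"Access denied with code (\d{3})")


def parse_audit_log(text):
    """Split a serial audit log into one dict per transaction (unique id)."""
    txns, current, part = {}, None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            uid, part = m.groups()
            current = txns.setdefault(uid, {"id": uid, "client_ip": None, "status": None,
                                            "uri": None, "hits": [], "denied": False})
            continue
        if current is None or not line.strip():
            continue
        if part == "A":
            # [timestamp tz] unique_id client_ip client_port server_ip server_port
            fields = line.split()
            if len(fields) >= 6:
                current["client_ip"] = fields[3]
        elif part == "F":
            m = STATUS_RE.match(line)
            if m and current["status"] is None:
                current["status"] = int(m.group(1))
        elif part == "H" and line.startswith("ModSecurity:"):
            tags = dict(TAG_RE.findall(line))
            if "id" in tags:
                current["hits"].append((tags["id"], tags.get("msg", ""), tags.get("severity", "")))
            current["uri"] = tags.get("uri", current["uri"])
            if DENIED_RE.search(line):
                current["denied"] = True
    return list(txns.values())


def blocked_rule_counts(txns):
    """Rule ids that fired in denied transactions, without the CRS blocking rule itself."""
    counts = Counter()
    for t in txns:
        if t["denied"]:
            counts.update(rid for rid, _, _ in t["hits"] if rid != "949110")
    return counts


def summarize(text):
    txns = parse_audit_log(text)
    return {"transactions": len(txns),
            "denied": sum(t["denied"] for t in txns),
            "rule_counts": blocked_rule_counts(txns)}


if __name__ == "__main__":
    for t in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(t["client_ip"], t["status"], t["uri"], "DENIED" if t["denied"] else "logged",
              [h[0] for h in t["hits"]])
    print(summarize(SAMPLE_AUDIT_LOG))
```

The second transaction is the interesting one for tuning: it returned 200 but still landed in the audit log because a CRS rule with the auditlog action matched. Sort the rule_counts output by count and by URI before reaching for SecRuleRemoveById; a rule that only ever fires on one admin path wants a per-URL exclusion, not a global removal.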
Pitfalls to watch for
- False positives: a CMS such as WordPress will see legitimate input blocked (a comment containing "union", a post body with "cat" or "id"). Fix: add an exclusion scoped to the specific URL, or narrow the regex; do not just turn the rule off site-wide.
- Path mismatch: rules 5000 and 5001 watch /wp-login.php; change that to your site's login path, for example /admin/login, or the counter never increments.
- Missing list file: no scanner-user-agents.list? Create it now. ModSecurity opens the @pmf file at startup, so a missing file stops the whole rule file from loading, not just rule 2000.
- Log growth: the audit log grows fast. Rotate it (logrotate works fine), or tighten SecAuditLogRelevantStatus so fewer responses are recorded.
- CyberPanel leftovers: if you migrated, check /usr/local/lsws/conf/modsec/ for old rule files and remove them, but leave scanner-user-agents.list in place, since rule 2000 reads it from that directory.
Wrapping up
With this in place the OpenLiteSpeed WAF is no longer decorative: OWASP CRS plus the custom rules will stop SQL injection, XSS, brute-force attempts and the like, and the site feels a lot safer. Remember to update CRS regularly (keep an eye on the GitHub releases), browse the logs now and then, and don't give attackers a gap to slip through. Manual configuration costs a few brain cells, but it beats paying for a commercial WAF, doesn't it?
This article is original content from 万事屋; when reposting, keep the attribution and link: https://www.rei3.com.