代码
#!/bin/bash
# WAF防护配置脚本
# 作者: 系统安全助手
# 版本: 2.0
# 功能: 全面的Linux Web应用防火墙配置
# 颜色定义
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
PURPLE='\033[0;35m'
CYAN='\033[0;36m'
NC='\033[0m' # No Color
# 脚本目录
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CONFIG_DIR="$SCRIPT_DIR/waf_configs"
LOGS_DIR="$SCRIPT_DIR/waf_logs"
BACKUP_DIR="$SCRIPT_DIR/waf_backups"
RULES_DIR="$SCRIPT_DIR/waf_rules"
# 创建必要的目录
mkdir -p "$CONFIG_DIR" "$LOGS_DIR" "$BACKUP_DIR" "$RULES_DIR"
# 配置文件
MAIN_CONFIG="$CONFIG_DIR/waf_main.conf"
NGINX_CONFIG="$CONFIG_DIR/waf_nginx.conf"
APACHE_CONFIG="$CONFIG_DIR/waf_apache.conf"
CUSTOM_RULES="$RULES_DIR/custom_rules.conf"
# 日志文件
INSTALL_LOG="$LOGS_DIR/install.log"
ACCESS_LOG="$LOGS_DIR/waf_access.log"
BLOCK_LOG="$LOGS_DIR/waf_block.log"
# 备份文件
BACKUP_PREFIX="$BACKUP_DIR/waf_backup_$(date +%Y%m%d_%H%M%S)"
# 当前配置状态
CURRENT_CONFIG=""
# 显示横幅
show_banner() {
clear
echo -e "${CYAN}"
echo "╔════════════════════════════════════════════════════════════╗"
echo "║ 高级WAF防护配置脚本 v2.0 ║"
echo "║ 全面Linux Web应用防火墙 ║"
echo "╚════════════════════════════════════════════════════════════╝"
echo -e "${NC}"
echo -e "${YELLOW}脚本目录: $SCRIPT_DIR${NC}"
echo -e "${YELLOW}配置目录: $CONFIG_DIR${NC}"
echo -e "${YELLOW}日志目录: $LOGS_DIR${NC}"
echo "════════════════════════════════════════════════════════════"
echo
}
# 日志记录函数
log_message() {
local level=$1
local message=$2
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
case $level in
"INFO")
echo -e "${GREEN}[INFO]${NC} $message"
;;
"WARN")
echo -e "${YELLOW}[WARN]${NC} $message"
;;
"ERROR")
echo -e "${RED}[ERROR]${NC} $message"
;;
"DEBUG")
echo -e "${BLUE}[DEBUG]${NC} $message"
;;
esac
echo "[$timestamp] [$level] $message" >> "$INSTALL_LOG"
}
# 检查依赖
check_dependencies() {
log_message "INFO" "检查系统依赖..."
local missing_deps=()
# 检查常用工具
for cmd in curl wget grep awk sed iptables; do
if ! command -v $cmd &> /dev/null; then
missing_deps+=($cmd)
fi
done
# 检查Web服务器
if systemctl is-active --quiet nginx 2>/dev/null; then
WEB_SERVER="nginx"
log_message "INFO" "检测到Nginx服务器"
elif systemctl is-active --quiet apache2 2>/dev/null || systemctl is-active --quiet httpd 2>/dev/null; then
WEB_SERVER="apache"
log_message "INFO" "检测到Apache服务器"
else
log_message "WARN" "未检测到运行中的Web服务器"
WEB_SERVER="unknown"
fi
if [ ${#missing_deps[@]} -gt 0 ]; then
log_message "WARN" "缺少以下依赖: ${missing_deps[*]}"
read -p "是否安装缺少的依赖? (y/n): " choice
if [ "$choice" = "y" ]; then
if [ -f /etc/debian_version ]; then
sudo apt-get update
sudo apt-get install -y ${missing_deps[@]}
elif [ -f /etc/redhat-release ]; then
sudo yum install -y ${missing_deps[@]}
else
log_message "ERROR" "无法确定系统发行版,请手动安装依赖"
fi
fi
fi
return 0
}
# 备份当前配置
backup_config() {
log_message "INFO" "备份当前配置..."
# 备份iptables规则
sudo iptables-save > "${BACKUP_PREFIX}_iptables.rules" 2>/dev/null
# 备份系统文件
local files_to_backup=(
"/etc/sysctl.conf"
"/etc/hosts.allow"
"/etc/hosts.deny"
"/etc/security/limits.conf"
)
for file in "${files_to_backup[@]}"; do
if [ -f "$file" ]; then
sudo cp "$file" "${BACKUP_PREFIX}_$(basename $file)"
fi
done
# 备份Web服务器配置
if [ "$WEB_SERVER" = "nginx" ] && [ -f "/etc/nginx/nginx.conf" ]; then
sudo cp /etc/nginx/nginx.conf "${BACKUP_PREFIX}_nginx.conf"
elif [ "$WEB_SERVER" = "apache" ]; then
if [ -f "/etc/apache2/apache2.conf" ]; then
sudo cp /etc/apache2/apache2.conf "${BACKUP_PREFIX}_apache.conf"
elif [ -f "/etc/httpd/conf/httpd.conf" ]; then
sudo cp /etc/httpd/conf/httpd.conf "${BACKUP_PREFIX}_httpd.conf"
fi
fi
log_message "INFO" "配置已备份到: $BACKUP_DIR"
}
# 加载配置
load_config() {
if [ -f "$MAIN_CONFIG" ]; then
source "$MAIN_CONFIG"
log_message "INFO" "加载现有配置"
else
# 默认配置
ENABLE_SQL_INJECTION="true"
ENABLE_XSS="true"
ENABLE_RFI_LFI="true"
ENABLE_COMMAND_INJECTION="true"
ENABLE_BRUTE_FORCE="true"
ENABLE_DDOS="true"
ENABLE_BOT_PROTECTION="true"
ENABLE_FILE_UPLOAD="true"
ENABLE_HOTLINKING="true"
ENABLE_SENSITIVE_DATA="true"
BLOCK_THRESHOLD=10
BAN_TIME=3600
RATE_LIMIT=100
MAX_CONNECTIONS=50
log_message "INFO" "使用默认配置"
fi
}
# 保存配置
save_config() {
cat > "$MAIN_CONFIG" << EOF
# WAF主配置文件
# 生成时间: $(date)
# 防护模块开关
ENABLE_SQL_INJECTION="$ENABLE_SQL_INJECTION"
ENABLE_XSS="$ENABLE_XSS"
ENABLE_RFI_LFI="$ENABLE_RFI_LFI"
ENABLE_COMMAND_INJECTION="$ENABLE_COMMAND_INJECTION"
ENABLE_BRUTE_FORCE="$ENABLE_BRUTE_FORCE"
ENABLE_DDOS="$ENABLE_DDOS"
ENABLE_BOT_PROTECTION="$ENABLE_BOT_PROTECTION"
ENABLE_FILE_UPLOAD="$ENABLE_FILE_UPLOAD"
ENABLE_HOTLINKING="$ENABLE_HOTLINKING"
ENABLE_SENSITIVE_DATA="$ENABLE_SENSITIVE_DATA"
# 防护参数
BLOCK_THRESHOLD="$BLOCK_THRESHOLD"
BAN_TIME="$BAN_TIME"
RATE_LIMIT="$RATE_LIMIT"
MAX_CONNECTIONS="$MAX_CONNECTIONS"
# 自定义规则文件
CUSTOM_RULES_FILE="$CUSTOM_RULES"
# 日志文件
ACCESS_LOG="$ACCESS_LOG"
BLOCK_LOG="$BLOCK_LOG"
EOF
log_message "INFO" "配置已保存到: $MAIN_CONFIG"
}
# 显示当前配置
show_current_config() {
echo -e "${CYAN}════════════════════ 当前WAF配置 ════════════════════${NC}"
echo -e "${YELLOW}防护模块:${NC}"
echo -e " SQL注入防护: ${GREEN}$ENABLE_SQL_INJECTION${NC}"
echo -e " XSS防护: ${GREEN}$ENABLE_XSS${NC}"
echo -e " RFI/LFI防护: ${GREEN}$ENABLE_RFI_LFI${NC}"
echo -e " 命令注入防护: ${GREEN}$ENABLE_COMMAND_INJECTION${NC}"
echo -e " 暴力破解防护: ${GREEN}$ENABLE_BRUTE_FORCE${NC}"
echo -e " DDoS防护: ${GREEN}$ENABLE_DDOS${NC}"
echo -e " 机器人防护: ${GREEN}$ENABLE_BOT_PROTECTION${NC}"
echo -e " 文件上传防护: ${GREEN}$ENABLE_FILE_UPLOAD${NC}"
echo -e " 盗链防护: ${GREEN}$ENABLE_HOTLINKING${NC}"
echo -e " 敏感数据防护: ${GREEN}$ENABLE_SENSITIVE_DATA${NC}"
echo
echo -e "${YELLOW}防护参数:${NC}"
echo -e " 阻断阈值: ${BLUE}$BLOCK_THRESHOLD${NC} 次/分钟"
echo -e " 封禁时间: ${BLUE}$BAN_TIME${NC} 秒"
echo -e " 速率限制: ${BLUE}$RATE_LIMIT${NC} 请求/秒"
echo -e " 最大连接数: ${BLUE}$MAX_CONNECTIONS${NC}"
echo -e "${CYAN}════════════════════════════════════════════════════${NC}"
}
# 自定义配置菜单
custom_config_menu() {
while true; do
clear
show_banner
show_current_config
echo -e "${PURPLE}════════════════════ 自定义配置 ════════════════════${NC}"
echo " 1) 切换SQL注入防护 [$ENABLE_SQL_INJECTION]"
echo " 2) 切换XSS防护 [$ENABLE_XSS]"
echo " 3) 切换RFI/LFI防护 [$ENABLE_RFI_LFI]"
echo " 4) 切换命令注入防护 [$ENABLE_COMMAND_INJECTION]"
echo " 5) 切换暴力破解防护 [$ENABLE_BRUTE_FORCE]"
echo " 6) 切换DDoS防护 [$ENABLE_DDOS]"
echo " 7) 切换机器人防护 [$ENABLE_BOT_PROTECTION]"
echo " 8) 切换文件上传防护 [$ENABLE_FILE_UPLOAD]"
echo " 9) 切换盗链防护 [$ENABLE_HOTLINKING]"
echo "10) 切换敏感数据防护 [$ENABLE_SENSITIVE_DATA]"
echo "11) 修改防护参数"
echo "12) 管理自定义规则"
echo "13) 保存配置并返回主菜单"
echo "14) 返回主菜单(不保存)"
echo -e "${PURPLE}════════════════════════════════════════════════════${NC}"
read -p "请选择选项 [1-14]: " choice
case $choice in
1)
[ "$ENABLE_SQL_INJECTION" = "true" ] && ENABLE_SQL_INJECTION="false" || ENABLE_SQL_INJECTION="true"
;;
2)
[ "$ENABLE_XSS" = "true" ] && ENABLE_XSS="false" || ENABLE_XSS="true"
;;
3)
[ "$ENABLE_RFI_LFI" = "true" ] && ENABLE_RFI_LFI="false" || ENABLE_RFI_LFI="true"
;;
4)
[ "$ENABLE_COMMAND_INJECTION" = "true" ] && ENABLE_COMMAND_INJECTION="false" || ENABLE_COMMAND_INJECTION="true"
;;
5)
[ "$ENABLE_BRUTE_FORCE" = "true" ] && ENABLE_BRUTE_FORCE="false" || ENABLE_BRUTE_FORCE="true"
;;
6)
[ "$ENABLE_DDOS" = "true" ] && ENABLE_DDOS="false" || ENABLE_DDOS="true"
;;
7)
[ "$ENABLE_BOT_PROTECTION" = "true" ] && ENABLE_BOT_PROTECTION="false" || ENABLE_BOT_PROTECTION="true"
;;
8)
[ "$ENABLE_FILE_UPLOAD" = "true" ] && ENABLE_FILE_UPLOAD="false" || ENABLE_FILE_UPLOAD="true"
;;
9)
[ "$ENABLE_HOTLINKING" = "true" ] && ENABLE_HOTLINKING="false" || ENABLE_HOTLINKING="true"
;;
10)
[ "$ENABLE_SENSITIVE_DATA" = "true" ] && ENABLE_SENSITIVE_DATA="false" || ENABLE_SENSITIVE_DATA="true"
;;
11)
modify_parameters
;;
12)
manage_custom_rules
;;
13)
save_config
log_message "INFO" "配置已保存"
sleep 2
return 0
;;
14)
read -p "确定放弃修改? (y/n): " confirm
if [ "$confirm" = "y" ]; then
load_config # 重新加载配置
return 0
fi
;;
*)
echo -e "${RED}无效选项${NC}"
sleep 1
;;
esac
done
}
# 修改防护参数
modify_parameters() {
echo -e "${CYAN}════════════════════ 修改防护参数 ════════════════════${NC}"
echo -e "当前阻断阈值: ${BLUE}$BLOCK_THRESHOLD${NC} 次/分钟"
read -p "新的阻断阈值 (默认10): " new_threshold
[ -n "$new_threshold" ] && BLOCK_THRESHOLD=$new_threshold
echo -e "当前封禁时间: ${BLUE}$BAN_TIME${NC} 秒"
read -p "新的封禁时间 (默认3600): " new_ban
[ -n "$new_ban" ] && BAN_TIME=$new_ban
echo -e "当前速率限制: ${BLUE}$RATE_LIMIT${NC} 请求/秒"
read -p "新的速率限制 (默认100): " new_rate
[ -n "$new_rate" ] && RATE_LIMIT=$new_rate
echo -e "当前最大连接数: ${BLUE}$MAX_CONNECTIONS${NC}"
read -p "新的最大连接数 (默认50): " new_max
[ -n "$new_max" ] && MAX_CONNECTIONS=$new_max
echo -e "${GREEN}参数已更新${NC}"
sleep 1
}
# 管理自定义规则
manage_custom_rules() {
while true; do
clear
show_banner
echo -e "${CYAN}════════════════════ 自定义规则管理 ════════════════════${NC}"
echo " 1) 查看当前规则"
echo " 2) 添加新规则"
echo " 3) 编辑规则文件"
echo " 4) 导入规则集"
echo " 5) 清空所有规则"
echo " 6) 返回上一级"
echo -e "${CYAN}════════════════════════════════════════════════════════${NC}"
read -p "请选择选项 [1-6]: " choice
case $choice in
1)
if [ -f "$CUSTOM_RULES" ] && [ -s "$CUSTOM_RULES" ]; then
echo -e "${GREEN}当前自定义规则:${NC}"
echo "════════════════════════════════════════"
cat "$CUSTOM_RULES"
echo "════════════════════════════════════════"
else
echo -e "${YELLOW}暂无自定义规则${NC}"
fi
read -p "按Enter继续..."
;;
2)
echo -e "${GREEN}添加自定义规则${NC}"
echo "示例: deny '恶意User-Agent' 'BadBot'"
echo "格式: <动作> <描述> <匹配模式>"
echo -n "请输入规则: "
read rule
if [ -n "$rule" ]; then
echo "# 自定义规则 - 添加于 $(date)" >> "$CUSTOM_RULES"
echo "$rule" >> "$CUSTOM_RULES"
echo -e "${GREEN}规则已添加${NC}"
fi
sleep 1
;;
3)
if command -v nano &> /dev/null; then
nano "$CUSTOM_RULES"
elif command -v vim &> /dev/null; then
vim "$CUSTOM_RULES"
elif command -v vi &> /dev/null; then
vi "$CUSTOM_RULES"
else
echo -e "${YELLOW}未找到文本编辑器,使用cat编辑${NC}"
cat > "$CUSTOM_RULES"
fi
;;
4)
echo -e "${GREEN}导入规则集${NC}"
echo "1) OWASP核心规则集"
echo "2) 常见攻击规则"
echo "3) 扫描器防护规则"
read -p "选择规则集 [1-3]: " ruleset
case $ruleset in
1)
import_owasp_rules
;;
2)
import_common_attack_rules
;;
3)
import_scanner_rules
;;
*)
echo -e "${RED}无效选择${NC}"
;;
esac
sleep 1
;;
5)
read -p "确定清空所有自定义规则? (y/n): " confirm
if [ "$confirm" = "y" ]; then
> "$CUSTOM_RULES"
echo -e "${GREEN}规则已清空${NC}"
fi
sleep 1
;;
6)
return 0
;;
*)
echo -e "${RED}无效选项${NC}"
sleep 1
;;
esac
done
}
# 导入OWASP规则
import_owasp_rules() {
cat >> "$CUSTOM_RULES" << 'EOF'
# ========== OWASP核心规则集 ==========
# SQL注入防护规则
deny "SQL Injection - UNION" "union.*select"
deny "SQL Injection - SELECT" "select.*from"
deny "SQL Injection - INSERT" "insert.*into"
deny "SQL Injection - UPDATE" "update.*set"
deny "SQL Injection - DELETE" "delete.*from"
deny "SQL Injection - DROP" "drop.*table"
deny "SQL Injection - OR 1=1" "or.*1=1"
deny "SQL Injection -- comment" "--"
# XSS防护规则
deny "XSS - Script Tag" "<script>"
deny "XSS - Javascript Protocol" "javascript:"
deny "XSS - onload Event" "onload="
deny "XSS - onerror Event" "onerror="
deny "XSS - eval()" "eval\("
# 命令注入防护规则
deny "Command Injection - Pipe" "\|"
deny "Command Injection - Semicolon" ";"
deny "Command Injection - Backtick" "`"
deny "Command Injection - Dollar" "\$\(.*\)"
EOF
echo -e "${GREEN}OWASP规则集已导入${NC}"
}
# 导入常见攻击规则
import_common_attack_rules() {
cat >> "$CUSTOM_RULES" << 'EOF'
# ========== 常见攻击规则 ==========
# 目录遍历
deny "Directory Traversal" "\.\./"
deny "Directory Traversal" "\.\.\\"
# 文件包含
deny "File Inclusion" "\.\./\.\./"
deny "File Inclusion" "/etc/passwd"
# SSI注入
deny "SSI Injection" "<!--#"
# PHP攻击
deny "PHP Injection" "php://"
deny "PHP Code Injection" "eval\(base64_decode"
# Shellshock攻击
deny "Shellshock Attack" "\(\)\s*{"
# 扫描器特征
deny "Scanner - Nikto" "nikto"
deny "Scanner - Acunetix" "acunetix"
deny "Scanner - Nessus" "nessus"
deny "Scanner - Netsparker" "netsparker"
EOF
echo -e "${GREEN}常见攻击规则已导入${NC}"
}
# 生成iptables规则
generate_iptables_rules() {
local iptables_file="$CONFIG_DIR/iptables_rules.sh"
cat > "$iptables_file" << EOF
#!/bin/bash
# 自动生成的iptables规则
# 生成时间: $(date)
# 清除现有规则
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# 默认策略
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# 允许本地回环
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# 允许已建立的连接
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 允许SSH (端口22)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# 允许HTTP (端口80)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# 允许HTTPS (端口443)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# DDoS防护 - 限制连接数
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above $MAX_CONNECTIONS --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp --dport 443 -m connlimit --connlimit-above $MAX_CONNECTIONS --connlimit-mask 32 -j DROP
# 速率限制
iptables -A INPUT -p tcp --dport 80 -m limit --limit $RATE_LIMIT/second --limit-burst 200 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -m limit --limit $RATE_LIMIT/second --limit-burst 200 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
# 防止SYN洪水攻击
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
# 防止ping洪水攻击
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# 保存规则
iptables-save > /etc/iptables/rules.v4
echo "iptables规则已应用"
EOF
chmod +x "$iptables_file"
log_message "INFO" "iptables规则已生成: $iptables_file"
}
# 生成Nginx WAF配置
generate_nginx_waf() {
local nginx_waf="$CONFIG_DIR/nginx_waf.conf"
cat > "$nginx_waf" << EOF
# Nginx WAF配置
# 生成时间: $(date)
# 限制请求大小
client_max_body_size 10M;
# 限制缓冲区大小
client_body_buffer_size 128k;
client_header_buffer_size 1k;
large_client_header_buffers 4 4k;
# 超时设置
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
# 限制请求方法
if (\$request_method !~ ^(GET|HEAD|POST)\$ ) {
return 405;
}
# 阻止SQL注入
$(if [ "$ENABLE_SQL_INJECTION" = "true" ]; then
cat << 'SQL_RULES'
set \$block_sql_injection 0;
if (\$query_string ~* "union.*select.*\(") { set \$block_sql_injection 1; }
if (\$query_string ~* "union.*all.*select.*") { set \$block_sql_injection 1; }
if (\$query_string ~* "concat.*\(") { set \$block_sql_injection 1; }
if (\$query_string ~* "group.*by.*\(") { set \$block_sql_injection 1; }
if (\$query_string ~* "order.*by.*\(") { set \$block_sql_injection 1; }
if (\$block_sql_injection = 1) { return 403; }
SQL_RULES
fi)
# 阻止XSS攻击
$(if [ "$ENABLE_XSS" = "true" ]; then
cat << 'XSS_RULES'
set \$block_xss 0;
if (\$query_string ~* "<script.*>.*</script>") { set \$block_xss 1; }
if (\$query_string ~* "javascript:") { set \$block_xss 1; }
if (\$query_string ~* "onload\s*=") { set \$block_xss 1; }
if (\$query_string ~* "onerror\s*=") { set \$block_xss 1; }
if (\$query_string ~* "onclick\s*=") { set \$block_xss 1; }
if (\$block_xss = 1) { return 403; }
XSS_RULES
fi)
# 阻止目录遍历
$(if [ "$ENABLE_RFI_LFI" = "true" ]; then
cat << 'DIR_RULES'
set \$block_dir_traversal 0;
if (\$query_string ~* "\.\./") { set \$block_dir_traversal 1; }
if (\$query_string ~* "\.\.\\") { set \$block_dir_traversal 1; }
if (\$query_string ~* "etc/passwd") { set \$block_dir_traversal 1; }
if (\$query_string ~* "proc/self/environ") { set \$block_dir_traversal 1; }
if (\$block_dir_traversal = 1) { return 403; }
DIR_RULES
fi)
# 阻止命令注入
$(if [ "$ENABLE_COMMAND_INJECTION" = "true" ]; then
cat << 'CMD_RULES'
set \$block_command_injection 0;
if (\$query_string ~* "\|.*\/bin\/") { set \$block_command_injection 1; }
if (\$query_string ~* "\|.*\/bin\/sh") { set \$block_command_injection 1; }
if (\$query_string ~* "cmd\s*=") { set \$block_command_injection 1; }
if (\$query_string ~* "exec\s*=") { set \$block_command_injection 1; }
if (\$block_command_injection = 1) { return 403; }
CMD_RULES
fi)
# 文件上传防护
$(if [ "$ENABLE_FILE_UPLOAD" = "true" ]; then
cat << 'UPLOAD_RULES'
# 限制上传文件类型
location ~* \.(php|pl|py|jsp|asp|sh|cgi)\$ {
return 403;
}
# 防止执行上传的脚本
location ~* /uploads/.*\.(php|pl|py|jsp|asp|sh|cgi)\$ {
return 403;
}
UPLOAD_RULES
fi)
# 防盗链
$(if [ "$ENABLE_HOTLINKING" = "true" ]; then
cat << 'HOTLINK_RULES'
location ~* \.(jpg|jpeg|png|gif|ico|css|js)\$ {
valid_referers none blocked server_names ~\.google\. ~\.bing\. ~\.yahoo\.
*.example.com example.com;
if (\$invalid_referer) {
return 403;
}
}
HOTLINK_RULES
fi)
# 阻止常见扫描器
$(if [ "$ENABLE_BOT_PROTECTION" = "true" ]; then
cat << 'SCANNER_RULES'
set \$block_scanner 0;
if (\$http_user_agent ~* (nikto|wikto|acunetix|nessus|netsparker|w3af|owasp|paros|burpsuite)) { set \$block_scanner 1; }
if (\$http_user_agent ~* (sqlmap|havij|sqlninja|pangolin)) { set \$block_scanner 1; }
if (\$http_user_agent ~* (masscan|nmap|nessus|openvas)) { set \$block_scanner 1; }
if (\$block_scanner = 1) { return 403; }
# 阻止空User-Agent
if (\$http_user_agent = "") { return 403; }
# 阻止异常User-Agent
if (\$http_user_agent ~* (libwww-perl|wget|curl|python|java|jakarta|httpclient)) {
return 403;
}
SCANNER_RULES
fi)
# 速率限制
limit_req_zone \$binary_remote_addr zone=one:10m rate=${RATE_LIMIT}r/s;
limit_req_zone \$binary_remote_addr zone=two:10m rate=5r/s;
server {
# 全局速率限制
limit_req zone=one burst=20 nodelay;
location /login {
# 登录页面更严格的限制
limit_req zone=two burst=5 nodelay;
}
location /admin {
# 后台管理限制
limit_req zone=two burst=10 nodelay;
}
}
# 访问日志格式
log_format waf '\$remote_addr - \$remote_user [\$time_local] "\$request" '
'\$status \$body_bytes_sent "\$http_referer" '
'"\$http_user_agent" "\$http_x_forwarded_for" '
'blocked=\$block_sql_injection\$block_xss\$block_dir_traversal\$block_command_injection';
access_log $ACCESS_LOG waf;
error_log $ACCESS_LOG;
EOF
log_message "INFO" "Nginx WAF配置已生成: $nginx_waf"
}
# 生成Apache WAF配置
generate_apache_waf() {
local apache_waf="$CONFIG_DIR/apache_waf.conf"
cat > "$apache_waf" << EOF
# Apache WAF配置
# 生成时间: $(date)
<IfModule mod_security2.c>
# 启用ModSecurity
SecRuleEngine On
# 规则文件
SecRuleRemoveById 123456
$(if [ "$ENABLE_SQL_INJECTION" = "true" ]; then
cat << 'APACHE_SQL'
# SQL注入防护
SecRule ARGS "(?i:union\s+select)" \
"id:1001,phase:2,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack'"
SecRule ARGS "(?i:select.*from)" \
"id:1002,phase:2,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack'"
SecRule ARGS "(?i:insert\s+into)" \
"id:1003,phase:2,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack'"
SecRule ARGS "(?i:update.*set)" \
"id:1004,phase:2,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack'"
APACHE_SQL
fi)
$(if [ "$ENABLE_XSS" = "true" ]; then
cat << 'APACHE_XSS'
# XSS防护
SecRule ARGS "<script" \
"id:2001,phase:2,t:none,block,msg:'XSS Attack Detected'"
SecRule ARGS "javascript:" \
"id:2002,phase:2,t:none,block,msg:'XSS Attack Detected'"
SecRule ARGS "(?i:onload\s*=)" \
"id:2003,phase:2,t:none,block,msg:'XSS Attack Detected'"
APACHE_XSS
fi)
$(if [ "$ENABLE_COMMAND_INJECTION" = "true" ]; then
cat << 'APACHE_CMD'
# 命令注入防护
SecRule ARGS "[\|;`&]" \
"id:3001,phase:2,t:none,block,msg:'Command Injection Attempt'"
SecRule ARGS "(?i:cmd\s*=)" \
"id:3002,phase:2,t:none,block,msg:'Command Injection Attempt'"
APACHE_CMD
fi)
</IfModule>
<IfModule mod_evasive20.c>
# DDoS防护
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod $BAN_TIME
$(if [ "$ENABLE_BRUTE_FORCE" = "true" ]; then
cat << 'APACHE_BRUTE'
# 暴力破解防护
DOSLoginPage "/login.php"
DOSLoginCount 5
APACHE_BRUTE
fi)
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
$(if [ "$ENABLE_HOTLINKING" = "true" ]; then
cat << 'APACHE_HOTLINK'
# 防盗链
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
APACHE_HOTLINK
fi)
$(if [ "$ENABLE_BOT_PROTECTION" = "true" ]; then
cat << 'APACHE_BOT'
# 阻止恶意机器人
RewriteCond %{HTTP_USER_AGENT} (nikto|wikto|acunetix|nessus|netsparker|sqlmap|nmap) [NC]
RewriteRule ^.*$ - [F,L]
# 阻止空User-Agent
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule ^.*$ - [F,L]
APACHE_BOT
fi)
</IfModule>
# 限制请求方法
<LimitExcept GET POST>
Deny from all
</LimitExcept>
# 文件上传限制
LimitRequestBody 10485760
# 自定义日志格式
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" waf
CustomLog "$ACCESS_LOG" waf
ErrorLog "$ACCESS_LOG"
EOF
log_message "INFO" "Apache WAF配置已生成: $apache_waf"
}
# 生成系统加固配置
generate_system_hardening() {
local sysctl_file="$CONFIG_DIR/sysctl_hardening.conf"
local limits_file="$CONFIG_DIR/limits_hardening.conf"
# 生成sysctl配置
cat > "$sysctl_file" << EOF
# 系统安全加固配置
# 生成时间: $(date)
# 防止IP欺骗
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# 禁止IP源路由
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# 禁止ICMP重定向
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# 禁止发送ICMP重定向
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# 开启SYN Cookies
net.ipv4.tcp_syncookies = 1
# 减少TIME-WAIT套接字
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
# 增大TCP缓冲区
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
# 增大最大连接数
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535
# 防止SYN洪水攻击
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3
# 开启TCP时间戳
net.ipv4.tcp_timestamps = 1
# 开启恶意ICMP错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1
# 开启IP转发日志
net.ipv4.ip_forward = 0
EOF
# 生成limits配置
cat > "$limits_file" << EOF
# 用户限制配置
# 生成时间: $(date)
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
# 防止fork炸弹
root soft nproc unlimited
root hard nproc unlimited
# 核心文件限制
* soft core 0
* hard core 0
# 内存限制
* soft memlock unlimited
* hard memlock unlimited
EOF
log_message "INFO" "系统加固配置已生成"
}
# 应用配置
apply_configuration() {
log_message "INFO" "开始应用WAF配置..."
# 备份当前配置
backup_config
# 应用iptables规则
if [ -f "$CONFIG_DIR/iptables_rules.sh" ]; then
log_message "INFO" "应用iptables规则..."
sudo bash "$CONFIG_DIR/iptables_rules.sh"
fi
# 应用系统加固
if [ -f "$CONFIG_DIR/sysctl_hardening.conf" ]; then
log_message "INFO" "应用sysctl配置..."
sudo sysctl -p "$CONFIG_DIR/sysctl_hardening.conf"
fi
if [ -f "$CONFIG_DIR/limits_hardening.conf" ]; then
log_message "INFO" "应用limits配置..."
sudo cp "$CONFIG_DIR/limits_hardening.conf" /etc/security/limits.d/waf_limits.conf
fi
# 应用Web服务器配置
if [ "$WEB_SERVER" = "nginx" ] && [ -f "$CONFIG_DIR/nginx_waf.conf" ]; then
log_message "INFO" "应用Nginx WAF配置..."
# 检查Nginx配置语法
if sudo nginx -t; then
sudo cp "$CONFIG_DIR/nginx_waf.conf" /etc/nginx/conf.d/waf.conf
sudo systemctl reload nginx
log_message "INFO" "Nginx配置已应用并重载"
else
log_message "ERROR" "Nginx配置测试失败"
fi
elif [ "$WEB_SERVER" = "apache" ] && [ -f "$CONFIG_DIR/apache_waf.conf" ]; then
log_message "INFO" "应用Apache WAF配置..."
sudo cp "$CONFIG_DIR/apache_waf.conf" /etc/apache2/conf-available/waf.conf
sudo a2enconf waf
sudo systemctl reload apache2
log_message "INFO" "Apache配置已应用并重载"
fi
# 设置监控脚本
setup_monitoring
log_message "INFO" "WAF配置应用完成!"
}
# 设置监控
setup_monitoring() {
local monitor_script="$SCRIPT_DIR/waf_monitor.sh"
cat > "$monitor_script" << 'EOF'
#!/bin/bash
# WAF监控脚本
# 定期检查WAF状态和日志
LOG_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/waf_logs"
CONFIG_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/waf_configs"
# 颜色定义
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
# 检查日志
check_logs() {
echo -e "${YELLOW}=== WAF日志分析 ===${NC}"
if [ -f "$LOG_DIR/waf_block.log" ]; then
echo -e "最近被阻止的攻击:"
tail -20 "$LOG_DIR/waf_block.log" | while read line; do
echo -e "${RED}✗${NC} $line"
done
fi
# 统计攻击类型
echo -e "\n${YELLOW}攻击统计:${NC}"
if [ -f "$LOG_DIR/waf_access.log" ]; then
echo "SQL注入尝试: $(grep -c "SQL Injection" "$LOG_DIR/waf_access.log" 2>/dev/null || echo 0)"
echo "XSS攻击尝试: $(grep -c "XSS Attack" "$LOG_DIR/waf_access.log" 2>/dev/null || echo 0)"
echo "扫描器探测: $(grep -c "Scanner" "$LOG_DIR/waf_access.log" 2>/dev/null || echo 0)"
fi
}
# 检查系统状态
check_system() {
echo -e "${YELLOW}=== 系统状态 ===${NC}"
# 检查iptables
echo -e "iptables规则数: $(sudo iptables -L -n | wc -l)"
echo -e "当前连接数: $(netstat -an | grep ESTABLISHED | wc -l)"
# 检查内存使用
echo -e "内存使用: $(free -m | awk 'NR==2{printf "%.2f%%", $3*100/$2}')"
# 检查CPU负载
echo -e "CPU负载: $(uptime | awk -F'load average:' '{print $2}')"
}
# 生成报告
generate_report() {
local report_file="$LOG_DIR/waf_report_$(date +%Y%m%d_%H%M%S).txt"
{
echo "WAF监控报告"
echo "生成时间: $(date)"
echo "======================"
echo ""
check_system
echo ""
check_logs
echo ""
echo "配置状态:"
if [ -f "$CONFIG_DIR/waf_main.conf" ]; then
grep -E "ENABLE_|BLOCK_" "$CONFIG_DIR/waf_main.conf"
fi
} > "$report_file"
echo -e "${GREEN}报告已生成: $report_file${NC}"
}
# 主循环
case "$1" in
"check")
check_logs
check_system
;;
"report")
generate_report
;;
"monitor")
while true; do
clear
check_logs
check_system
echo -e "\n${YELLOW}按Ctrl+C退出监控${NC}"
sleep 10
done
;;
*)
echo "用法: $0 {check|report|monitor}"
exit 1
;;
esac
EOF
chmod +x "$monitor_script"
# 创建cron任务
local cron_job="*/5 * * * * $monitor_script check > /dev/null 2>&1"
(crontab -l 2>/dev/null | grep -v "$monitor_script"; echo "$cron_job") | crontab -
log_message "INFO" "监控脚本已设置: $monitor_script"
}
# 一键默认配置
default_configuration() {
log_message "INFO" "应用默认配置..."
# 设置所有防护为开启
ENABLE_SQL_INJECTION="true"
ENABLE_XSS="true"
ENABLE_RFI_LFI="true"
ENABLE_COMMAND_INJECTION="true"
ENABLE_BRUTE_FORCE="true"
ENABLE_DDOS="true"
ENABLE_BOT_PROTECTION="true"
ENABLE_FILE_UPLOAD="true"
ENABLE_HOTLINKING="true"
ENABLE_SENSITIVE_DATA="true"
# 默认参数
BLOCK_THRESHOLD=10
BAN_TIME=3600
RATE_LIMIT=100
MAX_CONNECTIONS=50
# 保存配置
save_config
# 生成所有配置文件
generate_iptables_rules
generate_system_hardening
if [ "$WEB_SERVER" = "nginx" ]; then
generate_nginx_waf
elif [ "$WEB_SERVER" = "apache" ]; then
generate_apache_waf
fi
# 导入默认规则
import_owasp_rules
import_common_attack_rules
# 询问是否立即应用
read -p "是否立即应用配置? (y/n): " apply_now
if [ "$apply_now" = "y" ]; then
apply_configuration
fi
log_message "INFO" "默认配置已完成!"
}
# 显示状态
show_status() {
echo -e "${CYAN}════════════════════ WAF状态 ════════════════════${NC}"
# 检查服务状态
echo -e "${YELLOW}服务状态:${NC}"
if systemctl is-active --quiet nginx 2>/dev/null; then
echo -e " Nginx: ${GREEN}运行中${NC}"
elif systemctl is-active --quiet apache2 2>/dev/null; then
echo -e " Apache: ${GREEN}运行中${NC}"
fi
# 检查iptables
echo -e " iptables: $(sudo iptables -L -n 2>/dev/null | grep -c 'DROP\|REJECT') 条阻止规则"
# 检查配置文件
echo -e "\n${YELLOW}配置文件:${NC}"
[ -f "$MAIN_CONFIG" ] && echo -e " 主配置: ${GREEN}存在${NC}" || echo -e " 主配置: ${RED}缺失${NC}"
[ -f "$CUSTOM_RULES" ] && echo -e " 自定义规则: ${GREEN}存在 ($(wc -l < "$CUSTOM_RULES") 条)${NC}" || echo -e " 自定义规则: ${RED}缺失${NC}"
# 检查日志
echo -e "\n${YELLOW}日志文件:${NC}"
[ -f "$ACCESS_LOG" ] && echo -e " 访问日志: ${GREEN}存在 ($(du -h "$ACCESS_LOG" | cut -f1))${NC}" || echo -e " 访问日志: ${RED}缺失${NC}"
[ -f "$BLOCK_LOG" ] && echo -e " 阻止日志: ${GREEN}存在 ($(grep -c "blocked" "$BLOCK_LOG" 2>/dev/null || echo 0) 条记录)${NC}" || echo -e " 阻止日志: ${RED}缺失${NC}"
# 显示最近事件
if [ -f "$BLOCK_LOG" ] && [ -s "$BLOCK_LOG" ]; then
echo -e "\n${YELLOW}最近被阻止的事件:${NC}"
tail -5 "$BLOCK_LOG" | while read line; do
echo -e " ${RED}▶${NC} $line"
done
fi
echo -e "${CYAN}════════════════════════════════════════════════════${NC}"
}
# 主菜单
main_menu() {
while true; do
clear
show_banner
show_status
echo -e "${GREEN}════════════════════ 主菜单 ════════════════════${NC}"
echo " 1) 自定义配置WAF"
echo " 2) 一键默认配置"
echo " 3) 生成配置文件"
echo " 4) 应用配置到系统"
echo " 5) 查看当前配置"
echo " 6) 管理自定义规则"
echo " 7) 查看日志和状态"
echo " 8) 备份当前配置"
echo " 9) 恢复配置"
echo "10) 运行监控脚本"
echo "11) 测试WAF防护"
echo "12) 卸载WAF配置"
echo "13) 退出脚本"
echo -e "${GREEN}════════════════════════════════════════════════════${NC}"
read -p "请选择选项 [1-13]: " choice
case $choice in
1)
custom_config_menu
;;
2)
default_configuration
read -p "按Enter继续..."
;;
3)
generate_configurations
read -p "按Enter继续..."
;;
4)
read -p "确定应用配置到系统? (y/n): " confirm
if [ "$confirm" = "y" ]; then
apply_configuration
read -p "按Enter继续..."
fi
;;
5)
clear
show_current_config
echo -e "\n配置文件位置:"
echo " 主配置: $MAIN_CONFIG"
echo " 规则文件: $CUSTOM_RULES"
echo " Nginx配置: $CONFIG_DIR/nginx_waf.conf"
echo " Apache配置: $CONFIG_DIR/apache_waf.conf"
echo " iptables配置: $CONFIG_DIR/iptables_rules.sh"
read -p "按Enter继续..."
;;
6)
manage_custom_rules
;;
7)
clear
show_status
if [ -f "$SCRIPT_DIR/waf_monitor.sh" ]; then
echo -e "\n${YELLOW}运行监控检查:${NC}"
$SCRIPT_DIR/waf_monitor.sh check
fi
read -p "按Enter继续..."
;;
8)
backup_config
read -p "按Enter继续..."
;;
9)
restore_configuration
read -p "按Enter继续..."
;;
10)
if [ -f "$SCRIPT_DIR/waf_monitor.sh" ]; then
$SCRIPT_DIR/waf_monitor.sh monitor
else
echo -e "${RED}监控脚本未找到${NC}"
sleep 2
fi
;;
11)
test_waf_protection
;;
12)
uninstall_waf
read -p "按Enter继续..."
;;
13)
echo -e "${GREEN}感谢使用WAF防护脚本!${NC}"
exit 0
;;
*)
echo -e "${RED}无效选项${NC}"
sleep 1
;;
esac
done
}
# 生成所有配置文件
generate_configurations() {
log_message "INFO" "生成所有配置文件..."
generate_iptables_rules
generate_system_hardening
if [ "$WEB_SERVER" = "nginx" ]; then
generate_nginx_waf
elif [ "$WEB_SERVER" = "apache" ]; then
generate_apache_waf
else
log_message "WARN" "未检测到Web服务器,跳过生成服务器配置"
fi
log_message "INFO" "所有配置文件已生成到: $CONFIG_DIR"
}
# 测试WAF防护
test_waf_protection() {
echo -e "${CYAN}════════════════════ WAF防护测试 ════════════════════${NC}"
echo "此功能将发送测试请求来验证WAF防护是否正常工作"
echo "注意: 这些是真实的攻击测试,但使用安全参数"
echo -e "${YELLOW}警告: 仅在测试环境使用!${NC}"
echo -e "${CYAN}════════════════════════════════════════════════════${NC}"
read -p "是否继续? (y/n): " confirm
if [ "$confirm" != "y" ]; then
return
fi
# 获取服务器地址
read -p "请输入要测试的URL (默认: http://localhost): " test_url
test_url=${test_url:-http://localhost}
echo -e "\n${GREEN}开始WAF防护测试...${NC}"
# 测试SQL注入防护
if [ "$ENABLE_SQL_INJECTION" = "true" ]; then
echo -e "\n${YELLOW}测试SQL注入防护:${NC}"
curl -s -o /dev/null -w "HTTP状态码: %{http_code}\n" "$test_url/?id=1' OR '1'='1"
curl -s -o /dev/null -w "HTTP状态码: %{http_code}\n" "$test_url/?id=1 UNION SELECT NULL,NULL--"
fi
# 测试XSS防护
if [ "$ENABLE_XSS" = "true" ]; then
echo -e "\n${YELLOW}测试XSS防护:${NC}"
curl -s -o /dev/null -w "HTTP状态码: %{http_code}\n" "$test_url/?q=<script>alert('xss')</script>"
curl -s -o /dev/null -w "HTTP状态码: %{http_code}\n" "$test_url/?q=javascript:alert(1)"
fi
# 测试目录遍历
if [ "$ENABLE_RFI_LFI" = "true" ]; then
echo -e "\n${YELLOW}测试目录遍历防护:${NC}"
curl -s -o /dev/null -w "HTTP状态码: %{http_code}\n" "$test_url/?file=../../../etc/passwd"
curl -s -o /dev/null -w "HTTP状态码: %{http_code}\n" "$test_url/?page=....//....//etc/passwd"
fi
# 测试命令注入
if [ "$ENABLE_COMMAND_INJECTION" = "true" ]; then
echo -e "\n${YELLOW}测试命令注入防护:${NC}"
curl -s -o /dev/null -w "HTTP状态码: %{http_code}\n" "$test_url/?cmd=ls%20-la"
curl -s -o /dev/null -w "HTTP状态码: %{http_code}\n" "$test_url/?input=|cat%20/etc/passwd"
fi
# 测试扫描器防护
if [ "$ENABLE_BOT_PROTECTION" = "true" ]; then
echo -e "\n${YELLOW}测试扫描器防护:${NC}"
curl -s -o /dev/null -A "nmap" -w "HTTP状态码: %{http_code}\n" "$test_url/"
curl -s -o /dev/null -A "sqlmap" -w "HTTP状态码: %{http_code}\n" "$test_url/"
fi
echo -e "\n${GREEN}测试完成!${NC}"
echo "查看日志文件了解详细信息: $BLOCK_LOG"
read -p "按Enter继续..."
}
# 恢复配置
restore_configuration() {
echo -e "${CYAN}════════════════════ 恢复配置 ════════════════════${NC}"
if [ ! -d "$BACKUP_DIR" ] || [ -z "$(ls -A $BACKUP_DIR 2>/dev/null)" ]; then
echo -e "${RED}未找到备份文件${NC}"
return 1
fi
# 显示备份文件
echo -e "${YELLOW}可用的备份:${NC}"
local backups=($(ls -1t $BACKUP_DIR/waf_backup_*.conf 2>/dev/null | head -10))
if [ ${#backups[@]} -eq 0 ]; then
backups=($(ls -1t $BACKUP_DIR/waf_backup_* 2>/dev/null | head -10))
fi
for i in "${!backups[@]}"; do
echo " $((i+1))) $(basename ${backups[$i]})"
done
read -p "选择要恢复的备份编号 [1-${#backups[@]}]: " choice
if [[ $choice =~ ^[0-9]+$ ]] && [ $choice -ge 1 ] && [ $choice -le ${#backups[@]} ]; then
local backup_file="${backups[$((choice-1))]}"
echo -e "\n恢复备份: $backup_file"
# 根据文件类型恢复
case $backup_file in
*_nginx.conf)
sudo cp "$backup_file" /etc/nginx/nginx.conf
sudo nginx -t && sudo systemctl reload nginx
echo -e "${GREEN}Nginx配置已恢复${NC}"
;;
*_apache.conf|*_httpd.conf)
if [ -f "/etc/apache2/apache2.conf" ]; then
sudo cp "$backup_file" /etc/apache2/apache2.conf
sudo systemctl reload apache2
elif [ -f "/etc/httpd/conf/httpd.conf" ]; then
sudo cp "$backup_file" /etc/httpd/conf/httpd.conf
sudo systemctl reload httpd
fi
echo -e "${GREEN}Apache配置已恢复${NC}"
;;
*_iptables.rules)
sudo iptables-restore < "$backup_file"
echo -e "${GREEN}iptables规则已恢复${NC}"
;;
*_sysctl.conf)
sudo cp "$backup_file" /etc/sysctl.conf
sudo sysctl -p
echo -e "${GREEN}sysctl配置已恢复${NC}"
;;
*)
echo -e "${YELLOW}未知备份类型,请手动恢复${NC}"
;;
esac
else
echo -e "${RED}无效选择${NC}"
fi
}
# 卸载WAF配置
uninstall_waf() {
echo -e "${RED}════════════════════ 卸载WAF配置 ════════════════════${NC}"
echo -e "${RED}警告: 这将移除所有WAF配置${NC}"
echo "1) 仅移除配置,保留备份和日志"
echo "2) 完全卸载,删除所有文件"
echo "3) 取消"
echo -e "${RED}════════════════════════════════════════════════════${NC}"
read -p "选择卸载选项 [1-3]: " choice
case $choice in
1)
# 移除配置
echo -e "${YELLOW}正在移除WAF配置...${NC}"
# 移除iptables规则
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
# 恢复默认策略
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
# 移除Web服务器配置
if [ "$WEB_SERVER" = "nginx" ] && [ -f "/etc/nginx/conf.d/waf.conf" ]; then
sudo rm -f /etc/nginx/conf.d/waf.conf
sudo systemctl reload nginx
elif [ "$WEB_SERVER" = "apache" ]; then
sudo rm -f /etc/apache2/conf-available/waf.conf
sudo a2disconf waf 2>/dev/null
sudo systemctl reload apache2
fi
# 移除limits配置
sudo rm -f /etc/security/limits.d/waf_limits.conf
echo -e "${GREEN}WAF配置已移除,备份和日志已保留${NC}"
;;
2)
# 完全卸载
read -p "确定要完全删除所有WAF文件? (输入'CONFIRM'确认): " confirm
if [ "$confirm" = "CONFIRM" ]; then
echo -e "${RED}正在删除所有WAF文件...${NC}"
# 移除配置和规则
rm -rf "$CONFIG_DIR" "$RULES_DIR"
# 移除cron任务
crontab -l | grep -v "waf_monitor" | crontab -
# 移除监控脚本
rm -f "$SCRIPT_DIR/waf_monitor.sh"
echo -e "${GREEN}所有WAF文件已删除${NC}"
else
echo -e "${YELLOW}取消卸载${NC}"
fi
;;
*)
echo -e "${YELLOW}取消卸载${NC}"
;;
esac
}
# 初始化脚本
init_script() {
# 检查是否为root
if [ "$EUID" -ne 0 ]; then
log_message "WARN" "建议使用root权限运行此脚本"
sleep 2
fi
# 创建目录
mkdir -p "$CONFIG_DIR" "$LOGS_DIR" "$BACKUP_DIR" "$RULES_DIR"
# 初始化日志
log_message "INFO" "WAF脚本初始化"
log_message "INFO" "脚本目录: $SCRIPT_DIR"
# 检查依赖
check_dependencies
# 加载配置
load_config
}
# 主程序
main() {
init_script
main_menu
}
# 捕获Ctrl+C
trap 'echo -e "\n${RED}用户中断脚本${NC}"; exit 1' INT
# 运行主程序
main脚本功能说明
主要特性:
1.全面防护功能:
- SQL注入防护
- XSS跨站脚本防护
- RFI/LFI远程/本地文件包含防护
- 命令注入防护
- 暴力破解防护
- DDoS防护
- 恶意机器人防护
- 文件上传防护
- 盗链防护
- 敏感数据防护
2.配置管理:
- 一键默认配置
- 自定义配置(可单独开关每个功能)
- 参数自定义调整
- 配置备份与恢复
- 规则管理:
- 自定义规则添加
- OWASP核心规则集导入
- 常见攻击规则导入
- 规则文件编辑
3.多Web服务器支持:
- Nginx配置生成
- Apache配置生成
- iptables防火墙规则
4.监控与报告:
- 实时监控脚本
- 自动日志分析
- 攻击统计报告
- 系统状态监控
使用方法:
保存脚本:
# 将脚本保存为 waf_manager.sh
chmod +x waf_manager.sh运行脚本:
sudo ./waf_manager.sh推荐使用流程:
- 首次运行选择"一键默认配置"
- 根据需求使用"自定义配置"调整
- 生成配置文件后"应用配置到系统"
- 使用"测试WAF防护"验证效果
- 定期使用"运行监控脚本"查看状态
本文共30496个字符,其中有 2617 个汉字,平均阅读时长 ≈ 113分钟
评论