ModSecurity was originally an open-source WAF for Apache that markedly strengthens web security. It now also supports nginx and IIS, and combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build is done, pass the module to nginx's configure with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its power lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can of course also write custom rules for any need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which logs matches without blocking anything).

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling them in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
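A mistake that is easy to make at this step is an Include path that does not resolve, or a modsecurity.conf left at DetectionOnly, so the WAF silently never blocks. The script below is an added example, not code from the original post or from the ModSecurity project: it walks the Include chain from modsecurity.conf (relative paths resolve against the nginx conf directory, as in the layout above), lists Include targets that do not exist, and reports the effective SecRuleEngine value. The temporary directory it builds when run without arguments is a constructed stand-in for /opt/tengine/conf, with one rule file deliberately missing.

```python
"""Pre-flight check of the ModSecurity include chain used by nginx.

Added example, not code from the original post or from ModSecurity: reads
modsecurity.conf from the nginx conf directory, follows every Include
(relative paths resolve against that directory), lists Include targets that
do not exist, and reports the effective SecRuleEngine value so a
DetectionOnly engine is not mistaken for a blocking one.
"""
import glob
import os
import re
import tempfile

DIRECTIVE_RE = re.compile(r'^\s*(\w+)\s+(.*?)\s*$')


def parse_directives(path):
    """Yield (name, value) pairs, skipping comments and blank lines and
    joining lines continued with a trailing backslash."""
    pending = ''
    with open(path, encoding='utf-8', errors='replace') as fh:
        for raw in fh:
            line = pending + raw.rstrip('\n')
            if line.endswith('\\'):          # continued on the next line
                pending = line[:-1]
                continue
            pending = ''
            if not line.strip() or line.lstrip().startswith('#'):
                continue
            m = DIRECTIVE_RE.match(line)
            if m:
                yield m.group(1), m.group(2)


def check_config(conf_dir, conf_name='modsecurity.conf'):
    """Return {'engine': last SecRuleEngine value seen, 'missing': [...],
    'loaded': [...]} after walking the Include chain from conf_name."""
    report = {'engine': None, 'missing': [], 'loaded': []}
    seen = set()

    def visit(path):
        path = os.path.normpath(path)
        if path in seen:
            return
        seen.add(path)
        report['loaded'].append(path)
        for name, value in parse_directives(path):
            name = name.lower()            # directive names are case-insensitive
            if name == 'secruleengine':
                report['engine'] = value   # a later directive overrides an earlier one
            elif name == 'include':
                target = value.strip('"')
                if not os.path.isabs(target):
                    target = os.path.join(conf_dir, target)
                matches = glob.glob(target)   # Include accepts wildcards
                if not matches:
                    report['missing'].append(target)
                for match in sorted(matches):
                    if os.path.isfile(match):
                        visit(match)

    top = os.path.join(conf_dir, conf_name)
    if os.path.isfile(top):
        visit(top)
    else:
        report['missing'].append(top)
    return report


def blocks_requests(report):
    """True only when the effective engine is On (value compared case-insensitively)."""
    return (report['engine'] or '').strip().lower() == 'on'


def build_sample_tree():
    """Constructed sample mirroring the post's /opt/tengine/conf layout; the XSS
    rule file is deliberately left out to show how a missing Include is reported."""
    conf_dir = tempfile.mkdtemp(prefix='tengine-conf-')
    crs = os.path.join(conf_dir, 'owasp-modsecurity-crs')
    os.makedirs(os.path.join(crs, 'base_rules'))
    with open(os.path.join(conf_dir, 'modsecurity.conf'), 'w') as fh:
        fh.write('SecRuleEngine DetectionOnly\n'
                 'SecRuleEngine On\n'
                 'Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf\n'
                 'Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf\n'
                 'Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf\n')
    with open(os.path.join(crs, 'modsecurity_crs_10_setup.conf'), 'w') as fh:
        fh.write('SecDefaultAction "phase:1,deny,log"\n')
    with open(os.path.join(crs, 'base_rules',
                           'modsecurity_crs_41_sql_injection_attacks.conf'), 'w') as fh:
        fh.write('# stand-in for the real CRS rule file\n')
    return conf_dir


if __name__ == '__main__':
    import sys
    conf = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()  # e.g. /opt/tengine/conf
    result = check_config(conf)
    print('SecRuleEngine:', result['engine'],
          '(blocking)' if blocks_requests(result) else '(NOT blocking)')
    for path in result['missing']:
        print('missing include:', path)
```

Run it as `python3 check_modsec.py /opt/tengine/conf` against a real install; without an argument it checks the constructed sample and reports the missing XSS rule file.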
V. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # the name after http:// must match the upstream block above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Test

We have enabled the XSS and SQL injection rules, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Open these in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
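The three browser checks above are worth keeping as a repeatable smoke test, so that a rule-set update or a reload that quietly dropped SecRuleEngine back to DetectionOnly is noticed. The script below is an added example, not code from the original post: it sends the same three requests to your own host (the hostname, path and the id/search parameter names are taken from the post) and compares the status codes with the expected 200/403/403. The HTTP fetcher is injectable, and the fake_waf_status stand-in is constructed here only so the check logic can run offline; it is not how ModSecurity matches.

```python
"""Smoke test for the WAF setup described in the post.

Added example, not code from the original post: sends the post's three test
requests to the protected host and checks that the benign one is answered 200
while the two probe requests are answered 403.  The fetcher is injectable so
the logic can be exercised offline with a constructed stand-in.
"""
import urllib.error
import urllib.parse
import urllib.request

# (label, query parameters, expected HTTP status); values as in the post.
CASES = [
    ('benign query',         {'id': '1'},                                   200),
    ('sql injection probe',  {'id': '1 and 1=1'},                           403),
    ('xss probe',            {'search': "<script>alert('xss');</script>"},  403),
]


def build_url(base_url, params):
    """Percent-encode the parameters, which the browser does implicitly."""
    return base_url + '?' + urllib.parse.urlencode(params)


def http_status(url, timeout=5):
    """Real fetcher: returns the status code, treating 4xx/5xx as a result, not an error."""
    req = urllib.request.Request(url, headers={'User-Agent': 'waf-smoke-test'})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_smoke_test(base_url, fetch=http_status, cases=CASES):
    """Return a list of (label, expected, observed, passed) tuples."""
    results = []
    for label, params, expected in cases:
        observed = fetch(build_url(base_url, params))
        results.append((label, expected, observed, observed == expected))
    return results


def fake_waf_status(url):
    """Constructed offline stand-in for the WAF (not ModSecurity's real matching):
    403 when the decoded query carries the tokens the post's rules catch, else 200."""
    query = urllib.parse.unquote_plus(urllib.parse.urlsplit(url).query).lower()
    return 403 if (' and 1=1' in query or '<script' in query) else 200


if __name__ == '__main__':
    import sys
    # With a URL argument the real fetcher is used; without one, the offline stand-in.
    target = sys.argv[1] if len(sys.argv) > 1 else 'http://www.52os.net/phpinfo.php'
    fetch = http_status if len(sys.argv) > 1 else fake_waf_status
    for label, expected, observed, ok in run_smoke_test(target, fetch):
        print(f"{'PASS' if ok else 'FAIL'} {label}: expected {expected}, got {observed}")
```

Point it at the host you configured (`python3 waf_smoke.py http://www.52os.net/phpinfo.php`); a FAIL on either probe case usually means the rule file is not Included or the engine is still DetectionOnly.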
VII. Troubleshooting the installation

1. APXS missing

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following (note that SecAuditLogDirMode 0777 makes the audit directory world-writable; creating /var/log/modsecurity owned by the user the nginx workers run as is the tighter alternative):

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
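Both of the last two problems show up only in nginx's error.log, and once ModSecurity is in production that file is also where blocked requests are reported, so it pays to parse it rather than eyeball it. The script below is an added example, not code from the original post or from ModSecurity: it splits each error.log line into timestamp, level, pid, the optional [client ...] address, the message and the trailing [name "value"] fields ModSecurity appends, then picks out the two cases from items 4 and 5 above: a library whose loaded version differs from the compiled one, and audit-log lock failures. The sample lines are constructed from the ones quoted above (the wrapped line joined back together). The prefix comparison in find_version_mismatches is an assumption chosen to agree with the quoted output, where the PCRE line ("7.8" vs "7.8 2008-09-05") drew no warning but the APR line did.

```python
"""Parser for the ModSecurity lines that appear in nginx's error.log.

Added example, not code from the original post or from ModSecurity.
"""
import re

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#(?P<tid>\d+): (?P<rest>.*)$')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]\s*')
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"; '
    r'loaded version="(?P<loaded>[^"]*)"')

# Constructed from the lines quoted in the post (the wrapped line joined back together).
SAMPLE_LINES = [
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"',
    '2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"',
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock '
    'global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
]


def parse_line(line):
    """Return a dict for one error.log line, or None if it is not in nginx's format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    client = None
    c = CLIENT_RE.match(rest)
    if c:
        client = c.group(1)
        rest = rest[c.end():]
    fields = dict(FIELD_RE.findall(rest))             # e.g. {'uri': '/i.php', ...}
    message = re.sub(r'\s+', ' ', FIELD_RE.sub('', rest)).strip()
    return {'timestamp': m.group('ts'), 'level': m.group('level'),
            'pid': int(m.group('pid')), 'client': client,
            'message': message, 'fields': fields}


def parse_lines(lines):
    return [e for e in (parse_line(l) for l in lines) if e]


def find_version_mismatches(entries):
    """(lib, compiled, loaded) for every startup notice whose loaded version does
    not begin with the compiled one (assumption matching the post's output: the
    PCRE line drew no warning, the APR line did)."""
    out = []
    for e in entries:
        v = VERSION_RE.search(e['message'])
        if not v:
            continue
        compiled, loaded = v.group('compiled').strip(), v.group('loaded').strip()
        if not loaded.startswith(compiled):
            out.append((v.group('lib'), compiled, loaded))
    return out


def audit_lock_failures(entries):
    """(client, uri, unique_id) for each 'Failed to lock global mutex' error."""
    return [(e['client'], e['fields'].get('uri'), e['fields'].get('unique_id'))
            for e in entries if 'Failed to lock global mutex' in e['message']]


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:                       # e.g. /opt/tengine/logs/error.log
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LINES
    entries = parse_lines(lines)
    for lib, compiled, loaded in find_version_mismatches(entries):
        print(f'{lib}: compiled {compiled}, loaded {loaded} -> rebuild against the loaded library or replace it')
    for client, uri, uid in audit_lock_failures(entries):
        print(f'audit log lock failure from {client} on {uri} (id {uid}) -> check SecAuditLog* paths and permissions')
```

The same parse_line output (client, uri, unique_id and the message) is what you would feed to a log pipeline for rule hits, since ModSecurity writes those in the same bracketed form.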
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614