ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be turned into a production-grade WAF, and it is a useful tool for both protecting and auditing web traffic.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (it needs apxs and the APR headers even though Apache itself is never run), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module has been built, pass it to nginx's configure with "--add-module" (the path below assumes the ModSecurity source was unpacked under /root):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is about filtering and blocking dangerous web requests, and its strength comes from its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and comprehensive, and you can also write your own rules for anything it does not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches but never blocks; leaving it that way is the usual reason the 403s in the test section never show up.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines for them to modsecurity.conf. modsecurity_crs_10_setup.conf has to be included before any rule file, because the rule files depend on the variables it sets:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

In the location (or server) block of each host that should be protected, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
Two example configurations follow. First a PHP virtual host. ModSecurity is enabled only inside the PHP location, so requests that do not match \.php$ are served without inspection; enable it in every location that reaches application code. root and index are set at server level so that static requests resolve against the same document root, and SCRIPT_FILENAME uses $document_root (nginx variable names are case-sensitive):

server {
    listen 80;
    server_name 52os.net www.52os.net;

    root /web/wordpress;
    index index.php index.html index.htm;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Second, a load-balancing reverse proxy. The upstream group name has to match the name used in proxy_pass:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, malicious requests get a 403 straight back. Taking the PHP setup as the example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

So the SQL injection and XSS payloads are being filtered. Remove phpinfo.php again afterwards: it discloses the PHP build, loaded modules and environment, which is exactly what an attacker wants to know before choosing an exploit.
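The three browser checks above are worth scripting so they can be rerun after every rule change. The following is an added example, not code from the original post: it assumes the vhost www.52os.net from the configuration above is reachable and that phpinfo.php still exists. The fetch argument of run_cases is a hook so the harness itself can be exercised without a live WAF.

```python
"""Rerunnable version of the browser checks above: one benign request that
must still pass and the two attack payloads that must be blocked."""
import sys
import urllib.error
import urllib.parse
import urllib.request

BASE = "http://www.52os.net"  # assumed: the vhost from the nginx config above

# (path, query parameters, expected status). Keeping a benign case in the
# list catches a rule set that has started blocking everything, which a
# payload-only check would report as success.
CASES = [
    ("/phpinfo.php", {"id": "1"}, 200),
    ("/phpinfo.php", {"id": "1 and 1=1"}, 403),
    ("/phpinfo.php", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base, path, params):
    """Percent-encode the payload; ModSecurity decodes ARGS before matching."""
    return base + path + "?" + urllib.parse.urlencode(params)


def http_status(url, timeout=5):
    """Return the response status. urllib raises on 4xx/5xx, so unwrap it;
    a connection failure propagates, since that is not a WAF verdict."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_cases(cases, base=BASE, fetch=http_status):
    """Return (url, expected, got, passed) for every case. `fetch` is
    injectable so the harness can be tested without a server."""
    results = []
    for path, params, expected in cases:
        url = build_url(base, path, params)
        got = fetch(url)
        results.append((url, expected, got, got == expected))
    return results


if __name__ == "__main__":
    # Usage: python waf_smoke.py [http://host]   (exit status 1 on any FAIL)
    base = sys.argv[1] if len(sys.argv) > 1 else BASE
    failures = 0
    for url, expected, got, passed in run_cases(CASES, base):
        print(f"{'PASS' if passed else 'FAIL'} expected={expected} got={got} {url}")
        failures += not passed
    sys.exit(1 if failures else 0)
```

Add a case with a payload on a non-PHP path to the list if you use the first vhost: it should come back 200, which documents that static paths are not inspected there.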
7. Troubleshooting the installation

1. APXS is missing

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server, compiling one or more source or object files into a dynamic shared object. The standalone build needs it for the APR headers and build flags even though Apache itself is never started.
Fix:

yum install httpd-devel
2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel
3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against is not the one loaded at runtime. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that the version used at compile time is the one the loader finds. Read the list of dependent packages yum proposes to remove before confirming, since httpd and apr-util depend on it; running ldd against the nginx binary shows which libapr-1 it actually resolves to.

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

The serial audit log is protected by a global mutex created by the master process, which runs as root, and the worker processes running as an unprivileged user are denied it. Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add the following so that each transaction is written to its own file instead:

SecAuditLogDirMode 0750
SecAuditLogFileMode 0640
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The storage directory must exist and be writable by the user the nginx workers run as. Do not fall back to a world-writable mode such as 0777 to get past the permission error: the audit log holds full request bodies, cookies and session tokens and should be readable by as few accounts as possible.