|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
; P& S5 s; u6 G" @' M, j
# t8 ^- {8 p* U/ l# Y8 d# _* W; i. p1 X! O一.准备工作/ M8 z0 ]- {3 ?7 w% D6 y/ U
$ W9 J$ y8 g. z3 A) `# a5 V& R* h系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0" U6 J" N1 v+ S t7 y; w
* w. v/ \# P' {4 Y! o( Gtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz* O. g) H+ w2 N& T
% l" Q# ^$ S0 \. \+ u: Vmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
5 K8 M6 s6 Y7 T: \% L6 S1 z1 W
- \ X$ K1 Z9 T4 |+ M9 GOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs \# j& l- r) Q0 Z7 X0 v1 T
# Z' d7 V( e9 `2 Y; C
依赖关系:
: N" S' |& ~ z6 j% Atengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:, K3 S6 I: U5 @6 f2 @5 |, L
+ O3 c' |% e: O X0 l3 Gyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel" F$ \8 o" G( ^: A4 ~% ~6 h
modsecurty依赖的包:pcre httpd-devel libxml2 apr
7 R6 V5 p! D7 b! u6 r2 \# Y8 Y) ]+ h2 I. h1 i) K
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel: T; N0 |" K2 S) N
二.启用standalone模块并编译$ M, V2 s7 R! B1 X
' m$ e5 V0 R* i) E, A' J# b7 z下载modsecurity for nginx 解压,进入解压后目录执行:* [6 B s/ ]$ U$ @' q
! L" w7 ^# R4 Y: K- `
./autogen.sh# b0 U I+ z% _0 e
./configure --enable-standalone-module --disable-mlogc1 m7 |( O8 U& p$ G
make
* A. Z0 p, V2 u! d1 {9 f三.nginx添加modsecurity模块# T8 F! P/ w' Y2 G
* b1 q; u4 v1 H( f. [$ {
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:; `: h! C" v! `
* c. B3 `( B& F( W; F) L3 ?
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
- C" k+ r/ ~. Z0 D1 I% ]& Imake && make install
& m& o& s$ W. B0 E四.添加规则
# S2 }- ]$ z- f& [' [# K: F
" |3 l4 R/ H# W% G. c) }modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
0 P" ~, z1 G7 v/ M
/ O+ ^0 ^$ ~3 C% l4 o3 o1.下载OWASP规则:( p0 J6 L, j3 s' D' r
. r5 y1 m% A3 m
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs: M7 i2 i% j/ H$ b% T( v
. a0 l7 W. a5 ]- S* l) t8 ]mv owasp-modsecurity-crs /opt/tengine/conf/
6 C3 U( w7 h+ ?; ]) }) z& r7 ~, G; |7 d6 U
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
/ t4 l) f: X/ ~, _+ w$ P, t2.启用OWASP规则:7 N, f0 J: M! f5 @5 m9 |# F5 g& A
( Z$ t+ I8 a( w) D! ? w5 R复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
& s0 Z$ w5 a" s: _6 j+ Q! D
8 s7 [( l+ c5 s2 s K+ U编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
$ _# K a* Z: f) {1 V& Z5 ~- L* p$ S
: z# J$ W% a' powasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。 o1 M, O3 F& @# D. |7 T, C
3 ?5 }- K: v$ n7 G" G
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf3 B0 ?2 f+ B W* \5 _5 a! l/ f
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
% Z# O9 w) }) f& l0 K; ?Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf* m4 f' _6 p0 r$ R
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf/ ^5 S1 n% G; u R9 z+ [ H4 ^
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf( U, @- M4 `! S
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
% H3 d) {7 d4 F$ uInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
, I) R3 K2 y/ \0 H& y$ y五.配置nginx. K2 i4 ^, \$ f7 `
' W& r/ e& ^6 {( O+ V5 ?
在需要启用modsecurity的主机的location下面加入下面两行即可: }0 ^/ ?6 D$ C/ a$ |' z8 C
0 w: _4 T$ e& i% p+ |' _' G
ModSecurityEnabled on; % N" Z+ i6 B8 k/ p: h0 I3 i
ModSecurityConfig modsecurity.conf;
3 x# M9 m( n& V4 y' U5 W& d下面是两个示例配置,php虚拟主机:9 K6 w; q# s" Q. s: B( y
8 u. S$ Y2 h& h) F" }9 r' Tserver {
) v5 t8 m# S5 K1 p; k listen 80;; f& A4 Z9 m, z
server_name 52os.net www.52os.net;
2 ]7 p! y$ F# M5 ~$ f - K! t+ d9 c: U; Z/ g3 f/ G7 n2 D
location ~ \.php$ {5 e7 U+ o* R7 u! w
ModSecurityEnabled on;
; o; D; `* m. I ModSecurityConfig modsecurity.conf;
# D P4 e! g& |9 ?3 ]9 Z h
2 y' x' V7 ?, Z/ t+ I8 H" m+ b root /web/wordpress;" q, K2 p* G* b; O1 i( [2 h
index index.php index.html index.htm;/ u& [* M8 @! r
; V* _" ]2 B; G3 g fastcgi_pass 127.0.0.1:9000;6 ~/ W; O, C* l7 }7 L6 A/ \# l0 k
fastcgi_index index.php;
, h. W4 L+ _: M" f. b- B fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;$ \" F4 k u2 r9 K
include fastcgi_params;7 N# V7 E/ x+ f$ y# H0 C) Y, [ Q
}1 `3 X+ T' J& m- P, i
}
7 {' O$ ]: b* ^upstream负载均衡:
2 a/ M6 b0 n# N* b) K' v7 N' | ~: J) O/ R
upstream 52os.net {
: o4 w$ x" [9 k server 192.168.1.100:8080;
. v4 J; W, m- n% a5 K+ m) V r server 192.168.1.101:8080 backup;
4 \9 a" Y# q9 {! t' a1 _) _2 ~}2 `: o5 Z2 X+ w
* r4 q! L j1 _' Userver {: N1 k- c: e: L1 \* j* P' H- v
listen 80;: s" C3 v6 J1 M
server_name 52os.net www.52os.net;' i2 W+ A, d" R" |: I1 ]
0 b+ r4 g9 Y! b5 v' N l
location / {
/ F4 G# Q8 i! s0 A8 }* c: _) e ModSecurityEnabled on;
1 l0 ^. Z; R% y ModSecurityConfig modsecurity.conf; : O" s, `, x0 `, G& e
# ]% F: ~5 Z z1 h2 O proxy_pass http://online;% t2 R5 O8 j. f8 g. b/ D
proxy_redirect off;
( p' Y# }3 T X" g- W, l0 w proxy_set_header Host $host;2 W! Z& C) X# C1 f2 z1 e2 U, D
proxy_set_header X-Real-IP $remote_addr;0 w1 C2 T) U- E6 ]7 _
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
4 P% v- [* D% A0 W9 x5 \' l9 @9 h+ u }- F$ V q, y i6 _7 C8 c, Q
}
1 x6 I/ \# L; n) H* n4 C9 g Y N& k六.测试' x- }+ H" g* u3 _; g
$ o8 v2 o, a) j0 |; W' i1 L% {
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为: C) E# m! E: L
5 h8 p7 w# ^( v" r7 I" j X<?php
: Q. K6 x4 f2 \9 q8 t+ d# T7 O- ]% U% g phpinfo(); ! g! ^+ L2 `0 A7 t
?>6 y6 h: K' u* g% S+ y2 W
在浏览器中访问:
# d+ Z7 J' [1 D+ l! ^8 ?% R7 j! c2 `3 d {5 N' L6 w
http://www.52os.net/phpinfo.php?id=1 正常显示。
, F% \7 p, C* N0 T& _http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。# B+ O; ]: f+ j+ b- ^
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
}8 O7 Q8 o; S5 r6 |说明sql注入和xss已经被过滤了$ a( R# `0 I5 m, Z( y) C
/ A- h/ @& e0 X
七、安装过程中排错
: H0 z/ d, R0 Z2 i# p7 y% V. ?: ]
1.缺少APXS会报错
9 {8 p0 X9 d; `5 D; A7 U
# X+ a) ~8 X$ h' f! U1 cconfigure: looking for Apache module support via DSO through APXS
4 h& k0 s' ~$ j/ y9 Qconfigure: error: couldn't find APXS; o6 \4 \& m! ]9 |, d4 l
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。+ O2 j& {1 P3 l3 s8 o
解决方法:
) s2 `! S8 u0 ^# T
& g* w+ U, x7 g3 F# y R4 _yum install httpd-devel
9 X1 S$ {! L' e6 {% C# k9 A1 P A% H2.没有pcre5 b+ l8 T z8 k) z
( m3 i9 S* N8 R& a A3 u3 O
configure: *** pcre library not found.
+ B) G7 W% h" E9 D; I- h+ bconfigure: error: pcre library is required+ s" l6 }5 [ G3 J3 l* N
解决方法:2 u2 F- V5 b% b! q/ Y/ L
4 d9 _" H4 c3 g: {" kyum install pcre pcre-devel- m5 D5 q/ V2 j
3.没有libxml2
8 @$ o! S* G# K- R! g h; y5 `: y( f2 O: `. H) j) r6 K$ K1 I
# p1 E; b. M/ I) ~
configure: *** xml library not found.
. J3 o( c# m# p+ {7 Uconfigure: error: libxml2 is required
; s6 g1 k/ g' [+ b& D \解决方法:
& o, q4 c. a" E* k& G3 }& y( P/ x( W
yum install libxml2 libxml2-devel6 R) ]( v2 q4 Z2 K" {+ ~* M
4.执行 /opt/tengine/sbin/nginx -m 时有警告
. P2 h; N7 Q8 g* _! Z; Y% x
; h. k$ C$ M4 J ~: OTengine version: Tengine/2.1.0 (nginx/1.6.2)+ {: {. T7 H9 l, n9 b9 E n
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!0 Z2 C5 T) d8 W
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log0 Y# S9 ?6 r3 L; B1 @
; u9 H) e. ? P1 o% X2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.5 H1 I* m/ e% p' o
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
" K! s/ p$ u! ~4 v9 E2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
/ T9 `) d8 e8 ]' p: `2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"' E0 R* P9 |4 U0 [
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2 x; _& T0 a- J1 ]9 m' D2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On." q9 n$ X- Y% e4 \* N
解决方法,移除低版本的APR (1.3.9)( ?# ?3 [- l* {
. A& e5 M, z7 O: V6 b; e8 w* Wyum remove apr) v+ m, H6 {7 Z l: b1 l2 |
5.Error.log中有: Audit log: Failed to lock global mutex
8 u0 l' z" h3 O4 \& t( c1 I4 n/ s4 n% c( n+ T b. h. S V8 A N. T
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
1 A8 s7 C+ X6 V& Uglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]9 m6 U: F' d$ J7 I1 n
解决方法:
* z5 C5 ?7 p/ F8 d v# U编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
V1 h& r* u8 |9 Q& {! I( _4 C
- M7 j; E+ o8 f$ g$ [5 BSecAuditLogDirMode 0777
/ O, t/ |) q) p. L; PSecAuditLogFileMode 0550& K. o5 ?* i j3 A3 T
SecAuditLogStorageDir /var/log/modsecurity
8 ]& y( v$ T) J" P. ySecAuditLogType Concurrent/ W$ L7 z# U; M- H7 [( o" C
参考文章:
7 @7 x$ Q9 i2 Jhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
: {3 f [5 W6 Z# i9 `( R# d: uhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡