ModSecurity began as an open-source WAF for Apache and noticeably strengthens the security of a web application. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF and is a useful tool for both protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs and the APR headers its configure script looks for), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following from the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build has finished, add ModSecurity when configuring nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

To confirm the module went in, run /opt/tengine/sbin/nginx -V; the configure arguments it prints should include the --add-module path above.
IV. Add rules

ModSecurity is geared toward filtering and blocking web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and custom rules can of course be written for any need the CRS does not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which evaluates the rules and logs matches without blocking; on an existing site it is worth running in that mode first to find false positives before switching to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need with Include lines in modsecurity.conf; with the layout above the paths are relative to the nginx conf directory:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
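The settings from this section gathered into one modsecurity.conf, as an added example rather than the post's own file or anything shipped by the ModSecurity project: it places the log-only engine setting next to the blocking one, keeps the Include lines chosen above, uses the Concurrent audit log that the troubleshooting section ends up with, and adds one custom rule. The custom rule, its id 10001, the /wp-admin path and the 192.168.1.0/24 admin network are assumptions made for the illustration.

```apache
# /opt/tengine/conf/modsecurity.conf (added example; start from
# modsecurity.conf-recommended and keep its remaining directives)

# Log-only mode: rules are evaluated and matches go to error.log, nothing is
# blocked. Run with this first on an existing site to find false positives.
#SecRuleEngine DetectionOnly
# Blocking mode, the setting this guide enables:
SecRuleEngine On

# Inspect request bodies so POSTed form fields are checked, not only the query string.
SecRequestBodyAccess On
SecResponseBodyAccess Off

# unicode.mapping was copied next to this file from the ModSecurity source tree.
SecUnicodeMapFile unicode.mapping 20127

# Audit log: one file per transaction (Concurrent mode takes no global mutex),
# kept only for 4xx/5xx responses other than 404.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Concurrent
SecAuditLog /var/log/modsecurity/audit.log
SecAuditLogStorageDir /var/log/modsecurity
# The directory is owned by the nginx worker user, so 0777 is not needed;
# audit files hold full requests and should not be world-readable.
SecAuditLogDirMode 0750
SecAuditLogFileMode 0640

# OWASP CRS: the setup file first, then the rule files chosen in this section.
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

# Custom rule (assumed for this example): deny /wp-admin unless the client is
# in the admin network. Ids 1-99999 are reserved for local rules; 10001 is an
# arbitrary choice. REMOTE_ADDR is the address nginx itself sees, so behind
# another proxy it would be that proxy rather than the end user.
SecRule REQUEST_URI "@beginsWith /wp-admin" \
    "id:10001,phase:1,t:none,log,deny,status:403,msg:'wp-admin request from outside the admin network',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24"

# A CRS rule that proves to be a false positive for this site is silenced by
# the id reported in the [id "..."] field of its error.log line:
#SecRuleRemoveById <id-from-error.log>
```

After editing, run /opt/tengine/sbin/nginx -t before reloading; a syntax error in modsecurity.conf or in a rule file is reported there instead of taking the server down at reload time.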
V. Configure nginx

In every virtual host that should be protected, add the following two lines inside the location block (the path given to ModSecurityConfig is relative to nginx's conf directory, /opt/tengine/conf here):

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two sample configurations follow. First, a PHP virtual host. Only requests matched by this location are inspected, so static files served by other locations bypass the WAF; also note that nginx variable names are case-sensitive, so the SCRIPT_FILENAME line must use $document_root or nginx refuses to start with an "unknown variable" error:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, load balancing through an upstream group. The name used in proxy_pass must be the name of the upstream block:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malformed requests are answered with a 403 straight away. Using the PHP host as the example, create phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

That shows the SQL injection and XSS filters are active. Every block is also written to nginx's error.log as a "ModSecurity: Access denied with code 403" line whose bracketed fields give the rule file, rule id, message and URI; when a legitimate request is blocked, that id is what you tune or exclude with SecRuleRemoveById. Remove phpinfo.php once the test is done, since it discloses the server's configuration to anyone who can reach it.
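A small triage script for those error.log entries, as an added example that is not code from the post or from the ModSecurity project: it parses the [key "value"] fields ModSecurity appends to each message and summarises which rules fired, how many events were actual denials, and which client hit which URI. The lines in SAMPLE_LOG are constructed for this example in ModSecurity's log format; the rule ids, messages, line numbers and addresses in them are illustrative placeholders, not real output.

```python
"""Triage nginx error.log lines written by ModSecurity 2.x (added example)."""
import re
from collections import Counter, defaultdict

# nginx prefix "YYYY/MM/DD HH:MM:SS [level] pid#tid: " followed by the
# "[client a.b.c.d] ModSecurity: " tag that per-request messages carry.
PREFIX_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: "
    r"\[client (?P<client>[^\]]+)\] ModSecurity: (?P<rest>.*)$"
)
# One bracketed field: [key "value"], where value may contain \" escapes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DENIED_RE = re.compile(r"Access denied with code (\d{3})")


def parse_line(line):
    """Return a dict for a per-request ModSecurity line, else None.

    Startup notices (no [client ...] tag) and ordinary nginx errors are
    skipped, so the whole error.log can be fed through unfiltered.
    """
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "level": m["level"], "client": m["client"]}
    rest = m["rest"]
    denied = DENIED_RE.search(rest)
    rec["denied"] = int(denied.group(1)) if denied else None  # None: warning only
    for key, value in FIELD_RE.findall(rest):
        rec[key] = value.replace('\\"', '"')
    return rec


def summarize(lines):
    """Aggregate parsed lines: hits per rule, denial count, client -> uri counts."""
    records = [r for r in map(parse_line, lines) if r]
    by_rule = Counter((r.get("id"), r.get("msg")) for r in records)
    by_client = defaultdict(Counter)
    for r in records:
        by_client[r["client"]][r.get("uri")] += 1
    denied = sum(1 for r in records if r["denied"] is not None)
    return {
        "records": records,
        "by_rule": by_rule,
        "by_client": {c: dict(u) for c, u in by_client.items()},
        "denied": denied,
    }


def report(summary):
    """Render the summary as text for a quick look at what the WAF is doing."""
    out = [f"{summary['denied']} of {len(summary['records'])} ModSecurity events were denials"]
    for (rule_id, msg), n in summary["by_rule"].most_common():
        out.append(f"  {n:3d}  id={rule_id}  {msg}")
    for client, uris in summary["by_client"].items():
        out.append(f"  {client}: " + ", ".join(f"{u} x{n}" for u, n in uris.items()))
    return "\n".join(out)


# Constructed sample: two denials from one client, one warning-only match from
# another, plus a startup notice and a plain nginx error that must be ignored.
# Rule ids, messages and line numbers are placeholders shaped like CRS output.
SAMPLE_LOG = r"""
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\band\b\s+\d+\s*=\s*\d+)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: and 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 04:20:09 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "19"] [id "973335"] [msg "XSS Attack Detected"] [data "Matched Data: <script found within ARGS:search: <script>alert(\"xss\");</script>"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2015/01/26 04:20:30 [error] 61610#0: [client 192.168.1.50] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.52os.net"] [uri "/wp-login.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]
2015/01/26 04:20:35 [error] 61610#0: *12 open() "/web/wordpress/favicon.ico" failed (2: No such file or directory), client: 192.168.1.50, server: 52os.net, request: "GET /favicon.ico HTTP/1.1"
"""


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG.strip().splitlines())))
```

Run it against the real file with `python3 triage.py < /opt/tengine/logs/error.log` after swapping SAMPLE_LOG for sys.stdin; the by_rule counts are the quickest way to spot a CRS rule that fires on normal traffic and needs excluding.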
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server, turning one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it (and for the APR headers that come with the same package) even for the standalone build.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time, and error.log shows:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9, the version CentOS 6.5 packages) so that only the 1.5.0 ModSecurity was built against is loaded:

yum remove apr

Before doing that, confirm which library the binary resolves with `ldd /opt/tengine/sbin/nginx | grep apr`, and read the list of dependent packages yum offers to remove along with apr (httpd and httpd-devel depend on it). If the 1.5.0 build was installed from source under /usr/local, adding its lib directory to ld.so.conf and running ldconfig makes the loader pick it up without uninstalling the system package.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

The serial audit log is protected by a global mutex that the master process creates as root, and the unprivileged worker processes are not allowed to lock it. The Concurrent audit log type writes one file per transaction and does not take that lock, which is why switching to it removes the error.

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Create /var/log/modsecurity owned by the user the worker processes run as (the `user` directive in nginx.conf). With that ownership in place, 0777 on the directory is wider than necessary: 0750 for the directory and 0640 for the files are enough, and keep the audit logs, which contain complete requests, from being readable by every local account.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614