ModSecurity started out as an open-source WAF for Apache and is an effective way to harden web applications; it now also supports nginx and IIS. Combined with the flexibility and performance of nginx it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web security.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages modsecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download modsecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the modsecurity module to nginx

Once the standalone module has been built, the modsecurity module is added when building nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover any requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the modsecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
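As an added example (not part of the original post), a small Python checker for the two things step 2 relies on: that SecRuleEngine is On rather than the DetectionOnly mode shipped in modsecurity.conf-recommended, and that the CRS setup file is included ahead of the rule files that depend on its settings. The modsecurity.conf fragment below is constructed; the directive names are ModSecurity's own.

```python
import re

# Constructed modsecurity.conf fragment (not a file from the post): the engine mode
# as shipped in modsecurity.conf-recommended, plus Include lines in the wrong order
# (a rule file ahead of the CRS setup file).
SAMPLE_CONF = """\
# -- Rule engine initialization --
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
"""

DIRECTIVE_RE = re.compile(r"^\s*(?P<name>Sec\w+|Include)\s+(?P<value>.+?)\s*$")
CRS_SETUP = "modsecurity_crs_10_setup.conf"   # defines the settings the rule files use


def parse_directives(text):
    """Yield (name, value) for each directive line, skipping comments and blanks."""
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            yield m["name"], m["value"]


def audit_conf(text):
    """Report the engine mode and CRS include order that step 2 depends on."""
    engine, includes = None, []
    for name, value in parse_directives(text):
        if name == "SecRuleEngine":
            engine = value                # the last occurrence wins, as in ModSecurity
        elif name == "Include":
            includes.append(value)
    problems = []
    if engine is None:
        problems.append("SecRuleEngine is not set")
    elif engine.lower() != "on":
        problems.append("SecRuleEngine is %s: attacks are logged, not blocked" % engine)
    setup_pos = [i for i, p in enumerate(includes) if p.endswith(CRS_SETUP)]
    if not setup_pos:
        problems.append("%s is never included" % CRS_SETUP)
    else:
        # CRS rule files included before the setup file see none of its defaults.
        for p in includes[:setup_pos[0]]:
            if "owasp-modsecurity-crs" in p:
                problems.append("%s is included before %s" % (p, CRS_SETUP))
    return {"engine": engine, "includes": includes, "problems": problems}
```

Run audit_conf over the real modsecurity.conf text after editing it; an empty problems list means the engine is blocking and the includes are ordered as in the list above.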
V. Configure nginx

Add the following two lines to the location block of each virtual host that should have modsecurity enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the host part of proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered directly with a 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version modsecurity was compiled against differs from the one loaded at runtime. error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
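As an added example (not from the post), a Python triage script for the two error.log symptoms in items 4 and 5: it extracts the compiled-versus-loaded library versions from the startup notices, ignoring the build date PCRE appends to its loaded version, and pulls out the audit-log mutex failure. The sample log is constructed from the lines quoted above, and the suggested fixes are the ones given in this section.

```python
import re

# Constructed sample modelled on the error.log lines quoted in items 4 and 5 (not a real capture).
SAMPLE_ERROR_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# Startup notice: '<LIB> compiled version="x"; loaded version="y"'.
VERSION_RE = re.compile(r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"; '
                        r'loaded version="(?P<loaded>[^"]*)"')
# Audit-log mutex failure; the reason runs up to the first bracketed field.
MUTEX_RE = re.compile(r'Audit log: Failed to lock global mutex: (?P<reason>[^\[]+?)\s*\[')
URI_RE = re.compile(r'\[uri "(?P<uri>[^"]*)"\]')

# Remedies as given in items 4 and 5 of this section.
FIXES = {
    "version_mismatch": "remove the stale runtime copy (yum remove apr) or rebuild, then restart nginx",
    "audit_log_mutex": "use SecAuditLogType Concurrent with a writable SecAuditLogStorageDir",
}


def version_core(raw):
    """Keep only the dotted number: '7.8 2008-09-05' -> '7.8', '1.5.0' -> '1.5.0'."""
    return (raw.split() or [""])[0]


def triage(log_text):
    """Return one finding per ModSecurity startup/runtime problem seen in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            compiled, loaded = version_core(m["compiled"]), version_core(m["loaded"])
            if compiled != loaded:   # PCRE's trailing build date is not a mismatch
                findings.append({"issue": "version_mismatch", "library": m["lib"],
                                 "compiled": compiled, "loaded": loaded,
                                 "fix": FIXES["version_mismatch"]})
            continue
        m = MUTEX_RE.search(line)
        if m:
            uri = URI_RE.search(line)
            findings.append({"issue": "audit_log_mutex", "reason": m["reason"].strip(),
                             "uri": uri["uri"] if uri else None,
                             "fix": FIXES["audit_log_mutex"]})
    return findings
```

Feed it the contents of /opt/tengine/logs/error.log after a restart; an empty list means neither the APR mismatch nor the audit-log mutex problem is present.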
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614