ModSecurity began as an open-source WAF for Apache and is an effective way to harden a web tier; it now supports nginx and IIS as well. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, a useful tool for both protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr. httpd-devel is needed only because the standalone build locates the Apache headers through apxs; Apache itself does not have to run on the box.

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build has completed, pass the module to nginx's configure with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

/opt/tengine/sbin/nginx -V prints the configure arguments; the --add-module path should appear there, which confirms that the binary you installed is the one built with ModSecurity.
IV. Add rules

ModSecurity's job is to filter and block dangerous web traffic, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and comprehensive, and you can add your own rules on top of it for whatever the CRS does not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which logs matches as "Warning." lines without blocking; on a site with real traffic it is worth running in that mode first and reviewing error.log for false positives before switching to On.

owasp-modsecurity-crs contains several rule directories, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by Including them in modsecurity.conf. modsecurity_crs_10_setup.conf must come first, because it defines the variables and default actions the rule files rely on. With the setup file's default (traditional) mode each rule blocks on its own; if you switch the setup file to anomaly-scoring mode you must also include base_rules/modsecurity_crs_49_inbound_blocking.conf, otherwise nothing is ever denied.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add these two lines to the location (or server) block of every host that should be protected:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

The directives only cover the context they are placed in. In the PHP example below only requests matching "\.php$" pass through the WAF; static files and any other location are not inspected. Put the two lines at server level if every request to the host should be filtered.

Two example configurations follow. A PHP virtual host (nginx variable names are case-sensitive: it is $document_root, not $Document_root):

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load balancer. The name after proxy_pass http:// must be the upstream's name; if it differs, nginx treats it as a hostname to resolve instead:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests get a 403 straight away. Using the PHP setup as the example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

So the SQL injection and XSS attempts are being filtered. Each block is also recorded in nginx's error.log as a "ModSecurity: Access denied with code 403" line naming the rule id, message, URI and client, which is where to look when a legitimate request gets blocked.
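The script below is an added example, not code from the original article, from ModSecurity or from the CRS. It parses the ModSecurity lines out of nginx's error.log and counts hits per rule, client and URI, separating real denials (SecRuleEngine On) from the "Warning." lines DetectionOnly produces. The log lines embedded in it are constructed to match the format this article's troubleshooting section shows; the rule ids, messages, addresses and unique_ids are illustrative, not captures from a real server.

```python
"""Triage ModSecurity 2.x events out of nginx's error.log.

Added example for this article, not code from ModSecurity or the CRS.
SAMPLE_LOG is constructed to match the format ModSecurity prints through
nginx; its rule ids, messages, clients and unique_ids are illustrative.
"""
import re
import sys
from collections import Counter

# nginx prefix, then the ModSecurity message. The "*N " connection id is
# optional because not every error.log line carries one.
_PREFIX_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: "
    r"(?:\*\d+ )?\[client (?P<client>[^\]]+)\] ModSecurity: (?P<body>.*)$"
)
# ModSecurity appends its details as [key "value"] pairs; a value may contain
# an escaped quote, hence the explicit backslash escape in the pattern.
_TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
_DENY_RE = re.compile(r"Access denied with code (\d+)")


def parse_line(line):
    """Return a dict for a ModSecurity line, None for any other error.log line."""
    m = _PREFIX_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    # [tag "..."] repeats; for the fields used here the last value wins.
    tags = {k: v.replace('\\"', '"') for k, v in _TAG_RE.findall(body)}
    deny = _DENY_RE.search(body)
    if deny:
        action = "deny"            # SecRuleEngine On: request was blocked
    elif body.startswith("Warning."):
        action = "warn"            # SecRuleEngine DetectionOnly: logged only
    else:
        action = "other"           # engine errors such as the audit-log mutex
    return {
        "time": m.group("ts"),
        "client": m.group("client"),
        "action": action,
        "status": int(deny.group(1)) if deny else None,
        "id": tags.get("id"),
        "msg": tags.get("msg"),
        "data": tags.get("data"),
        "hostname": tags.get("hostname"),
        "uri": tags.get("uri"),
        "unique_id": tags.get("unique_id"),
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events):
    """Count rule hits per (id, msg), per client and per URI, plus deny/warn totals."""
    s = {"denied": 0, "warned": 0,
         "by_rule": Counter(), "by_client": Counter(), "by_uri": Counter()}
    for e in events:
        if e["action"] == "deny":
            s["denied"] += 1
        elif e["action"] == "warn":
            s["warned"] += 1
        if not e["id"]:
            continue               # not a rule match, nothing to attribute
        s["by_rule"][(e["id"], e["msg"])] += 1
        s["by_client"][e["client"]] += 1
        if e["uri"]:
            s["by_uri"][e["uri"]] += 1
    return s


def report(text):
    s = summarize(parse_log(text))
    lines = [f"blocked: {s['denied']}   detection-only: {s['warned']}"]
    for (rid, msg), n in s["by_rule"].most_common():
        lines.append(f"{n:5d}  id {rid}  {msg}")
    for client, n in s["by_client"].most_common(5):
        lines.append(f"{n:5d}  client {client}")
    return "\n".join(lines)


# Constructed sample: one audit-log error, two blocks, one DetectionOnly warning
# and one ordinary nginx notice that the parser must ignore.
SAMPLE_LOG = """\
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:16:03 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:1=1)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "0000000000000000000000001"]
2015/01/26 04:16:09 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "39"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script found within ARGS:search: <script>alert('xss');</script>"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "0000000000000000000000002"]
2015/01/26 04:17:30 [error] 61610#0: [client 192.168.1.20] ModSecurity: Warning. Pattern match "(?i:1=1)" at ARGS:q. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:q: x or 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/search.php"] [unique_id "0000000000000000000000003"]
2015/01/26 04:18:00 [notice] 61610#0: signal process started
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

Run it against the real file (python3 modsec_triage.py /opt/tengine/logs/error.log) after a few hours in DetectionOnly: rules that fire on many different URIs from many different clients are usually false positives for the application, and those are the ones to exclude before switching SecRuleEngine to On.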
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server, building one or more source or object files into a dynamic shared object. The ModSecurity build needs it even for the nginx standalone module.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Be aware that yum removes every package depending on apr along with it (httpd and httpd-devel included), so do this only after the build has finished. Afterwards, ldd /opt/tengine/sbin/nginx | grep apr shows which libapr the binary actually resolves to, if it links it dynamically.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

The serial audit log is guarded by a global mutex that is created while nginx's master process runs as root; the worker processes, which run as an unprivileged user, then cannot lock it. Switching to the concurrent audit log (one file per transaction, no shared lock) avoids the problem.

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Create /var/log/modsecurity owned by the user the workers run as (the "user" directive; nobody in a default source build). With the directory owned by that user, SecAuditLogDirMode 0750 is sufficient and preferable to 0777: audit entries contain the full request, including any submitted passwords and session cookies, and a world-writable directory lets any local user read, plant or delete them.
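As an added example (not part of the original article or of ModSecurity), the script below reads a modsecurity.conf and reports the settings discussed in this article that are commonly left in a weak state: SecRuleEngine unset, Off or DetectionOnly, request body inspection disabled, world-writable or world-readable audit log modes, Concurrent logging without a storage directory, and CRS rule files included without the setup file. Both sample configurations in it are constructed; the directives are real ModSecurity 2.x syntax mirroring this article's settings, and HARDENED_CONF is the article's configuration with the audit log modes tightened.

```python
"""Pre-flight check of modsecurity.conf before reloading nginx.

Added example for this article, not part of ModSecurity. The sample
configurations are constructed; the directives in them are real ModSecurity
2.x syntax and mirror the settings used in this article.
"""
import re
import shlex
import sys

_CONT_RE = re.compile(r"\\\s*$")      # trailing backslash = line continuation


def parse_directives(text):
    """Yield (directive, [args]) pairs, skipping comments and joining continued lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _CONT_RE.search(line):
            buf += _CONT_RE.sub(" ", line)
            continue
        line, buf = buf + line, ""
        try:
            parts = shlex.split(line, posix=True)
        except ValueError:          # unbalanced quote inside a rule regex: keep it coarse
            parts = line.split()
        if parts:
            yield parts[0], parts[1:]


def check_config(text):
    """Return [(severity, message)] for the weak settings this article discusses."""
    seen, includes = {}, []
    for name, args in parse_directives(text):
        if name == "Include":
            includes.append(args[0] if args else "")
        else:
            seen[name] = args            # last occurrence wins, as in ModSecurity

    def value(directive, default):
        return (seen.get(directive) or [default])[0]

    findings = []
    engine = value("SecRuleEngine", "").lower()
    if not engine:
        findings.append(("high", "SecRuleEngine is not set"))
    elif engine == "off":
        findings.append(("high", "SecRuleEngine Off: no rule is evaluated"))
    elif engine == "detectiononly":
        findings.append(("info", "SecRuleEngine DetectionOnly: matches are logged as "
                                 "'Warning.' but never blocked"))

    if value("SecRequestBodyAccess", "Off").lower() != "on":
        findings.append(("high", "SecRequestBodyAccess is not On: POST bodies "
                                 "(logins, JSON, uploads) bypass the rules"))

    # Audit logs hold full requests, credentials included: allow no world access.
    for directive, enough in (("SecAuditLogDirMode", 0o750), ("SecAuditLogFileMode", 0o640)):
        if directive not in seen:
            continue
        mode = int(value(directive, "0600"), 8)
        if mode & 0o002:
            findings.append(("medium", f"{directive} {mode:04o} is world-writable; "
                                       f"{enough:04o} owned by the worker user is enough"))
        elif mode & 0o004:
            findings.append(("low", f"{directive} {mode:04o} is world-readable; "
                                    "any local user can read audit entries"))

    if value("SecAuditLogType", "Serial").lower() == "concurrent" \
            and "SecAuditLogStorageDir" not in seen:
        findings.append(("high", "SecAuditLogType Concurrent needs SecAuditLogStorageDir"))

    setup = [i for i, p in enumerate(includes) if p.endswith("modsecurity_crs_10_setup.conf")]
    rules = [i for i, p in enumerate(includes) if "_rules/" in p]
    if rules and (not setup or setup[0] > rules[0]):
        findings.append(("high", "CRS rule files are included before or without "
                                 "modsecurity_crs_10_setup.conf, which defines the "
                                 "variables and default action the rules rely on"))
    return findings


# Constructed sample: modsecurity.conf as this article configures it.
ARTICLE_CONF = """\
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
SecRule REQUEST_HEADERS:Content-Type "text/xml" \\
    "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
"""
# The same configuration with the audit log modes tightened.
HARDENED_CONF = (ARTICLE_CONF
                 .replace("SecAuditLogDirMode 0777", "SecAuditLogDirMode 0750")
                 .replace("SecAuditLogFileMode 0550", "SecAuditLogFileMode 0640"))

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else ARTICLE_CONF
    for sev, msg in check_config(text) or [("ok", "no findings")]:
        print(f"[{sev}] {msg}")
```

Run it as python3 modsec_check.py /opt/tengine/conf/modsecurity.conf before each nginx -s reload. Against the article's own configuration the only finding is the 0777 directory mode; the hardened variant reports nothing.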