|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
& e" } j' O' H* g' q) Q. ~1 l- d6 g# j; e. o6 i- F
一.准备工作
. s) x- t* X2 r' m. G- B s
2 n5 h8 e, u' H8 t, c系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
# Y; Z& m! T4 {/ d" ~. Q, R, f
5 s) `( S P" v" F' w) e- ltengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
" H2 @( o+ _2 A& ]7 |( w
( H8 p B* q/ c/ b G1 omodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
+ n: O2 H/ [1 c. E# C5 A1 n0 P: ^6 l6 G4 j* |1 ?9 d
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs0 A7 k: m3 {# N9 \1 m
! m9 j$ v) g4 Q7 U& {1 x& Y& r; l依赖关系:6 G3 H6 {% |( a+ O: l1 a/ T! J
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:) X) r& R) Y1 ^/ R4 j; @
/ b9 n' w0 h7 G( {! E
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
5 ^4 s$ f, F5 a6 y8 jmodsecurty依赖的包:pcre httpd-devel libxml2 apr) ]( D* m) m( y6 m( D8 N
: S; o+ D/ {8 c2 z. U# ]yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
- @7 h1 @8 y" S2 y! J9 J8 {二.启用standalone模块并编译$ ^; G* M; |4 a- b# K7 F
8 {" n, A7 W7 c! K8 _
下载modsecurity for nginx 解压,进入解压后目录执行:# s* p s! V) \! j
1 N7 g+ O0 L8 P$ s8 @! x./autogen.sh
0 k0 W+ m2 k: t! f' c+ B/ y./configure --enable-standalone-module --disable-mlogc* r7 _/ E% ~' v! o
make 5 p* L$ u" O v$ ]( o$ c
三.nginx添加modsecurity模块
: \/ `) ~# |. H: U' n5 x) Y5 v% ?$ w7 c$ s4 e3 \7 o4 [7 O) z
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
& p( g$ m L* \
. v# Q. b# }" s1 F3 P4 P1 o; p./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine a; Q- F: d' b
make && make install
$ V1 O, l& ]9 |% J* D' Y四.添加规则$ ~' }7 o: y1 |
. |' y* g: C4 t% [! C! [
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
! b9 i8 N4 z+ S% q2 w/ s
, t7 I" ?4 ?! W, i1.下载OWASP规则:
4 r( E- i6 y5 \2 L
7 ~7 ]. L, @! `+ J5 P P, `git clone https://github.com/SpiderLabs/owasp-modsecurity-crs4 G6 n# U9 W' e n# b
5 Y ?" l* }, R
mv owasp-modsecurity-crs /opt/tengine/conf/9 P. [/ y% H) E( _) V, ^. J
+ w! P* d! }4 f! \2 B& x
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf* k+ D$ _" R1 A+ j
2.启用OWASP规则:* U5 Q8 z8 U7 o9 `
# d# Q" A7 [* q$ O
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。4 O# [# p* p" {' J2 ]
9 G" s0 W" y1 F J2 a1 O5 |
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on" g) ?0 K5 X- s4 K1 R+ `
+ V8 N& t3 ]( E! C$ q
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。' R! f& w9 w% X5 p! X* T% M
( _6 H$ Z& a5 j! N0 |3 Q: r b
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf6 F& \$ }8 Z4 z0 t
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
6 X: b% I7 ]" X5 p/ RInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
* d- Q4 x3 e3 m% L6 p. ~1 HInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf& ^- q* h& Z9 F @" u/ `" J
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
- ?# m: J! v8 U( ]$ aInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
2 z5 X s4 v4 U1 S: EInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf1 p' k6 \& g$ n, u! J6 ~
五.配置nginx
" j. Y: T0 X t" |* v" u% [. k) g* S) C9 u
在需要启用modsecurity的主机的location下面加入下面两行即可:
9 J2 ~3 e, d3 f% Q7 ]- m) Y
( f/ r$ M2 x4 eModSecurityEnabled on; " d* c. k3 o* X- [) P
ModSecurityConfig modsecurity.conf;
% h1 U1 X, m4 g4 I下面是两个示例配置,php虚拟主机:
; e0 @( k9 O; F% u* H
/ y* I: W9 a2 O' [) kserver { `, a& P0 s" D, @+ [, O) w! i+ Z; A- j2 J
listen 80;
. k+ O! N; [ K server_name 52os.net www.52os.net;$ h0 d! g" G7 E' S
6 }( |9 _- {3 r, b
location ~ \.php$ {$ w) R6 n# S9 v9 u& s* S
ModSecurityEnabled on; . N7 L: h9 s8 e
ModSecurityConfig modsecurity.conf;! Q P( H1 I4 |$ ?# D$ t5 J
% f" Z# c7 P/ [, M root /web/wordpress;
; g/ @& Z* a& v8 n$ t. L4 C- b index index.php index.html index.htm;' S, N% A+ [# e& m0 z! I
$ u/ U! ~9 }7 o. X T! Z fastcgi_pass 127.0.0.1:9000;$ ?4 Z$ M5 h( ^8 |9 j8 N; G {
fastcgi_index index.php;
/ u$ w N; N! i1 N fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;) |: ~' l" @$ m
include fastcgi_params;
/ k* o! ?0 W6 I: M* F }. I4 `2 ^; G) H w+ }
}6 c5 f% X+ k# Z3 s' `+ ]) N
upstream负载均衡:/ b/ }% i; X# C. U% ?8 b) Q" X s
9 ^5 ^& T i; \8 Y7 ^) w
upstream 52os.net {
! b7 |! U7 m0 w" | server 192.168.1.100:8080;
( S, F9 T8 w) [! V3 M: k/ Y) } server 192.168.1.101:8080 backup;
7 W: W. ]8 A$ q) S}
2 E$ b6 P$ u7 K
s: o: Q) V# kserver {
- p) u/ y/ b! V5 H$ o& ?listen 80;( x( V P6 Q, a" W/ n ]
server_name 52os.net www.52os.net;
' Z+ J2 a1 d' b8 m# r/ C) C# H/ U7 F$ h8 |( B" {" B
location / {
1 b( I5 D: S1 b1 p, {& y) ?) n# _ ModSecurityEnabled on;
- c$ Y# A$ G+ S+ a" k/ X, K2 F ModSecurityConfig modsecurity.conf;
! A* [" I% t# X4 y" b$ g* W- c1 [9 ]/ b" c' E# O
proxy_pass http://online;0 o- ^; s: r, L: @- C8 r
proxy_redirect off;
1 d; B* Z t h( L) o1 a proxy_set_header Host $host;; n( ]# |, y+ B. a6 D) ?
proxy_set_header X-Real-IP $remote_addr;: Q. V1 a! ]; }6 _9 ?5 k$ \' B( o
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" W/ b {# E5 w& J
}$ N& i2 I) W4 r( j3 F, W8 T4 b
}
2 M5 ~; z4 W ?6 G% m8 n六.测试
6 ]( H! d; Z, ?. T3 W4 f
1 m8 K7 [1 i9 C$ e9 O我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
% f; g) L: N3 S( k4 h2 v+ Q" G1 C
" U- Q- P: s. Y6 v<?php; f( x5 h8 f5 Q8 p+ }, x
phpinfo(); 5 R3 i# X! d' D2 p
?>
8 U1 U3 o/ L* m9 I0 m7 L8 S在浏览器中访问:7 j/ p, }- {* d$ g" S. Z8 u8 g
% T- Y3 B& P% u" r V" mhttp://www.52os.net/phpinfo.php?id=1 正常显示。+ ]5 A- D$ Y1 F. F2 W9 S
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
1 c/ C @% J9 f- ihttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。+ H4 ~5 S9 Y$ x0 d7 s
说明sql注入和xss已经被过滤了6 ~( }) w- |8 q# l% W
! }4 u% L8 l+ u# m4 {9 Q4 t# C七、安装过程中排错- L; q+ G. _( o! u6 V+ C4 Y" V
' p- V) d& s/ w2 _9 Q/ g
1.缺少APXS会报错
) A0 o p+ W& B0 V( V4 h4 x5 O( [2 s3 s
configure: looking for Apache module support via DSO through APXS
% |5 X u3 z, j; w( T% Z2 I! oconfigure: error: couldn't find APXS2 u2 J* n0 n2 m% z6 ^! l4 U8 T
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。1 N: z5 e( f* @5 \/ b' \
解决方法:+ p s( J' n- g( T* y. H! y
7 R1 u: [, {$ Q/ c7 m4 I8 k
yum install httpd-devel' g# n$ `# @+ t* h) V' e
2.没有pcre
2 J" \! G! v2 C& I4 V, e
8 C, C& V L, v. Jconfigure: *** pcre library not found. C7 X8 w8 T$ L) h$ P) A
configure: error: pcre library is required* q7 ^$ Q f. P4 m2 ?! l2 R
解决方法:
& Z$ e6 f5 V0 A0 H' O* t& t5 ^+ D# Q$ @/ p. T% e; Q$ F
yum install pcre pcre-devel' W2 ^* d; E- a+ w5 _7 k
3.没有libxml22 L" w6 v6 L, L) K/ X3 ^- T, J" l
0 P. J3 D8 }. @' r w# T) ]: }* r& {: S
configure: *** xml library not found.* s" [' F; N4 s ^7 C+ E
configure: error: libxml2 is required
; k& a; O E0 e r解决方法:& ]4 O/ K7 {; o* Q/ h
; z- P$ Y* I1 y! [, Syum install libxml2 libxml2-devel
7 o X0 B8 L! ]" X& y0 `1 Z! ^. G4.执行 /opt/tengine/sbin/nginx -m 时有警告6 f/ O5 \3 u; f7 @2 f; a0 ?
2 I) c8 u0 r* HTengine version: Tengine/2.1.0 (nginx/1.6.2)
; h1 v# {3 R9 r: f7 Y' inginx: [warn] ModSecurity: Loaded APR do not match with compiled!5 V+ H+ I) {4 {9 ^4 }
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
9 N* R, w2 Q4 P' B( T) Z7 K" A) _8 B0 B& `2 j3 D
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.; d" |: u7 i L {- B
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"& Z% T8 R) E# ~- _; K" i
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
" j* p6 R: e4 V2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"/ P! d! U6 ]! W0 ?5 E
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"% q0 P1 Q, p" P- a3 s) x
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
- Z+ @, T4 h1 E# {' P# ~* E- ~6 e解决方法,移除低版本的APR (1.3.9)# V. l' |5 Q( p& |; M# Z# i
/ X4 X8 ^& Y/ k3 F5 Ryum remove apr
* a3 R0 p$ h* }* T- K' I3 n; M5.Error.log中有: Audit log: Failed to lock global mutex
! |* o( g" h* C3 @2 K# F) W" r! A0 u6 l' j
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 8 l( m" ]6 o) q) C* L
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"] e& ?1 l0 g( ]( P# ?3 e
解决方法:7 L2 A0 P0 v- j1 ^2 o( C! M' g
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
, g* H1 `$ ~5 E9 v. L. K/ }( ? J8 r( p
SecAuditLogDirMode 0777- V+ {. E% {, j$ k4 H
SecAuditLogFileMode 0550
$ H7 W9 F9 l& [5 K& p+ y# qSecAuditLogStorageDir /var/log/modsecurity
6 I" p6 C5 q3 g, a, aSecAuditLogType Concurrent3 I: M4 d8 E& E, ~2 g8 i9 N: k9 H
参考文章:, y" K. b/ C# v5 I. T
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX! C. I* G8 n2 K% i+ Q# h
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡