ModSecurity was originally an open-source WAF for Apache that noticeably hardens a web application. It now also supports Nginx and IIS, and combined with Nginx's flexibility and efficiency it can be built into a production-grade WAF, a strong tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module is added when nginx itself is configured, via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is aimed at filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for whatever you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by pulling them into modsecurity.conf with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In every location of the host where ModSecurity should be active, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the one used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
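Because the two directives are added per location, it is easy to add a new location later and forget them, leaving a path the WAF never sees. The following check is an added example, not part of the original post: a small brace-aware reader for nginx-style configuration that reports every location block whose effective ModSecurityEnabled value is not "on", honouring inheritance from an enclosing http or server block. The sample configuration, the function names and the simplifications (no quoted strings containing braces, no include handling) are this example's own.

```python
import re

# Constructed sample: the post's reverse-proxy vhost plus a static location
# where the two ModSecurity lines were forgotten.
SAMPLE_CONF = """
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        proxy_pass http://online;
    }

    location /static/ {   # no ModSecurity directives here
        root /web/static;
    }
}
"""

_TOKEN = re.compile(r'[{};]|[^\s{};]+')


def tokenize(text):
    """Drop '#' comments, then split into words and the '{', '}', ';' tokens.
    Assumption of this example: no quoted strings containing braces or ';'."""
    no_comments = "\n".join(line.split('#', 1)[0] for line in text.splitlines())
    return _TOKEN.findall(no_comments)


def parse(tokens):
    """Build a tree of (name, args, children); children is None for a simple
    directive and a list for a block such as server { ... }."""
    pos = 0

    def read_block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != '}':
            words = []
            while pos < len(tokens) and tokens[pos] not in ('{', ';'):
                words.append(tokens[pos])
                pos += 1
            if pos >= len(tokens):
                raise ValueError('unterminated directive: %r' % words)
            if tokens[pos] == '{':
                if not words:
                    raise ValueError('block without a name')
                pos += 1
                children = read_block()
                pos += 1          # consume the closing '}'
                items.append((words[0], words[1:], children))
            else:
                pos += 1          # consume ';'
                if words:
                    items.append((words[0], words[1:], None))
        return items

    return read_block()


def unprotected_locations(conf_text):
    """Return 'server_name -> location args' for every location block whose
    effective ModSecurityEnabled value is not 'on'. A value set in http or
    server is inherited by the locations inside it; a value set in the
    location itself overrides it."""
    findings = []

    def walk(items, enabled, server_names):
        for name, args, children in items:
            if children is None:
                continue
            block_enabled, block_names = enabled, server_names
            for child_name, child_args, _ in children:
                if child_name == 'ModSecurityEnabled' and child_args:
                    block_enabled = child_args[0].lower() == 'on'
                elif child_name == 'server_name' and child_args:
                    block_names = ' '.join(child_args)
            if name == 'location' and not block_enabled:
                findings.append('%s -> location %s' % (block_names, ' '.join(args)))
            walk(children, block_enabled, block_names)

    walk(parse(tokenize(conf_text)), False, '(no server_name)')
    return findings


if __name__ == '__main__':
    for finding in unprotected_locations(SAMPLE_CONF):
        print('ModSecurity not enabled:', finding)
```

Run it over the output of `nginx -T` (or the conf files directly) after each change; an empty result means every location either sets ModSecurityEnabled on itself or inherits it. It complements, rather than replaces, `nginx -t`, which checks syntax but says nothing about WAF coverage.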
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php with the content:

<?php
phpinfo();
?>

Visit in the browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
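Checking those three URLs by hand once is fine, but the same check is worth repeating after every rule or nginx change. The script below is an added example, not part of the original post: it sends the post's three requests and verifies that the benign one is served while the two attack-shaped ones get 403. The default target URL is the post's phpinfo.php page; the function names and the injectable `fetch` callable are this example's own design. The browser percent-encodes the spaces and angle brackets before the request reaches the WAF, and `urlencode()` does the same here.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

# (query parameters, expected status): the post's own three cases.
CASES = [
    ({"id": "1"}, 200),
    ({"id": "1 and 1=1"}, 403),
    ({"search": "<script>alert('xss');</script>"}, 403),
]


def http_status(url):
    """Fetch url and return the HTTP status code, including 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_smoke_test(base_url, fetch=http_status, cases=CASES):
    """Return a list of (url, expected, got) for every case that did not
    behave as expected. An empty list means the WAF blocks what it should
    and still lets the benign request through."""
    failures = []
    for params, expected in cases:
        url = base_url + "?" + urllib.parse.urlencode(params)
        got = fetch(url)
        if got != expected:
            failures.append((url, expected, got))
    return failures


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net/phpinfo.php"
    problems = run_smoke_test(target)
    for url, expected, got in problems:
        print("MISMATCH %s: expected %d, got %d" % (url, expected, got))
    print("ok" if not problems else "%d problem(s)" % len(problems))
```

A mismatch on the first case (the benign request) means the rules are blocking legitimate traffic; a mismatch on the other two means the rule files were not included or SecRuleEngine is not On.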
VII. Troubleshooting during installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. No pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. No libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the two versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 makes the audit log directory world-writable; once the mutex error is gone, tighten the mode to what the nginx worker user actually needs.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614