ModSecurity started out as an open-source WAF module for Apache that noticeably strengthens web security; it now also supports Nginx and IIS. Combined with Nginx's flexibility and efficiency it can be built into a production-grade WAF, a sharp tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, extract it, cd into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build has finished, add the module to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web attacks, and its strength lies in the rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. (The recommended file ships with DetectionOnly, which evaluates and logs rule matches without blocking anything. Running real traffic through DetectionOnly first and reading the audit log is the safest way to catch false positives before switching to On.)

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
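The following modsecurity.conf fragment is an added example, not text from the original post or from the ModSecurity project. It shows how the pieces above fit together: the staged switch from DetectionOnly to On, the Include lines, one custom rule written in SecRule syntax, and a per-path exclusion for a rule that turns out to be a false positive. The paths follow the layout used on this page; the rule ids 100001 and 100002, the admin network 192.168.1.0/24 and the CRS id 973336 are assumptions, so substitute the id the audit log actually shows firing.

```apacheconf
# modsecurity.conf (added example; paths follow the /opt/tengine/conf layout)

# Stage 1: DetectionOnly evaluates and logs every match but blocks nothing.
# Switch to On only after the audit log shows no false positives on real traffic.
SecRuleEngine DetectionOnly
# SecRuleEngine On

# Inspect request bodies (POST forms, JSON) up to 12.5 MB; reject larger bodies.
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyLimitAction Reject

# Audit only transactions a rule flagged or that the application answered with 5xx/4xx (not 404).
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Core Rule Set: setup file first, then the rule files you want.
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf

# Custom rule (assumed id 100001): deny /wp-admin/ unless the client is on the admin network.
# A chained rule matches only when both SecRule lines match; the disruptive action and
# metadata live on the first line. REMOTE_ADDR is the TCP peer, so behind another proxy
# it would be the proxy's address and you would need a different variable.
SecRule REQUEST_URI "@beginsWith /wp-admin/" \
    "id:100001,phase:1,t:none,deny,status:403,log,msg:'wp-admin reached from outside the admin network',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24"

# Tuning a false positive (assumed id 100002): switch off one CRS rule for one path instead
# of removing the whole rule file. 973336 stands for whatever id the audit log shows.
SecRule REQUEST_URI "@beginsWith /wp-admin/post.php" \
    "id:100002,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=973336"
```

Rule ids must be unique across everything loaded; the CRS uses the 9xxxxx range, so local rules are kept in a separate range such as 100000 and up. The exclusion runs in phase 1 so it is in effect before the phase 2 CRS rules for that request are evaluated.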
V. Configure nginx

In the location block of each virtual host that should be protected, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        # ModSecurity inspects only the locations where it is enabled
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are lower-case; $document_root is the one nginx defines
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Note that ModSecurity only sees requests that match a location where it is enabled; with the configuration above, requests handled by other location blocks bypass it entirely.
Load balancing through an upstream (the upstream name and the proxy_pass target must match):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rule files enabled, malicious requests are answered with 403 directly. Using the PHP environment as an example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then visit in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. Remove phpinfo.php once you are done testing: it discloses the PHP build, loaded modules and filesystem paths to anyone who requests it.
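A 403 alone does not tell you which rule fired, and the same rules that block the probes above will also hit legitimate traffic (an editor pasting HTML into a WordPress post, for example). The details are in nginx's error.log, where each ModSecurity message carries bracketed [key "value"] fields like the ones shown in the troubleshooting section. The script below is an added example, not code from the original post or from the ModSecurity project: it parses those lines, counts hits per rule id and per URI, and lists the rule ids firing on a given path so you can decide between a real block and a per-path exclusion. The log lines embedded in it are constructed samples; the rule ids, messages, hosts and client addresses are illustrative.

```python
"""Triage ModSecurity hits from nginx's error.log (added example)."""
import re
from collections import Counter

# Constructed sample lines (not from a real server) in the format ModSecurity 2.x
# writes to error.log. Rule ids, messages, hosts and clients are illustrative.
# The fourth line is a rule that logged without blocking; the last is not a rule hit.
SAMPLE_LOG = r'''
2015/01/26 02:10:01 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(and|or) ?1=1)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 02:10:09 [error] 29036#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(and|or) ?1=1)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 02:11:30 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "41"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2015/01/26 02:15:02 [error] 29036#0: [client 10.11.15.200] ModSecurity: Warning. Pattern match "<script" at ARGS:content. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "41"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/wp-admin/post.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
'''

# nginx prefix: timestamp, level, pid#tid, optional "*connection", then the client tag.
HEAD_RE = re.compile(
    r'^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#\d+: (?:\*\d+ )?\[client (?P<client>[^\]]+)\] ModSecurity: '
)
# One [key "value"] field; values may contain escaped quotes (\").
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DENIED_RE = re.compile(r'Access denied with code (\d+)')


def parse_line(line):
    """Parse one error.log line; return a dict of fields, or None if it is not a rule hit."""
    head = HEAD_RE.match(line)
    if head is None:
        return None
    rec = head.groupdict()
    for key, value in FIELD_RE.findall(line):
        rec[key] = value.replace('\\"', '"')
    denied = DENIED_RE.search(line)
    rec['blocked'] = denied is not None
    rec['status'] = int(denied.group(1)) if denied else None
    return rec


def parse_log(text):
    """Return the parsed rule hits (lines carrying a rule id) from a block of error.log text."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None and 'id' in rec:
            records.append(rec)
    return records


def summarize(records):
    """Hit counts per rule id and per URI, plus how many requests were actually denied."""
    by_rule = Counter(r['id'] for r in records)
    by_uri = Counter(r.get('uri', '') for r in records)
    msgs = {r['id']: r.get('msg', '') for r in records}
    blocked = sum(1 for r in records if r['blocked'])
    return {'by_rule': by_rule, 'by_uri': by_uri, 'msgs': msgs, 'blocked': blocked}


def rules_hitting(records, uri):
    """Sorted rule ids that fired on one URI: candidates for a per-path ctl:ruleRemoveById."""
    return sorted({r['id'] for r in records if r.get('uri') == uri})


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    s = summarize(recs)
    print('denied requests: %d of %d hits' % (s['blocked'], len(recs)))
    for rule_id, n in s['by_rule'].most_common():
        print('%s x%d  %s' % (rule_id, n, s['msgs'][rule_id]))
    for uri, n in s['by_uri'].most_common():
        print('%-20s x%d  rules %s' % (uri, n, ','.join(rules_hitting(recs, uri))))
```

Run it against the real file with parse_log(open('/opt/tengine/logs/error.log').read()). A rule that fires only on the test probes is doing its job; a rule that fires on an application path your users legitimately post HTML to is the one to exclude for that path rather than disable globally.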
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server, building one or more source or object files into a dynamic shared object. ModSecurity's configure script requires it together with the Apache headers, which is why httpd-devel is in the dependency list above.
Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that the loader picks up the version the module was compiled against:

yum remove apr

Be aware that yum also removes the packages that depend on apr (apr-util, httpd and their -devel packages); that is harmless once the build is finished, but they must be reinstalled before ModSecurity is built again.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The default Serial type appends every transaction to one shared file and serializes the writes with a global mutex, which the worker processes (running as the nginx user) cannot lock here; Concurrent writes each transaction to its own file under SecAuditLogStorageDir. That directory must be writable by the worker user. A world-writable 0777 achieves that, but owning /var/log/modsecurity by the worker user with SecAuditLogDirMode 0750 and SecAuditLogFileMode 0640 gives the same result without letting every local account read or tamper with the audit trail.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614