|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。# Y6 D( {( w; m6 v1 G5 T, C
1 r$ y5 c0 H( `& R2 T1 v; w
一.准备工作
3 x3 N* Z& r' ~2 W1 \
# o9 R8 a: h) y4 k, U系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
" ?3 `6 ]2 f$ a) w) B- [( M# @2 M3 w- ~
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
/ K5 R1 H) L" Z' j7 Z. b
0 {3 ~' v* p% N0 g. Dmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz; o, B( y: l7 e3 l5 J7 y. J
) E1 N4 [6 y2 EOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs' H" k; X) Y+ j% A" V" k
3 ?/ U2 X4 [, S, z% o9 P+ v6 c依赖关系:
# h: Z3 t+ e/ y0 ^/ V+ c. Ytengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
, ~8 Y, D+ F" R( p
! o3 t4 H) \- P2 h6 g( I Byum install zlib zlib-devel openssl openssl-devel pcre pcre-devel8 \8 C) o4 l' O5 g. ?
modsecurty依赖的包:pcre httpd-devel libxml2 apr
2 S$ k0 X# c- x+ ?4 e# c- e* K& J4 X y1 k) j0 O
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
/ ^$ c1 I! M. ? r$ W二.启用standalone模块并编译4 `1 g8 u9 i1 B+ N
3 D2 c' J- a7 ^1 u' R下载modsecurity for nginx 解压,进入解压后目录执行:6 Y6 f1 v4 n" f& ^$ a& j, f+ v# ]" @
, M% ]* l9 j, G6 @- R./autogen.sh2 `/ p0 K1 h, M G
./configure --enable-standalone-module --disable-mlogc
1 o) a/ e6 ~1 ~9 w9 G; ^% Emake
0 r1 M# y4 r N% c" k8 @三.nginx添加modsecurity模块
. `& v# A$ d$ c: K; k
) j. m3 j) C# ?& G$ W( h$ M9 L h在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
4 ~+ E* K. G% i* Q
; `, U: ?6 v6 ^./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
- S; a5 c: ?9 t7 j2 j% ^* Umake && make install
( E2 C4 ]- l y; A3 v, H' E j+ f四.添加规则
; O3 A1 h3 O6 g
; D2 J" N, u( ]modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。1 Q, o( G5 S" b4 ?
: o f f+ [, r' G
1.下载OWASP规则:$ \* \; k5 ~. m1 c F2 t$ B& P
, z& f% t5 H- xgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs% O1 H& g0 i* v8 Y! y
* C2 E- u" `! n6 V1 w0 _' v- V
mv owasp-modsecurity-crs /opt/tengine/conf/
3 h( B/ \( w" r) ?4 `; t2 t9 ]3 K$ x% k2 x; y" p) t2 T5 Q
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
* z- a3 o6 F; h/ c/ A2.启用OWASP规则:
3 W& q: `* O# l" } m# W
' i R# V. }7 s" u复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
! H7 ]) t1 [4 g W8 o! |" U$ m/ ^, ^) b; c: h6 m
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
7 T& v1 I# b1 ?/ F7 m# ~! Q' x& j0 I+ ]5 y/ M% ]" m, t
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
8 |% h# S' a' a5 i$ ], i/ V/ s0 J7 ?
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf# r+ |4 Y! A. G% {- K! K% e
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
. z( H& S. l6 w, nInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
( U3 H5 H0 p0 ZInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
, X1 C! D% w( }& u w m6 jInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
' R* r4 t2 F) f& g7 e( [4 @8 yInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
% A$ _5 r9 M% R$ @& S" qInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
' A0 [& l1 U3 ?五.配置nginx3 z5 @4 O! X* B1 U+ G. \6 j: {
( C" p+ b8 ?# ^
在需要启用modsecurity的主机的location下面加入下面两行即可:+ {5 r/ j9 e! p9 |# q7 t* ~, K
) G% C: X: i' q
ModSecurityEnabled on; ) T; E8 z$ c9 Q: X0 [
ModSecurityConfig modsecurity.conf;
' `( K' L" ^5 ]+ |! P. M下面是两个示例配置,php虚拟主机:# i" a- ^3 R8 [! [3 G
' [8 m3 o7 A, q( ]: o1 Mserver {& \# o% O% m6 d7 {$ g
listen 80;
" O: \! N/ k1 a/ {1 J8 k server_name 52os.net www.52os.net;
1 _4 d F j4 U! n. X$ S4 Z9 e : P* A9 F: e5 {2 g9 ^; e
location ~ \.php$ {
% G9 [2 L! Y4 a/ h4 J ModSecurityEnabled on;
2 }; t/ a) J- T ModSecurityConfig modsecurity.conf;+ D& y( B; T, a" F4 R/ W% f, L, ?! `
9 a9 b# y [! R# {% n root /web/wordpress;0 K) r: i2 U1 m) V* ^& F2 w
index index.php index.html index.htm;
+ v1 V5 \. N T+ { j" D
9 n! s0 B6 P3 h3 G' J4 O/ S fastcgi_pass 127.0.0.1:9000;5 `: x% {+ [* t0 S; B/ p2 M
fastcgi_index index.php;
( d* K. r$ k3 r+ J* f, X7 P fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name; |2 i! }- n1 ]3 k
include fastcgi_params;# M1 X% ^2 x, ?2 \ Q
}
4 Q6 n; |0 o! Q3 { }8 I' O8 s1 `* }1 L! I
upstream负载均衡:
' U/ k! |, g/ U. \/ m" }4 m( \+ O9 I# Y. {* i: i! U
upstream 52os.net {
( O3 R3 b ]- |# \( B- N server 192.168.1.100:8080;7 ]7 O4 ` B$ d( _2 L; C
server 192.168.1.101:8080 backup;& T$ H& Q9 l, w; k! ?5 n
}* H" h4 ?7 _; q! q& C
( Q0 e# H% C3 k' |
server {
4 D5 J3 ?' w& R5 Z( ?% qlisten 80;
* {9 r) ]% U: d/ tserver_name 52os.net www.52os.net;
5 L; U! m3 R" F6 D4 j4 @3 M: p5 S' U5 `, G8 _4 N3 `
location / {) }9 W/ J+ p* j& S0 @
ModSecurityEnabled on; 3 @* ?' m4 M, {, {/ |% h9 ]. z
ModSecurityConfig modsecurity.conf; d' Q3 L. A0 `& `7 P* k
9 l. @, X3 [* g! y* I9 E proxy_pass http://online;7 R* w$ L. l) }! B+ i' }
proxy_redirect off;; e( [" C4 [, ?+ e4 i4 s: v2 }$ O/ J: @
proxy_set_header Host $host;( p( T8 Y4 N' @8 [0 y9 M, u
proxy_set_header X-Real-IP $remote_addr;
) N. @$ q2 f1 B5 R& e0 e6 d7 O proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;& Z! s/ l2 u2 g1 K0 i# N
}
; H- `# l$ a9 O ]5 e: h% T" `5 p}! l5 N! N$ B+ d- K0 w6 |, C
六.测试9 a# N: _ l. A" r9 e) Z Z- {% z
5 v; ^2 d/ i: {) `我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
* n; N; c! L3 R6 \, d& q& c6 w! k3 _/ L/ x2 L. |
<?php0 Q6 X0 s E/ X' i/ Q4 ^
phpinfo();
6 u6 e# \* B8 X1 ]8 |?>
`# W. V0 O& h9 ?! N在浏览器中访问:
\9 W4 F; W- r2 k6 m( Z; q
+ \) {1 O8 M0 l, b) z; Yhttp://www.52os.net/phpinfo.php?id=1 正常显示。
8 S' E. a; k6 P) f0 w9 Y1 b5 x! O6 ?http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。( \" R0 x" n; Q6 y/ O
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
0 B/ U0 ^3 N) v) ]说明sql注入和xss已经被过滤了% _" b X4 t" l
9 u6 p* q3 [5 p4 k( {: R
七、安装过程中排错, u' Q6 R" p" y5 ?
0 d8 X$ |5 X- j* T F
1.缺少APXS会报错
7 @5 v/ ?: f( z# `" m* G9 e
- o3 D8 W; z0 z! A& M( rconfigure: looking for Apache module support via DSO through APXS
' q% u; ?- o( l9 o. econfigure: error: couldn't find APXS
5 ]! F/ {8 k# z% q2 f9 tapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。# Y! I# `- J, X, R( U# ]
解决方法:
3 m. b3 o7 {5 x( \5 H+ f7 w
0 _( c4 @# G$ c& ?$ {) g% ]( Y1 r; d9 lyum install httpd-devel
) a) P8 Q) ]5 m$ {& j2 Y2.没有pcre4 M% D7 X; V0 N0 c0 \6 h4 u
5 p! S( R8 p: r, Y% W6 uconfigure: *** pcre library not found.6 N) n4 ]. d( U3 C3 m9 Y- a" D
configure: error: pcre library is required' I0 m& U& ]* F* z2 q) _. [
解决方法:6 g+ i2 a; P8 W& T4 w4 B5 j2 Q$ U
, H* W+ H( h# i( _" S, U, V5 K/ Y
yum install pcre pcre-devel
% c3 b4 `6 G0 ^+ }" U1 N" l( _5 {3.没有libxml2
7 g6 ^" \- `2 F$ U6 s% Y/ R8 ?: E+ R A
- E( {% a- J% N7 C
configure: *** xml library not found.9 L5 w) D' p0 ~: Z( n' Y* P
configure: error: libxml2 is required5 v/ s0 R8 R* d+ _
解决方法:! v2 g* a% t2 [
" q9 H u2 c, q5 b W2 y
yum install libxml2 libxml2-devel
/ b4 T! L5 x% \7 h5 V+ u) t8 m# R4.执行 /opt/tengine/sbin/nginx -m 时有警告2 V+ L8 X- j+ D `4 p
0 N; A' M0 o9 V+ Q. ~; x9 wTengine version: Tengine/2.1.0 (nginx/1.6.2)
9 ]. b5 Y4 L! B( ]0 g! wnginx: [warn] ModSecurity: Loaded APR do not match with compiled!2 g; A2 e6 W) c( a4 K
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
3 Q4 U$ n+ \# J9 ^/ v7 e8 s
5 ^4 H' A; r) U9 A& p3 d) Z2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2 ^5 h) C9 ~: \) m* e; x! X& |4 e2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
: x' S8 q- L) J0 C1 u- R* n- I2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
! ^9 I! v. v% ^ I2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
7 n0 a% ^% J% B2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"' ~; D1 A- f2 W9 @/ @# e
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
9 E8 E& w* Y( E1 W" @- N0 K! `) G解决方法,移除低版本的APR (1.3.9)& Q8 z* }) A9 F0 R
2 @- X+ w# L5 _# u2 b3 zyum remove apr/ ~3 c6 j0 `- U1 H5 A: W" V* j
5.Error.log中有: Audit log: Failed to lock global mutex; Q2 G/ y. K2 m) g& Z6 C% c
$ q# Q) Y# P* y# p- I% L! h2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
, b; E- a, V( V) ^9 Kglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]1 g+ I6 C7 E% K# v4 Q" @
解决方法:
& Q5 }6 y+ _/ J, z编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:7 M$ k# v; P6 S$ B7 w+ w
3 V7 z* A6 s8 f3 A; b. \( P, O LSecAuditLogDirMode 07779 E3 Y4 v& J7 c" F! q6 p6 s5 o
SecAuditLogFileMode 0550
" d7 W0 e: z" s, A6 ASecAuditLogStorageDir /var/log/modsecurity
9 r$ K2 g# H7 R% G) u+ B9 fSecAuditLogType Concurrent
' g9 Q/ k7 ~+ E- Y; p; d4 |参考文章:
6 J F- ~+ b& ~: Y; X1 E4 y; O6 phttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX# r" i! p# u6 \$ A- ^2 S
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡