ModSecurity started out as an open-source WAF for Apache and noticeably hardens web applications. It now also supports nginx and IIS, and combined with nginx's flexibility and performance it can be built into a production-grade WAF, a strong tool for protecting and auditing web traffic.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone build has finished, the ModSecurity module can be added when nginx is compiled by passing "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Adding rules

ModSecurity is built to filter and block dangerous web traffic, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write your own rules for specific needs.

(1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

(2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. (The recommended file ships with SecRuleEngine DetectionOnly, which only logs matches; nothing is blocked until this is changed.)

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever you need by adding Include lines for them to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines inside the location block of any virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # the name after http:// must match the upstream block defined above
        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection filters enabled, malicious requests get a 403 straight away. Taking the PHP environment as an example, create a phpinfo.php with the content:

<?php
phpinfo();
?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS payloads are being filtered.
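The three checks above as a script that can be rerun after every rule change, added here as an example and not part of the original post. The host name is the post's and is an assumption; override it with the WAF_BASE_URL environment variable. Note that the probes are percent-encoded before sending, which is what a browser does with the URLs typed above.

```python
"""Smoke-test a ModSecurity-enabled vhost: benign traffic passes, the probes get 403."""
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = os.environ.get("WAF_BASE_URL", "http://www.52os.net")  # assumed host

# (query parameters, expected HTTP status): the post's three browser checks
TEST_CASES = [
    ({"id": "1"}, 200),                                   # normal request
    ({"id": "1 and 1=1"}, 403),                           # caught by crs_41 SQLi rules
    ({"search": "<script>alert('xss');</script>"}, 403),  # caught by crs_41 XSS rules
]

def build_url(base, params):
    """Percent-encode the query string the way a browser would before sending it."""
    return f"{base}/phpinfo.php?{urllib.parse.urlencode(params)}"

def fetch_status(url, timeout=5):
    """Return the HTTP status; urllib raises on 4xx/5xx, so the 403 arrives as an exception."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def evaluate(results):
    """results: list of (params, expected, actual). Return (all_passed, failures)."""
    failures = [(p, e, a) for p, e, a in results if e != a]
    return len(failures) == 0, failures

def run(base=BASE_URL):
    """Send every test case and print a PASS/FAIL line; return True when all match."""
    results = [(p, exp, fetch_status(build_url(base, p))) for p, exp in TEST_CASES]
    ok, _ = evaluate(results)
    for params, expected, actual in results:
        tag = "PASS" if expected == actual else "FAIL"
        print(f"{tag} {params} expected={expected} got={actual}")
    return ok

if __name__ == "__main__":
    sys.exit(0 if run() else 1)
```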
7. Troubleshooting the installation

(1) Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

(2) pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

(3) libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

(4) A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

You can confirm which libapr the binary actually resolves at runtime with: ldd /opt/tengine/sbin/nginx | grep apr

(5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 makes the audit-log directory world-writable. A tighter alternative is to create /var/log/modsecurity owned by the user the nginx workers run as and keep a more restrictive SecAuditLogDirMode.
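The error.log entries quoted in items 4 and 5 share one shape (nginx prefix, optional [client ip], the ModSecurity message, trailing [key "value"] fields). The following parser, added here as an example and not from the original post or the ModSecurity project, turns such lines into records and flags the two conditions troubleshot above; the sample input is constructed from the lines quoted in this section.

```python
"""Parse the ModSecurity messages nginx writes to error.log and flag known problems."""
import re

# Constructed sample input: the error.log lines quoted in items 4 and 5 above.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# nginx prefix "date time [level] pid#tid: ", optional "[client ip] ", then the message
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: '
                     r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<msg>.*)$')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # trailing [key "value"] fields
VERSION_RE = re.compile(r'(?P<lib>\w+) compiled version="(?P<built>[^"]*)"; '
                        r'loaded version="(?P<loaded>[^"]*)"')

def parse_line(line):
    """Return a dict for a 'ModSecurity: ...' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    msg = rec.pop("msg")
    rec["fields"] = dict(FIELD_RE.findall(msg))     # e.g. {"uri": "/i.php", ...}
    rec["message"] = FIELD_RE.sub("", msg).strip()  # message text without the fields
    return rec

def version_mismatch(rec):
    """(lib, compiled, loaded) when the version numbers differ, else None.
    Only the first token is compared, so PCRE "7.8 " vs "7.8 2008-09-05" is not a mismatch."""
    m = VERSION_RE.search(rec["message"])
    if not m:
        return None
    built, loaded = m["built"].split(" ")[0], m["loaded"].split(" ")[0]
    return (m["lib"], built, loaded) if built != loaded else None

def find_problems(log_text):
    """Scan error.log text and list the conditions this section troubleshoots."""
    problems = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        mm = version_mismatch(rec)
        if mm:
            problems.append(("version_mismatch",) + mm)
        if rec["message"].startswith("Audit log:"):
            problems.append(("audit_log", rec["message"], rec["fields"].get("uri")))
    return problems
```

Running find_problems over a real error.log (open(...).read()) reports an APR mismatch before the matching nginx -m warning is ever noticed, and the audit-log entries carry the uri of the request that hit the permission problem.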