Using nginx with ModSecurity to build a WAF

Posted on 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, add it when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can of course also write custom rules to meet your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of each virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so malformed requests are rejected with a 403. Taking the PHP environment as an example, create phpinfo.php with the content:

<?php
    phpinfo();
?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that SQL injection and XSS are being filtered.
+ \9 {# n5 {- k0 V
VII. Troubleshooting the installation

1. Missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. Missing pcre:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
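Added example, not from the post or from ModSecurity itself: a small parser for the ModSecurity entries that nginx writes to error.log, covering the startup version notices from item 4 above (it flags the APR mismatch but not the harmless PCRE date suffix) and the rule hits that a blocked request like the ones tested in section VI produces. The sample log is constructed; the "Access denied" and "Warning." lines and their rule ids and messages are illustrative.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format ModSecurity 2.x (nginx build) writes to nginx's error.log.
# Lines 1-3 copy notices quoted in the post; lines 4-5 are constructed examples of a blocked
# request (SecRuleEngine On) and the same kind of hit under DetectionOnly (ids/msgs illustrative).
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED-ID-1"]
2015/01/26 04:21:07 [error] 61610#0: [client 10.11.15.161] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED-ID-2"]
"""
# nginx prefix "date time [level] pid#tid: ", optional "[client ip] ", then the message
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: '
                     r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<text>.*)$')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')       # [id "950901"], [uri "/x"], ...
DENIED_RE = re.compile(r'Access denied with code (\d+)')
VERSION_RE = re.compile(r'^(\w+) compiled version="([^"]*)"; loaded version="([^"]*)"')

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """One error.log line -> prefix fields plus every [key "value"] pair in the
    message; lines not written by ModSecurity give None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()                           # ts, level, pid, client (may be None), text
    entry.update(FIELD_RE.findall(entry["text"]))   # adds id, msg, uri, hostname, unique_id, ...
    denied = DENIED_RE.search(entry["text"])
    entry["denied_code"] = denied.group(1) if denied else ""
    return entry

def parse_log(text: str) -> List[Dict[str, str]]:
    return [e for e in map(parse_line, text.splitlines()) if e]

def version_mismatches(entries: List[Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Libraries whose compiled and loaded versions differ (the post's APR warning).
    Only the first token is compared, so PCRE "7.8 " vs "7.8 2008-09-05" passes."""
    out = {}
    for e in entries:
        m = VERSION_RE.match(e["text"])
        if m and m.group(2).split()[:1] != m.group(3).split()[:1]:
            out[m.group(1)] = (m.group(2).strip(), m.group(3).strip())
    return out

def rule_hits(entries: List[Dict[str, str]], blocked_only: bool = False) -> List[Dict[str, str]]:
    """Every event carrying a rule [id ...], or only those the engine actually blocked."""
    keys = ("ts", "client", "uri", "denied_code", "id", "msg")
    return [{k: e.get(k) or "" for k in keys} for e in entries
            if e.get("id") and (e["denied_code"] or not blocked_only)]
```

The "Failed to lock global mutex" entry from item 5 parses as a plain error with no rule id, so it appears in neither rule-hit list; with SecRuleEngine DetectionOnly the same CRS matches are logged as "Warning." and only show up when blocked_only is False.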
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614