|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
; H9 Q3 w3 \8 W% M& C6 u% {! M: S: o: a: h
一.准备工作8 l& V, l7 G6 D. ^& X0 R- B
7 ~/ C. X& Z. `系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0$ ]% x0 f3 t" S) [8 @* j4 F) ` z2 Y
6 i6 X: M" Y& h5 f0 m3 D" r; Otengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
; A# [2 L* M! F( P! p* V$ C1 u
% B3 N1 R, s' v0 Z8 Pmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
6 s; }3 I: }" ?: r7 p+ ?5 X8 [3 h) F3 [7 j5 j# H0 q+ U
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
4 P$ c) ?+ }" Z9 z" x; d0 H* S8 c. K: A* N* r6 |
依赖关系:
9 i: y6 h: f- [; ]tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
1 P: {$ a9 N' }' ]7 W! m
+ p& G+ Z) V* T6 Ayum install zlib zlib-devel openssl openssl-devel pcre pcre-devel. t' O( t, ~7 g, q- G
modsecurty依赖的包:pcre httpd-devel libxml2 apr U. r& `) [3 p/ B
( b" C0 s2 B V2 k% ?4 Y; Cyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
$ ^% O' b7 Z3 M- V4 j二.启用standalone模块并编译2 A2 m" z. z N7 L( s
2 _$ I/ f7 A0 a: w下载modsecurity for nginx 解压,进入解压后目录执行:4 |; G$ o/ ?" v3 U) ~) d# C) R
' R$ R8 S% s2 Z& Z7 B# `./autogen.sh! d. p0 v2 O$ R5 I
./configure --enable-standalone-module --disable-mlogc
6 `" [5 }2 W0 l4 omake
7 G" A& e: i+ ^8 o; U三.nginx添加modsecurity模块' y9 X y( Q* l& y9 d2 Z+ Z# t
- ]$ w; M% U% C! v/ l6 m7 i在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:& ^; b- T% w& R" k5 z" j
& R( b; E! x; N; z
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine* q+ j; i) r2 v0 C. d
make && make install( I7 H" w/ B4 n* ~# X9 Y' l; ]
四.添加规则
$ M6 c* E' B, o
5 z6 v! e( O* Y3 P4 O; ^modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。$ z* V4 Y: D& m
; } s6 x1 w3 M# n! D8 j/ d1.下载OWASP规则:% {8 a% _" d' }+ T, o c; V/ |
8 ]* L I! T& q! Y* M
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
0 ^# g( X) E2 H' }0 m1 S/ P: i( i; I+ {0 s) _& W$ J/ c9 ~7 t
mv owasp-modsecurity-crs /opt/tengine/conf/6 p9 D* _* i- ]+ K
, B! Q& L& [6 Zcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
6 r- O9 }/ `+ S, m- q" u: }2.启用OWASP规则:) s$ i6 {) U: @: t% V2 S$ P/ a
) n( q/ ]5 D1 `% O' ]- ?
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。( {3 M3 k4 {* c3 J+ `
3 x) ^. C+ b* z; }+ `2 A( C
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
+ f7 F2 _* q j- J7 X
- R+ \6 K" f8 E+ J1 @$ I0 Powasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
# k$ p v+ q) ^5 c! {. h1 K
6 {5 h. c, d8 l5 x/ @6 bInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
$ b3 w7 D0 `" M+ iInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf) X# N# D$ k" Z3 i$ e
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
' i3 \4 |! j4 _( F5 `. HInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
" D) r* B8 Y7 [* I1 y( L$ rInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
2 v) c, i0 @* w. N8 vInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
4 R+ E" H4 L* |; L6 A* d9 }Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
: ^5 Z& F5 o5 H* {五.配置nginx$ d$ ?( S. o9 p9 z% o
9 l$ e* p- \4 ?0 Q& m在需要启用modsecurity的主机的location下面加入下面两行即可:
& O# M; T( C# y! G# D' q1 Z' X; o( ]
ModSecurityEnabled on; 2 f# i: f- i, L/ w
ModSecurityConfig modsecurity.conf;5 l7 l' B; S/ j G T% F) `
下面是两个示例配置,php虚拟主机:- Q; Q! K- ]2 v4 h7 d) N* Q
* D! r4 M; R9 w' ?server {
' n/ [8 C( T: K Y T+ c/ V* d+ ` listen 80;1 B$ {. l3 e2 u& ]* u% V
server_name 52os.net www.52os.net;0 l. V4 ~" v: `; Y
, v( _+ t3 V* J7 q4 Q5 a location ~ \.php$ {
) z0 h: n" V/ n- ?7 n [0 i ModSecurityEnabled on;
/ s$ h& X" h4 Q+ A/ Q3 R' t ModSecurityConfig modsecurity.conf;5 k$ J4 K5 [9 V) A) R2 Y" \
; k# p7 |4 d; D" n7 m" \) h- Y
root /web/wordpress;4 U& T A+ }: K- @/ \
index index.php index.html index.htm;% `6 x% p" O! i6 d, A7 `3 i, f, G
6 d) k6 o: T. H* m1 }7 n$ ~, d) s
fastcgi_pass 127.0.0.1:9000;9 [5 Y4 f. {+ {
fastcgi_index index.php;
9 w. A y8 o: U. V- J fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
& ^5 y5 J: `, P) G4 q. k. k include fastcgi_params;) a2 U, C+ c, P" g* Z4 Y( A. F9 ~
}
$ P3 S: M- K& v. @0 O: z3 i+ r }- e& K+ x/ H0 H [" X
upstream负载均衡:
, r* k$ G! V, x7 P" U1 v4 U. }& {3 H5 }2 w# t9 I) g) f
upstream 52os.net {
& }# z1 t& u: ?& V( } server 192.168.1.100:8080;
+ E, i6 {- x& O# L/ V server 192.168.1.101:8080 backup;8 t2 A# j0 J }0 D
}
4 s/ X* C6 e3 i# W* ~- q- l
, b5 {& W' u% j2 B: vserver {
2 c5 F: A2 b5 p& y2 f L- `listen 80;
& G& K5 O! U* j) G# Q+ w+ Qserver_name 52os.net www.52os.net;
) E1 }7 z4 J J8 }; H: l7 M- V& @0 _( ^3 k6 K
location / {: o H% H) ^4 N2 f
ModSecurityEnabled on;
: [: n4 l+ p# Z' v8 }. v ModSecurityConfig modsecurity.conf; . w% ]5 }$ M% N3 @. y5 I
' [0 w* q+ M- N. s proxy_pass http://online;
0 J* }( o& W8 g8 E n4 A proxy_redirect off;
2 I9 R2 y: d: {: g proxy_set_header Host $host;
$ Z) Z* T n$ b proxy_set_header X-Real-IP $remote_addr;3 v B% a* E% t+ j6 V( x6 [
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
% j" t; U c7 V }
0 x# }- p9 O: U! A* q5 m}
6 M( G* ^* A6 o1 L1 w8 R六.测试
( \8 o$ V8 e, ?) k: i$ ^* |: n2 q; i
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:3 u; G4 M! G' x6 b h
5 U; R/ L. S- e5 ~- O- [
<?php
" ^2 N4 \. _1 q$ [ phpinfo();
# y b- }; p% i$ O0 v0 U4 P9 X?>
8 J- B1 z. W9 L: q# P5 n" n在浏览器中访问:. z+ | x( f/ B
. U$ C" W0 @% T( s4 u
http://www.52os.net/phpinfo.php?id=1 正常显示。 Q U% M2 q! o
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
+ b* W# ]. z5 Y# Zhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。0 d$ S7 O9 i5 }+ \2 [
说明sql注入和xss已经被过滤了 e3 k: _! r' t: f+ O
% R- Z# e' P1 }" B8 ?' q七、安装过程中排错
8 B/ p& j& p8 E9 V/ U% ?
" a" ]8 T! l2 X& T) d" t1.缺少APXS会报错9 K3 X; Y) T# o1 ` ^
$ \- k4 Y# c. P- x/ Q
configure: looking for Apache module support via DSO through APXS
L) r% d) `/ J( xconfigure: error: couldn't find APXS) C$ W: [3 E& W; A( f0 y* c% w6 W6 Z
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
3 V' Z, p0 R2 F5 X解决方法:5 R* Q) S5 j+ v7 r
% l& b( d- T: u3 M
yum install httpd-devel
7 x( x* z/ a3 |/ `* q0 ^4 b# i! ]2.没有pcre4 }$ p% j& Y1 W4 C& i
! y' K. r$ u6 x% r$ q( n( sconfigure: *** pcre library not found.
* i% B; I/ _1 W3 t. Kconfigure: error: pcre library is required8 s* l. G' L, d- M+ w
解决方法:
" c2 `0 `* s# ~8 c, q9 z+ m5 Y& ?6 Z
1 y' G+ H s3 p. T+ u% iyum install pcre pcre-devel4 }0 o+ {6 P* q1 I L0 o
3.没有libxml22 D7 V4 Q5 |, D
+ o% X% M& A* {/ D1 ]( T9 Z- z. D4 o! Q+ N8 T" z) j
configure: *** xml library not found.
0 V D' n8 C1 i- Iconfigure: error: libxml2 is required: a, _7 D$ A! X @6 W: X; ^. Q: G
解决方法:0 Z3 `" o4 |* p7 a) S
' s% B1 U+ U* g9 F0 _4 b1 s; tyum install libxml2 libxml2-devel; f7 h( o8 \, [; E
4.执行 /opt/tengine/sbin/nginx -m 时有警告' @/ n% D: T' k! @# L0 \
$ v7 a) _* X' F3 H
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
5 ~( A0 g4 l% I0 o/ X+ [- I- Znginx: [warn] ModSecurity: Loaded APR do not match with compiled! E7 M- Q& y. V5 j8 s. ~$ R
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
9 j6 D9 j/ F" z$ t6 B# }; R* p% O- ^( Y- A: k2 _( w$ ?# M
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.7 I+ a* a, X5 M
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9": T; y1 P+ w6 |9 Z8 ^0 ?- b
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!' a# C8 \; z; d5 @
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
/ n( J. e2 T, U2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
# |% L. X) [6 P1 e) `6 P2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
) S, ?8 Z4 P7 @: Q1 D& C解决方法,移除低版本的APR (1.3.9)" D2 L% i! \; L B& U; H% S
% x* I- B, u& R ]2 a) v
yum remove apr+ }) N2 h d2 p. d- x# h( d
5.Error.log中有: Audit log: Failed to lock global mutex
) B$ {, I& q0 i* }6 @3 O
! J9 I. J8 A( g, t. y$ X1 C4 p$ a3 m2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock + b: y; P, ]& S' C* p" }
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
7 ?5 |* S( Y* s) e' u3 ~- V, c- w" m解决方法:
2 i2 U( j' f5 X1 x编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
6 `+ O# q3 d1 b+ x* G! U) u
9 ]5 P) O8 E, g4 S6 C6 j! |SecAuditLogDirMode 0777$ A6 @; ]) c5 K* y
SecAuditLogFileMode 05509 }; d5 r" l7 u
SecAuditLogStorageDir /var/log/modsecurity+ }5 m7 g! E C7 e1 @0 r
SecAuditLogType Concurrent
2 l/ |6 |( ^- }! G! t# M. C; f参考文章:" `- l9 S( y% A( m o) }
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX# R9 E3 v' z0 y. T1 m/ p
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡