|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
8 s* d0 [5 N C* E! L0 g' t
1 o; G4 D/ Y& h2 y一.准备工作
3 c- E* ~( W( r# y: w9 b2 Q3 f# m
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
0 r/ p, M0 B4 A
+ J7 `# |' z, K. utengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz1 i* ]; z! ]; P' E) U- s
7 {6 a. X+ I( y9 t1 U
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz& X1 E3 q2 g: n9 _
8 D2 ?/ p8 P. @5 N4 L
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
2 P% I! ^! C. }) `+ Y: G+ h
* s. h9 I4 G. t; D依赖关系:
- ~$ w n4 F& Z" U* _5 s! K: Gtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
% j% i: i2 c& } y- w6 O8 ^2 [" {$ v8 {; v. [
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
/ E2 f2 C, M9 S& Umodsecurty依赖的包:pcre httpd-devel libxml2 apr
4 b+ \( I5 N% n w- w1 e) }0 p' ~. K8 _$ q" e
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel1 V$ }: c5 Z$ [/ T6 v% F
二.启用standalone模块并编译9 E; {/ [. H% {
, H/ L7 F( g0 E: g- ^: G
下载modsecurity for nginx 解压,进入解压后目录执行:# K( @) V8 B1 O2 S
/ e* a" m- H- E( \0 P. f! o9 P; B./autogen.sh, F5 ^+ B. {0 l; \: v1 _
./configure --enable-standalone-module --disable-mlogc
P7 `! }( E3 J7 q8 }! \; `make
2 s9 c P3 n9 q, a7 y3 R' Y三.nginx添加modsecurity模块
' v3 d- a5 j/ R" b& L* L: K5 z( n. Z# U _ m, v" [4 i* V
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
3 m& N9 h. I1 v; z! Y4 _" W9 m# c4 i1 P- {
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine% E( F$ ]' S% ^5 T& _, t
make && make install' x5 f% R* ~$ Q& y9 [4 H
四.添加规则 f( R# @- r5 T# Y
1 r6 n$ l+ h# y5 Z4 M. O k, ymodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
8 K( j, b8 c+ s- O0 a; X' h( h$ [3 W0 j- H4 J
1.下载OWASP规则:/ {4 L1 N- _4 j7 Y1 A) L
$ z8 k/ j. F3 y2 F2 \: j2 U- Igit clone https://github.com/SpiderLabs/owasp-modsecurity-crs. m7 R9 Z j2 K5 i) k
3 N8 }- ]- E3 z' T4 E) {mv owasp-modsecurity-crs /opt/tengine/conf/
( W/ |) j) b! e! c. t( A, P2 K+ m9 D/ I( G6 H2 M D# [6 K$ J
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf) @; K! M6 {1 N, q5 r
2.启用OWASP规则:
0 _9 C9 N: z. c* N; @% b4 k6 L5 l4 D& R) ]8 z/ J- g* m
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
) N4 S5 m/ G, ^' r; `0 r% E: `- I) p/ J
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
; y- r: L- M# c8 i8 Y0 e5 f
# p6 U% R) G) I+ P7 qowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
/ k0 D0 I6 f* b7 h+ } e* @5 e7 t: @" k" w6 { J$ P7 z$ c
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
( Z8 L: L0 o1 rInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
) b+ p0 h. P% u9 l& J9 rInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
j \3 Y, \; \* t6 K- vInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
" F" v' _6 }9 M- IInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf3 r- N5 ^8 f9 X X" F8 h2 T
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf3 k9 c7 e. r( |( m+ l# E3 r% N
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
/ z3 N4 p- N0 U" {4 X7 b五.配置nginx( M) O, K) L/ c8 {4 X
3 Q; f [& N' d& t
在需要启用modsecurity的主机的location下面加入下面两行即可:4 P9 o( ? }. p Z7 D/ s
1 M& x/ e! j: a! V' F* Y8 h
ModSecurityEnabled on; 1 x% b: `9 N9 W% i- d9 ]
ModSecurityConfig modsecurity.conf;
# }* b( }- h! a# p* _5 ] v; r下面是两个示例配置,php虚拟主机:
# W! x" C! D" C* F, Y3 j" ~' ^; ~! W4 a! D4 e) X2 {( B
server {
6 W# _# j' D) i$ W; \1 {6 L listen 80;2 t0 M1 q% t& N7 H
server_name 52os.net www.52os.net;) a; q/ p# P' `% c& ^2 ?/ s! S% M
% k- n( i4 \1 j2 R9 J( p
location ~ \.php$ {! z R7 C. w6 T3 ^$ [. N
ModSecurityEnabled on;
$ Y: ~ q' d3 W: w8 j ModSecurityConfig modsecurity.conf;
, D! l% }! l; c) h! \" K, ~8 C
" {7 o& _3 R) a8 J& L k root /web/wordpress;
8 K& k, ], G& l7 v. ^: O index index.php index.html index.htm;8 u1 K( o) y) |" f$ u
]* ?" m' s1 O0 p1 D; T) x fastcgi_pass 127.0.0.1:9000;: A' {+ \! q8 T6 N
fastcgi_index index.php; j$ F0 z- O4 e; Q6 V" {
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
; P7 p, d, U# l- Y5 V include fastcgi_params;% K& y+ I8 p& V( _! C& G% {; v
}! G& J6 b! l1 S/ g4 y( L
}: G! E0 z- B9 _
upstream负载均衡:, T+ B+ g! u& A% e3 M/ G
. P) m7 j* s- Z2 Z0 K
upstream 52os.net {
& c0 @4 X K+ M) o$ n- k, G( Z server 192.168.1.100:8080;
! N4 l' k7 c9 j* `, I( X server 192.168.1.101:8080 backup;
+ J7 D* K2 k, v: P. g5 v}
& d ^; Q- y( K0 z0 N. ~, ^5 E3 B V0 \ Q) j, R+ h
server {
5 `- w/ g0 G( q' E6 Ulisten 80;7 V0 U8 g( |7 [/ }2 G6 C
server_name 52os.net www.52os.net;
% \# }$ W4 \ u% ^' }0 n# g/ v8 k" T6 p
location / {% _) t6 m7 }+ W
ModSecurityEnabled on; ) T# I, p" c) m6 F0 x: ` j
ModSecurityConfig modsecurity.conf;
9 S3 b. @7 |; W* O$ g1 ?$ D9 c
) X1 c1 l& s- Y7 ?& A; B) C proxy_pass http://online;
0 r* } l4 a7 f8 ]2 D proxy_redirect off;
* n: }6 P4 b1 V3 C: k proxy_set_header Host $host;
: N7 i2 w/ I3 P) O! [7 g proxy_set_header X-Real-IP $remote_addr;2 ]6 y, _% R3 T! b" @
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' Q5 [7 M- \, A$ b9 |2 A
}
8 ~$ ~+ L6 V8 F}/ I. `; b0 F2 j! y" t
六.测试
$ K+ v# M( s# V! h) @; c+ i' o2 F* ]; ]# z
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:0 b7 G3 _* T B3 c2 r
+ @) S; i) F7 s) f<?php1 A' l4 }2 X0 c8 M j7 t: w
phpinfo(); 7 r" T( ~, k/ Q& U: N
?>) L6 g% c/ W6 G/ c: E) Y
在浏览器中访问:
+ ~% p8 y; L/ d. s$ c3 K0 ~: U
, r) y' _4 m, j6 ^http://www.52os.net/phpinfo.php?id=1 正常显示。3 ]4 Z1 r* L, b4 I- z
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。+ q3 X) T& z+ V& }6 T
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
5 ^0 Z, }0 o5 |, r说明sql注入和xss已经被过滤了2 r( _( y9 l+ m D6 `
4 U) W6 K- l+ b/ S& Q七、安装过程中排错( Y5 z- z( ]6 N
8 E' d$ G6 j7 d) k5 `1.缺少APXS会报错
3 G: l: {1 h D6 ~4 e5 s& F3 R2 N
configure: looking for Apache module support via DSO through APXS
9 N3 @( ~! {9 [2 d P) nconfigure: error: couldn't find APXS2 T! P5 f/ Y% T" x3 ~: {. M
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
# P# o- M' M' _( j1 B# G解决方法:) R4 n# Z) V. P$ i! ^: ] x4 y$ n
$ u" W7 W! p" Nyum install httpd-devel7 p8 @ v* E7 l( P
2.没有pcre
& q- G1 M& y" c1 a M
& L2 ~: K# V! r- B q( vconfigure: *** pcre library not found.
( g) [5 P- `+ s% Nconfigure: error: pcre library is required
3 u% @' v) {' Q) w- G解决方法:4 B" y, G! d5 z! A* S
' w% D S- {* @8 z# D- Gyum install pcre pcre-devel7 q4 x4 l+ z, m
3.没有libxml20 `7 p" e$ G- x4 n* K
$ {0 ^1 t* ^. q2 `9 Q% W
! b8 ^. ?5 C+ ? `7 K: q* Pconfigure: *** xml library not found.
6 j: H" X: @/ n& g( b' Kconfigure: error: libxml2 is required
1 @9 f( B- X Y( n6 W' H1 F! x: }解决方法:
+ U. D+ b- v* s( [, P( T8 V; N0 [2 t: S' l5 M; M% L
yum install libxml2 libxml2-devel* I E, {; `1 X( N# ]7 S
4.执行 /opt/tengine/sbin/nginx -m 时有警告" V: A# i" \1 ~3 }7 d+ o) J/ m
7 y* N9 h5 e; r0 @6 y
Tengine version: Tengine/2.1.0 (nginx/1.6.2)' w5 j. S: _& i! Y# w: U( T2 p
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
, }9 ] y6 Y% \' n7 Y; ^原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log) ~% O! B; }4 l% o/ Z+ e+ P
+ |1 K/ u! Q# W0 h1 T' @3 i2 y6 z
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.0 J$ a+ D* u; h" z. u
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
/ t+ b( v: A f) M- R2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!% \9 M6 p6 F I. {7 \# ^& {. [
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
! v4 a+ y- R2 n/ q6 m* W2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
0 _# N, c; p1 t2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
: b2 B/ ?) q7 }解决方法,移除低版本的APR (1.3.9)" x! K' z2 x7 a, |
b$ _5 M2 Q. tyum remove apr& ^' Y) c2 H# K+ f( O: Q0 w+ `
5.Error.log中有: Audit log: Failed to lock global mutex
) |- ^, b' ~* B4 v6 o4 B6 R( s' k2 S+ n& p1 y4 K9 {
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock + ]! s1 ^6 C8 ]! J$ U- y
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
- N; H2 y- w0 S( x \$ D# O- a! V" K解决方法:. k6 A7 B+ G* O, Z
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:/ x$ B2 F! {$ b: E4 r- D" x k/ c
- n# [5 a2 L6 e C
SecAuditLogDirMode 0777, ~1 ~% i4 Q2 C0 Z) ~. K1 W) d
SecAuditLogFileMode 05507 |$ t8 a. V) B, ~( @
SecAuditLogStorageDir /var/log/modsecurity
7 G- D) y4 ^0 M" ]SecAuditLogType Concurrent9 o8 \- g0 }& k9 T8 {) J
参考文章:
7 ^% E/ A' {! Shttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
7 N; ^8 d7 U9 nhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡