ModSecurity started out as an open-source WAF for Apache that noticeably hardens web applications; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, a sharp tool for protecting and auditing web security.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build has finished, the module can be added when configuring nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rule set provided by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course also write your own rules to cover any requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load balancer:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # proxy_pass must name the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, malformed requests are answered directly with a 403. Taking the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS produces the error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre not installed:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not installed:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The audit directory only has to be writable by the user the nginx worker processes run as; a world-writable 0777 is wider than that requires, so once logging works, tighten the mode to that user.
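The error.log entries quoted in items 4 and 5 are exactly the lines a log monitor should pick up. As an added example (not part of the original post), this Python snippet parses ModSecurity entries out of nginx's error.log into their fields, flags compiled/loaded library version mismatches like the APR one above, and extracts blocked requests for alerting; the sample log is constructed from the lines above plus one made-up "Access denied" entry whose rule id and unique_id are placeholders.

```python
import re

# Constructed sample modelled on the error.log excerpts quoted above; the last
# line is a made-up "Access denied" entry whose id and unique_id are placeholders.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:16:02 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). [id "PLACEHOLDER_ID"] [msg "constructed rule hit"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "PLACEHOLDER_UNIQUE_ID"]
"""

# nginx error_log prefix, optional "[client IP]", then the ModSecurity message.
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+#\d+): '
                     r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<body>.*)$')
# Trailing [key "value"] fields such as [uri "/i.php"]; tolerates escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
VERSION_RE = re.compile(r'^(?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"; '
                        r'loaded version="(?P<loaded>[^"]*)"')

def parse_line(line):
    """Split one line into nginx prefix, message text and fields; None if not ModSecurity."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if v is not None}
    rec["fields"] = dict(FIELD_RE.findall(m.group("body")))
    rec["message"] = FIELD_RE.sub("", m.group("body")).strip()
    return rec

def library_mismatches(log):
    """(lib, compiled, loaded) for startup notices whose version numbers differ.
    Only the leading x.y.z token is compared, so PCRE's build-date suffix is ignored."""
    out = []
    for line in log.splitlines():
        rec = parse_line(line)
        v = VERSION_RE.match(rec["message"]) if rec else None
        if v and v.group("compiled").split()[:1] != v.group("loaded").split()[:1]:
            out.append((v.group("lib"), v.group("compiled").strip(), v.group("loaded").strip()))
    return out

def blocked_requests(log):
    """Client, URI, rule id and message of every 'Access denied' entry, for alerting."""
    recs = (parse_line(l) for l in log.splitlines())
    return [{"client": r.get("client", ""), "uri": r["fields"].get("uri", ""),
             "id": r["fields"].get("id", ""), "msg": r["fields"].get("msg", "")}
            for r in recs if r and r["message"].startswith("Access denied")]
```

Feed it the real error.log (e.g. `open("/opt/tengine/logs/error.log").read()`) and `library_mismatches` turns the APR warning into a startup check, while `blocked_requests` gives you per-client, per-URI hit records to count or alert on.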
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614