|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
2 B& N/ k0 b4 a |5 D# O1 r* {5 t- S$ f3 `% F$ O) [
一.准备工作! J$ p$ h, M% K& `" B6 R
5 V0 C$ N% [1 a' O4 w. n
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
" [: N" R/ P; ~8 ?" u7 X8 t- P/ h. c3 E
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
* J) _& Z5 y+ |8 v' [& ?, w9 A; k: Q5 ^/ w
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
/ _! t* ~' q G9 n7 ]! A6 _' f) i" h
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs, j0 w5 z, n9 Y% ]' V3 `
4 m# }/ B: \( Z) D! g6 J# L依赖关系:
7 v. Y2 G6 m. @4 g2 w f4 U+ xtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:# L# ]2 ?6 {) r
% H0 w2 y, v$ ?1 C$ k/ [9 A
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
6 Z+ h$ p7 r" u, i- c8 [1 g! C4 Pmodsecurty依赖的包:pcre httpd-devel libxml2 apr4 q/ a5 q8 [4 O$ T9 w- L
+ h) {* q) n$ K8 U4 V& a/ @ lyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel& `+ u) S G, \1 o S$ U) Z- A' A
二.启用standalone模块并编译
+ o3 K* m7 _& l% n! P7 w; A, _# ~- T- e% }$ T M3 J: A
下载modsecurity for nginx 解压,进入解压后目录执行:. a F4 M+ y7 C7 j! d5 q. p5 c
5 M+ y- O7 d6 i1 o, p* }5 _0 Y./autogen.sh( G1 p Q5 y/ X' I! |
./configure --enable-standalone-module --disable-mlogc
1 m7 x4 [& }6 O, ~7 r* s2 pmake ) K" S0 F' D3 }2 Y( a; ^" ]3 g
三.nginx添加modsecurity模块
, K. V4 j' P9 c* D% z3 r$ n, P* B
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:( E! F( i% g, e% }9 Z: ~
$ O* k: ]- p ^+ }0 _1 T./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine8 v. t2 p: Z. v; Y& E1 `! G
make && make install4 c7 f* h- `9 n( D& S, h/ X, T+ k3 L% v
四.添加规则" m1 M6 A/ t" Y
3 U$ }, b9 I( T5 R: Tmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
3 s, v$ j5 E+ K- r( k+ y
. k+ c2 q, D% A6 D1.下载OWASP规则:7 e$ R. T! R% i: Q* P* V! w
9 v& h( }4 S+ J1 W
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs( K, n% h5 ]( y/ _# I7 r1 ^( ^, G
$ Y, B: b# e+ c' `* Fmv owasp-modsecurity-crs /opt/tengine/conf/
- I, n* Z2 L' C
- u' ?7 }' o% E2 jcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf; J1 `9 x0 x5 M4 g& S
2.启用OWASP规则:) D& Q" P8 X# _' F# W2 l; B
) T9 Z1 b, p$ s7 ]1 J, ]& Z复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
0 `. }2 H, f0 U7 x8 U* L6 T. h& ~) t
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
9 g |$ x' \& O, G$ ^+ W$ j0 |* O! `
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。1 k% h3 N% o! @& H! O/ C( ~0 t0 I) _
3 W1 J% }0 g8 O9 D* S1 R) zInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
. L% P( \$ k0 H( s MInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf( A- e: E) n C
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf- t# Q4 L& y- z* Z8 b
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf/ u( {' W- x1 \* z$ c7 O' N
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf% q/ y6 F- p4 l6 f; s
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
% h7 w* G0 W+ s% RInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf! M, c/ ]0 Q, l& g6 k
五.配置nginx
' C- E) f5 r) ?) m# T( c- L
) `% B) D% T. W在需要启用modsecurity的主机的location下面加入下面两行即可:
" H6 m3 O+ L3 s+ O6 r$ W' A: r+ J; L6 c
ModSecurityEnabled on; ! C& a$ k v% t0 z4 X9 D1 h
ModSecurityConfig modsecurity.conf;
5 }2 [$ k5 ]( @: ~, e8 G下面是两个示例配置,php虚拟主机:
6 h* P" x& M- n! n- k: ~. r! e
" E5 n( I) S# ^' F- @server {# s" x1 R4 {9 B5 W7 P5 ]
listen 80;9 R1 c4 A- K5 E5 l- c& f9 g& j
server_name 52os.net www.52os.net;
. W0 u. a' S6 o! b, C7 B: [. x 9 ~8 l: V& y+ K& T- f
location ~ \.php$ {
. V3 y8 }8 q! o" y ModSecurityEnabled on; 1 B! |: L d9 q/ I+ W0 U8 S
ModSecurityConfig modsecurity.conf;( |: b1 i) R1 v4 k, f# c
9 I3 E; B s9 {. j; F p! |) e root /web/wordpress;
4 e: d: c9 d0 ]& x, j5 n r& f6 h index index.php index.html index.htm;
; }$ m7 \! o9 n3 w + l/ m( \ `9 Q) M/ z
fastcgi_pass 127.0.0.1:9000;
) ~$ K& ^7 L! U n0 h+ h fastcgi_index index.php;; [1 y! I4 A9 G q! ?: _6 Y
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;, f2 J" [" ~* `* a
include fastcgi_params;; M3 F' Z; s: E' f. w
}
" e% O, c @' n9 `3 W8 n }' y7 L8 ]! X0 z" D8 H( c3 A
upstream负载均衡:
7 g3 m* u3 ^4 w$ h8 N1 X6 B6 }! _) `" [/ M+ [9 F
upstream 52os.net {
1 g; S3 L' t2 R( O4 m" G) L server 192.168.1.100:8080;( M+ O/ P% m/ d, `
server 192.168.1.101:8080 backup;
/ @$ ~: ]1 _3 \3 I; n$ I- g- X} ~4 Z+ u7 ?/ m
, e6 X! ^, v# y+ L* |
server {, {& i+ ^3 v6 ~2 J. c8 R1 l2 R
listen 80;
9 o/ X! w( S! D3 z1 A8 i* a5 F9 o* J, Mserver_name 52os.net www.52os.net;
3 n: c5 `1 Z# k: r8 K8 |$ B# t0 l9 K8 [; z! ~8 K
location / {
8 ?# Y9 ^# E( i' v! O* b% x! p ModSecurityEnabled on; - u/ `/ l+ ^# k3 c2 u& s
ModSecurityConfig modsecurity.conf;
. r$ F# E. y& f9 \
+ I4 }) r9 t1 u proxy_pass http://online;# r y8 B' L4 ^7 R& i- }
proxy_redirect off;2 A, N; r3 i0 F" ]9 }; p
proxy_set_header Host $host;2 f* d; B+ A* \% T9 V: M& |
proxy_set_header X-Real-IP $remote_addr;
; P0 x X7 i& o5 x+ n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;+ F% U0 N( X2 E5 M
}
: e7 P- Y2 T1 \" l}/ w8 \. z$ B; M) z' L0 o; p
六.测试7 ]( E Y3 F# |1 V0 @6 V8 R
& f. q2 ]) o/ ^& v0 b7 `* T1 U我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:5 E# O Q0 \9 U3 G" i1 B. n( u
) H0 S% p U- y G; B<?php8 U$ C+ p, n7 J# l" I
phpinfo();
- C6 k+ N5 J9 _# S?>6 W2 y* ]; o6 @) B5 S/ f
在浏览器中访问:' b2 L1 o" _( r/ Y" k9 Z, t0 ~
! k! S4 I8 t8 B2 bhttp://www.52os.net/phpinfo.php?id=1 正常显示。
2 T2 n R' G dhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。% d: P" i! E( o% h- U7 {7 f5 N) y/ O
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。9 i& L. T- z2 R2 B# V8 [! ?
说明sql注入和xss已经被过滤了1 I8 ~& r' X$ ?2 p6 |* J
' B3 b6 ]% f4 H4 l+ ~! U七、安装过程中排错
7 y7 H Y2 H h
* X/ b* e+ p# u5 d6 V1.缺少APXS会报错# O' T* q& l! g! \( J
& Z: @0 f9 c: p# b" t! d6 m; _
configure: looking for Apache module support via DSO through APXS
% P( i/ Q+ Y& Jconfigure: error: couldn't find APXS
; z& `- h% p9 q) v% t, D, Tapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。) ^8 {5 {5 w& w0 O+ P, F, q7 q
解决方法:
2 v4 x1 U0 s7 Z8 ` H9 v7 }$ k4 j$ s3 w2 N+ H6 J# e0 O
yum install httpd-devel
7 Y0 q6 L" _* D9 z& X; B2.没有pcre
* g5 M. m( N1 u7 r, u3 E$ U
6 L' Y: ^% M* Y0 Econfigure: *** pcre library not found.
. g0 D) F% Q/ R4 ?* hconfigure: error: pcre library is required' Y6 ?. a/ \ P' z. f" ~* a; B
解决方法:
" ]+ ^& H8 G1 n+ g: P0 }! l
& \& r2 X) l% c/ W1 M8 yyum install pcre pcre-devel5 B* e! _8 T$ I
3.没有libxml20 V/ j6 Q- V* x/ o0 u! y' S
E" q3 p2 [, z! R% J* T7 d' w8 f6 _
S" y; }9 q: t6 r3 aconfigure: *** xml library not found.$ X" c# m# @$ o5 u( I
configure: error: libxml2 is required
! G8 t8 L: E2 n8 j) D" N解决方法:: L2 k. K& f; |% s7 d( ~
7 Q0 q1 K4 {2 c- N
yum install libxml2 libxml2-devel
6 A1 ] f) \3 s+ z% Y, C; b' N4.执行 /opt/tengine/sbin/nginx -m 时有警告+ E! K& o) ^" O7 \# t9 f
& t7 G. o3 Q% I
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
1 l5 ?0 z) F2 u' S. @nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
" k. R9 B& }, \( c) c5 M原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log& @) E1 ]3 O& _& v
/ s" S, i. y9 l$ F1 l2 p: J! M2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
- K% o2 |9 u' O( `0 g0 W2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"9 s1 q5 b; ? S* Y. M3 J
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
( v; W6 n$ k+ f. K% g+ K2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05") T" W4 v# O' n% K; r9 I
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
, R5 V+ ]- [4 ^& @7 I1 d2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2 c% Y0 ]; q, L+ Z% H解决方法,移除低版本的APR (1.3.9)
" o: g% Z& ^0 a6 S. ]) x" Z' _1 Z8 v \5 ^" K% e
yum remove apr
% q$ e3 H( u" A5.Error.log中有: Audit log: Failed to lock global mutex
2 ]. |& q" V7 T$ y' y! ^9 Q9 N: F9 m
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
/ M. Q8 U7 A5 d' t7 j! K. ?global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]8 A$ c; n2 ]! {; Z7 f1 h# `, c, ]: q
解决方法:
( p/ R) F7 H# K, `编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:& B& L7 p* i: w1 Y! w
9 J9 Z% Y7 r- r8 l4 f6 R+ e; v/ xSecAuditLogDirMode 0777, v5 N: f8 }5 q. S6 O5 t7 x- T
SecAuditLogFileMode 0550+ S( \" [4 z0 @9 i. L9 O4 O. T
SecAuditLogStorageDir /var/log/modsecurity# x: W& C7 G: s: B
SecAuditLogType Concurrent. i& l* y% h/ L, u1 R
参考文章:2 h X! i$ F7 j) w$ t9 J2 K2 }
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX+ l) |! O, ]3 I% q
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡