ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application. It now supports nginx and IIS as well; combined with nginx's flexibility and performance it can be built into a production-grade WAF, a strong tool for protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

With the standalone build done, add ModSecurity to nginx with "--add-module" when configuring it:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules for your own needs as well.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need: each rule file you want is pulled in with an Include line in modsecurity.conf.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of every virtual host that should be protected, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup (the upstream block and proxy_pass must use the same name; the original had "52os.net" in one and "online" in the other, which nginx would reject):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malformed requests are answered with a 403 straight away. Using the PHP host as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. Remove phpinfo.php once the test is done; it discloses the server's configuration to anyone who requests it.
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr
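Once requests start coming back with 403 (section VI), the next question is which rule fired, for which URI and from which client, and the startup notices in item 4 above are where you confirm that the APR fix took effect. The script below is an added example for both of those tasks; it is not part of the original post and not ModSecurity's own code. It parses nginx's error.log, flags any library whose loaded version differs from the compiled one, and tallies "Access denied" lines by rule id, URI and client. SAMPLE_LOG is constructed after the log format shown on this page: the notice lines and the mutex error are the page's own, while the rule ids 100001/100002, the client 192.168.1.50, the unique_ids and the "Matched phrase" wording are invented for the example.

```python
"""Triage ModSecurity output in nginx's error.log (added example)."""
import re
from collections import Counter

# nginx error.log prefix: "YYYY/MM/DD HH:MM:SS [level] pid#tid: [client IP] message"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#\d+: (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$'
)
# ModSecurity appends metadata as [key "value"] pairs, e.g. [uri "/i.php"]
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# startup notice: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)
DENY_RE = re.compile(r'Access denied with code (?P<code>\d+)')

# Constructed sample: notice lines and the mutex error come from the post,
# the three 403 lines (rule ids, second client, unique_ids) are invented.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:10:03 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "and" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "100001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED000001"]
2015/01/26 02:10:09 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [id "100002"] [msg "Cross-site Scripting (XSS) Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED000002"]
2015/01/26 02:11:40 [error] 29036#0: [client 192.168.1.50] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "and" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "100001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED000003"]
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""


def parse_line(line):
    """Split one error.log line into its nginx prefix and ModSecurity fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['fields'] = dict(FIELD_RE.findall(rec['msg']))
    deny = DENY_RE.search(rec['msg'])
    rec['denied_code'] = int(deny.group('code')) if deny else None
    return rec


def version_mismatches(lines):
    """Return {lib: (compiled, loaded)} for libraries whose runtime version differs
    from the one ModSecurity was built against.  A loaded string that begins with
    the compiled one counts as a match (the PCRE notice reads "7.8 " vs
    "7.8 2008-09-05"); this is the example's heuristic, not ModSecurity's check."""
    out = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        v = VERSION_RE.search(rec['msg'])
        if v and v.group('loaded') is not None:
            compiled, loaded = v.group('compiled').strip(), v.group('loaded').strip()
            if not loaded.startswith(compiled):
                out[v.group('lib')] = (compiled, loaded)
    return out


def summarize_denials(lines):
    """Count blocked requests by (rule id, msg), by URI and by client address.
    Lines that are not denials (notices, the audit-log mutex error) are skipped."""
    by_rule, by_uri, by_client = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['denied_code'] is None:
            continue
        f = rec['fields']
        by_rule[(f.get('id', '?'), f.get('msg', ''))] += 1
        by_uri[f.get('uri', '?')] += 1
        by_client[rec['client'] or '?'] += 1
    return by_rule, by_uri, by_client


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    for lib, (compiled, loaded) in version_mismatches(lines).items():
        print(f'{lib}: compiled against {compiled}, loaded {loaded}')
    by_rule, by_uri, by_client = summarize_denials(lines)
    print('denials by rule:', by_rule.most_common())
    print('denials by uri:', by_uri.most_common())
    print('denials by client:', by_client.most_common())
```

Run it against the real file with lines = open('/opt/tengine/logs/error.log') in place of SAMPLE_LOG. After "yum remove apr" and a restart, version_mismatches() should come back empty; a client that dominates the denial counts is the one to look at next.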
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 makes the audit log directory world-writable; it only needs to be writable by the user the nginx worker processes run as, so a tighter mode with the directory owned by that user does the same job.

References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614