|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
0 P3 S$ F7 t! h, ]
) W; p! R8 H" O% o$ G# ~0 Z一.准备工作' i* ? d3 Z- `& ~
" x$ E6 ^/ W! V! u& [+ z9 i2 w
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
1 t$ j! {3 S0 V3 p# T1 W% O F- ]! G+ _' s5 {3 W' @" X' J+ F3 ~ w2 U
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz: C% y! @7 v# ^6 e6 b
0 p4 X: P, a8 i5 r$ k0 n, V
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
& V, T9 p/ X2 v, H2 p
# ?6 G7 B N0 x- Q y+ POWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
1 f7 k; V9 N- A9 L& x$ Q
4 z' t" f" y7 c/ F1 d1 L依赖关系:! C! c6 ]2 }2 W/ b+ |( [% h
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
( |' ~) m0 W6 C: v2 Y9 A/ g* p: D
# Z/ W* l z( L+ ^9 {4 _! t- A4 Nyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel5 y& x3 _6 ^( D8 S1 j! t, c
modsecurty依赖的包:pcre httpd-devel libxml2 apr
1 E4 s+ e- a! i. S1 `: B: p0 {' v: Z8 V( |$ Q4 n
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel3 Q4 r3 ]2 {4 }, Z# e" c
二.启用standalone模块并编译
5 M( h) W3 X. y# H' u4 i
6 ~5 }& G6 r/ j0 L下载modsecurity for nginx 解压,进入解压后目录执行:
; c- f; P1 e' P/ J; ^6 x2 X* ~5 T; t' G9 @, \% y' V
./autogen.sh% q1 L- q3 e7 D6 B" ~3 Z
./configure --enable-standalone-module --disable-mlogc
& q% f: s: n0 r4 Z8 Rmake
( D7 }. Z& \- @) Y9 w1 s三.nginx添加modsecurity模块
: W! x5 o: i$ M+ @6 L
' K! G2 O v1 F' Z' V在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
/ K; n* F' W8 |4 T$ _9 m0 K; ?
# [3 h- i8 E" @./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
. V& W7 Y, B& w1 F1 W% hmake && make install
3 q& \8 L+ Q0 \1 r5 e# q- v& H四.添加规则( f$ K; x* R+ N e) \5 M/ [
: r6 H l: [1 d% t' zmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
% q; f3 Z2 ^( ~6 r3 _+ R# p" O2 S* o& f2 H8 S- g, m
1.下载OWASP规则:9 ` o3 @( M$ N9 M+ i2 W; b& j4 [5 L& |3 O
- ~% A: A3 A: a0 ]* S! |
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
. Q+ r) r0 \* J) }" }( q3 ^2 w
" M8 x8 _0 h, y0 E E$ r& F& J4 I) nmv owasp-modsecurity-crs /opt/tengine/conf/. J! c. n5 H; W J2 f
6 P" v6 i9 W+ V. b! s1 q+ q
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf- ?( J3 I: p8 J0 t# @0 q
2.启用OWASP规则:
3 R X2 c! V* R. B) v" l
' E! _ X* u& J$ ]. q复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。8 \% F1 J# K! r" ~
5 W- ?; P& @1 _" _: t9 Z
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on% Q, K [6 b: M7 q* V$ K; o
, ]( v) b7 S* qowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
; X' e! d4 f3 {% q8 T S- W" \" W- P6 W
* T6 k% N+ a {, ^Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf1 G, l5 U6 `* |, }
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf: G% U; i, o# A# `: u6 U: |# Y' {
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf% @& c; P! T7 \
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf4 _ c+ }1 ]0 I& m5 l
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
0 g; s2 J1 t$ l# c7 TInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
7 [" J5 e8 ?& y; uInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
) A8 d; {7 a3 N$ l" H五.配置nginx
4 u$ O5 U3 X! G: y2 k9 L, {) X* ^; {; l4 O$ K8 {3 h
在需要启用modsecurity的主机的location下面加入下面两行即可: }4 x9 H/ k- x
0 @" a# ?/ b$ c; s& J* S7 e# cModSecurityEnabled on;
& H" { n& C' U0 IModSecurityConfig modsecurity.conf;4 C1 v( I# }# G2 N
下面是两个示例配置,php虚拟主机:
q9 @/ o7 x$ j) y
1 C+ ~. O8 v% r! b6 Q! p! V' J; Gserver {
0 u- H7 {: o6 O listen 80;
# e* x' b; U8 a6 z5 M- v1 A server_name 52os.net www.52os.net;+ d- V! i5 }5 r, y# F
3 ~! v- y) ~/ y0 U3 e- O location ~ \.php$ {
8 Z( g5 b# t/ x ModSecurityEnabled on;
" a/ w! P6 m# c- Z, o ModSecurityConfig modsecurity.conf;
$ S0 @3 c1 s8 N6 e$ ?5 i! Q8 X6 w0 o& a7 B! R5 t6 {' T& h p
root /web/wordpress;
. H& I& ^/ o* r7 p, `9 b9 o0 M- q3 N index index.php index.html index.htm;
7 V; }+ _& s1 q6 T& y1 F 7 [0 u4 C) b9 z& b- Z$ P% L: e! p
fastcgi_pass 127.0.0.1:9000;- e7 W7 A% R; x, j% {! K
fastcgi_index index.php;& q- X- @$ q% v% u& ]% H
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
; Y& L) K. a8 U* J# P- V) t include fastcgi_params;
, o2 |$ L7 D& c4 E' N/ y/ @: M }
) [) ^; U9 l+ r+ u4 d }
) t* I6 r3 F2 d$ v1 y9 ?* Qupstream负载均衡:
1 u2 @9 t1 ^+ H2 a. Y" j! R
2 T! Z+ P$ {5 v- x" nupstream 52os.net {
2 v0 C: l+ f5 `$ y4 {9 m5 y+ t& B server 192.168.1.100:8080;
" ` E) {- c0 m7 |% o. D! G# ^7 K server 192.168.1.101:8080 backup;
' G8 g ?, M0 h3 w- ~; D0 q7 D}1 v+ y/ d& L7 X1 u0 N% [8 m
: v- D+ ]) w. A8 dserver {
* B9 G/ R; ^; ^3 v% ulisten 80;3 s* p- U- D2 f# \0 g, o( G6 G9 O9 w
server_name 52os.net www.52os.net;, i4 d$ B7 T! S3 H
* p6 c, d1 t) Q0 a' Y2 P o. D
location / {
& i) F, c9 y8 d7 e) r/ Q ModSecurityEnabled on; ' P% ^! v+ ^7 \" g7 h
ModSecurityConfig modsecurity.conf; 9 q% P9 I1 O+ a( |3 ?' `/ L' {
8 z; @2 m! H+ v6 {, d( o' A
proxy_pass http://online;
( W( K7 {" P9 ]- o proxy_redirect off;, P" P- K2 E$ y$ P3 Z- \
proxy_set_header Host $host;- `9 j$ S0 v6 A1 y
proxy_set_header X-Real-IP $remote_addr;+ j1 w6 j% H5 s8 z, {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;: ^5 m8 }8 `+ f" t( E6 @$ X
}* n4 D; @, `( v: {- Z; @" B
}+ q0 J* Y+ b d5 P+ f0 j* e
六.测试; D/ w0 T8 O6 `( P8 o0 _5 U( t. h
& b' F0 G- [: K; a9 `我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
' Y; W3 F1 F4 s. x+ g, C2 [$ N
+ G& C: a8 I% Z<?php7 J7 r! V0 n' P, R
phpinfo(); 2 c' {1 x$ r" U7 E9 X) E" {
?>
j& F; s( `: I7 `2 Z3 f. T6 p" |在浏览器中访问: T. `+ H9 G7 |$ d5 b
' p* K e0 O( x* H7 _5 U
http://www.52os.net/phpinfo.php?id=1 正常显示。* r* r" L- z7 `* Z X
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。: i9 m( q/ e5 T' p" q
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
. ]) ]8 F1 l7 }+ R; `! A& \6 ~说明sql注入和xss已经被过滤了
# o! e( x1 Z: c. T4 k& m6 D2 m2 j7 z( k
七、安装过程中排错3 P+ y: D; u* T
# w+ P( A1 u" {( U1.缺少APXS会报错/ S. c6 D3 q `7 z0 p) y! K
$ s6 X+ I- u# _' O+ ~
configure: looking for Apache module support via DSO through APXS
: d& }7 e% F4 }* N$ Wconfigure: error: couldn't find APXS5 B& Q# O( C5 ~, p
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。8 `) _; I9 \2 ?0 w& b( s8 v
解决方法:' B4 F' K* ^* g4 K9 Q/ Z
9 Q" O0 [! Z5 \5 _* r, Q
yum install httpd-devel1 l! e, ~7 J" X9 R
2.没有pcre
1 h3 R& D. k( B
% M. H% K" T$ m# f# X- `3 rconfigure: *** pcre library not found.
# p. O9 }9 B/ `configure: error: pcre library is required# H! u, m$ V2 {8 n2 B
解决方法:+ D& G9 J m7 x9 u: l' u
P# p9 j" I8 P; e& h b- b
yum install pcre pcre-devel
. |. e, t; j" a# }" ]6 Z3.没有libxml2
& U4 _3 n7 s6 [) _- S- C3 z9 [6 ~7 q
: X: D$ o |7 Q1 A7 o3 O1 B2 H& }& dconfigure: *** xml library not found.. [. ^! f/ u; i, |5 d) \. G# ~
configure: error: libxml2 is required
$ G2 i. R5 `' z g1 C0 c解决方法:7 C4 _9 @% u/ z, G& {3 W& L! F& _7 `
8 C5 [ P7 |4 @% f& Vyum install libxml2 libxml2-devel
. P R. {4 }7 `: }/ L) `8 m4.执行 /opt/tengine/sbin/nginx -m 时有警告
! i4 K+ L/ B9 X4 K) J' E
5 _) }# e. i: \9 `6 m7 O8 uTengine version: Tengine/2.1.0 (nginx/1.6.2)
+ H6 l, K f$ s$ \1 L, \. G9 Wnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
0 [4 e R( E0 d! T B5 u8 Z/ \原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
# h, V) ^ s! f% n- I9 y: p) V k+ j5 e/ t; }' S2 {0 [
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.! u1 r8 O! E$ s* e. v$ r" q
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
, \9 S% s! ^1 I7 d4 z, U, i' ^2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
- i9 d' l, E% `! }7 r2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
8 O! ?. \$ O" z. _2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"9 v) O. F1 H' x0 L9 l3 |) k
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.- z$ D5 `/ u: g, M7 X0 @- W
解决方法,移除低版本的APR (1.3.9)* {0 d7 J4 I( |7 Y2 N
1 r, E$ x' `9 Y- V5 c6 {
yum remove apr
2 k* c) Y" j( J5.Error.log中有: Audit log: Failed to lock global mutex) d- T3 n) r# `/ A) d. c
3 J N0 T; J0 r9 ^, Y
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
1 a3 }$ Z N+ r4 q0 P. B5 |global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
/ n/ `4 o8 t+ A! @: Q3 f解决方法:
! w4 y# q$ [5 m r }/ D编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
0 r3 I% L0 O U- f% S7 A3 X, e5 ~* s9 j; f# ~
SecAuditLogDirMode 0777- P6 Z8 [+ _2 s) K7 }( q* p
SecAuditLogFileMode 0550
* Z" A# p* U& b7 |3 ?6 v' a" ~SecAuditLogStorageDir /var/log/modsecurity
5 Q" Y% ~$ @) R% f" X, kSecAuditLogType Concurrent# s' T0 u$ E! m# @0 v! e
参考文章:
% E6 W. [' i' X4 u) z5 E. f/ Qhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX# x, d7 R c5 o! Q5 o' p
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡