ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security. It now supports nginx and IIS as well; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enabling the standalone module and compiling

Download ModSecurity for nginx, unpack it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Adding the ModSecurity module to nginx

Once the standalone module has been built, it can be added to nginx at compile time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Adding rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to cover whatever else you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each of them to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configuring nginx

Add the following two lines to the location block of any virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Then an upstream (load-balancing) setup:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

We have enabled the XSS and SQL injection filters, so offending requests are answered directly with a 403. Taking the PHP setup as the example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1                                    displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1                            returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that the SQL injection and XSS attempts are being filtered.
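The three browser requests above can be turned into a repeatable check. The script below is an added example, not part of the original post: it replays them with curl, URL-encoding the payloads that a browser encodes silently, and fails if the benign request is blocked (a false positive) or either attack request gets through. It assumes the host name http://www.52os.net and the phpinfo.php page from the text, and that curl is installed.

```shell
#!/bin/sh
# Added example, not from the original post: WAF smoke test for the three
# requests in the testing section. Assumes the site is reachable at $BASE
# (default http://www.52os.net) and that phpinfo.php exists there.
BASE="${BASE:-http://www.52os.net}"

# http_status QUERY -> prints the HTTP status code of GET $BASE/phpinfo.php?QUERY.
# QUERY is passed already URL-encoded: a browser turns the spaces in
# "id=1 and 1=1" into %20 on its own, curl does not.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$BASE/phpinfo.php?$1"
}

# expect_status QUERY CODE LABEL -> 0 if the server answers CODE, 1 otherwise.
expect_status() {
    got=$(http_status "$1")
    if [ "$got" = "$2" ]; then
        echo "PASS  $3: got $got"
        return 0
    fi
    echo "FAIL  $3: expected $2, got $got"
    return 1
}

# run_smoke_test -> 0 when every check passes, otherwise the number of failures.
# The benign request is checked first: a WAF that blocks ?id=1 is either
# misconfigured or has a rule firing on legitimate traffic, which needs fixing
# just as much as a missed attack.
run_smoke_test() {
    failures=0
    expect_status 'id=1' 200 'benign request' || failures=$((failures + 1))
    expect_status 'id=1%20and%201=1' 403 'SQL injection (crs_41_sql_injection_attacks)' \
        || failures=$((failures + 1))
    expect_status "search=%3Cscript%3Ealert('xss')%3B%3C/script%3E" 403 'XSS (crs_41_xss_attacks)' \
        || failures=$((failures + 1))
    return $failures
}
```

Run it after every rule change (for example with BASE=http://127.0.0.1 against a staging instance); a non-zero exit status means the WAF no longer behaves as the testing section describes.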

VII. Troubleshooting the installation

1. APXS is missing

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the two versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
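The directives above make the per-day audit directories world-writable (0777) so that the worker processes, which run as an unprivileged user, can create them. An added alternative, not part of the original post, is to give the storage directory to the worker user and keep a tighter mode; the script below provisions it that way and checks the result, so a directory that any local account can write to is caught. It assumes the workers run as nobody (nginx's default; check the user directive in nginx.conf) and uses GNU stat as shipped with CentOS.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: worker processes run
# as $WORKER_USER (nginx default "nobody") and $AUDIT_DIR is the directory named
# by SecAuditLogStorageDir.
WORKER_USER="${WORKER_USER:-nobody}"
AUDIT_DIR="${AUDIT_DIR:-/var/log/modsecurity}"

# dir_owner DIR -> owning user name (GNU stat; BSD stat uses different flags).
dir_owner() {
    stat -c '%U' "$1"
}

# dir_mode DIR -> permission bits in octal without a leading zero, e.g. 750.
dir_mode() {
    stat -c '%a' "$1"
}

# audit_dir_ok DIR USER -> 0 if DIR exists, is owned by USER and is not
# world-writable; 1 (with a reason on stdout) otherwise. Worth running from a
# periodic check: a WAF log directory anyone can write to can be filled up or
# tampered with by any local account.
audit_dir_ok() {
    [ -d "$1" ] || { echo "missing: $1"; return 1; }
    owner=$(dir_owner "$1")
    [ "$owner" = "$2" ] || { echo "wrong owner on $1: $owner (want $2)"; return 1; }
    mode=$(dir_mode "$1")
    case "$mode" in
        *[2367]) echo "world-writable: $1 (mode $mode)"; return 1 ;;
    esac
    return 0
}

# provision_audit_dir DIR USER -> create DIR owned by USER with mode 0750 and
# verify it. Needs root for chown. Because the worker owns the directory, the
# subdirectories it creates can use SecAuditLogDirMode 0750 instead of 0777.
provision_audit_dir() {
    mkdir -p "$1" && chown "$2" "$1" && chmod 0750 "$1" && audit_dir_ok "$1" "$2"
}

# audit_directives DIR -> the modsecurity.conf fragment matching this layout
# (file mode kept as in the post; only the directory mode is tightened).
audit_directives() {
    printf 'SecAuditLogDirMode 0750\nSecAuditLogFileMode 0550\nSecAuditLogStorageDir %s\nSecAuditLogType Concurrent\n' "$1"
}
```

Usage as root: provision_audit_dir "$AUDIT_DIR" "$WORKER_USER", then paste the output of audit_directives "$AUDIT_DIR" into modsecurity.conf in place of the four lines above and reload nginx.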

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614