ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security. It now also supports Nginx and IIS; combined with Nginx's flexibility and efficiency it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, it can be added to nginx at build time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

The owasp-modsecurity-crs directory contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines for them (here, in modsecurity.conf):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of every virtual host where ModSecurity should be active, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with a 403. Taking the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Visit in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m produces a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log will also contain:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
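As an added example that is not part of the original article: a small Python parser for the ModSecurity entries nginx writes to error.log, covering both the engine error quoted above and the "Access denied with code 403" lines that appear when the test requests from section VI are blocked. Only the first sample line is taken from the article; the second is constructed here, and its rule id, file, line number and pattern are illustrative.

```python
import re
from collections import Counter

# Two nginx error.log entries. The first is the mutex error quoted in the
# article; the second is CONSTRUCTED to show the shape of a CRS block
# (rule id, file, line and pattern are illustrative, not from the article).
SAMPLE_LOG = '''
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-id-0001"]
'''

# nginx prefix: "<date> <time> [level] <pid>#<tid>: [client <ip>] ModSecurity: <rest>"
HEAD_RE = re.compile(
    r'^(?P<time>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<rest>.*)$')
# ModSecurity appends [key "value"] pairs; values may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_line(line):
    """Return a dict for a ModSecurity error.log line, or None if it is not one."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop('rest')
    first = FIELD_RE.search(rest)
    # Free text before the first [key "value"] pair is the message proper.
    rec['message'] = (rest[:first.start()] if first else rest).strip()
    # Repeated keys such as [tag ...] keep only their last value here.
    rec['fields'] = dict(FIELD_RE.findall(rest))
    rec['blocked'] = rec['message'].startswith('Access denied')
    return rec


def summarize(log_text):
    """Count blocked requests per (client, uri, rule id); collect engine errors."""
    blocked = Counter()
    errors = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['blocked']:
            f = rec['fields']
            blocked[(rec['client'], f.get('uri'), f.get('id'))] += 1
        else:
            # Non-block entries (e.g. the mutex error) point to misconfiguration.
            errors.append(rec['message'])
    return blocked, errors
```

Pipe a real error.log through summarize() to see which CRS rule ids fire most for which URIs, and to surface engine errors like the mutex failure separately from genuine blocks.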
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614