ModSecurity started out as an open-source WAF for Apache and noticeably improves web security; it now supports Nginx and IIS as well. Combined with the flexibility and performance of nginx it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for Nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module can be added to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is aimed at filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to cover other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory to the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
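The steps in 4.1 and 4.2, as an added shell script that is not part of the original post or of the ModSecurity project: it copies the recommended config, sets SecRuleEngine, renames the CRS setup file and appends the Include lines without duplicating them on a re-run. The paths are the ones used above; the engine-mode argument is an assumption added so that a first deployment can run as DetectionOnly before switching to On.

```shell
#!/bin/sh
# Added example: wire the OWASP CRS into modsecurity.conf as sections 4.1/4.2 describe.
# Not the ModSecurity project's own tooling; the directory layout follows the post.
set -eu

# $1 = unpacked ModSecurity source dir, $2 = nginx conf dir, $3 = engine mode
# (On | DetectionOnly | Off). DetectionOnly logs matches without blocking, which is
# how a new rule set is usually tried out before it is allowed to return 403s.
install_modsec_conf() {
  cp "$1/modsecurity.conf-recommended" "$2/modsecurity.conf"
  cp "$1/unicode.mapping" "$2/unicode.mapping"
  # modsecurity.conf-recommended ships with SecRuleEngine DetectionOnly
  sed -i "s/^SecRuleEngine .*/SecRuleEngine $3/" "$2/modsecurity.conf"
}

# $1 = nginx conf dir; remaining args = rule files relative to owasp-modsecurity-crs/
enable_crs() {
  conf=$1; shift
  crs="$conf/owasp-modsecurity-crs"
  if [ -f "$crs/modsecurity_crs_10_setup.conf.example" ]; then
    mv "$crs/modsecurity_crs_10_setup.conf.example" "$crs/modsecurity_crs_10_setup.conf"
  fi
  # Include paths are relative to the nginx conf dir; lines already present are
  # skipped so the script can be re-run without duplicating Includes.
  for f in modsecurity_crs_10_setup.conf "$@"; do
    if [ ! -f "$crs/$f" ]; then echo "warning: $crs/$f not found" >&2; fi
    line="Include owasp-modsecurity-crs/$f"
    grep -qxF "$line" "$conf/modsecurity.conf" || echo "$line" >> "$conf/modsecurity.conf"
  done
}

# Usage: sh enable_crs.sh /root/modsecurity-2.8.0 /opt/tengine/conf DetectionOnly
if [ "$#" -eq 3 ]; then
  install_modsec_conf "$1" "$2" "$3"
  enable_crs "$2" base_rules/modsecurity_crs_41_sql_injection_attacks.conf \
                  base_rules/modsecurity_crs_41_xss_attacks.conf
  /opt/tengine/sbin/nginx -t   # check the configuration before reloading nginx
fi
```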
5. Configure nginx

Add the following two lines inside the location block of any host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        # only requests matching this location are inspected; requests served by
        # other locations (static files, for example) bypass ModSecurity entirely
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name has to match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, malformed requests are answered with a 403 straight away. Taking the PHP setup as an example, create a phpinfo.php containing:

<?php
// remove this file once testing is done: phpinfo() discloses server details
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
7. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object (DSO).

Fix:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

# 0777 makes the directory world-writable; if /var/log/modsecurity is owned by the
# user the nginx workers run as, a mode such as 0750 is sufficient
SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
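An added check, not part of the original post: a shell script that reads nginx's error.log and reports the APR mismatch from 7.4, the mutex error from 7.5, and how many requests were denied per rule id, which is the way to confirm that the 403s seen in section 6 really came from ModSecurity. The banner and mutex lines in the sample are the ones quoted above; the "Access denied" lines, their rule ids and unique_ids are constructed.

```shell
#!/bin/sh
# Added example: a quick health check over nginx's error.log after ModSecurity is enabled.
# Covers the APR compile/load mismatch (7.4), the audit-log mutex error (7.5) and the
# number of requests the CRS denied per rule id. Not ModSecurity project code.

# Print "compiled loaded" APR versions from the most recent startup banner (empty if none).
modsec_apr_versions() {
  grep 'ModSecurity: APR compiled version=' "$1" | tail -n 1 |
    sed -n 's/.*compiled version="\([^"]*\)"; loaded version="\([^"]*\)".*/\1 \2/p'
}
# Succeed (exit 0) only when the compiled and loaded APR versions differ.
modsec_apr_mismatch() {
  v=$(modsec_apr_versions "$1")
  [ -n "$v" ] && [ "${v% *}" != "${v#* }" ]
}
# Succeed when the "Failed to lock global mutex" audit-log error is present.
modsec_mutex_error() {
  grep -q 'Audit log: Failed to lock global mutex' "$1"
}
# One "<count> <rule id>" line per rule, most frequent first, for denied requests.
modsec_blocked_by_rule() {
  grep 'ModSecurity: Access denied' "$1" |
    sed -n 's/.*\[id "\([0-9]*\)"\].*/\1/p' | sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}
# Constructed sample log for a stand-alone run: the banner/mutex lines from 7.4 and 7.5
# plus three made-up "Access denied" lines in the ModSecurity 2.x format (the rule ids
# and unique_ids are invented, not real CRS output).
modsec_sample_log() {
  cat <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 05:00:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [id "950901"] [msg "SQL Injection Attack"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed1"]
2015/01/26 05:00:02 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [id "950901"] [msg "SQL Injection Attack"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed2"]
2015/01/26 05:00:03 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:search. [file "modsecurity_crs_41_xss_attacks.conf"] [id "973300"] [msg "XSS Attack"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed3"]
EOF
}
# Usage: sh modsec_check.sh /opt/tengine/logs/error.log
modsec_report() {
  log=$1
  modsec_apr_mismatch "$log" && echo "WARN: APR version mismatch (compiled loaded): $(modsec_apr_versions "$log")"
  modsec_mutex_error "$log" && echo "WARN: audit log mutex error; see item 5 above"
  echo "denied requests by rule id:"; modsec_blocked_by_rule "$log"
}
if [ "$#" -eq 1 ]; then modsec_report "$1"; fi
```

Run without an argument the script only defines the functions; with an error.log path it prints the report.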
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614