|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
6 H' S+ M( Q" I' b" o% [9 `8 c0 L+ z; f& q( V; C2 I* [
一.准备工作) O, M) {4 l4 @- V$ q
) B6 J( u3 m o( j
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
0 C+ `3 M% t5 [7 B8 ?# v7 i; |) E N: G4 Q( P9 w0 N' o, \; K
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz. A. U( f! X: g" L
; t C+ u7 C8 j) H
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz9 `" q" a4 d/ M; d+ a1 H
, h. K# L# {; o6 Y+ _OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
9 c4 P+ E7 Q! V" \. @2 U
- ^6 i# g: A4 ^4 v' U5 ^依赖关系:3 H, P4 i% o: Z% ?( U9 I
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
- }, n* N, Z K( h) o7 `5 ?1 p" A" {9 q: [4 j
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel% x1 M0 o# Y( f# i5 A6 T3 T
modsecurty依赖的包:pcre httpd-devel libxml2 apr' i+ g5 ~8 [) C# ]5 J
" o. X/ M) a. {/ y& h
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
+ q& o4 U3 ~ w. O4 I& P二.启用standalone模块并编译 R5 j0 M( @. c' c! A' u, C
2 r1 y4 O, a+ e% K3 b& k. F) p& }下载modsecurity for nginx 解压,进入解压后目录执行:1 [ r1 i; b6 g t0 I$ u
9 ^. q4 I' c$ V. v8 T
./autogen.sh
6 M$ V7 x2 [3 x5 X- H./configure --enable-standalone-module --disable-mlogc& N, J2 f% ~* Q N6 O. Z
make % o4 E& P4 C1 P. a( O
三.nginx添加modsecurity模块
1 Q8 k7 a, q# `# W+ Z4 M: `2 T2 p) s# v1 j
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
9 z' H" d: t- t+ _2 M- v
3 M6 R4 q* ]; M3 ~5 j. n./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine' \3 D* G+ q* W- V
make && make install/ X7 j5 ~* j% Y. O$ P3 l6 B
四.添加规则
1 d1 T3 T0 a' h% R! K& J- {/ Q9 a) u. d8 ?6 B5 K- Q$ [
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
# Y% m, W. P" g, Q; g$ v% \4 O! I U$ w
1.下载OWASP规则:+ d8 R- Q( T8 Q
8 k f9 W( ] U8 e% c" pgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs3 |6 H% I/ e0 E) I5 z) j+ F, a h
/ K2 j$ N0 c5 r$ T' mmv owasp-modsecurity-crs /opt/tengine/conf/
/ V" G. I9 l+ b% `2 U
) {8 K; o0 z; i' M6 n- ?6 ~cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
T# T& ]% a2 p- y) N3 Y2.启用OWASP规则:* X! U7 Y0 M4 p, x$ j2 H" B
: E4 D. X. l* p/ t. f! q复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
! N3 l6 c( p, _8 t- X$ M0 C& Q0 T* V$ E. [, l* m1 B9 [
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
; H# P) Z% B' X
) k6 U5 L) L1 C0 Cowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
% ^. D* d& v/ P4 h& }8 D% V% w
: M, g0 O2 v% b+ N# P4 P: PInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf' Y: L5 S( Z$ n$ z
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf3 [. ]# R5 @ O4 X& ^. Q
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf) t- i& V1 w g) D
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf& @) F. C2 ^% Y% i2 _! u# J& }
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
1 }, ^8 E6 L8 J- X) h" wInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
( V8 S* \) I' c) gInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
9 W7 P5 {- W7 l! u6 i" i5 ]五.配置nginx1 |* p. L9 U6 B" W/ W+ b; n: y
7 D: l, `3 {- z! h
在需要启用modsecurity的主机的location下面加入下面两行即可:$ j+ V+ {1 h9 ]
6 U, Q$ t) `3 y4 VModSecurityEnabled on; . M) C& b: A* ~( ]
ModSecurityConfig modsecurity.conf;
2 {6 w8 B4 l# c* |! A$ ]下面是两个示例配置,php虚拟主机:( R8 G9 o% V& a( M
9 S, |) I; R6 s5 Z0 y
server {
9 Q* y# [1 D) { listen 80;
5 [2 Z, [9 p* j server_name 52os.net www.52os.net;; y, L; ]) k# q, P b& u, ]
; ]# d2 [$ P6 e9 @& \8 R location ~ \.php$ {1 t7 w4 T' `# I2 e; ^
ModSecurityEnabled on; 7 L: y R6 R, r3 X- J9 I
ModSecurityConfig modsecurity.conf;# @7 ]4 }, Z, r1 s- I% J9 K) {6 x
3 y. h# j' n/ K
root /web/wordpress;
. `3 R- [, T8 m u4 F$ @ index index.php index.html index.htm;4 `0 S0 z- K/ E9 W* \
$ c" ?+ y6 d) D( q7 r/ T X fastcgi_pass 127.0.0.1:9000;
5 n5 L% K2 Y( M$ U/ m* A fastcgi_index index.php;7 l8 c3 Q/ L7 @ m' l' t! N
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
6 u2 ~: q! Q) t* ]7 ~ include fastcgi_params;, p: Q$ J# P3 C
}
+ t( i) H! ~) k1 S3 K, ~ }1 r5 ~% ]5 d, }
upstream负载均衡:2 x x6 b% |+ i/ c( g: q% D
O; A8 Q6 C! _4 K" e4 \
upstream 52os.net {
* `" ]' a0 h! `3 p+ ?2 m server 192.168.1.100:8080;+ j: G! r0 y- N$ I) A% _! y& s5 q
server 192.168.1.101:8080 backup;
& _. F! z D: f% H' B}* t |: P, V8 u0 |
2 t/ U: L% S6 ^$ W
server {
& v/ S9 ^" ]9 p# g! L# [$ ^: }. v% Flisten 80;5 ?# k& Y- K5 I+ Z8 j+ Z
server_name 52os.net www.52os.net;% U9 y# g( m6 L! O! q0 y7 R
4 a* H( C: F% _! I# i' X$ S- O4 Ylocation / {
; k# B9 p4 ?- m- v$ R/ O4 R ModSecurityEnabled on;
i& A- I+ I* a3 c! H# Q ModSecurityConfig modsecurity.conf;
4 W1 N3 z) x) n8 \
- Q4 a/ ^1 t0 v# N$ k* x proxy_pass http://online;
3 [" S2 S( Y. D7 h0 b7 { proxy_redirect off;
* V1 }) z" W3 Q, U- U$ Y proxy_set_header Host $host;
% h8 l$ z" x( [+ ^( v$ w! `9 A proxy_set_header X-Real-IP $remote_addr;2 U, s, a3 z/ ^/ p& G8 e( t. z
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;) r+ P0 t- o+ }5 y1 D4 G
}3 b* O4 t" v* [) }$ E6 R5 T7 D
}# C" H- j+ j" P6 t6 ^
六.测试
0 K5 w0 U- }" _ x
5 N* U- o: }( x* m: L. V我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:3 L8 D d! S- ^# E' J0 T( \
9 W# ]5 k# r/ `, h& a<?php3 M% _# ?, I8 r* {
phpinfo(); + Q Z. ^2 @- q; f+ b" N
?>6 Q9 F; P' b& |2 j" t- @
在浏览器中访问:! K; H! M; |! S
9 ], f [) a4 q& c
http://www.52os.net/phpinfo.php?id=1 正常显示。+ `, H2 n, f. k; U4 g
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。5 w4 j& h* i6 D3 r# Y, n. Q
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。. m" ^# o9 o5 [- F' ?: Z
说明sql注入和xss已经被过滤了7 o' l8 ?3 I- |+ `: N. ~
9 G* }" b: \% F$ b
七、安装过程中排错
- S; K }( b, [& o& E/ W& `4 }
6 f3 j0 x# g% [9 Z' d2 o9 e1.缺少APXS会报错
, P1 s9 M0 q1 p( V2 f/ e) o% O" o3 g# m9 {, _* Y/ J* C7 r
configure: looking for Apache module support via DSO through APXS
* j. {7 l% l1 R$ v; Mconfigure: error: couldn't find APXS- |& s, `. s* b
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
2 Z/ k* U6 o) C" a) W解决方法:- }# r' p+ M3 p
: ` C" j. s% t; I* [9 G
yum install httpd-devel
- O# w9 D4 Z% ^5 B3 B' p& c2.没有pcre8 q+ ?4 o2 Z, ] t
3 i1 t1 L! b9 Uconfigure: *** pcre library not found.2 f! A3 D0 b! `9 T; Q
configure: error: pcre library is required* X9 W. {/ q# D9 G( Q8 [
解决方法:' W; V3 j5 F8 t( z' S
^1 e. b ^3 C% }
yum install pcre pcre-devel
+ |3 M, k, Q3 K& `' V% {3.没有libxml2
; n7 B: Y( s& c/ @7 o
" H( E" K" U" m; \0 K0 J1 g B, q1 x6 i
configure: *** xml library not found.
5 D* n" |6 g# W* ]8 g" M; uconfigure: error: libxml2 is required
2 b; z' d. _& S3 c! Z解决方法:7 Z& }0 K* k7 P! n: T2 }
, R( X; k- h+ M& L6 ]# s
yum install libxml2 libxml2-devel
4 G) l! o* @" }$ @/ G1 {6 P. N# @4.执行 /opt/tengine/sbin/nginx -m 时有警告
5 p; {& o. @" V p2 `& g( K1 v9 D U) {4 K9 B. N# f8 G
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
' [$ m& N* Z ~; |* d/ a/ Cnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
) Z2 `" j% v. j( s* D! F原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
/ x. M. F% i9 R! `$ Z2 `8 v
9 b+ ?! ]/ V# c4 s* M3 P2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.% c+ X* C* Z0 v, [& z
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
; T f" y* W5 i! g6 A* }- x2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!6 m* M; T+ O7 f4 M/ f8 r& s
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"5 a* c2 Y' ^6 | B6 [
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
1 i+ ~/ d* \$ M1 c2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
6 ^. X g+ X% n2 V# d9 J解决方法,移除低版本的APR (1.3.9)
. E5 c# ]! x1 S* k1 W3 s9 g) ]& a4 K8 v H5 u: h+ Q2 v
yum remove apr% o# y. e7 ^5 }7 l9 L3 Q
5.Error.log中有: Audit log: Failed to lock global mutex
+ \) d. K g& j1 s. f, t5 a; ^% k2 y& ]. U$ g. U8 {/ }+ _, M
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock ' ^2 R$ H/ }7 o( K6 [- F3 k# u
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]1 R6 b+ g2 N( h8 W# y
解决方法:
( d0 N; u+ w( @8 c$ A9 \2 I编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
6 i/ E1 R) }7 {, ~, s9 z3 [, B6 E( F3 I, c- e* p$ A% b( n
SecAuditLogDirMode 0777
- t! t. s, N* x" o* }SecAuditLogFileMode 0550. }* J" O' Q/ K' \- _4 t* o \
SecAuditLogStorageDir /var/log/modsecurity$ h) S1 G' B/ }( }/ c y* [
SecAuditLogType Concurrent
* Y4 E4 P# K" H0 p5 V参考文章:9 K1 D, _! Z8 i& i" X
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX; h1 k! \1 R/ D% U
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡