ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security. It now also supports Nginx and IIS; combined with Nginx's flexibility and efficiency it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for Nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build has finished, the ModSecurity module is added to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity focuses on filtering and blocking web threats, and its strength lies in its rules. The rule set provided by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); the rules are reliable and powerful, and you can of course also write custom rules to meet particular needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need; a rule file is enabled by pulling it into modsecurity.conf with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
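A preflight check for the rule wiring described in this section, added here as an example; it is not part of the article and not ModSecurity's or the CRS project's own tooling. It assumes the layout used above: modsecurity.conf and the owasp-modsecurity-crs directory sit in the same nginx conf directory, so relative Include paths are resolved against the directory containing modsecurity.conf. It verifies that every included file exists, that modsecurity_crs_10_setup.conf comes before any CRS rule file (the rule files consume the scoring variables the setup file initialises), reports the SecRuleEngine value, and flags a world-writable SecAuditLogDirMode. The sample configuration tree it writes into a temporary directory is constructed for the demonstration and deliberately contains one missing file and one out-of-order Include.

```python
import os
import re
import tempfile

# Constructed sample: a modsecurity.conf laid out like the one in this section,
# with one rule file included before the CRS setup file and one include whose
# target does not exist. Paths mirror the article's /opt/tengine/conf layout.
SAMPLE_CONF = """\
SecRuleEngine On
SecAuditLogDirMode 0777
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
"""
SAMPLE_FILES = [  # session_hijacking.conf is deliberately left out
    "owasp-modsecurity-crs/modsecurity_crs_10_setup.conf",
    "owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf",
    "owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf",
]

INCLUDE_RE = re.compile(r'^\s*Include\s+"?([^"\s]+)"?', re.IGNORECASE)
DIRECTIVE_RE = re.compile(r'^\s*(Sec\w+)\s+(.+?)\s*$')


def check_modsecurity_conf(conf_path):
    """Walk modsecurity.conf and return findings about includes and key directives.

    Assumption: relative Include paths resolve against the directory that holds
    modsecurity.conf, which matches the layout used in the article.
    """
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    findings = {"engine": None, "missing": [], "out_of_order": [], "warnings": []}
    setup_seen = False
    with open(conf_path) as fh:
        for lineno, line in enumerate(fh, 1):
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            inc = INCLUDE_RE.match(line)
            if inc:
                target = inc.group(1)
                path = target if os.path.isabs(target) else os.path.join(conf_dir, target)
                if not os.path.isfile(path):
                    findings["missing"].append((lineno, target))
                name = os.path.basename(target)
                if "crs_10_setup" in name:
                    setup_seen = True
                elif name.startswith("modsecurity_crs_") and not setup_seen:
                    findings["out_of_order"].append((lineno, target))
                continue
            directive = DIRECTIVE_RE.match(line)
            if not directive:
                continue
            key, value = directive.group(1).lower(), directive.group(2)
            if key == "secruleengine":
                findings["engine"] = value
            elif key == "secauditlogdirmode":
                try:
                    world_writable = int(value, 8) & 0o002
                except ValueError:
                    world_writable = False
                    findings["warnings"].append((lineno, "unparseable SecAuditLogDirMode"))
                if world_writable:
                    findings["warnings"].append(
                        (lineno, "SecAuditLogDirMode %s is world-writable" % value))
    if findings["engine"] is None:
        findings["warnings"].append((0, "SecRuleEngine is not set"))
    return findings


def build_sample(root):
    """Write the constructed sample tree under root; return the path of modsecurity.conf."""
    for rel in SAMPLE_FILES:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("# placeholder rule file for the demonstration\n")
    conf = os.path.join(root, "modsecurity.conf")
    with open(conf, "w") as fh:
        fh.write(SAMPLE_CONF)
    return conf


def run_sample():
    """Build the sample in a temporary directory and check it."""
    with tempfile.TemporaryDirectory() as root:
        return check_modsecurity_conf(build_sample(root))


if __name__ == "__main__":
    import sys
    # Check a real file when a path is given, otherwise run the built-in sample.
    result = check_modsecurity_conf(sys.argv[1]) if len(sys.argv) > 1 else run_sample()
    for key, items in result.items():
        print("%-13s %s" % (key + ":", items))
```

Run it with the path of a real modsecurity.conf as the first argument (for the layout above, /opt/tengine/conf/modsecurity.conf) before reloading nginx; a missing include is otherwise only discovered when the worker fails to start.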
V. Configure nginx

Add the following two lines to the location block of each virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # must name the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so malicious requests get a 403 straight away. Taking the PHP environment as an example, create a phpinfo.php with the content:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
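The three browser checks above can be kept as a repeatable smoke test so that a later rule or nginx change that silently disables the WAF is caught. The script below is an added example, not part of the article: the base URL and the three probes are the article's own, while the `fetch` injection point and the `fake_waf_status` stand-in are constructed here so the harness can be exercised offline. It also encodes the query the way a browser does (the space in "1 and 1=1" and the angle brackets become %XX sequences), which is what the WAF actually sees on the wire.

```python
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net/phpinfo.php"  # the article's test page

# (label, query parameters, expected status): the three requests from the article
CASES = [
    ("benign id", {"id": "1"}, 200),
    ("sqli probe", {"id": "1 and 1=1"}, 403),
    ("xss probe", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base, params):
    """Encode the query as a browser would (space, '<', '=' and quotes become %XX or '+')."""
    return base + "?" + urllib.parse.urlencode(params)


def http_status(url, timeout=5):
    """Real fetch: return the HTTP status, treating 4xx/5xx as a result rather than an error."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def run_cases(fetch=http_status, base=BASE_URL, cases=CASES):
    """Send every case through `fetch`; return (all_passed, [(label, expected, got), ...])."""
    results = []
    for label, params, expected in cases:
        got = fetch(build_url(base, params))
        results.append((label, expected, got))
    return all(exp == got for _, exp, got in results), results


def fake_waf_status(url):
    """Constructed stand-in for the WAF used for offline runs: 403 when the decoded
    query carries the article's SQLi or XSS probe, 200 otherwise. A crude imitation
    for exercising the harness, not a model of what the CRS rules match."""
    query = urllib.parse.unquote_plus(urllib.parse.urlsplit(url).query).lower()
    if " and 1=1" in query or "<script" in query:
        return 403
    return 200


if __name__ == "__main__":
    ok, rows = run_cases()  # hits the real server named in BASE_URL
    for label, expected, got in rows:
        verdict = "OK" if expected == got else "FAIL"
        print("%-12s expected %d got %d %s" % (label, expected, got, verdict))
    raise SystemExit(0 if ok else 1)
```

The exit status makes the script usable from a deployment pipeline: a non-zero result means either the benign request is being blocked (a false positive) or one of the probes is getting through.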
VII. Troubleshooting the installation

1. A missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
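Both problems in items 4 and 5 surface only in error.log, so it pays to parse those entries into fields rather than eyeball them. The parser below is an added example, not the article's or ModSecurity's code; its sample input is the article's own error.log excerpts (the wrapped "Failed to lock global mutex" entry rejoined on one line, as nginx writes it). It splits each entry into timestamp, level, pid and message, pulls the client address and the bracketed `[key "value"]` fields ModSecurity appends (hostname, uri, unique_id), and from the startup lines extracts the compiled and loaded library versions so a mismatch like the APR one can be detected automatically.

```python
import re

# Constructed sample, taken from the article's error.log excerpts.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# nginx error.log entry: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?P<msg>.*)$')
CLIENT_RE = re.compile(r'^\[client (?P<client>[^\]]+)\] ')
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?')


def parse_line(line):
    """Return a dict for one error.log entry, or None if the line is not an entry."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    client = CLIENT_RE.match(msg)
    if client:
        rec["client"] = client.group("client")
        msg = msg[client.end():]
    rec["fields"] = dict(FIELD_RE.findall(msg))
    rec["text"] = FIELD_RE.sub("", msg).strip()  # message without the trailing fields
    version = VERSION_RE.search(msg)
    if version:
        rec["lib"] = version.group("lib")
        rec["compiled"] = version.group("compiled").strip()
        loaded = version.group("loaded")
        rec["loaded"] = loaded.strip() if loaded is not None else None
    return rec


def parse_log(text):
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def version_mismatches(records):
    """Return [(lib, compiled, loaded)] where the runtime library differs from the
    build-time one. Only the leading dotted number is compared, so PCRE's
    '7.8 2008-09-05' matches '7.8' while APR 1.3.9 vs 1.5.0 is reported."""
    out = []
    for rec in records:
        if rec.get("loaded") is None:
            continue
        if rec["compiled"].split()[0] != rec["loaded"].split()[0]:
            out.append((rec["lib"], rec["compiled"], rec["loaded"]))
    return out


def audit_log_errors(records):
    """Return (client, uri, unique_id, text) for audit-log failures; each one is a
    request for which no audit record was written."""
    return [
        (rec.get("client"), rec["fields"].get("uri"), rec["fields"].get("unique_id"), rec["text"])
        for rec in records
        if rec["level"] == "error" and "Audit log:" in rec["text"]
    ]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("version mismatches:", version_mismatches(records))
    print("audit log failures:", audit_log_errors(records))
```

Pointing parse_log at the live error.log (for the layout above, /opt/tengine/logs/error.log) turns the two checks into something a monitoring job can run after every restart.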
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614