ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security; it now also supports Nginx and IIS. Combined with the flexibility and efficiency of Nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, extract it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and of course you can also write custom rules to meet your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; a rule file is enabled simply by Including it:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
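A pre-flight check for the configuration assembled in this step, added here as an example and not part of the original post: it confirms that modsecurity.conf has SecRuleEngine set to On (the file shipped as modsecurity.conf-recommended defaults to DetectionOnly, which only logs and never blocks) and that every Include line resolves to at least one existing file, wildcards included. It assumes, as in the layout above, that relative Include paths are resolved against the nginx conf directory (/opt/tengine/conf); the function names are my own.

```shell
#!/bin/sh
# Added example: pre-flight check of a ModSecurity-for-nginx configuration.
# Usage: modsec_check_conf /opt/tengine/conf/modsecurity.conf /opt/tengine/conf
# Assumption: relative Include paths are resolved against the nginx conf
# directory, which is how the layout above is arranged.

# Print every Include target of $1 that does not resolve (relative to $2)
# to at least one existing file. Wildcards such as base_rules/*.conf are
# expanded with normal shell globbing.
modsec_missing_includes() {
    sed -n 's/^[[:space:]]*Include[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" |
    while read -r inc; do
        # strip trailing whitespace and optional surrounding quotes
        inc=$(printf '%s' "$inc" | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/')
        case "$inc" in
            /*) pattern="$inc" ;;
            *)  pattern="$2/$inc" ;;
        esac
        found=0
        for f in $pattern; do        # unquoted on purpose: expand globs
            [ -f "$f" ] && found=1
        done
        [ "$found" -eq 1 ] || echo "MISSING: $inc"
    done
}

# Report problems; return 0 only when the engine is On and nothing is missing.
modsec_check_conf() {
    conf="$1"
    confdir="$2"
    status=0

    [ -f "$conf" ] || { echo "ERROR: $conf not found"; return 1; }

    # The last uncommented SecRuleEngine wins. DetectionOnly logs but never blocks.
    engine=$(sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
    case "$engine" in
        [Oo][Nn]) ;;
        "")       echo "WARN: no SecRuleEngine directive in $conf"; status=1 ;;
        *)        echo "WARN: SecRuleEngine is '$engine', not On; requests are not blocked"; status=1 ;;
    esac

    missing=$(modsec_missing_includes "$conf" "$confdir")
    if [ -n "$missing" ]; then
        echo "$missing"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: $conf (SecRuleEngine $engine, all Includes resolve)"
    return $status
}
```

Run it before reloading, then let nginx do its own syntax check with /opt/tengine/sbin/nginx -t; a missing rule file that slips through only shows up when the first request is processed.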
V. Configure nginx

Add the following two lines to the location block of the virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream with load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so malformed requests are answered with 403 directly. Taking the PHP environment as an example, create a phpinfo.php with the following content:

<?php
    phpinfo();
?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
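The same three requests as a repeatable smoke test, added as an example that is not part of the original post. It fetches each URL with curl, letting curl percent-encode the query string, and compares the HTTP status with the one expected above. The MODSEC_FETCH variable and the function names are assumptions of this script, not ModSecurity or nginx settings: MODSEC_FETCH lets you substitute another fetcher, which is how the offline check is exercised without a server.

```shell
#!/bin/sh
# Added example: smoke-test that the WAF passes a normal request and answers
# the two test payloads from the post with 403.
# Usage: modsec_smoke http://www.52os.net
# MODSEC_FETCH (assumed name, not an nginx/ModSecurity setting) may name a
# command that takes URL and query string and prints the HTTP status code;
# it defaults to curl.

# Print the HTTP status for BASE+PATH with QUERY percent-encoded by curl.
http_status() {
    base="$1"; path="$2"; query="$3"
    if [ -n "${MODSEC_FETCH:-}" ]; then
        "$MODSEC_FETCH" "$base$path" "$query"
    else
        curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
             -G --data-urlencode "$query" "$base$path"
    fi
}

# Run the three checks from the post; return 1 if any status is unexpected.
modsec_smoke() {
    base="$1"
    fail=0
    for spec in \
        "200|/phpinfo.php|id=1" \
        "403|/phpinfo.php|id=1 and 1=1" \
        "403|/phpinfo.php|search=<script>alert('xss');</script>"
    do
        want=${spec%%|*}
        rest=${spec#*|}
        path=${rest%%|*}
        query=${rest#*|}
        got=$(http_status "$base" "$path" "$query")
        if [ "$got" = "$want" ]; then
            echo "PASS $got $path?$query"
        else
            echo "FAIL expected $want, got $got: $path?$query"
            fail=1
        fi
    done
    return $fail
}

# Run against the host given on the command line, e.g. ./smoke.sh http://www.52os.net
if [ $# -gt 0 ]; then
    modsec_smoke "$1"
fi
```

Keep this script next to the configuration and rerun it after every rule change or CRS update: a 200 on the second or third line means the engine is in DetectionOnly mode, the rule file is no longer Included, or the location block no longer carries ModSecurityEnabled.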
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning appears when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
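A small log check for this failure mode, added here as an example rather than taken from the post: it pulls the "compiled version"/"loaded version" pairs that ModSecurity prints at startup out of error.log and reports any library whose two versions differ. Only the leading version token is compared, because PCRE reports its loaded version with a build date ("7.8 2008-09-05" against "7.8 ") and that is not a mismatch. The sample log lines are the ones quoted above, written to a temporary file by the script; the function names are my own.

```shell
#!/bin/sh
# Added example: find "compiled version" / "loaded version" mismatches in the
# ModSecurity startup notices of nginx's error.log.
# Usage: modsec_version_mismatches /opt/tengine/logs/error.log

# Print "LIB: compiled X, loaded Y" for each library whose loaded version
# differs from the one it was compiled against. Only the first token of each
# version string is compared, so PCRE's "7.8 2008-09-05" matches "7.8 ".
# Returns 1 if any mismatch was found, 0 otherwise.
modsec_version_mismatches() {
    out=$(sed -n 's/.*ModSecurity: \([A-Z0-9]*\) compiled version="\([^" ]*\)[^"]*"; loaded version="\([^" ]*\)[^"]*".*/\1 \2 \3/p' "$1" |
          sort -u |
          while read -r lib compiled loaded; do
              [ "$compiled" = "$loaded" ] || echo "$lib: compiled $compiled, loaded $loaded"
          done)
    [ -z "$out" ] && return 0
    echo "$out"
    return 1
}

# Write the startup notices quoted above to a temporary file and print its
# path (constructed sample input, so the check can be exercised offline).
modsec_sample_log() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
EOF
    echo "$tmp"
}

# Demo on the sample; prints "APR: compiled 1.5.0, loaded 1.3.9".
log=$(modsec_sample_log)
if modsec_version_mismatches "$log"; then
    echo "all ModSecurity library versions match"
fi
rm -f "$log"
```

Point it at the real error.log after every `yum update` that touches apr, pcre or libxml2: the warning only appears at startup, so a mismatch introduced by a package upgrade is easy to miss until the next reload.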
5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614