|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。- ?8 q- k" J5 s( y6 K5 l
2 K$ i$ K) } [
一.准备工作
# J m0 U+ g, \" |& j* {- ~- j! ]2 T8 y" i( \) q6 I \/ N
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
. H1 j8 d& f Q0 V' X" C: k! a0 l( a0 {3 y$ `
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz( I0 M+ J( m3 U& g+ N: h
3 v S$ M7 x( v; f# K
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz& u* Q! S* o: ?" C! f, U
?, L! d- l' ?& G$ U. k& R9 Y
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
; p" j& |, Q2 s+ @* n* {9 g' r
6 t7 v5 @" g* O6 O- g依赖关系:. L3 x# F3 W5 M( d f! ~
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
8 Z2 k5 j3 D# _& p
! J2 c. C: z/ ^yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
& O K; t$ \4 _% Imodsecurty依赖的包:pcre httpd-devel libxml2 apr
5 f7 L' S% c, `* Q, f
8 C% q7 f. p6 G& k3 G/ Z; [8 vyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel/ z9 v! o( J$ Q0 {! X, L
二.启用standalone模块并编译
) z1 n# y" w5 R0 b1 @
0 r, W/ z1 C! B* d4 \下载modsecurity for nginx 解压,进入解压后目录执行:, Z2 V2 }) c3 N1 x3 S% w
4 ^- p, l+ P& \) ]
./autogen.sh
/ H- s; t5 H% |./configure --enable-standalone-module --disable-mlogc* I" L! }9 }8 W! P4 Z) o7 j$ H
make
5 @0 W5 V( a8 K* h三.nginx添加modsecurity模块
9 V: n. D8 ~4 O& A) e! X5 |. k1 I3 z, J! T8 A
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:6 `6 e! Y0 D5 u" V# o: v1 a" C
% q" h$ }7 |. ]
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
! G2 g) i; F. s$ h+ D. H5 X$ Mmake && make install
' L- K5 N: O) H! ~+ Z" _四.添加规则
5 _% O6 X& _# d% Q/ n# h5 R. Z! D: y c* k0 J( s
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
* N( k0 I$ j* }6 S
" @- e5 {" N" `7 {8 p1.下载OWASP规则:: L8 C" E4 G: X2 F" s
8 {( m: r) \6 n, h4 m/ l7 C
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
% M2 g6 C' I$ \! K# V; [( V) H; M- R9 \
mv owasp-modsecurity-crs /opt/tengine/conf/
) ^0 [! F$ ~9 a# a- n2 h: X% P" t) R; m
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf l' |" s9 {1 J& b/ z& h
2.启用OWASP规则:
# }4 b# W) L2 h6 S
: R5 h+ p; I& n* p5 u复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
" m# J7 z* G3 u4 S- i) q' Y0 V! P Q8 P
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
& H _' K6 D+ B }* S1 W! Q% C: R7 Z6 j% m6 r
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。( n/ j, A+ R' B
! E# {# w4 Y) I! GInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
x# R6 c- f5 @Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
' ]6 S M0 Y3 eInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
+ n' @+ I1 j- Q. s" ^Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf3 ?5 D' E- a7 h; a+ u* j& P* M
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
- j. }: K$ t3 GInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
2 h, U! X. r' V+ k8 q7 _$ qInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf& J$ s/ |9 X0 k5 q: B4 z- ?
五.配置nginx) x0 \/ B5 ]6 v% k1 K. p
3 ~3 T4 z# x5 x- V
在需要启用modsecurity的主机的location下面加入下面两行即可:
9 \4 r8 o% @& B
: @* w: n) Q6 I& KModSecurityEnabled on; 9 F0 `: z' T5 p1 K& I" \
ModSecurityConfig modsecurity.conf;
9 h1 C/ _9 t |, U下面是两个示例配置,php虚拟主机:
3 Q) }$ g1 f% f' e$ k5 k1 n
8 `6 M: `2 o% S9 g" Hserver {" p& t3 N7 @% K2 L
listen 80;
5 P: |! @) G$ ?# N server_name 52os.net www.52os.net;
/ F1 V W; ]& g! a
0 ~8 ^7 {. z. Z5 i0 ]6 ~ location ~ \.php$ {
( w7 A& Y* x( ?% y6 Z2 w7 B ModSecurityEnabled on; % o3 b4 j# ^3 t7 L2 o
ModSecurityConfig modsecurity.conf;- g+ _3 F* s$ h! l3 X) R: \
' r$ n! \. r; }8 E& t
root /web/wordpress;
9 ~/ c' U( l0 d index index.php index.html index.htm;4 h0 P! p1 l- I, \! L$ j
1 P: [2 ~8 y. U( a fastcgi_pass 127.0.0.1:9000;
; h& q8 g8 L6 F6 _ fastcgi_index index.php;; |4 w' ~$ B$ y- N' `. s
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
1 h4 K" F9 h( ]/ I; J include fastcgi_params;
& b5 [5 @9 D D" v) b }! [1 W* K$ t# Q9 F
}
3 a" F$ `* S0 ?; R7 @" m0 fupstream负载均衡:
) C9 T! r5 M0 ` q7 `8 M0 X1 q1 S* d V; U" B
upstream 52os.net {
8 j7 D7 Z# q' n0 }5 l# d0 J$ ~ server 192.168.1.100:8080;
, F1 x; _ M2 }0 }$ L server 192.168.1.101:8080 backup;
0 ~; I2 f! b& G}% s: w- g' e; H9 b# r
" E3 S9 V' U9 ~0 W! Hserver {" @! r+ y3 X R. x
listen 80;# S( K; J5 ^5 Q' n( \# @: @+ O
server_name 52os.net www.52os.net;
5 h: f+ m4 L9 _7 s% r. C2 N# w |; B: Z$ S' _% Z+ }
location / {8 d. q! W' Y0 x+ t& a6 }9 E
ModSecurityEnabled on; + T9 N: t8 L' \6 p; l) l
ModSecurityConfig modsecurity.conf; $ |1 k$ q. E; h( P
: o \3 w9 @, B
proxy_pass http://online;
/ d+ Q# j) O: J2 H4 n1 Y6 `8 _ r( M proxy_redirect off;$ K# O: c: q6 B# s" ^
proxy_set_header Host $host;
! } S! o* X; N b' Y- I proxy_set_header X-Real-IP $remote_addr;7 f M; ?7 \6 h8 G8 d
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Q% K# [9 s" Z" H/ {# a& S }
0 w5 n+ K' f/ K/ D" C% ?}7 i2 C. w$ n2 l, O
六.测试
7 Y) [6 W: [! H4 _: L4 f2 N2 K& ~" }8 H
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:# |$ ^4 h: \, U, k- g$ x
z7 H/ @ e; M. Z- R7 ]. s<?php
2 P# E! M' v* d3 x phpinfo(); , o! }4 n$ @! O! x
?>
. r0 T; G% M- r4 m4 K; l1 u在浏览器中访问:
/ d* A) E) ^9 O* `# p" O8 t! q f2 G7 J% x0 a
http://www.52os.net/phpinfo.php?id=1 正常显示。
0 m+ _, \1 N8 w! B! { J2 Vhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
& z0 s9 D* U% fhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。; d$ L- R6 o, \8 @" u8 \" Z# L
说明sql注入和xss已经被过滤了
6 J2 {4 Z3 O( H% {6 ^
9 z- P" M' k& e9 U0 |; }七、安装过程中排错8 h, L" p0 \5 z5 e; M7 S0 W8 B
& N3 D: y6 h, y5 d/ x* m
1.缺少APXS会报错7 S! y$ ] b2 q' `* Z8 \
& Y) I8 P# z$ @8 ?' ]1 C+ G0 ?: |
configure: looking for Apache module support via DSO through APXS
9 o+ Z) a+ o4 m$ G2 hconfigure: error: couldn't find APXS
2 h1 o5 b% v, {% e; hapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
, C' S5 x9 t6 N& X; z' @解决方法:
Y5 U `3 ?; @7 y# P/ m4 C
% F7 h- V3 \- Qyum install httpd-devel
/ O1 X; L- }" ^+ N5 S, N2.没有pcre
9 Q4 X, H) P8 `9 b9 Y( Z; C4 U) d, B
configure: *** pcre library not found. H! y; n/ Q# ~$ ^$ @- p
configure: error: pcre library is required
% n) r5 ?$ ?) m1 c, h解决方法:4 p5 \+ |3 B9 ]- v
7 i* H" a/ @& c) Kyum install pcre pcre-devel0 ], _$ U" h) b
3.没有libxml2
; ~$ G o D: O# {; V, V) c
7 A; E# J+ K2 _3 i' X" b0 U
. G% F1 P9 i: f9 gconfigure: *** xml library not found.7 z* X8 a- e6 Z/ |7 r5 t e% ^
configure: error: libxml2 is required
+ C4 D+ c) m1 Y* y! h. z+ {解决方法:
! Z# N6 L# X1 P2 I0 z5 g5 c- Q( X6 {8 J+ L+ I2 ^9 R/ K. l
yum install libxml2 libxml2-devel6 c# t& {* W9 [% H t4 q
4.执行 /opt/tengine/sbin/nginx -m 时有警告' X/ F$ `4 |3 m: x' b2 i
( x+ m/ d% Z: a. D5 w# J0 h* M1 S
Tengine version: Tengine/2.1.0 (nginx/1.6.2)6 P' q' h9 e l) y9 w
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
' s! L# G( s& B原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
* {( L; k; K% L- b' W6 C5 C' v& ]. m" a; c- x0 o0 S* Q2 G- M; p
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.8 a2 b' P/ c' k J
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
/ c- _, r$ m1 J& N# k8 U2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!6 ^, v& v3 L* A+ }, Q' a0 @8 F
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
1 P7 z" v- e' U7 c2 r+ i2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
$ h/ L! V. t( B% V2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
9 P# A# x+ t, V. K3 e K M解决方法,移除低版本的APR (1.3.9)
- r1 L( A6 b& ]" C! l1 S& A" r: B, q2 \; E' V: C% l4 g
yum remove apr
2 z+ J$ ~2 {- t7 Z5.Error.log中有: Audit log: Failed to lock global mutex, [" ]5 a$ v& W' ~3 J( e
% Z: w+ T! i$ ~4 Y! Y
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
% ~6 e% l' w4 v& `* V1 V3 pglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
7 u3 `. o/ g2 d1 P2 i) f* w, w; m解决方法:
- h- i& r5 D: j# f编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:- T0 K' C5 y' a: u
! G9 g) y% B; G2 L% ~% g- h- [
SecAuditLogDirMode 0777# q# v; |$ ` a
SecAuditLogFileMode 0550
6 ^; u3 Y" J" b! }! i; YSecAuditLogStorageDir /var/log/modsecurity* d& A4 u/ G/ k$ p6 Z6 w
SecAuditLogType Concurrent
/ x3 @0 E3 B; N2 W, \8 ]; [+ N参考文章:. L3 V+ Y4 p1 C! g7 F) w: U
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX' F. A" u0 q% o0 F
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡