ModSecurity was originally an open-source WAF for Apache that adds a meaningful layer of protection to web applications. It now also supports nginx and IIS, and combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a valuable tool for protecting and auditing web security.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module has been compiled, it can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is geared towards filtering and blocking web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful. You can of course also write custom rules to cover your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory to nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by pulling them in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

Add the following two lines inside the location of any virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        # Run every PHP request through ModSecurity with the rules from modsecurity.conf
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Then an upstream load-balancing setup:

# The group name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        # Inspect requests before they are forwarded to the backends
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

With the XSS and SQL injection rules enabled, abnormal requests are answered with a 403 straight away. Taking the PHP environment as an example, create phpinfo.php with the following content:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
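The three browser checks above can be scripted so that the WAF verdicts are re-verified after every rule or nginx change. The script below is an added example written for this article, not part of the original post; it assumes curl is installed and that the target serves /phpinfo.php as set up above. The payloads are passed with --data-urlencode, so they reach ModSecurity encoded exactly as a browser would send them.

```shell
#!/bin/sh
# Added example (not from the original post): replay the three requests
# from the test section against a base URL and verify the WAF verdicts.
# Assumes curl is installed and the site serves /phpinfo.php.

# http_status URL [CURL_ARGS...] -> prints only the HTTP status code.
# -G turns each --data-urlencode value into a properly encoded query string.
http_status() {
    url=$1; shift
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 -G "$url" "$@"
}

# expect_status EXPECTED URL [CURL_ARGS...] -> 0 if the verdict matches.
expect_status() {
    expected=$1; shift
    got=$(http_status "$@") || got="000"
    if [ "$got" = "$expected" ]; then
        echo "ok    $expected  $1"
        return 0
    fi
    echo "FAIL  expected $expected got $got  $1" >&2
    return 1
}

# waf_smoke_test BASE_URL -> 0 only if every request got the expected verdict.
# The three cases are the ones the article tests by hand: a benign request
# must pass, the SQL injection and XSS probes must be blocked with 403.
waf_smoke_test() {
    base=$1
    rc=0
    expect_status 200 "$base/phpinfo.php" --data-urlencode "id=1" || rc=1
    expect_status 403 "$base/phpinfo.php" --data-urlencode "id=1 and 1=1" || rc=1
    expect_status 403 "$base/phpinfo.php" --data-urlencode "search=<script>alert('xss');</script>" || rc=1
    return $rc
}

# Usage: sh waf_smoke.sh http://www.52os.net
if [ -n "${1:-}" ]; then
    waf_smoke_test "$1"
fi
```

The script exits non-zero when any request does not receive the expected status, which makes it usable as a gate in a deployment pipeline: a rule set that silently stops blocking, or one that starts blocking the benign request, both show up as a failed run.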

VII. Troubleshooting the installation

1. A missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel
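The three configure failures above, and the dependency list in section I, all come down to a development tool that is not on PATH. The script below is an added example written for this article, not part of the original post or of ModSecurity: it checks for the helper programs that ModSecurity's configure script looks for (apxs, pcre-config, xml2-config, apr-1-config) before the build starts, and maps each missing one to the CentOS package named in this article.

```shell
#!/bin/sh
# Added example (not from the original post): check for the build tools that
# ModSecurity's configure looks for before running it, and name the CentOS
# package that provides each one. The command-to-package table reflects the
# packages used in this article.

# missing_commands CMD... -> prints each CMD that is not on PATH, one per line.
missing_commands() {
    for cmd in "$@"; do
        command -v "$cmd" >/dev/null 2>&1 || echo "$cmd"
    done
}

# package_for CMD -> the yum package (as used in this article) that supplies CMD.
package_for() {
    case "$1" in
        apxs)         echo httpd-devel ;;
        pcre-config)  echo pcre-devel ;;
        xml2-config)  echo libxml2-devel ;;
        apr-1-config) echo apr-devel ;;
        *)            echo unknown ;;
    esac
}

# preflight -> 0 if everything configure needs is present, 1 otherwise,
# printing a ready-to-run yum line for whatever is missing.
preflight() {
    missing=$(missing_commands apxs pcre-config xml2-config apr-1-config)
    [ -z "$missing" ] && return 0
    pkgs=""
    for cmd in $missing; do
        echo "missing: $cmd" >&2
        pkgs="$pkgs $(package_for "$cmd")"
    done
    echo "run: yum install$pkgs" >&2
    return 1
}

# Usage: run preflight in the ModSecurity source directory before ./configure
# preflight && ./configure --enable-standalone-module --disable-mlogc
```

Running preflight before ./configure turns three separate stop-and-fix cycles into one yum command, and the same check can be kept in a build script so a rebuild on a fresh host fails early with a clear message instead of partway through configure.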

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr
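The compiled/loaded notice lines ModSecurity writes at startup are easy to overlook in a busy error.log, but they can be checked mechanically. The script below is an added example written for this article, not part of the original post or of ModSecurity: it extracts the two APR versions from the startup notices and fails when they differ. The sample log lines embedded in it are copied from the error.log excerpt above.

```shell
#!/bin/sh
# Added example (not from the original post): detect the APR compiled/loaded
# mismatch from the startup notices ModSecurity writes to error.log, so the
# condition is caught by a deploy check instead of by eye.
# SAMPLE_LOG is copied from the error.log excerpt in the article.

SAMPLE_LOG='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!'

# apr_versions < LOG -> prints "COMPILED LOADED" taken from the APR notice line.
apr_versions() {
    sed -n 's/.*APR compiled version="\([^"]*\)"; loaded version="\([^"]*\)".*/\1 \2/p'
}

# check_apr < LOG -> 0 if compiled and loaded APR agree, 1 if they differ,
# 2 if no APR notice was found (module not loaded, or log level too low).
check_apr() {
    versions=$(apr_versions)
    [ -z "$versions" ] && return 2
    compiled=${versions% *}
    loaded=${versions#* }
    if [ "$compiled" = "$loaded" ]; then
        echo "APR ok: $compiled"
        return 0
    fi
    echo "APR mismatch: compiled $compiled, loaded $loaded (remove the old apr and rebuild)" >&2
    return 1
}

# Usage against a live server: check_apr < /opt/tengine/logs/error.log
# Demonstration on the sample lines (exit status ignored so the script continues):
printf '%s\n' "$SAMPLE_LOG" | check_apr || :
```

Pointed at the real error.log right after a restart, the check reports the mismatch the article describes (compiled 1.5.0, loaded 1.3.9) with exit status 1; the distinct exit status 2 for "no notice found" keeps a missing module from being mistaken for a healthy one.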

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
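Switching to the Concurrent audit log type is what avoids the global mutex, but a 0777 directory mode makes the audit log directory writable by every local user, and audit logs contain full request data. Creating the storage directory owned by the nginx worker user lets the directory and file modes stay restrictive. The script below is an added example written for this article, not part of the original post or of ModSecurity; the worker user name nginx is an assumption and should be taken from the "user" directive in nginx.conf.

```shell
#!/bin/sh
# Added example (not from the original post): prepare the concurrent audit log
# directory so the worker processes can write to it without a world-writable
# mode. The worker user/group (nginx) is an assumption; use the account named
# by the "user" directive in nginx.conf.

# prepare_audit_dir DIR USER GROUP -> creates DIR owned by USER:GROUP, mode 0750,
# so only the worker account (and its group, read-only) can reach the audit data.
prepare_audit_dir() {
    dir=$1; user=$2; group=$3
    mkdir -p "$dir" &&
    chown "$user:$group" "$dir" &&
    chmod 0750 "$dir"
}

# audit_stanza DIR -> the modsecurity.conf lines for concurrent audit logging,
# with directory/file modes that keep the logs private to the worker account.
audit_stanza() {
    cat <<EOF
SecAuditLogType Concurrent
SecAuditLogStorageDir $1
SecAuditLogDirMode 0750
SecAuditLogFileMode 0640
EOF
}

# Usage (as root, after commenting out the default SecAuditLogType/SecAuditLog):
#   prepare_audit_dir /var/log/modsecurity nginx nginx
#   audit_stanza /var/log/modsecurity >> /opt/tengine/conf/modsecurity.conf
```

With the directory owned by the worker account, ModSecurity can create its per-day and per-transaction subdirectories without needing write access for everyone, and the 0640 file mode still lets a log-shipping agent in the nginx group read the entries.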

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614