ModSecurity was originally an open source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

2. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, and run the following inside the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, it can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is about filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover whatever else you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules in them as needed; a rule file is enabled simply by pulling it in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines to the location block of each virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # must name the upstream group defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

6. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests get a 403 straight away. Using the PHP environment as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
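The three browser checks above can be repeated from the command line so the WAF is re-verified after every rule or nginx change. The script below is an added example, not code from the original post: it sends the same three requests with urllib and expects 200, 403 and 403. BASE_URL (the post's own host) is an assumption to replace with the host you are testing, and the fetch function is injectable so the pass/fail logic can be exercised without a live WAF.

```python
"""Smoke test for the ModSecurity/Tengine setup described in the post.

Added example, not code from the original post. It replays the post's
three requests (a benign query, a SQL injection probe and an XSS probe)
and checks that the first returns 200 and the other two 403.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# assumption: the post's host; point this at the server you are testing
BASE_URL = "http://www.52os.net"

# (query parameters, expected HTTP status); payloads are the ones from the post
CHECKS = [
    ({"id": "1"}, 200),                                   # benign request passes
    ({"id": "1 and 1=1"}, 403),                            # CRS SQL injection rules
    ({"search": "<script>alert('xss');</script>"}, 403),   # CRS XSS rules
]


def fetch_status(url, timeout=5):
    """Return the HTTP status of a GET; urllib raises on 4xx/5xx, so unwrap it."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(base_url, fetch=fetch_status):
    """Run every check and return (url, expected, actual, ok) tuples.

    `fetch` is injectable so the logic can be tested without a live WAF.
    """
    results = []
    for params, expected in CHECKS:
        # urlencode percent-encodes the payload exactly as a browser would
        url = base_url + "/phpinfo.php?" + urllib.parse.urlencode(params)
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


def all_passed(results):
    """True only when every request got the status the WAF should produce."""
    return all(ok for _, _, _, ok in results)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else BASE_URL
    outcome = run_checks(target)
    for url, expected, actual, ok in outcome:
        print(f"{'PASS' if ok else 'FAIL'} expected={expected} got={actual} {url}")
    sys.exit(0 if all_passed(outcome) else 1)
```

Run it as `python3 waf_smoke.py http://your-host`; it exits non-zero when any request gets an unexpected status. The payloads are percent-encoded by urlencode, which is what a browser sends too; the CRS rules decode the arguments before matching, so the encoding does not hide them. A 200 on the second or third request usually means SecRuleEngine is still DetectionOnly, the rule file is not included, or the location block lacks the two ModSecurity directives.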
7. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
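The startup notices under item 4 and the audit-log error under item 5 share one shape: the nginx error.log prefix, an optional [client ...] tag, then a ModSecurity message followed by [key "value"] metadata. Rule hits are written in the same shape, so one parser covers both the troubleshooting cases and day-to-day monitoring. The script below is an added example, not code from the original post; SAMPLE_LOG is constructed from the excerpts above plus one illustrative "Access denied" line (its rule id, message, line number and unique_id are sample values, not taken from a real event).

```python
"""Parse the ModSecurity messages that Tengine/nginx writes to error.log.

Added example, not code from the original post. SAMPLE_LOG is constructed:
the version and mutex lines follow the excerpts in the post, the "Access
denied" line follows the format ModSecurity 2.x uses for a rule hit, with
illustrative values.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:16:03 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-id-0001"]
"""

# nginx error.log prefix, optional [client ...] tag, then the ModSecurity message
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#\d+: (?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<body>.*)$'
)
# ModSecurity appends its metadata as [key "value"] pairs
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>[^"]*)"\]')
# library version notices printed at startup
VERSION_RE = re.compile(
    r'(?P<lib>[A-Z]+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)


def parse_line(line):
    """Return a dict for a ModSecurity line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    body = rec.pop("body")
    rec["fields"] = dict(FIELD_RE.findall(body))
    # message text with the [key "value"] metadata stripped out
    rec["message"] = " ".join(FIELD_RE.sub("", body).split())
    return rec


def parse_log(text):
    """Parse a whole error.log, keeping only the ModSecurity records."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def version_mismatches(records):
    """Libraries whose loaded version differs from the compiled one.

    Only the leading version token is compared, so PCRE "7.8 " and
    "7.8 2008-09-05" agree while APR "1.5.0" and "1.3.9" do not, which is
    the case behind the warning in troubleshooting item 4.
    """
    def first(s):
        return (s.split() or [""])[0]

    out = {}
    for rec in records:
        m = VERSION_RE.search(rec["message"])
        if not m or m.group("loaded") is None:
            continue
        compiled, loaded = first(m.group("compiled")), first(m.group("loaded"))
        if compiled != loaded:
            out[m.group("lib")] = (compiled, loaded)
    return out


def blocked_requests(records):
    """Requests the engine rejected, with the client, URI and rule that fired."""
    return [
        {
            "time": r["ts"],
            "client": r["client"],
            "uri": r["fields"].get("uri"),
            "rule_id": r["fields"].get("id"),
            "msg": r["fields"].get("msg"),
            "unique_id": r["fields"].get("unique_id"),
        }
        for r in records
        if r["message"].startswith("Access denied")
    ]


def audit_log_failures(records):
    """The 'Failed to lock global mutex' errors from troubleshooting item 5."""
    return [r for r in records if "Failed to lock global mutex" in r["message"]]


def level_counts(records):
    """How many notice/warn/error ModSecurity lines the log contains."""
    return Counter(r["level"] for r in records)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("levels:", dict(level_counts(records)))
    print("version mismatches:", version_mismatches(records))
    for hit in blocked_requests(records):
        print("blocked:", hit)
    for fail in audit_log_failures(records):
        print("audit log failure:", fail["fields"])
```

Feed it the real file with `parse_log(open("/opt/tengine/logs/error.log").read())`. A non-empty `version_mismatches` result after a restart means the APR fix from item 4 has not taken, and any `audit_log_failures` means the audit directory permissions from item 5 are still wrong; `blocked_requests` gives the per-rule view you need when deciding whether a 403 was a real probe or a false positive to exclude.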
) m1 W/ ?7 g' a# H( L参考文章:
* _) `7 c, ]1 D* \/ ~- N! ghttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
5 A- q6 B" `1 O; N! T$ |6 ]http://drops.wooyun.org/tips/2614 |
|