|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
9 [, v" ~& R; m2 e+ ~# y! c' Y; Z" |3 _1 J5 B" S2 L
一.准备工作" p+ z _, `" [: H7 B$ o
8 q+ Q" s7 u0 y( o, v系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
" e3 e' Q8 J9 q) X7 F3 i: b7 q$ m0 k7 R- h* W
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
# i3 h2 r# M; h$ r* j; e
1 i& d7 ]- A, L' t( e2 \. nmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz. x, t' z& G! e
1 E3 T$ A8 u" D: v8 H
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs7 R" e& I3 y4 Z
+ u- s: @5 v- P" @依赖关系:, t. v/ ?$ @7 S r+ N; Q
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
! {, h( d3 R6 V* [% H6 U3 T- W k* U* D7 N U6 ~5 L
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel2 s4 ~; N9 e5 X1 O* b7 f: W
modsecurty依赖的包:pcre httpd-devel libxml2 apr# w; m) e7 \: f% H z: ]
! t8 O' T4 x2 a7 Iyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel4 _; x+ C& a9 N% U& L" Z% u' [% P8 M
二.启用standalone模块并编译& k k: r# S R& ^6 N% t/ l+ B
/ N h) C O3 C! x& x下载modsecurity for nginx 解压,进入解压后目录执行:; O& y- Y7 M' |7 ?/ K
5 p1 ?" n! D8 o- o
./autogen.sh
3 W/ f' ~1 k; ?4 r8 N+ o* N./configure --enable-standalone-module --disable-mlogc: [$ Y9 g9 [) c9 x
make 5 }' i3 h* S: b6 t; h% J
三.nginx添加modsecurity模块
& i+ o: F1 r: d9 D: X( o1 v; \4 n. S+ I3 [
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
3 \. S& `' Z8 U& D1 e8 t: P/ l, c% d- u
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
$ Z2 a C& {9 O3 [# _5 r. Fmake && make install7 L& u0 j/ Y) ]) e+ ]/ N
四.添加规则
9 I9 n: \. k9 f" {5 O1 ^: ?" @1 y' M% D. L( d
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
0 a4 h' j. U1 P5 D9 \& ~2 @* P6 N+ Y* P6 S( }" o8 L4 I
1.下载OWASP规则:
+ a; Y9 S; E' v4 N4 e1 e, |% V
( x. a' p8 e3 N v Vgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
/ g/ N+ I) A- A/ V% W7 l$ e6 w5 n! l. h/ m) P( K% B1 e- ]
mv owasp-modsecurity-crs /opt/tengine/conf/# b7 k, F1 D" t* P: [- D
' T q0 L( N+ l$ \# Vcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
8 J4 V- F9 C5 _* X2.启用OWASP规则:& ~' Y5 G* l9 U, E' u3 f8 y# ?- n
# B% [1 ^! `% @7 C复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。" O. ^7 A n6 E' C" v
+ @# ~' M+ L0 S& U
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on4 ?3 V- p8 N: [: k/ }) U; B0 D* j
3 {! i% s9 B7 u y3 u
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。( I8 D5 r9 w) b b) J
; _$ s$ ?( R" @+ x! z5 F/ C7 m( t: Q
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
+ a) `( ]$ `- A) y* _Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf! @# o0 k; n4 v) o) W
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
. c4 ~7 u( E. E* RInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf- E2 ]. N: Q1 W; v3 U, ~) @/ |
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
2 g+ G* ]1 [* a2 qInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf6 p9 t: v* T+ `. m8 Y5 r0 }9 e4 p
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
+ m2 A' l4 _* R* o五.配置nginx8 a" L! W/ S9 n1 U! s# u& t
% }3 }$ X# S7 \& Z9 r# h
在需要启用modsecurity的主机的location下面加入下面两行即可:
9 \, j0 v9 o! \) e3 r; b
% I4 }) e) n: f3 s+ M. hModSecurityEnabled on; 7 z2 J9 E4 A) u+ A1 R+ ^7 w: W! o
ModSecurityConfig modsecurity.conf;8 g2 g5 @5 Y% f# O1 x- Q8 _
下面是两个示例配置,php虚拟主机:0 ~+ Y, u4 h$ d3 S d
& x3 u2 R( P. `7 o
server {; `" p/ B+ e+ d/ b3 s
listen 80;
- |6 k5 ~2 f3 z5 i server_name 52os.net www.52os.net;9 a7 [" x& y4 r4 [
4 Y8 k# {; W- j. w* r location ~ \.php$ {. \# |5 `- p6 i3 R1 X
ModSecurityEnabled on; , E( z: L+ m3 I# q: w
ModSecurityConfig modsecurity.conf;( v C& q2 v) R' ~: T, }
( z+ [# `' e( z$ P5 f3 {; ^) U root /web/wordpress;) S1 [6 e h. X$ Z, Y Z4 x
index index.php index.html index.htm;3 H& q5 u6 S4 l' {! F1 b1 }3 x4 X
" n$ q- P3 V' r. `3 E; E fastcgi_pass 127.0.0.1:9000; F% d& v% l' u- Z' y) W+ ]5 G1 ^
fastcgi_index index.php;
& ?- E, o' t* w fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
# M( n J X- P1 \# g7 B" ^! Z include fastcgi_params;
$ r' Q% ~, U( \0 e/ e5 M }9 }& _' X6 [$ h. Y; W
}' d* M/ o5 U, G4 Q, V; |
upstream负载均衡:
+ D6 T+ m1 R( g4 X
6 X! k/ t8 L" l ~6 p# W8 M% zupstream 52os.net {$ ?) o: R% n, v, }0 e; G) z+ s" C
server 192.168.1.100:8080;
, }- I6 V V: L/ A% s server 192.168.1.101:8080 backup;
7 s& x7 m. z5 f- c" G" U" L6 v}0 o, Y4 H; ]6 C: X6 [
2 B* W" R. u1 T- {+ D, A; |server {7 z: }- i3 L# F( l
listen 80;+ _4 m i9 H# O6 y# P
server_name 52os.net www.52os.net;; f4 B* D& S7 t3 g* e2 R, E G
( {2 n2 \9 ~- K$ `7 E6 e
location / {
: r5 V: ~7 o g) ? ModSecurityEnabled on;
* ?/ K/ A( i9 p9 ], t; \" X ModSecurityConfig modsecurity.conf;
T4 s9 x! F3 F, j, a* T
! o/ s1 F3 y0 `) S proxy_pass http://online;, T* ]* X& ^* W5 {
proxy_redirect off;
& T' S/ J5 g2 p, e. q& P6 f proxy_set_header Host $host;; U2 `/ t4 f+ k! x% a
proxy_set_header X-Real-IP $remote_addr;6 [0 Q* w6 l! M2 \
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;) H" b! L" D2 ]( M
}
- b# T" o5 O9 R% C: v}# {; ?5 `4 x- |- Y$ A
六.测试
5 r) G2 M: I( b1 c7 g" s$ Z
) x7 `7 Y* c ^6 q* x$ A我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
; j: r% K5 I, J5 v A
g- ~2 q8 A d! Y# h<?php/ W. m3 `, X) F. @8 y9 E: D
phpinfo(); ! N# K. Y" y1 `5 q. x1 d
?>& ~9 ]/ o( w4 ^1 I
在浏览器中访问:
; |& J% L2 U: W8 P! e' b
2 \6 G6 y3 g- hhttp://www.52os.net/phpinfo.php?id=1 正常显示。
# m1 N. v) U: B5 S7 _5 zhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。- @% @# M, m5 g* A; W
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
2 c. W0 s V2 P1 ~" B1 }; U+ ~说明sql注入和xss已经被过滤了
! f. N! O' ~& l1 m, Q1 `: H u$ _/ O4 [: q) X* M/ x3 g
七、安装过程中排错, G0 l$ S9 S \6 s2 e
' j* z3 ?! ?& }+ u1.缺少APXS会报错
0 }8 a* P" L7 Z C& Y B# U( ^& r- ^9 W' {( T5 r! O- F1 P
configure: looking for Apache module support via DSO through APXS
# t( [/ K7 ?8 K' Q4 Dconfigure: error: couldn't find APXS
2 w/ l* d- j1 I: iapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
0 F2 [1 i) \; L% \; {解决方法:
1 b& U/ g7 J4 W( j8 l
/ q& k1 A& O: q2 uyum install httpd-devel
* S0 f- w" s E7 z1 `+ ~7 N2.没有pcre
6 B: G& S" |; |# d, J, \8 N/ _* T3 W `
configure: *** pcre library not found.
3 o$ F1 a, l9 T% zconfigure: error: pcre library is required
5 y2 h# T4 C6 T8 |2 x; {+ m7 q6 ?解决方法:
2 |0 s9 S" ?3 A S1 t# \; ^. j' e: C& \- O+ r1 \
yum install pcre pcre-devel# l8 O o" _; o: m. q
3.没有libxml2
( {0 S$ F, h0 R/ d4 W
; l$ @/ g( |3 F* |3 ]) g: u& q
- M" k$ o- t$ D: ^, {% V! dconfigure: *** xml library not found.! i5 N# ?: z5 D; h- G5 }
configure: error: libxml2 is required
" \! w' C+ |2 ^0 ? [解决方法:; e/ ]% s* `4 r Z. G1 R
3 l8 y) O7 ~6 M9 w3 ~
yum install libxml2 libxml2-devel; S8 `& e9 e8 [9 r
4.执行 /opt/tengine/sbin/nginx -m 时有警告0 F& ]; z+ J9 L! _) `
* Y! ^7 g, j4 c; S2 f" h* [ R4 pTengine version: Tengine/2.1.0 (nginx/1.6.2)* y& \) }# o ~8 u0 H9 {$ f, j- S, E/ |; T# ]
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
/ z9 j" p0 q c: v; @* E原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log# `( c7 f0 s8 A5 J# j* Q
+ d" Y, `6 N! H- _. e
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
( [ B% C4 G- o) C4 p2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
; Y+ b- r% C, q! X1 @( B S6 m- }2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
6 I/ v) a) O9 _0 r F9 P! |9 i2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"1 L5 G$ y5 B* c3 p
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"& d( N& s2 V+ u. b
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.6 F( y; g9 @5 s# n4 v$ q$ }
解决方法,移除低版本的APR (1.3.9)
# N3 P0 e, C- S3 g5 n$ C* M- h4 ?5 P' X& N! {; L; s
yum remove apr' s4 Y3 J0 F7 b0 K$ @& M$ R
5.Error.log中有: Audit log: Failed to lock global mutex
- e) @7 s8 u7 ]' A$ i2 F
! [5 |. w. [9 S/ B. v- x; \+ Z2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
- H' m) ?! E3 P* Aglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]! v, C3 Q0 {, P
解决方法:: V( t3 V: l/ Q" Y8 I
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
7 k n O- V: q: i( \% X* l- l. m+ z5 N
SecAuditLogDirMode 0777, x, ?* z: e4 o
SecAuditLogFileMode 0550
; a9 E7 f' t0 C6 l4 k0 t. Y9 MSecAuditLogStorageDir /var/log/modsecurity9 B. A! P7 B8 K
SecAuditLogType Concurrent
0 q' I. ~/ Q |" X$ V7 {参考文章:
# _3 P0 J/ \' A4 ?5 r8 N+ H( ahttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX) {" a( `, g- ?+ H7 O) l
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡