|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
+ t2 L& F5 {2 J2 z5 J8 a( _
, J3 r1 P. M! I+ V6 ?一.准备工作
- ~! p% @# B; s9 h) C
% r a8 P# U0 R% c1 n Q9 H5 } z系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0/ J! D$ D6 `' r, U; s
' N# W% E9 f X
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
& n- w9 c- e/ M2 c# }: e& U
3 f* T% [7 i7 X$ O$ zmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
5 M: w5 _* F+ {
7 V2 Q2 x0 N! T/ k4 N. P# E6 G5 aOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
. g0 R4 o B ?0 V/ d+ Q8 l
& g6 Z4 u" `, P( M/ E* l% M依赖关系:2 |3 \+ ^, Q' ]: {( ]/ Q4 {
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
. t2 O! K0 `! n9 j5 u' ]- S
* S8 `; E4 P8 I( ?yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel% j) v. N/ b) d6 P2 f" I0 l* r
modsecurty依赖的包:pcre httpd-devel libxml2 apr
8 |- v$ \* Z2 K6 X% L' @, a
9 m# g1 q) P/ r0 G+ {& ]5 p) myum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel& o" l0 d) q9 F7 H) i+ N* Q I
二.启用standalone模块并编译
, [' O9 i6 W- Y) D+ l* ?$ a) A; C4 T( j% q! e) a7 m
下载modsecurity for nginx 解压,进入解压后目录执行:) B4 _; L8 i3 ~
8 A, E: U4 K' `) d3 w9 e) Q
./autogen.sh
' U$ y `, N1 F! Z% b$ k2 X./configure --enable-standalone-module --disable-mlogc: W z* e( o' \; u9 Y5 [
make
6 w! p0 Y& Y( B, f7 f) \- j三.nginx添加modsecurity模块0 x* [5 h% A. L& a0 v( B' Z+ G
4 Z8 p! ^9 P8 m, J( G1 [在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
4 Z" |1 x) O. ?1 y
2 F+ I& k2 o+ E9 {./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
9 L( ~) X4 c( Smake && make install, [' k- \0 q* T
四.添加规则% @% Z- S3 r# F9 Y3 D# z, r1 R
' y2 h3 {$ M% _- o. L. emodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
j. c: Z [* l; {* Z6 S8 b P
, v1 f1 N/ I, k5 ]1.下载OWASP规则:
/ g5 H' G& [ q) `+ `
5 v, g$ x5 q( x0 I) c. O- ?6 [# fgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs' b. M; ?( {5 e' d
5 M5 v3 w1 l/ @1 u$ b+ Y- y0 |mv owasp-modsecurity-crs /opt/tengine/conf/
! }" E1 j; C! p
2 `; X" O2 [" d* ycd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
/ I$ `3 P$ V) I' S+ ?2.启用OWASP规则:
4 v; `& B! N8 T+ s0 P& x" ^# U3 L; x6 l; i( T: ~: k
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。' R" F9 V$ N3 ^2 z3 [' }/ `
$ }3 {* Q3 {2 L# f( t1 O% u' l
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
' l$ W( ]# I% f0 K1 E6 f% B
. P* ]; ^" }, ]- P3 B* E& f$ L* T; yowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
5 g6 ~% |3 {# q- c/ M; R+ x5 R3 D
% T* {& G" a( _% p# tInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
' d1 O7 p0 f3 m$ {8 {2 AInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
. K$ H/ k6 \3 |& r6 c- Y' V2 W7 tInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
- w, _4 E$ T) uInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
8 V' w0 \; w- lInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf6 @* f6 |$ Y) I3 k
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
/ }0 K; s% ~ D9 U UInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf P( K, Q6 ?; g1 U/ ?. A
五.配置nginx. }+ e+ R, J- y! d& z j
6 C, d1 T3 L8 V7 a5 r
在需要启用modsecurity的主机的location下面加入下面两行即可:+ r: L$ j* [. _+ r
9 d( F! j* Z6 eModSecurityEnabled on;
# B- N9 ?' Q$ E9 q+ T4 LModSecurityConfig modsecurity.conf;0 r& S/ @- Y# e2 F! K v! I( Z
下面是两个示例配置,php虚拟主机:( q1 Q9 E9 k6 g0 F) Q
0 w5 M* x% B- |, b4 h+ U" I1 V1 m/ u; u# e
server {
, r! s# J A, B. p3 }3 k listen 80;! A+ H% H2 Q7 U1 E- j
server_name 52os.net www.52os.net;' Q1 F0 w6 M# y* A
]) O' ^) p, m) V5 h location ~ \.php$ {" q. f7 l! t, W$ t: q$ Z: {
ModSecurityEnabled on; 2 X q( G# }1 \' k" }- L0 q% t
ModSecurityConfig modsecurity.conf;* V: y" s8 S0 U8 X& P# g' h
" m+ @2 W/ [2 T# u# v
root /web/wordpress;! |3 X9 [# G9 X/ Q$ y' G' y" k1 T/ }- a
index index.php index.html index.htm;
5 e1 y; K8 i& e . r1 i9 z- I! v
fastcgi_pass 127.0.0.1:9000;
# m$ b! G/ e/ ~8 u3 J) y fastcgi_index index.php;
, U! E$ M+ K, H4 a+ p" d fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;- z% a# t. _% R
include fastcgi_params;5 @+ A2 F& X+ e' ]& a
}
3 j6 s, G' |& i/ O }
8 S6 Q9 X! x! J8 f% q5 J" Tupstream负载均衡:
. Y- ^/ A$ g6 u3 x' q: N; c. g( \; |6 z" H# {, I* c8 x& h
upstream 52os.net {
. u% j" o# [) h0 |9 f: k server 192.168.1.100:8080;
3 \1 k: h( F; k. ` z8 l/ K server 192.168.1.101:8080 backup;
+ i# d$ \$ X8 {( e9 |& H}
' |; P u7 x+ c/ V5 g9 C7 k! [- G n2 C' |7 p9 c
server {8 l N. R( n/ {9 `* g
listen 80;( s. U$ P- E. e
server_name 52os.net www.52os.net;
# l5 D6 y0 M; B, O) Z1 {
! v+ j$ H8 A U% ?1 k* x1 ^location / {
2 J( A! Q0 c; d% @9 W ModSecurityEnabled on;
% F" q" r$ u* a" y ModSecurityConfig modsecurity.conf; 4 R1 M5 u& o2 k# ^
/ k4 O6 [' u. _4 d
proxy_pass http://online;4 }7 R k0 X4 p' q2 K3 o2 v5 H+ R
proxy_redirect off;
k" G# V* V* y2 q2 f1 s9 A proxy_set_header Host $host;
% D' }2 s* D* F, s' ^1 i proxy_set_header X-Real-IP $remote_addr;9 t$ ]1 ]- v* j2 H* z
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
; g: }9 s: V4 j# U& H }. d$ }2 f# k* m7 h) Y, S
}
$ [# i# w& Z/ {六.测试& @" V [, d# N/ Q
/ K- x( P9 {8 @8 l0 C9 \我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
" ~0 e, v0 O0 U: G. X1 M5 H* h' ^+ ^1 f! V$ X4 M; x3 V: @
<?php' [) C7 [3 [, E2 _$ S* z
phpinfo(); , i. Z$ q' c, ^3 A1 b/ P
?>% k/ a0 H, @ X3 C0 W
在浏览器中访问:& ?0 e& K) G' t( }3 `7 W- C
# x W% P# P* j: f! `% [
http://www.52os.net/phpinfo.php?id=1 正常显示。. C" v# j+ j( U% @% j, c# o( ?
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。0 J% ^, T z* _
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
. B0 z( o3 t" b: l说明sql注入和xss已经被过滤了 a& k$ i* n; T3 L5 A& p
' o* u: D- H+ v/ I3 V X. h8 b七、安装过程中排错
, Z' W7 r4 v& G( Y3 s( W- T, o6 \: Q* x
1.缺少APXS会报错
2 M c8 v8 P+ Z3 a+ X* {8 s6 ~ i, G7 p% x9 d% \
configure: looking for Apache module support via DSO through APXS
# J& y4 D2 z3 O7 N) Vconfigure: error: couldn't find APXS
0 b! b9 \5 Q0 dapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
' P/ p% @0 m' g/ f解决方法:* \. ^, e: e5 _7 U% M* M/ O+ @
" s+ Y+ H* l$ o% @; v& N, Ayum install httpd-devel8 M6 S% ~- Y0 y
2.没有pcre
1 J4 G2 g8 {" N6 g/ q) A0 h, ~: r8 u" i2 r4 D' M
configure: *** pcre library not found.
1 x; A, m$ C1 H c: Dconfigure: error: pcre library is required2 A: B& _7 t( s5 y
解决方法:
$ g5 E7 f& c: H& G7 p
- N' t3 L3 X# n, X; a) J8 V; @4 Nyum install pcre pcre-devel7 r! C" k r x
3.没有libxml2
' u' \3 Z, b% B! t1 m! ^ R
: F5 z2 L1 [+ ~5 f j4 s9 ~
/ a: S, [: H2 W3 R |- G: R4 a3 cconfigure: *** xml library not found.
, ^* V+ s7 K7 O+ d5 X8 h; dconfigure: error: libxml2 is required
% O& w( S8 d* `/ J- q解决方法:
8 P. L; F( K, ^" D/ s' H& \7 U9 r, r! M0 f) c# i# I |8 r
yum install libxml2 libxml2-devel
- Z y4 r3 W8 `" {- x5 u/ |4.执行 /opt/tengine/sbin/nginx -m 时有警告, F4 T8 ]! S% \# i/ H- X2 W# N
5 `$ x( N# x6 |1 U. o: ^
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
( T6 a' o a" d+ z; a1 O7 vnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
% S9 q. a/ }) d原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log% k9 T& |" ^- J1 N+ O
$ h$ T7 t/ N1 D% ]5 W4 q2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
! M$ o$ \. J3 S+ q! L% y* E0 }1 p2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
9 ~( X/ f9 Q% g2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!! ]! r- z! D9 S1 f# X
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"" u) [9 `6 z- b( Y7 R
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6", h# L6 }% H$ [' I& r
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.2 E7 S @) F, t
解决方法,移除低版本的APR (1.3.9)3 d9 H( p% g7 ^$ [: M2 K3 P
/ d& D$ S; O$ X6 N$ }yum remove apr- ^% e( h' \& G9 s
5.Error.log中有: Audit log: Failed to lock global mutex/ ?- ?4 |( S9 ~
) o# H- `1 a l) a
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock & J" U! I+ a |- b
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]8 q7 ^$ h: K$ z/ P$ W: U
解决方法:
! a" r6 j6 Y* L/ @编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:5 u" z+ O8 a Q* g& f$ I
1 u- _0 y9 q& F' s/ }. h
SecAuditLogDirMode 0777 n" v9 t% x! B$ q+ V- c
SecAuditLogFileMode 0550; Y$ J3 t- X q: P2 M
SecAuditLogStorageDir /var/log/modsecurity' t& O3 F" M e3 Q/ s( d* r! @: a
SecAuditLogType Concurrent
! \; E6 c0 I' c8 [6 {7 F, H参考文章:
$ S8 f& H, u$ Hhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX4 p- ~; O8 J6 [2 r
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡