ModSecurity started out as an open-source WAF for Apache and is an effective way to harden web applications; it now supports Nginx and IIS as well. Combined with the flexibility and performance of Nginx, it can be built into a production-grade WAF and is a strong tool for both protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (Nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 base repository:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for Nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to Nginx

Once the standalone module is built, add it to the Tengine (Nginx) build with "--add-module" at configure time:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

The module is linked statically into the binary, so upgrading ModSecurity later means rebuilding Tengine with the new module source.
IV. Add rules

ModSecurity's job is to filter and block web attacks, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and comprehensive, and you can also write your own rules for anything it does not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs/
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the Nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf. Both files are needed: modsecurity.conf references unicode.mapping through the SecUnicodeMapFile directive.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches without blocking; running in that mode against real traffic first is the usual way to find false positives before switching to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need by adding Include lines for them to modsecurity.conf. modsecurity_crs_10_setup.conf must be included before any rule file, because it defines the settings the rule files rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure Nginx

Add the following two lines to the location block of each virtual host that should be protected by ModSecurity (modsecurity.conf is the file placed in the Nginx conf directory in step IV):

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Only requests handled by a location that carries these directives are inspected. In the PHP example below that is requests for .php files; anything served by other locations bypasses the WAF, so put the directives in every location that reaches application code.

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

(Nginx variable names are case-sensitive; $Document_root is an unknown variable and makes nginx -t fail, so it has to be $document_root.)

Upstream load balancing, with ModSecurity inspecting traffic on the reverse proxy before it reaches the backends (the upstream name must match the one used in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with a 403. Using the PHP host as an example, create phpinfo.php with the content:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS rules are filtering requests. Remove phpinfo.php again afterwards; it discloses the PHP configuration and should not stay on a production host.
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server: it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when only the standalone module is being built, which is why httpd-devel is a build dependency here.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that the 1.5.0 build ModSecurity was compiled against is the one loaded:

yum remove apr

Read the list of packages yum wants to remove along with apr before confirming; anything else that depends on the system APR (httpd and apr-util, for example) is removed with it. Re-run nginx -m afterwards and confirm the warning is gone.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

In Serial mode all worker processes append to a single audit log file and coordinate through a global mutex, which unprivileged workers can fail to lock; Concurrent mode writes one file per transaction under SecAuditLogStorageDir and needs no shared lock. The 0777 directory mode works but leaves the audit directory world-writable. Making /var/log/modsecurity owned by the user the worker processes run as (the "user" directive in nginx.conf) and setting SecAuditLogDirMode 0750 is tighter and sufficient.
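Once Concurrent logging is on, each blocked transaction is a small file under /var/log/modsecurity, and the next question is how to read them in bulk: which rules are firing, against which clients, and which rules fire so often on ordinary traffic that they need tuning. The script below is an added example, not part of the original post and not ModSecurity's own tooling; the two audit entries embedded in it are constructed for the example, following the native audit log layout (sections delimited by --<boundary>-<LETTER>-- lines).

```python
#!/usr/bin/env python3
"""Triage ModSecurity concurrent audit logs (native format).

Added example, not part of the original post and not ModSecurity's own
tooling. With SecAuditLogType Concurrent every transaction is written to its
own file under SecAuditLogStorageDir, as sections delimited by lines of the
form "--<boundary>-<LETTER>--" (A = transaction summary, B = request headers,
F = response headers, H = audit trailer with the rule matches, Z = end).
The two entries below are constructed for the example.
"""
import re
from collections import Counter

BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs on Message lines

SAMPLE_SQLI = r"""--a1b2c3d4-A--
[26/Jan/2015:04:20:11 +0800] VMXxUH8AAAEAAHGqDvsAAAAA 10.11.15.161 52110 192.168.1.10 80
--a1b2c3d4-B--
GET /phpinfo.php?id=1%20and%201=1 HTTP/1.1
--a1b2c3d4-F--
HTTP/1.1 403 Forbidden
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:\b(\d+)\s*=\s*\1\b)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"]
Action: Intercepted (phase 2)
--a1b2c3d4-Z--
"""

SAMPLE_XSS = r"""--e5f6a7b8-A--
[26/Jan/2015:04:21:02 +0800] VMXxfn8AAAEAAHGqDvwAAAAB 10.11.15.162 40022 192.168.1.10 80
--e5f6a7b8-B--
GET /phpinfo.php?search=%3Cscript%3Ealert('xss');%3C/script%3E HTTP/1.1
--e5f6a7b8-F--
HTTP/1.1 403 Forbidden
--e5f6a7b8-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:<script)" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "35"] [id "973300"] [rev "2"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "Matched Data: <script found within ARGS:search: <script>alert('xss');</script>"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"]
Action: Intercepted (phase 2)
--e5f6a7b8-Z--
"""


def split_sections(text):
    """Return {section_letter: [lines]} for one audit log entry."""
    sections, current = {}, None
    for line in text.splitlines():
        boundary = BOUNDARY_RE.match(line)
        if boundary:
            current = boundary.group(2)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_entry(text):
    """Parse one concurrent-mode audit file into a flat dict."""
    sections = split_sections(text)
    # A: "[timestamp tz] unique_id client_ip client_port server_ip server_port"
    summary = sections.get("A", [""])[0].split()
    status = sections.get("F", [""])[0].split()
    entry = {
        "unique_id": summary[2] if len(summary) >= 7 else None,
        "client": summary[3] if len(summary) >= 7 else None,
        "request": sections.get("B", [""])[0],
        "status": int(status[1]) if len(status) >= 2 and status[1].isdigit() else None,
        "blocked": False,
        "matches": [],
    }
    for line in sections.get("H", []):
        if not line.startswith("Message: "):
            continue
        fields = {"tags": []}
        for key, value in KV_RE.findall(line):
            if key == "tag":            # tag repeats; everything else is single-valued
                fields["tags"].append(value)
            else:
                fields[key] = value
        fields["denied"] = line.startswith("Message: Access denied")
        entry["blocked"] = entry["blocked"] or fields["denied"]
        entry["matches"].append(fields)
    return entry


def triage(entries):
    """Count hits per (rule id, message) and blocked requests per client."""
    rule_hits, blocked_by_client = Counter(), Counter()
    for entry in entries:
        for match in entry["matches"]:
            rule_hits[(match.get("id"), match.get("msg"))] += 1
        if entry["blocked"]:
            blocked_by_client[entry["client"]] += 1
    return rule_hits, blocked_by_client


if __name__ == "__main__":
    import sys
    texts = [open(p, errors="replace").read() for p in sys.argv[1:]] or [SAMPLE_SQLI, SAMPLE_XSS]
    rule_hits, blocked_by_client = triage([parse_entry(t) for t in texts])
    for (rule_id, msg), n in rule_hits.most_common():
        print(f"{n:5d}  id={rule_id}  {msg}")
    for client, n in blocked_by_client.most_common():
        print(f"{n:5d}  blocked requests from {client}")
```

With no arguments it runs on the two embedded samples; against a live box use python3 modsec_triage.py $(find /var/log/modsecurity -type f) (the script name is an assumption). A rule id that dominates the first table while the matching requests look legitimate is a candidate for a SecRuleRemoveById exclusion in modsecurity.conf rather than for keeping the WAF in DetectionOnly.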
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614