ModSecurity began as an open-source WAF for Apache and is an effective way to harden web applications; it now also supports nginx and IIS. Combined with the flexibility and performance of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module can be added when nginx is compiled by passing "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity's focus is filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; each rule file you want active is simply pulled in with an Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
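Steps 1 and 2 above carried out as one shell function, added here as an example that is not part of the original post or the ModSecurity project: it activates the CRS setup file, installs the recommended configuration with SecRuleEngine switched to On, appends the Include lines listed above, and adds a check that lists Include targets that do not exist under the conf directory, so a typo in a rule path shows up before nginx is restarted rather than in its error log. The function names, the CONF_DIR/MODSEC_SRC arguments and the sample files in the usage comment are assumptions; the paths and rule file names are the post's.

```shell
#!/bin/sh
# Added example, not from the original post. Performs steps 1 and 2 of section IV
# against a given nginx conf directory and an unpacked ModSecurity source tree.
set -e

# enable_crs CONF_DIR MODSEC_SRC
#   CONF_DIR   nginx/Tengine conf directory, e.g. /opt/tengine/conf (assumed argument)
#   MODSEC_SRC unpacked ModSecurity source, e.g. /root/modsecurity-2.8.0 (assumed argument)
# Expects owasp-modsecurity-crs to have been cloned into CONF_DIR already.
enable_crs() {
    conf="$1"; src="$2"; crs="$conf/owasp-modsecurity-crs"

    # step 1: activate the CRS setup file by dropping the .example suffix
    if [ -f "$crs/modsecurity_crs_10_setup.conf.example" ]; then
        mv "$crs/modsecurity_crs_10_setup.conf.example" "$crs/modsecurity_crs_10_setup.conf"
    fi

    # step 2: install the recommended config and the unicode map, then turn the engine on
    # (modsecurity.conf-recommended ships with SecRuleEngine DetectionOnly)
    cp "$src/unicode.mapping" "$conf/unicode.mapping"
    sed 's/^SecRuleEngine[[:space:]].*/SecRuleEngine On/' "$src/modsecurity.conf-recommended" \
        > "$conf/modsecurity.conf"

    # pull in the rule files listed in the post; paths are relative to the conf directory
    for rule in modsecurity_crs_10_setup.conf \
                base_rules/modsecurity_crs_41_sql_injection_attacks.conf \
                base_rules/modsecurity_crs_41_xss_attacks.conf \
                base_rules/modsecurity_crs_40_generic_attacks.conf \
                experimental_rules/modsecurity_crs_11_dos_protection.conf \
                experimental_rules/modsecurity_crs_11_brute_force.conf \
                optional_rules/modsecurity_crs_16_session_hijacking.conf; do
        echo "Include owasp-modsecurity-crs/$rule" >> "$conf/modsecurity.conf"
    done
}

# rule_engine_mode CONF_DIR -> prints the SecRuleEngine value now in modsecurity.conf
rule_engine_mode() {
    sed -n 's/^SecRuleEngine[[:space:]]*//p' "$1/modsecurity.conf"
}

# missing_includes CONF_DIR -> prints every Include target that does not exist under CONF_DIR
missing_includes() {
    sed -n 's/^Include[[:space:]]*//p' "$1/modsecurity.conf" | while read -r inc; do
        [ -f "$1/$inc" ] || echo "$inc"
    done
}

# usage with the paths from the post:
#   enable_crs /opt/tengine/conf /root/modsecurity-2.8.0
#   missing_includes /opt/tengine/conf     # prints nothing when every rule file is present
```

Running missing_includes before reloading nginx is the check worth keeping: ModSecurityConfig is parsed at startup, so an Include that points at a misspelled or not-yet-cloned rule file is caught here instead of during a restart.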
V. Configure nginx

In the location block of each host that should have ModSecurity enabled, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are lower-case: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # the name after http:// must match the upstream block above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, abnormal requests are answered directly with a 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
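The same three checks from the command line rather than a browser, as an added example that is not part of the original post: the script sends each request with curl and compares the HTTP status code to what the post expects, so the check can be rerun after every rule change. BASE_URL, HTTP_CLIENT and the function names are assumptions; the paths and query strings are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: repeats the three browser checks from
# section VI with curl and reports whether each status code matches expectations.
# Usage: BASE_URL=http://www.52os.net sh waf_check.sh run   (BASE_URL is an assumption)

BASE_URL="${BASE_URL:-http://www.52os.net}"
HTTP_CLIENT="${HTTP_CLIENT:-curl}"   # overridable so the checks can be dry-run without a server

# http_status PATH QUERY -> prints only the HTTP status code of GET BASE_URL+PATH?QUERY
# (-G with --data-urlencode lets curl percent-encode the spaces and angle brackets)
http_status() {
    "$HTTP_CLIENT" -s -o /dev/null -w '%{http_code}' -G --data-urlencode "$2" "$BASE_URL$1"
}

# check NAME PATH QUERY EXPECTED -> 0 if the server answers with EXPECTED, 1 otherwise
check() {
    status=$(http_status "$2" "$3")
    if [ "$status" = "$4" ]; then
        echo "PASS $1: HTTP $status"
        return 0
    fi
    echo "FAIL $1: HTTP $status (expected $4)"
    return 1
}

# run_waf_checks -> 0 only if the benign request passes and both probes are blocked
run_waf_checks() {
    rc=0
    check "benign request" /phpinfo.php "id=1" 200 || rc=1
    check "sql injection"  /phpinfo.php "id=1 and 1=1" 403 || rc=1
    check "xss"            /phpinfo.php "search=<script>alert('xss');</script>" 403 || rc=1
    return $rc
}

if [ "${1:-}" = "run" ]; then
    run_waf_checks
fi
```

The benign request is part of the check on purpose: a rule set that answers 403 to everything would pass the two attack probes, so a change that breaks normal traffic is reported as a failure too.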
VII. Troubleshooting the installation

1. A missing APXS causes this error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time, and error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr
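A small check for the version notices above, added here as an example that is not from the original post or the ModSecurity project: it scans an nginx error.log for the "compiled version / loaded version" lines ModSecurity writes at startup and reports every library whose loaded version differs from the one it was built against. It ignores the padding and build-date suffix on the PCRE line, which the log records as a notice rather than a mismatch. The function names, the sample log file and the log path in the usage comment are assumptions; the log lines in the sample are copied from the post.

```shell
#!/bin/sh
# Added example, not from the original post: detects the APR-style version mismatch from
# section VII.4 by parsing the ModSecurity startup notices in an nginx error.log.

# version_mismatches LOGFILE
#   prints "LIB compiled=X loaded=Y" for each library whose versions differ;
#   exits 0 when nothing differs, 1 when at least one line is reported
version_mismatches() {
    awk '
        # lines of interest look like:
        #   ... ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
        match($0, /ModSecurity: [A-Z]+ compiled version="[^"]*"; loaded version="[^"]*"/) {
            s = substr($0, RSTART, RLENGTH)
            lib = s; sub(/^ModSecurity: /, "", lib); sub(/ compiled.*/, "", lib)
            c = s;   sub(/.*compiled version="/, "", c); sub(/".*/, "", c)
            l = s;   sub(/.*loaded version="/, "", l);   sub(/".*/, "", l)
            # keep only the version number: the PCRE line pads the compiled value with a
            # blank and appends a build date to the loaded one, which is not a mismatch
            sub(/ .*$/, "", c); sub(/ .*$/, "", l)
            if (c != l) { print lib " compiled=" c " loaded=" l; n++ }
        }
        END { exit (n > 0) }
    ' "$1"
}

# write_sample_log PATH -> writes the error.log excerpt from the post into PATH
# (constructed test input so the check can be run without a server)
write_sample_log() {
    cat > "$1" <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
EOF
}

# usage on a live system (log path assumed from the --prefix used above):
#   version_mismatches /opt/tengine/logs/error.log
if [ -n "${1:-}" ]; then
    version_mismatches "$1"
fi
```

On the post's log excerpt the check prints a single line for APR (compiled 1.5.0, loaded 1.3.9) and exits 1; after yum remove apr and a restart it should print nothing and exit 0, which makes it usable as a post-deployment check.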
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614