|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。2 W, i+ }6 P' n. F# p& ?/ z
$ X4 ~. f9 t7 o, J; ~; F! H一.准备工作 P7 v: \) r& J. y! ?/ M
8 d& g' k* J6 k1 R3 c4 g
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
+ d' y1 Z% V9 X. d. r
; f- E6 k2 p$ k( Ptengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
- B4 J! ]% q* m/ \$ s4 g% [) h
5 V" q5 Q9 f' A* _; n$ ~. {+ xmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz& b: x' e6 d6 x3 n* ?3 V( [4 K
% m. k/ M- Y+ T7 bOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
: g6 F' z0 z) H
$ Y8 P. y+ l" _# {4 m依赖关系:2 G& n1 H( i: v: U2 M
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
2 f2 G" ?3 G& A' k9 J! C9 R
. j3 B! n& g: E Cyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
% g9 H' `. b" {& c1 B" A8 mmodsecurty依赖的包:pcre httpd-devel libxml2 apr# Z0 \/ P2 R6 g9 [% ^9 i
" O" [( K$ L. f+ V7 s8 k
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel6 \7 \3 u( @- q3 K" T
二.启用standalone模块并编译; p9 E: u: }, [9 a3 E; V7 ]
# G& m3 i+ V" v7 t' |下载modsecurity for nginx 解压,进入解压后目录执行:5 F- ^ D6 [* v9 m: W! W' d3 Z9 Z
0 z4 ?; Z7 m3 p
./autogen.sh
+ k' u, Y' i3 Q( Z./configure --enable-standalone-module --disable-mlogc# M6 o. C( u$ o% g0 Z2 V+ f7 Z; I
make & b9 e8 t4 o1 L3 w4 a. }
三.nginx添加modsecurity模块. s; k( U S& v6 J( v
/ S9 u: U, ]* O5 j在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
' z0 Y/ P* l# A1 w* t' X( o4 W9 K3 J
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
. ]* k0 l5 @8 l9 W( I) ^7 Bmake && make install' Z, p: b* ~6 h j
四.添加规则
" v8 l5 z o9 K8 Y2 {% k( h$ s, ~1 I6 ?
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
6 S, ]2 R* |, T& v0 V0 m7 o( q* d6 t, u+ \. A. E
1.下载OWASP规则:
' E- A+ h8 D& W: X& @9 t+ j: ]+ N: L2 b
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
3 w( G5 `6 S/ u6 C; n
7 T1 j V3 L x/ X- O% Y8 Z; f2 O" z5 jmv owasp-modsecurity-crs /opt/tengine/conf/ D2 v2 p3 W8 N
; T5 u+ E% r& V' Z, @9 h
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf7 c2 U& p C4 }. B
2.启用OWASP规则:& {) f% Q. p7 X) J
& ~ K1 r& A& h6 Z
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
+ k( o: n$ q. r& j2 D }- W J. b V h ^$ h' K. Z
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
# A4 j1 v% u. h
! t! ~0 m2 ~8 ?% i5 Fowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
3 G$ J5 c/ z; |: p* B. A+ x6 L, o: H
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
2 |3 w/ d! ]) \% T3 W& u: X- WInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
7 e+ X- n+ h1 c3 R7 pInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf( }9 c8 l; W$ A7 J5 G8 P y
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
5 T" M5 c, V( d$ e& d9 Q+ JInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf2 L( ^" [7 \* q7 Y3 u
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf. X; R! H! \: d, e
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf- |6 D7 W4 |. z6 D, }
五.配置nginx
! B$ J; P# Q7 ~ }- c, ?. F6 ?& I4 [: h; C; f" T
在需要启用modsecurity的主机的location下面加入下面两行即可:2 g0 [8 p* U+ f# X
# ?7 i g5 K7 r V
ModSecurityEnabled on; ( K+ W6 g' b/ Q: c+ `5 z7 f/ p! d
ModSecurityConfig modsecurity.conf;
; K: P1 w5 @% K4 c* k, \# U下面是两个示例配置,php虚拟主机:; I+ N J9 B' c! C3 @/ V
" ~ Q) N+ H9 c- D c$ d9 V# Nserver {6 s' I3 g' X% O \6 S0 Z
listen 80;
- m6 b. ~% h, n) j8 u server_name 52os.net www.52os.net;
. ~+ D, m, D- w4 o+ {
P8 t @* k6 _3 ]' E% ~ location ~ \.php$ {
' J* a) C7 h4 u ModSecurityEnabled on;
9 c {- t4 Y0 n, c- M ModSecurityConfig modsecurity.conf;. e0 `- d) ~8 P4 r* \6 y# p* X
; V& ]* ?. c. C3 o$ T! p root /web/wordpress;
* |% m! L7 S6 o% S2 y, h' w index index.php index.html index.htm;
3 c: J4 _+ G( I2 _ 6 w. |! G$ G; @0 d: L* ~. y
fastcgi_pass 127.0.0.1:9000;% I- E& ~' x, s' |( ?; ?! `
fastcgi_index index.php;
" d ~" H; ^7 q& w: P3 I fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;: H3 k( T3 ~, M, S6 y; G6 i
include fastcgi_params;
& t$ w# R. L/ |$ Q }
! X; A/ p1 t- |; x, D. R, c }, Z1 y5 Z5 k n& q
upstream负载均衡:8 d& a; W& ^' J8 j! j
; u6 D" y$ W# w2 j9 _1 ]! \* s
upstream 52os.net {
7 `6 T) x7 b8 G$ }; }% k1 P server 192.168.1.100:8080;
% D) G2 F3 ~* J" w server 192.168.1.101:8080 backup;
6 ]2 r B& U, t8 R0 {6 O7 l1 s7 c}( n1 b7 r- t+ I( r) C% N- ?( o: ^" D
# _7 d" X8 e. z1 O* ?# m8 s
server {
$ G% ]! [5 \; _# y0 plisten 80;0 [+ l; g, x9 C! o5 V7 g6 l( q
server_name 52os.net www.52os.net;
3 u5 m' {4 h6 L! }: _6 k; S9 n4 g$ e7 _1 [% N% v
location / {
h/ J8 z- `2 l7 B. j: b# k, _& W+ B/ Q ModSecurityEnabled on; 5 W* A1 U! m. C3 ~5 D
ModSecurityConfig modsecurity.conf;
3 O$ o9 h# K8 E8 j! ?' k4 n. j, g, A F' M
proxy_pass http://online;. Q& s/ j% K4 Z: D7 w; ]( l$ j6 s
proxy_redirect off;
6 ?/ Z/ m9 U$ [# f proxy_set_header Host $host;5 e& y/ F, N9 ]0 J/ Z3 G
proxy_set_header X-Real-IP $remote_addr;
- j1 u, k/ d" D. @: I \ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;# q7 h5 m2 i* E; W, j* w
} J" f% \- ~* v( n9 R$ _3 d
}" m, ?) b% y/ g
六.测试" t }/ P2 F1 X4 ?- w
% x" x+ u9 b2 e我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
. H. C8 l) V( c' |' |4 F6 k
5 U3 w/ c H& ?* O/ [9 J/ I( y8 [<?php
$ h) S: r8 @2 V phpinfo(); - w# n3 R! |: O; E$ Y
?>* K+ Q r+ f* B* Z1 T2 C
在浏览器中访问:
5 a) ^* b6 q+ X& w7 @% _$ h% h. x- G) j
http://www.52os.net/phpinfo.php?id=1 正常显示。
5 c* b2 H2 G* l: a: e1 Dhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。 ]3 ^8 d! b( { S
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。7 A5 f6 H# o9 `
说明sql注入和xss已经被过滤了. J5 h- y. Z' s6 P) J8 v' B
, A( v7 W, M& [0 ~, I, t/ E& b七、安装过程中排错4 W0 {. w4 j* x9 Q5 n, A
/ e: Z ~2 q5 A+ S+ o9 b1.缺少APXS会报错
& a1 X5 W/ d8 p
z6 x2 N! t3 Y. e8 c& ?configure: looking for Apache module support via DSO through APXS
: i: G/ q! Z6 T0 s$ J+ _4 }configure: error: couldn't find APXS
# ^3 E2 i, j$ b0 W( J1 Papxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
) \# @& r: f6 T# t. _# l解决方法:) w' c" C" b* R2 c. R# k
" @. t5 d3 x- E( y3 y! V# Jyum install httpd-devel2 Q6 @" |, A0 S. m% _6 N7 N
2.没有pcre
& T7 x! |4 L! W
7 o6 |1 L7 t% r# a, Q" d7 y5 `configure: *** pcre library not found.2 C4 z; V$ Z8 r3 \% t
configure: error: pcre library is required+ V& S: y" U* E
解决方法: R+ I7 S* H- N' E( c& Z& i" m
1 N' _1 L5 V" u% I4 W$ A
yum install pcre pcre-devel. d0 M1 g- f) ^% g$ p3 t; h
3.没有libxml2
8 W9 g. G. e( [1 G( h- W6 E9 B- A0 O% l
8 ^2 r8 |4 u7 K; U1 V. e# f5 vconfigure: *** xml library not found.
5 }5 \3 z' Y4 y& o8 x- ]configure: error: libxml2 is required
: Z+ ^: N8 V4 a解决方法:9 a8 O9 ?7 A: J! W3 M3 n! d' B
* ~! o8 s$ u+ X# M P
yum install libxml2 libxml2-devel
7 n+ c- Q {6 D9 j! }! d2 g4.执行 /opt/tengine/sbin/nginx -m 时有警告# ^( [2 }1 k6 x* m! k2 G
2 h7 E, K7 {1 [ g- s8 s$ [
Tengine version: Tengine/2.1.0 (nginx/1.6.2)7 K. G& U; A, P: p, T1 N
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!9 t! o- A$ P- z! {
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log$ D' N& y' D) W
1 M0 m3 W. \ B1 E, Z: e$ A
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
0 d) Y6 }6 e# ]: @+ l" S2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"# T9 w- x; {5 P1 g3 |
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
0 p0 G3 r. B6 z4 u p) p+ i+ S2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
9 @1 J: B1 H: j; b; P, I, F# E2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
! h( s3 A4 O- Y. ^- [7 {: N; d2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.7 K3 a' b4 t/ n
解决方法,移除低版本的APR (1.3.9)
9 y) ?. y1 \1 m8 x: f/ \1 K! D; m2 U* ^" k5 W9 M
yum remove apr4 C+ Y/ B2 C1 k9 W: b/ u4 v
5.Error.log中有: Audit log: Failed to lock global mutex2 n7 ?- B4 ~9 `" G
2 q$ X* n+ C- [. u: }" w& P2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
8 ~% b( N8 r) C8 }; \6 G6 Y& lglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
6 q- a5 l6 z* `" H解决方法:
, _1 A2 {6 @1 E编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
7 g+ N0 p$ n' J. d4 Y) A1 s V! M% B& u; \6 D
SecAuditLogDirMode 0777
1 K& K; e* w3 D+ u4 PSecAuditLogFileMode 0550
* O" E# P( j& O$ E- WSecAuditLogStorageDir /var/log/modsecurity- t6 a4 D8 i) \9 G
SecAuditLogType Concurrent
; d" r. |4 X. X6 s% D1 U参考文章:
C/ f/ F" F1 G. g# t& Vhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
) L( G5 k3 b2 Jhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡