ModSecurity started out as an open-source WAF for Apache that effectively hardens web applications; it now also supports Nginx and IIS. Combined with the flexibility and efficiency of Nginx it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web security.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for Nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

After the standalone build, the ModSecurity module can be added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling each file in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of every virtual host where ModSecurity should be enabled, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are lowercase: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # must name the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP setup as an example, create phpinfo.php with the contents:

<?php
    phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting during installation

1. Missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the following as well:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
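As an added example (not part of the original post), here is a small Python parser for the error.log entries quoted in items 4 and 5 above: it splits the nginx prefix, the client IP and ModSecurity's [key "value"] tags out of each line, flags libraries whose compiled and loaded versions differ, and collects the audit-log mutex failures, so a deployment check can catch both problems without reading the log by hand. The sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample: the error.log lines quoted in items 4 and 5 above.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

LINE_RE = re.compile(r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?P<msg>.*)$')  # nginx prefix
CLIENT_RE = re.compile(r'^\[client (?P<ip>[^\]]+)\] ')
TAG_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')  # ModSecurity [key "value"] tags
VER_RE = re.compile(r'ModSecurity: (?P<lib>\w+) compiled version="(?P<c>[^"]*)"; loaded version="(?P<l>[^"]*)"')

def parse_line(line):
    """Split one error.log line into prefix fields, client IP, tags and the bare message."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    msg = m["msg"]
    client = CLIENT_RE.match(msg)
    if client:
        msg = msg[client.end():]
    return {
        "ts": m["ts"], "level": m["level"], "pid": int(m["pid"]),
        "client": client["ip"] if client else None,
        "tags": {t["key"]: t["val"] for t in TAG_RE.finditer(msg)},
        "msg": TAG_RE.sub("", msg).strip(),
    }

def version_mismatches(log):
    """Return (library, compiled, loaded) for each startup notice whose versions differ."""
    # Only the first token is compared: PCRE "7.8 " vs "7.8 2008-09-05" is fine, APR 1.5.0 vs 1.3.9 is not.
    found = []
    for line in log.splitlines():
        m = VER_RE.search(line)
        if not m:
            continue
        compiled, loaded = (m["c"].split() or [""])[0], (m["l"].split() or [""])[0]
        if compiled != loaded:
            found.append((m["lib"], compiled, loaded))
    return found

def audit_lock_failures(log):
    """Collect client, uri and unique_id of every 'Failed to lock global mutex' entry."""
    out = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and "Failed to lock global mutex" in rec["msg"]:
            out.append({"client": rec["client"], "uri": rec["tags"].get("uri"), "unique_id": rec["tags"].get("unique_id")})
    return out
```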
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614