ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now supports Nginx and IIS as well. Combined with Nginx's flexibility and efficiency it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for Nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at compile time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity's job is to filter and block web attacks, and its power comes from its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can of course write your own rules for any other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs and never blocks).

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines for them to modsecurity.conf, for example:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

Add the following two lines inside the location block of any virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load balancer:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests get a 403 straight away. Using the PHP environment as an example, create a phpinfo.php containing (remove it again once testing is done, since phpinfo exposes server details):

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.

VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time; error.log shows the following as well:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that the version the module was compiled against (1.5.0) is the one that gets loaded:

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following (the storage directory must exist and be writable by the nginx worker user):

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
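As an added example that is not part of the original post: a small Python parser for the ModSecurity messages nginx writes to error.log, splitting off the nginx prefix and the bracketed [key "value"] fields (hostname, uri, unique_id, and in rule alerts id, msg and so on) seen in items 4 and 5 above, which is the first step when triaging what the WAF logged. The sample lines are constructed from the ones quoted above.

```python
import re
from typing import Dict, List, Optional

# nginx error.log prefix "2015/01/26 04:15:42 [error] 61610#0: " followed by an
# optional "[client a.b.c.d] " and then the message itself.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#(?P<tid>\d+): (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$'
)
# ModSecurity appends metadata as [key "value"] pairs, e.g. [uri "/i.php"].
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')

# Constructed sample built from the error.log lines quoted in the post above.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: using the "epoll" event method
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""


def parse_modsec_line(line: str) -> Optional[Dict[str, str]]:
    """Split one error.log line into its parts; None if it is not a ModSecurity line."""
    m = LINE_RE.match(line.strip())
    if not m or "ModSecurity" not in m.group("msg"):
        return None
    rec = {k: v for k, v in m.groupdict().items() if v is not None}
    msg = rec.pop("msg")
    # Bracketed fields become keys; a repeated key (e.g. several [tag ...]) keeps the last value.
    rec.update((f.group("key"), f.group("val")) for f in FIELD_RE.finditer(msg))
    # What remains after removing the fields is the human-readable message text.
    rec["message"] = FIELD_RE.sub("", msg).strip()
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every ModSecurity line in an error.log, skipping unrelated nginx lines."""
    recs = (parse_modsec_line(ln) for ln in text.splitlines())
    return [r for r in recs if r is not None]


if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(r["ts"], r["level"], r.get("client", "-"), r.get("uri", "-"), r["message"])
```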

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614