|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
2 |5 p, L3 x% R x" I9 N
" N9 e$ T1 {: ?9 i% W一.准备工作
: A1 M; |+ c' D5 L* @8 W4 v( z. u5 p; Q& j8 o
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
2 |* n6 p. R* `* p: v" Z5 a. M# M2 m5 v* [! \
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
# g9 _7 s& x9 w: |4 _: T9 I) f m+ s4 ]0 k& y
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz) d* R% m4 @- `# Z
0 _7 k0 t) }6 Y8 dOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs8 ~) v; w2 a, ?" n- u. E
1 D8 e: s# b' U( `6 J- v5 I" z
依赖关系:- D0 w4 @' s; e
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:2 J) ?! L2 x, R. k7 K
. M9 Q# h5 }9 o- E1 |yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
4 k+ J- q P0 H1 Imodsecurty依赖的包:pcre httpd-devel libxml2 apr
; g# a# {8 d6 o' ~9 L/ f6 X
, H$ T- J9 f7 Q! Q, v' jyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
4 I* U5 ^) @: H, n二.启用standalone模块并编译
( b: T/ C9 _9 C, {& f, |3 @- m& G+ ^3 L7 g1 _
下载modsecurity for nginx 解压,进入解压后目录执行:" c$ o1 O# [$ I
7 Q7 z. n1 f4 x8 s) |./autogen.sh
( ]! z$ T3 T, Q, f% K( V./configure --enable-standalone-module --disable-mlogc
! E5 `% H' e3 g& k; ^! N7 u& D! ~make : W$ o% t% b9 N. G- e
三.nginx添加modsecurity模块5 L" S% v6 }/ z p+ c" T
: n$ H- X1 h: n* g1 @在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
8 ^) @3 d7 `8 j
& ]( ]' w0 n6 N5 k./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
. u `3 [% ]. h( l: [) G: ymake && make install
/ i( B; W/ `. [8 d7 `3 D四.添加规则
1 ~7 q9 |7 c3 n/ @2 I1 t" T& n6 _& l1 S1 C; |" C, D; E
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
2 ^1 J6 f9 e7 `: e0 }# O" a j- V4 H/ K4 {: Y, E( t- A' W+ ?$ U6 Q* w
1.下载OWASP规则:
5 O4 Z# C1 l4 q" A6 V8 |! Y
& w0 j* k4 V8 a3 wgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs+ Q6 W, v/ s2 S1 {$ _. e
! R! b$ k. D) S" ~! `: A
mv owasp-modsecurity-crs /opt/tengine/conf/
) b9 Z2 \: g) U6 |8 F) G. g$ g7 r9 h+ k2 }
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
' C1 W( k8 P0 O% J' k* V2.启用OWASP规则:& t5 l- b- R- S. x
7 l8 s0 h8 L6 b9 z+ ]
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。/ e" K1 t2 Y& Y0 t
, O$ }) }# T( K. p编辑modsecurity.conf 文件,将SecRuleEngine设置为 on+ p; [4 A& C8 ~8 i$ e
+ R$ v+ `: W1 z$ w% b
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。1 r# \# \6 T1 M( d+ d
- M& b5 O. `7 Z; F1 FInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf2 e, r. G9 @6 g5 ^
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf1 E) g7 T$ V' R
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf! R% U) A8 |. L4 O6 d3 d6 J T
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf# B+ b' X; U' l" G4 p9 V& Z/ G$ D$ h
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf/ {" |! \& K- Y' b
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf. \- d; u$ |3 W- }
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf ?# Q1 x; |; b( b2 p0 q1 s) f
五.配置nginx
: I8 S5 B. z z# p5 ~6 X- Z- Q9 ~+ ~; h9 ~5 d, ?* Z& k
在需要启用modsecurity的主机的location下面加入下面两行即可:
' Q& C- J a' h/ z) b& n2 W7 W: J% g; o: h7 `5 L7 v
ModSecurityEnabled on;
; W8 n; u% g5 ?/ p7 wModSecurityConfig modsecurity.conf;# m6 e" D5 J; E' l4 m/ G; G; O6 l2 l
下面是两个示例配置,php虚拟主机:
$ r k7 @$ R0 w# A; c( w& G. l3 y9 O6 d' |' g$ f5 K1 I
server {+ a# R% C1 F7 x6 W4 f
listen 80;, [3 j2 t7 E4 g' I9 A$ y7 L
server_name 52os.net www.52os.net;3 ^# I. t: v0 E4 T( c6 O% I
9 i& T/ P1 ]6 Q, o. C location ~ \.php$ {
: N6 U$ x2 E& Z' A ModSecurityEnabled on;
& d& L+ `; k6 }! c' T ModSecurityConfig modsecurity.conf;, w% C- w1 u: q9 y! Y: f; H) F
0 A" S" u: f4 c, S* z
root /web/wordpress;; `' K/ l m# C* I5 B+ P
index index.php index.html index.htm;
. g- e. G) r5 y6 \
( @% f# b6 l6 C' Z8 j& q& q3 \ fastcgi_pass 127.0.0.1:9000;' O" d1 W4 h! L; f% G
fastcgi_index index.php;4 b$ a3 L+ Q w6 D0 g; g
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;3 c6 f3 P5 J1 v7 s5 X4 c
include fastcgi_params;* b3 j3 s/ J2 L( I8 {
}
& T# E+ ~5 @5 I- V8 H# @ j2 @ }: Q4 f4 E; Z8 S3 _8 I5 T. f
upstream负载均衡:
( s7 I& x# z0 g* Z7 \2 k* V9 j2 S% D) O2 Q
upstream 52os.net {7 W( u, M) ?! [ {9 G9 ?6 O
server 192.168.1.100:8080;
8 B/ ^' P9 E9 h3 o/ U+ u& p9 V server 192.168.1.101:8080 backup;: c5 n/ }( B$ D2 F1 C: e3 e/ l/ e2 _
}
. t" L& @- y0 J, w5 k+ ~* Y
- ^. w8 K$ o/ Cserver {! K$ `% D8 `9 ?2 o6 E( b; s5 F5 `1 {
listen 80; h( H' l$ L% I1 d6 C1 b
server_name 52os.net www.52os.net;7 `1 J* ~0 J H8 r( {6 Y
k7 F' U( M0 S3 l1 c
location / {* H3 g2 Y1 G, q5 A7 a X. ]
ModSecurityEnabled on; - r, F4 }! ?/ t+ U2 T: R- }
ModSecurityConfig modsecurity.conf;
: _' ^0 ] B# @* k8 `$ @4 }" |- P% Q" F/ x ]' J
proxy_pass http://online;& u P8 `# X4 w/ _' Z6 f- v/ f% |/ R
proxy_redirect off;1 h/ A1 Z, B# X; e: U1 {3 W
proxy_set_header Host $host;0 h% M' X: B" s. X% C+ S5 v
proxy_set_header X-Real-IP $remote_addr;
% R. S& H1 P+ D' M$ v proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
0 u. ]6 B3 X2 K. A2 g: x: y% } }
3 c# ]" B' v2 h# P}
6 U/ f' j) a: T: L六.测试
4 L& p: A2 M' @- Y$ n! G
0 C U/ y7 H2 k A7 ~$ N% }我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:- T- l; q, N# n; R- u2 b. W" {2 `
# u6 \, H9 M& \( [5 M<?php% j6 P' J* x7 ~3 C" v5 R
phpinfo(); # `/ K3 ~( W7 n3 ]
?>! @! M# ]5 I- U
在浏览器中访问:
3 r/ V) T7 u9 N' [
) {. `0 u3 Y( B% v+ N# p uhttp://www.52os.net/phpinfo.php?id=1 正常显示。! O* W9 Z2 i9 t+ J& x v9 }3 n
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。8 C2 ?2 l" t0 ^: v( O
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
. D, ]2 p! }% d6 z5 r说明sql注入和xss已经被过滤了2 ]) O7 R: B$ p# B5 d- J% o2 j( ?9 u
1 E1 k- K4 x7 e/ G: C% F
七、安装过程中排错: y1 R& @) X8 y/ ]) N3 d1 [
" f" z6 y; P6 U2 ^1 M+ h8 o7 Y! B
1.缺少APXS会报错7 Y% h. k, \3 J& o7 M) S
2 w; s" x: v S) a1 `
configure: looking for Apache module support via DSO through APXS
H1 b1 l/ \+ k, y! I7 kconfigure: error: couldn't find APXS, M3 F# v8 {; U5 e! J4 c/ ~+ k/ C
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
: b) z) z1 L7 M/ K解决方法:
2 O0 T3 Y. g# s5 I+ R
9 T$ a$ E! \2 X3 ^6 q7 nyum install httpd-devel
' G/ z1 ]" n4 ]* f) i! P' }7 D2.没有pcre
- K( c" q& i' `( J0 C+ v/ _5 d. ]6 a) i9 E
configure: *** pcre library not found.9 u% m% b8 G! _+ H
configure: error: pcre library is required
# W$ y1 w( |4 d$ @9 {+ L解决方法:% `# H. X4 }1 d( { q @5 y$ J
. Q5 P7 P" j% \) J
yum install pcre pcre-devel+ F; }. h6 ]1 h/ ~
3.没有libxml2
4 b4 v$ r$ b6 a1 S2 G! M
* s* F8 y! T+ Z& D5 B w9 n, b
; A' P% D9 s& P" f9 Econfigure: *** xml library not found.4 p2 L9 O/ ]- x2 I3 m# l
configure: error: libxml2 is required6 ~* t# ?$ M" j# `0 t, L* b! W
解决方法:2 j9 f3 G' A* W! @" V
* u2 A! B r+ Cyum install libxml2 libxml2-devel
8 e8 `' e' i0 y! l l- u1 D9 j5 ?4.执行 /opt/tengine/sbin/nginx -m 时有警告# f' E+ Q \9 i, t
0 V0 v6 o2 U/ e0 CTengine version: Tengine/2.1.0 (nginx/1.6.2)
; j5 `- S C) B% E# W* Hnginx: [warn] ModSecurity: Loaded APR do not match with compiled!4 l1 B t% q# _" N) t, v6 U
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
3 B4 r! Y5 P- e8 Z; d2 Y2 K' ^( `1 K. {; x' m0 C9 e* ]
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
6 @1 R6 Q# O9 [, G; ]1 L2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"& n( I( M" {# S# q$ i
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!/ o& q: Z# C7 E- m, B5 a& q. O5 I
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"$ A' u. F) d0 d" S; n+ N
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
& [7 k; H7 p" y! ?& x) N2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.% e+ C+ B2 g/ r& W+ b( X
解决方法,移除低版本的APR (1.3.9)
% F& x1 O' v. ?6 m' i7 z6 J& `, \# R* W- a% i" A
yum remove apr- o* W0 G1 q) S! s# M
5.Error.log中有: Audit log: Failed to lock global mutex
$ l* E+ O! x+ q% R+ A( P m& |" N/ u: B" U7 D/ p% u3 R$ C
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
2 t; N7 T3 o' h0 G/ E/ Tglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
' D7 i8 V2 L3 j: R8 s$ I9 I解决方法:
$ [* ]5 f" g! d编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:4 y& |) {: Q8 D
0 `; u& i# W. Q! g: M( q* n) k/ mSecAuditLogDirMode 0777
& S0 t7 C5 v. h! _! t7 ySecAuditLogFileMode 0550* g1 p% S4 d! r+ ^7 x" A+ K. [
SecAuditLogStorageDir /var/log/modsecurity
2 h* z& r! j* D, Y' WSecAuditLogType Concurrent+ t$ W( C, V1 J: P' S! @
参考文章:
8 n, a# u% g2 Y$ Thttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
# K6 Z) \0 I3 P$ E& uhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡