Using nginx with ModSecurity as a WAF

Posted 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build has finished, the ModSecurity module can be added when nginx is configured, using "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web attacks, and its strength lies in its rules. The rule set provided by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); the rules are reliable and powerful, and you can of course also write custom rules for any requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need, by pulling the corresponding files in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        # Run ModSecurity for PHP requests only
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root  /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Upstream load balancing:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # proxy_pass must name the upstream block defined above
        proxy_pass http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered with 403 directly. Taking a PHP environment as the example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This confirms that SQL injection and XSS payloads are being filtered.
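As an added example (not code from the original post), the three browser checks above as a repeatable smoke test: the benign request must be served with 200 and the two probe requests must be rejected with 403 by the CRS 41 rule files included in section IV. The host www.52os.net and the path /phpinfo.php are taken from the post and assumed reachable from where the script runs; the injectable fetch parameter is my addition so the verdict table can be checked against a stub without a live server.

```python
"""Smoke-test an nginx + ModSecurity deployment.

Added example, not code from the original post. It replays the three
requests used in the post's test section and checks the WAF verdicts:
the benign request must be served (200), the two probes must be
rejected (403). BASE_URL is the post's test host; adjust as needed.
"""
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net/phpinfo.php"  # from the post; assumed reachable

# (query parameters, expected status) for the three requests in the post.
CASES = [
    ({"id": "1"}, 200),                                   # benign request
    ({"id": "1 and 1=1"}, 403),                           # SQLi probe, CRS 41 rules
    ({"search": "<script>alert('xss');</script>"}, 403),  # XSS probe, CRS 41 rules
]


def build_url(base, params):
    """Append URL-encoded query parameters to the base URL."""
    return base + "?" + urllib.parse.urlencode(params)


def fetch_status(url, timeout=5):
    """GET the URL and return the HTTP status, treating 4xx/5xx as a result
    rather than an exception (a 403 from the WAF is what we want to see)."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def evaluate(results):
    """results: iterable of (url, expected, actual). Return failure messages;
    an empty list means the WAF behaved as the post describes."""
    return [f"{url}: expected {expected}, got {actual}"
            for url, expected, actual in results if actual != expected]


def run(base_url=BASE_URL, fetch=fetch_status):
    """Run every case through `fetch` (injectable, so the checks can be
    exercised offline against a stub)."""
    results = []
    for params, expected in CASES:
        url = build_url(base_url, params)
        results.append((url, expected, fetch(url)))
    return evaluate(results)


if __name__ == "__main__":
    failures = run()
    print("WAF OK" if not failures else "\n".join(failures))
```

Run it after every rule or configuration change: an empty failure list means the filters described in this section are still in force, and a non-empty one tells you which request was served or blocked unexpectedly.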
VII. Troubleshooting the installation

1. Missing APXS produces an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log will also contain:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
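As an added example (not code from the original post or from the ModSecurity project), a small parser for the ModSecurity messages nginx writes to error.log, covering items 4 and 5 above: it compares the compiled and loaded library versions from the startup notices, so an APR mismatch like the one in item 4 is caught without reading the log by eye, and it pulls client, uri and unique_id out of the bracketed fields of the audit-lock error in item 5. The sample lines are the ones quoted in those two items; the regular expressions and the Entry type are my own.

```python
"""Parse ModSecurity messages out of nginx's error.log.

Added example, not code from the original post. It takes the startup
notices and the audit-lock error shown in items 4 and 5 of the
troubleshooting section and turns them into two checks an operator can
script: which library versions differ between compile time and run time,
and which requests hit an audit-log lock failure.
"""
import re
from dataclasses import dataclass, field

# nginx error.log prefix: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): (?P<msg>.*)$"
)
# ModSecurity version notices; the "loaded" half is absent for LIBXML.
VERSION_RE = re.compile(
    r'(?P<lib>APR|PCRE|LIBXML) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded\s+version="(?P<loaded>[^"]*)")?'
)
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')  # [uri "/i.php"]
CLIENT_RE = re.compile(r"\[client (?P<ip>[^\]]+)\]")         # [client 10.11.15.161]

# Sample lines copied from the post's troubleshooting section (items 4 and 5).
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""


@dataclass
class Entry:
    timestamp: str
    level: str
    pid: int
    message: str
    fields: dict = field(default_factory=dict)  # client, hostname, uri, unique_id, ...


def parse_line(line):
    """Return an Entry for one error.log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m["ts"], m["level"], int(m["pid"]), m["msg"])
    client = CLIENT_RE.search(m["msg"])
    if client:
        entry.fields["client"] = client["ip"]
    for f in FIELD_RE.finditer(m["msg"]):
        entry.fields[f["key"]] = f["val"]
    return entry


def parse_log(text):
    """Parse a whole log, skipping lines that do not match the nginx format."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def library_mismatches(entries):
    """{lib: (compiled, loaded)} for libraries whose run-time version differs
    from the compile-time one. Only the leading version token is compared, so
    PCRE '7.8 ' vs '7.8 2008-09-05' counts as a match, consistent with
    ModSecurity printing no warning after that notice."""
    found = {}
    for e in entries:
        m = VERSION_RE.search(e.message)
        if not m or m["loaded"] is None:
            continue
        compiled = (m["compiled"].split() or [""])[0]
        loaded = (m["loaded"].split() or [""])[0]
        if compiled != loaded:
            found[m["lib"]] = (compiled, loaded)
    return found


def audit_lock_failures(entries):
    """Entries for the 'Failed to lock global mutex' audit-log error."""
    return [e for e in entries
            if e.level == "error" and "Audit log: Failed to lock" in e.message]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for lib, (compiled, loaded) in library_mismatches(entries).items():
        print(f"{lib}: compiled {compiled}, loaded {loaded} -> align the package")
    for e in audit_lock_failures(entries):
        print(f"{e.timestamp} audit lock failure from {e.fields.get('client')} "
              f"on {e.fields.get('uri')} (id {e.fields.get('unique_id')})")
```

Pointing parse_log at the real error.log (for example the file under /opt/tengine/logs) gives the same two checks on a live deployment; an empty mismatch dictionary and an empty lock-failure list mean items 4 and 5 are resolved.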
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614