|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。% U! q0 K4 S3 a( A% I4 v1 @
& v3 G0 j: { R
一.准备工作( X6 {# s5 U6 i" o2 X0 }
2 L+ s0 @8 a; I# B4 K- d- O" V
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
9 E: N1 j" \7 Q w! A0 E; R* @! F6 e5 L6 F' i3 Y# X
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
, Q/ W* `3 o; _& E/ s# y9 i2 P! f2 \9 h: t' b1 T7 b
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
+ D: i8 y/ p' A5 T5 a- L% V2 V+ |
* f- v8 d7 k5 {7 \* l* GOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
) M) V5 r/ G3 w0 l( e2 Y
7 `3 v x- W: P依赖关系:' |3 y' l+ X' c8 P }
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
7 K9 {( W; _( u$ S+ p8 Z9 S/ y
+ P" R# D1 R! x1 o- J+ Jyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
& c" F( i2 |- R7 |- zmodsecurty依赖的包:pcre httpd-devel libxml2 apr! o9 ~- p& q0 o; [
7 U+ J1 v8 x0 [0 O p l# y
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel- i- X8 a0 e9 j% s5 h& Y
二.启用standalone模块并编译: ^: g( w1 D' _
% U6 I% h: w) m2 ^
下载modsecurity for nginx 解压,进入解压后目录执行:
' x3 ]( s& Q+ U) A6 w0 H. f: ^' b! A
./autogen.sh) K6 D/ U' ^3 P( E
./configure --enable-standalone-module --disable-mlogc) V- C$ V9 H/ @5 x* X. }+ v' @" G
make 4 k. {5 \3 A3 e0 |1 ^3 W0 T$ z
三.nginx添加modsecurity模块# u0 x0 V# J/ s: f# V
+ f* C! ?6 m+ h8 L: a, Z; @+ W1 V
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:9 D8 n* x+ X. H. q
/ {' d) c; i8 {4 L./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine; z* s. _% P1 V+ H) o: C
make && make install
8 c) n+ `7 q% x% E& L0 o四.添加规则
$ X4 ?7 d" N) ^3 \0 y1 X
3 P' p* _/ e- T) A: A7 Cmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
. S1 k6 Z) k. i! P1 l6 Z& N8 v8 V' y, {- ?- N8 S/ W0 A' {
1.下载OWASP规则:
1 r# S" K; `/ I/ H$ |% g* `4 l* E, r1 E+ }9 I% Q# l5 f
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
; G' H/ S) w; m$ `- f- f' f
; k, [+ j8 p Jmv owasp-modsecurity-crs /opt/tengine/conf/( a5 ]; P" s6 x6 b
1 f: |. H* u6 t* i1 z# a* Scd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
1 A* L& y5 |' o8 {8 Q2 q$ R2.启用OWASP规则:
& V; [2 m( J5 u& c& R4 { `9 ?8 [$ W* H; d/ e2 R
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。6 Z9 N0 f% s: ^* z
% X, D) C: t: L8 g; ]9 y& E
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on) Z A3 }7 K2 C) i1 j4 x
`6 l6 `" c* a1 |( T1 o, X! Y2 x: rowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
6 j A- P3 g8 p r5 f' e% G& z% k: K& g" l* B4 l& _$ b
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf/ T. V/ d( `0 {2 K8 S8 u
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf( M9 x; o4 C0 c6 c4 A9 k5 w( H3 f
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
+ E! }. A! d: e7 l* lInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
0 T* E6 a) K% ]; Y2 K! OInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf: ~# _% Q- i& ^$ Z7 m
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
W ^! B7 \ O8 RInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
r( G; J. L9 c/ c五.配置nginx
- v: [) t/ J7 J" ^5 p- y5 Y+ O O5 ~- @0 C' c i6 V. K, e
在需要启用modsecurity的主机的location下面加入下面两行即可:
) i5 F# s" ]" V5 S4 ^- \2 j" B' s4 D( n
ModSecurityEnabled on; / A( Q: R/ H7 m, p$ C2 ]
ModSecurityConfig modsecurity.conf;4 O. J5 J% \# e. I
下面是两个示例配置,php虚拟主机:
! \' A8 ~+ V1 m6 A& d; C ?( ]9 q9 U0 P. S: b- W
server {; ^, J* x% y+ q8 F) \# d7 j% u7 u
listen 80;
" _& ]2 ` b% z' X) n0 u server_name 52os.net www.52os.net;
6 C7 ? x4 C% N0 J* { 9 ?5 {. B# C" x% [3 Q. D
location ~ \.php$ {
( n+ z& m( G' @; O/ Z0 X7 F+ {( U ModSecurityEnabled on;
6 {. j, O: V7 i/ i ModSecurityConfig modsecurity.conf;; o& G6 ?. p9 R. F" H+ {
: Y- p- i* D- ^% U/ l1 C; c k root /web/wordpress;
/ N; J9 k& T1 [- K. P/ R4 P index index.php index.html index.htm;
5 F5 Y( L! r! k" T 6 ]6 p* y8 m K+ T( P
fastcgi_pass 127.0.0.1:9000;" _. W$ t- u" w k* B
fastcgi_index index.php;
' H. _4 p7 Q& y fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;. ]" R1 [1 R% q' Q) H) t/ r
include fastcgi_params;
' v. o% b! V6 l8 a }, o/ v7 y; C* C; ?
}
6 @% I- B1 L" W0 d1 _upstream负载均衡:
/ [* c; p/ Z7 u5 j* V$ a1 y
: t, }( y4 O9 j( Wupstream 52os.net {
, s1 M& s9 ~3 X/ g: `; t server 192.168.1.100:8080;+ j4 Z- ~+ X6 Z( h0 t
server 192.168.1.101:8080 backup;
8 h) L+ k$ v3 ?$ A}3 i \% ? W8 l. W
3 R; b- C+ \, S, |# K2 C0 \, ~
server {8 @& j3 F& P. R+ q
listen 80;
& d0 i7 X5 W# ^/ hserver_name 52os.net www.52os.net;" F$ A B9 H9 f: C; _, \
: O# l* ?5 `* D# n4 T0 ]location / {7 z+ }# m1 z( {1 [2 F
ModSecurityEnabled on;
3 | U a7 t+ q! V* N, b ModSecurityConfig modsecurity.conf;
9 _( T8 a3 W- n7 f2 R) e" y$ R/ V# m
proxy_pass http://online;
- r: c& t, J& d& { proxy_redirect off;: u7 b* N4 m K: c }
proxy_set_header Host $host;
. Y2 N- q: b, d; @ proxy_set_header X-Real-IP $remote_addr;
. W: N0 B. a% Q2 Y7 H+ T5 k proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;1 s; u: R8 y! c+ o$ k/ |) e
}
+ \2 y$ n; z: K$ ~: ^6 N}+ |- [$ a+ k- _$ N
六.测试
# e: X: h1 D+ ^/ _! d
2 d# c7 L" A( u我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
+ w7 E5 r0 m( A* r) k2 B5 [/ k$ L9 {; n* s4 c. s' V$ J
<?php
7 M7 v1 i7 L/ e; j' [2 H; h. G phpinfo(); / P, L4 [. q3 } K0 Z8 p9 V8 M
?>
5 l) Y: q' U ^2 Z4 v' L在浏览器中访问:
) J; }; T. Q; D- r4 `! S
& h/ s$ }* z N4 r* _3 Xhttp://www.52os.net/phpinfo.php?id=1 正常显示。: J% d- D# c6 R3 H
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。6 |. }0 p: C- p; J0 ]) X3 O
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。% E: Q4 S3 A' z. m; }
说明sql注入和xss已经被过滤了
9 ^" {" Y! S$ h0 S, H. V
5 I1 L, a3 t$ w& c7 X七、安装过程中排错
. n" v- w0 M( c' L: Y
S/ N% b& b# L, I# X1.缺少APXS会报错
; `) t* d* H7 S6 G; b' F! I( p I/ A4 J9 a# ^: t6 d+ U3 [
configure: looking for Apache module support via DSO through APXS
: K3 I9 H8 d$ ]) o- X: Econfigure: error: couldn't find APXS' ~% K; L% Z- d( R5 r! U0 I) U
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。5 h4 L- M) b h, h5 |2 Z: `2 n
解决方法:
1 |6 {+ R9 a B; s" t7 U* F( P$ S1 p" U5 U1 u! ]% i# a
yum install httpd-devel
# m: y( k. }1 l* m# L+ w6 i2.没有pcre
& ?( q( Q6 C) j( d3 x# k& Y( h2 G) O2 G6 ~5 E1 y- u! v
configure: *** pcre library not found." e% U; Q0 i/ _% D
configure: error: pcre library is required- f/ V' `% {) h8 `4 c, [
解决方法:
8 w/ ^- y+ j V1 s& I! U% Q3 t P! L: D F( M, ~' e% a
yum install pcre pcre-devel( S5 \7 D; S: f
3.没有libxml23 P* Q% `0 j2 T: o" G: |1 ]
/ i; a3 t2 c) O$ l' F* o5 f$ l d6 \1 D. q* _9 }
configure: *** xml library not found.$ a1 U5 z1 e% o& C3 I
configure: error: libxml2 is required- t- T' D+ K% z( Y. D6 X8 l/ f c
解决方法:
+ u2 f- i- V0 R/ ^* l4 b
3 r( V; X0 f% M4 p- Eyum install libxml2 libxml2-devel$ c4 _6 g) X3 Y1 l
4.执行 /opt/tengine/sbin/nginx -m 时有警告+ N! g W* l4 \! `8 f7 O( _
% N! a( o; Q; K; e* ?, rTengine version: Tengine/2.1.0 (nginx/1.6.2)
8 j9 n! X% L& x' G) ^( Jnginx: [warn] ModSecurity: Loaded APR do not match with compiled!( A$ `; @& ^- m( A4 g( j% _3 H
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
% @. N; L% W9 \6 ?& Y$ K( `# K8 [
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.; e2 u. v5 _% ^6 V- e
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
0 h0 K9 b( y5 x4 W/ t2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
5 k8 W, l! Z# B1 Q6 p2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"* Z6 N6 [8 O- s
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
: w$ n$ a" @6 W* x" l2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.5 g& |& N. K7 B3 u8 t
解决方法,移除低版本的APR (1.3.9)9 ^$ `- `# A" I$ M' s
% l' b* T @% W9 ^4 i
yum remove apr! W9 m' ?- I# M5 n J
5.Error.log中有: Audit log: Failed to lock global mutex
+ k0 @) w8 i$ {+ v2 L4 D, U) x/ j9 T& V4 z# h/ z
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
3 O) d% I: f" V0 Gglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
! Y2 _; d! S! U* k解决方法: A) N/ Z o0 h# }8 X
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
) K: C/ G# A6 i5 _/ y" j* i: }7 V% y2 n1 m3 \( D
SecAuditLogDirMode 0777
8 ~0 Q# n' b+ I- lSecAuditLogFileMode 0550
" u8 [9 R0 `. `8 i/ \) ZSecAuditLogStorageDir /var/log/modsecurity0 h7 H6 }. d- u2 k- W+ A
SecAuditLogType Concurrent
7 V5 W/ a1 |7 P8 X. w8 U参考文章: z$ x( s A7 A- |# c6 X/ |5 A
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX1 b( G; g3 N9 G% P) u3 ^ h5 L3 a# {
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡