nginx with ModSecurity as a WAF

Posted on 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache that noticeably hardens a web server; it now supports nginx and IIS as well. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF and is a strong tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity's job is to filter and block dangerous web requests, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can of course write your own rules for any other need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add these two lines under the location of every host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root  /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Second, load balancing through an upstream:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # proxy_pass must name the upstream group defined above
        proxy_pass http://52os.net;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
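As an added example (not code from the original post or from the ModSecurity project), the following Python script reads an nginx config and lists every location block in which ModSecurity is not in effect, and every proxy_pass target that names no defined upstream group, the kind of mismatch that can creep into configs like the ones above. It assumes the directive names ModSecurityEnabled and ModSecurityConfig used in this post, that a ModSecurityEnabled setting in an enclosing server or http block is inherited by nested locations unless overridden (an assumption to verify against your build), and it works on a constructed sample config rather than the author's live one. Include files are not followed.

```python
"""Check which nginx locations are covered by ModSecurity.

Added example for this post; not code from the original author or from the
ModSecurity project. SAMPLE_CONF is a constructed config that mirrors the
post's layout. Inheritance of ModSecurityEnabled from enclosing blocks is an
assumption to confirm against the module build in use.
"""
import re

# comments, quoted strings, structural characters, and bare words
TOKEN_RE = re.compile(r"""#[^\n]*|"[^"]*"|'[^']*'|[{};]|[^\s{};"']+""")

SAMPLE_CONF = """
# constructed sample: one protected location, one unprotected, one switched off
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}
server {
    listen 80;
    server_name 52os.net www.52os.net;
    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        proxy_pass http://online;
    }
    location /static/ {
        root /web/static;
    }
    location ~ \\.php$ {
        ModSecurityEnabled off;
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""


def parse_nginx(text):
    """Parse config text into a list of (name, args, children) tuples.

    children is None for a simple directive and a list for a block.
    """
    tokens = [t for t in TOKEN_RE.findall(text) if not t.startswith('#')]
    pos = 0

    def parse_block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != '}':
            words = []
            while pos < len(tokens) and tokens[pos] not in (';', '{'):
                words.append(tokens[pos].strip('"\''))
                pos += 1
            if pos >= len(tokens):
                raise ValueError('unterminated directive: %r' % words)
            terminator = tokens[pos]
            pos += 1
            if not words:
                continue
            if terminator == ';':
                items.append((words[0], words[1:], None))
            else:
                children = parse_block()
                if pos >= len(tokens):
                    raise ValueError('missing closing brace for %r' % words)
                pos += 1  # consume the '}'
                items.append((words[0], words[1:], children))
        return items

    return parse_block()


def waf_coverage(items, inherited=False, path=()):
    """Return [(block_path, effective_enabled)] for every location block."""
    effective = inherited
    for name, args, _ in items:
        if name == 'ModSecurityEnabled' and args:
            effective = args[0].lower() == 'on'
    results = []
    for name, args, children in items:
        if children is None:
            continue
        label = path + (' '.join([name] + args),)
        nested = waf_coverage(children, effective, label)
        if name == 'location':
            loc_on = effective
            for n, a, _ in children:  # a setting inside the location wins
                if n == 'ModSecurityEnabled' and a:
                    loc_on = a[0].lower() == 'on'
            results.append((' > '.join(label), loc_on))
        results.extend(nested)
    return results


def unprotected_locations(text):
    """Paths of location blocks where ModSecurity is not effectively on."""
    return [p for p, on in waf_coverage(parse_nginx(text)) if not on]


def proxy_pass_without_upstream(items):
    """proxy_pass host names (not IPs or variables) with no upstream block."""
    upstreams, targets = set(), set()

    def walk(block):
        for name, args, children in block:
            if name == 'upstream' and args:
                upstreams.add(args[0])
            elif name == 'proxy_pass' and args:
                m = re.match(r'https?://([^/:$]+)', args[0])
                if m and not re.match(r'^[\d.]+$', m.group(1)):
                    targets.add(m.group(1))
            if children:
                walk(children)

    walk(items)
    return sorted(targets - upstreams)


if __name__ == '__main__':
    for path in unprotected_locations(SAMPLE_CONF):
        print('WAF not in effect:', path)
    for host in proxy_pass_without_upstream(parse_nginx(SAMPLE_CONF)):
        print('proxy_pass target with no upstream block:', host)
```

A proxy_pass to a plain host name is legitimate when it really is meant to go through DNS, so the second check is a review list rather than a hard error; the first check is the one worth running after every config change, since a location without the two directives is simply not filtered.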
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered with a 403 directly. Taking the PHP environment as the example, create phpinfo.php with the content:

<?php
    phpinfo();
?>

Open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
7 F  X! N2 `# M+ i/ W- D& J* X" l/ D9 p: C& T% w5 L$ @# o* t
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre not present

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not present

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log then shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
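As an added example (not from the original post or from ModSecurity), here is a Python parser for the ModSecurity lines nginx writes to error.log, in the format quoted in items 4 and 5 above. It pulls out the bracketed fields (client, uri, unique_id and so on) so recurring errors can be counted per client and URI, and it compares the "compiled" and "loaded" library versions ModSecurity logs at startup, which is exactly the condition behind the "Loaded APR do not match" warning. The log lines embedded in the script are constructed to mirror the ones quoted in this post; no field names beyond those are assumed.

```python
"""Parse the ModSecurity lines that nginx writes to error.log.

Added example for this post; not code from the original author or from the
ModSecurity project. SAMPLE_LOG is constructed to mirror the lines quoted in
the post (one extra audit-log line with a varied unique_id is made up).
"""
import re
from collections import Counter

# nginx error.log prefix, optional "[client x.x.x.x]", then the ModSecurity text
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<msg>.*)$'
)
# bracketed key/value fields such as [uri "/i.php"] [unique_id "..."]
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# startup lines such as: APR compiled version="1.5.0"; loaded version="1.3.9"
VERSION_RE = re.compile(
    r'(?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded\s+version="(?P<loaded>[^"]*)")?'
)

SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:15:43 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
"""


def parse_line(line):
    """Return a dict (ts, level, pid, client, msg, text, fields) or None.

    text is the message before the first bracketed field; fields maps the
    bracketed keys to their quoted values.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['fields'] = dict(FIELD_RE.findall(rec['msg']))
    rec['text'] = FIELD_RE.split(rec['msg'])[0].strip()
    return rec


def version_mismatches(lines):
    """Map library name -> (compiled, loaded) wherever the two differ.

    PCRE appends a build date to the loaded string ("7.8 2008-09-05"), so
    only the leading version token is compared.
    """
    out = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        vm = VERSION_RE.search(rec['msg'])
        if vm is None or vm.group('loaded') is None:
            continue
        compiled, loaded = vm.group('compiled').strip(), vm.group('loaded').strip()
        if (compiled.split() or [''])[0] != (loaded.split() or [''])[0]:
            out[vm.group('lib')] = (compiled, loaded)
    return out


def error_summary(lines):
    """Count [error]-level ModSecurity messages per (client, uri, message)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec['level'] == 'error':
            counts[(rec['client'], rec['fields'].get('uri'), rec['text'])] += 1
    return counts


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    for lib, (comp, load) in version_mismatches(lines).items():
        print('%s: compiled against %s but loaded %s' % (lib, comp, load))
    for (client, uri, text), n in error_summary(lines).most_common():
        print('%4d  %s  %s  %s' % (n, client, uri, text))
```

Running the version check right after a build, and the error summary over a day of error.log, catches both problems from items 4 and 5 before they show up as silently unwritten audit logs.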
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614