Building a WAF with nginx and ModSecurity

Posted 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache httpd and is an effective way to harden a web front end; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be turned into a production-grade WAF, and it is a strong tool for both protecting and auditing web traffic.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 base repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), apr/apr-util and libxml2:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

Both builds also need a compiler toolchain (gcc and make), and ModSecurity's autogen.sh needs autoconf, automake and libtool; all of these come from the same repositories.
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build has finished, pass the module to nginx's configure with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Afterwards /opt/tengine/sbin/nginx -m (Tengine lists its compiled-in modules) should show the ModSecurity module; see section VII for the warning it may print.
IV. Add rules

ModSecurity is about filtering and blocking web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write your own rules for needs they do not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

The file names below follow the CRS 2.2.x layout. The master branch of that repository is now CRS 3.x, which ships crs-setup.conf.example and a single rules/ directory instead; check out the 2.2.x release branch if you want to follow these steps exactly.

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches without blocking; leaving it there while you tune the rules against real traffic, and switching to On once the false positives are handled, avoids blocking legitimate users on day one.

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding Include lines to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines inside the location block of every host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

modsecurity.conf lives in nginx's conf directory and the CRS Include paths above are relative to it. Run /opt/tengine/sbin/nginx -t after every change so configuration errors are caught before the reload.

Two example configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

nginx variable names are case-sensitive: it is $document_root, and a misspelling such as $Document_root is rejected as an unknown variable by nginx -t.

Upstream load balancing:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

The name in proxy_pass must match the upstream block. Because ModSecurity runs in the nginx front end, the back-end servers only ever see requests that have already passed the rules.
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with a 403 straight away. Using the PHP host as an example, create phpinfo.php with the following content:

<?php
    phpinfo();
?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1                                      displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1                              returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>     returns 403.

This shows that SQL injection and XSS are being filtered. Every block also leaves a line in nginx's error.log (and in the audit log, if enabled) naming the rule id, the matched data and the request's unique_id; check it to confirm which rule fired rather than relying on the 403 alone. Remove phpinfo.php once you are done, since it discloses configuration details to anyone who can reach it.
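As an added example (this is not code from the original post), the following POSIX shell script automates the check in this section and goes one step further than the post: it also reads what ModSecurity wrote to error.log, so you learn which rule produced each 403 and which rules fire most often. WAF_TARGET and WAF_LOG are assumed environment variables with defaults taken from this post, and SAMPLE_LOG is a constructed set of log lines in the ModSecurity 2.x error-log format quoted in section VII; the rule ids and messages in it are illustrative, modelled on CRS 2.2.

```shell
#!/bin/sh
# waf_check.sh: verify the nginx+ModSecurity setup from the post.
# Added example, not part of the original post.
#   probe  send the three requests from section VI and check the status
#          codes (needs the running host; WAF_TARGET is assumed)
#   log    summarise ModSecurity lines from nginx's error.log (WAF_LOG assumed)
#   demo   run the summaries over SAMPLE_LOG, constructed below

TARGET="${WAF_TARGET:-http://www.52os.net}"
LOG="${WAF_LOG:-/opt/tengine/logs/error.log}"

# probe PATH 'name=value' EXPECTED_STATUS
# curl -G turns the parameter into a percent-encoded query string, which is
# what a browser does with the URLs in section VI; sending the raw spaces
# and angle brackets would get a 400 from nginx before ModSecurity ran.
probe() {
    path=$1; param=$2; want=$3
    code=$(curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode "$param" "$TARGET$path")
    if [ "$code" = "$want" ]; then verdict=PASS; else verdict=FAIL; fi
    printf '%s %s (expected %s) %s?%s\n' "$verdict" "$code" "$want" "$path" "$param"
    [ "$verdict" = PASS ]
}

# summarize_denials: stdin = error.log; stdout = "client rule_id uri msg",
# one line per blocked request. ModSecurity 2.x writes the fields in the
# order client, id, msg, uri, so a single sed expression extracts them.
summarize_denials() {
    grep 'ModSecurity: Access denied' |
    sed -n 's/.*\[client \([^]]*\)\].*\[id "\([^"]*\)"\].*\[msg "\([^"]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \2 \4 \3/p'
}

# count_by_rule: stdin = error.log; stdout = "count rule_id msg", most
# frequent first. Includes warnings, which is what SecRuleEngine
# DetectionOnly logs, so it works for tuning before you switch to On.
count_by_rule() {
    sed -n 's/.*ModSecurity: .*\[id "\([^"]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' |
    sort | uniq -c | sort -rn
}

# Constructed sample: two denials and one warning, in the format of the
# error.log excerpts quoted in section VII. Not taken from a real host.
SAMPLE_LOG='2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 04:20:09 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "21"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "<script>"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2015/01/26 04:20:15 [notice] 61610#0: [client 10.11.15.162] ModSecurity: Warning. Pattern match "..." at REQUEST_HEADERS:User-Agent. [id "990002"] [msg "Request Indicates a Security Scanner Scanned the Site"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]'

case "${1:-demo}" in
    probe)
        probe /phpinfo.php 'id=1' 200
        probe /phpinfo.php 'id=1 and 1=1' 403
        probe /phpinfo.php "search=<script>alert('xss');</script>" 403
        ;;
    log)
        summarize_denials < "$LOG"
        echo
        count_by_rule < "$LOG"
        ;;
    demo)
        printf '%s\n' "$SAMPLE_LOG" | summarize_denials
        echo
        printf '%s\n' "$SAMPLE_LOG" | count_by_rule
        ;;
esac
```

Run it as sh waf_check.sh probe against the host once the rules are on, then sh waf_check.sh log to see which rule ids caused the 403s; the count_by_rule output is the list you work through when deciding which rules need exceptions before switching SecRuleEngine from DetectionOnly to On.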
VII. Troubleshooting the installation

1. configure fails because APXS is missing:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script needs it even for the standalone build.

Fix:

yum install httpd-devel

2. pcre not found:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not found:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that the 1.5.0 build is the one that gets loaded:

yum remove apr

Be aware that yum remove apr also removes every package that depends on apr (httpd-devel among them), so read the dependency list yum prints before confirming. Whichever way you resolve it, the goal is that ldd /opt/tengine/sbin/nginx resolves libapr to the same version the module was compiled against.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
The serial audit log is protected by a global lock that the unprivileged nginx worker processes cannot acquire. Switch to concurrent logging, which writes one file per transaction and does not need that lock: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The directory named in SecAuditLogStorageDir must exist and be writable by the user the worker processes run as. Mode 0777 achieves that, but it also lets every local user read and delete audit records, which can contain full request and response bodies; owning the directory by the worker user with a SecAuditLogDirMode of 0750, and keeping the default SecAuditLogFileMode of 0600, gives the workers what they need without exposing the logs.
5 @* B/ t- E) S% y7 M5 R3 l参考文章:  G2 z- m$ n0 x" G+ P9 Y1 Q
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX/ F) {/ `$ r9 ]' ~( j/ l- w  W
http://drops.wooyun.org/tips/2614