ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS; combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build is done, the module can be added to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web attacks, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write your own rules to cover whatever you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need by Including the corresponding files in modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of each host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so malformed requests are answered with a 403 directly. Taking the PHP environment as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
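As an added check that is not part of the original article, the following Python script automates the three browser requests above and reports whether each one got the expected status, so the WAF can be re-verified after every rule or config change. The host and path default to the article's example (www.52os.net, /phpinfo.php) and are assumptions; point them at your own deployment. The `fetch` parameter only exists so the logic can be exercised without network access.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net"   # assumption: the article's example host
PATH = "/phpinfo.php"              # assumption: the test page created above

# The article's three probes: a benign request must pass, while the SQL
# injection and XSS probes must be blocked by the CRS rules (HTTP 403).
PROBES = [
    ("benign", {"id": "1"}, 200),
    ("sqli",   {"id": "1 and 1=1"}, 403),
    ("xss",    {"search": "<script>alert('xss');</script>"}, 403),
]


def fetch_status(url):
    """HTTP status of a GET to url; urllib raises HTTPError for 4xx/5xx,
    so the code is taken from the exception in that case."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def run_probes(base_url=BASE_URL, path=PATH, fetch=fetch_status):
    """Send every probe and return (name, url, expected, actual, ok) tuples."""
    results = []
    for name, params, expected in PROBES:
        url = base_url + path + "?" + urllib.parse.urlencode(params)
        actual = fetch(url)
        results.append((name, url, expected, actual, actual == expected))
    return results


def waf_effective(results):
    """True only if every probe, benign and malicious, behaved as expected:
    a WAF that blocks everything fails this just like one that blocks nothing."""
    return all(ok for (_, _, _, _, ok) in results)


if __name__ == "__main__":
    # usage: python3 waf_smoke.py [http://your-host]
    results = run_probes(sys.argv[1] if len(sys.argv) > 1 else BASE_URL)
    for name, url, expected, actual, ok in results:
        print(f"{'PASS' if ok else 'FAIL'} {name:6} expected {expected} got {actual}  {url}")
    sys.exit(0 if waf_effective(results) else 1)
```

The exit status makes the script usable as a deployment gate: a non-zero exit means either a rule stopped matching or the benign request started being blocked, and both deserve a look before the change goes live.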
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log will also contain the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr
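Added example, not from the article: a small Python parser for the error.log lines above that extracts each library's compiled and loaded version and reports mismatches, so the APR problem is caught from the log before nginx is put into service. The sample log is the excerpt above; treating the compiled string as a prefix of the loaded one (so PCRE's build-date suffix does not count as a mismatch) is my own heuristic, not ModSecurity's exact check.

```python
import re

# Constructed sample: the error.log excerpt shown in the article for issue 4.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
"""

# Matches 'ModSecurity: <LIB> compiled version="..."' with an optional
# '; loaded version="..."' part (LIBXML only reports the compiled version).
VERSION_LINE = re.compile(
    r'ModSecurity: (?P<lib>[A-Z]+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)


def parse_library_versions(log_text):
    """Map library name -> (compiled, loaded); loaded is None when the line
    only reports the compiled version. Surrounding whitespace is stripped
    because ModSecurity prints PCRE's compiled version as "7.8 "."""
    versions = {}
    for line in log_text.splitlines():
        match = VERSION_LINE.search(line)
        if not match:
            continue
        loaded = match.group("loaded")
        versions[match.group("lib")] = (
            match.group("compiled").strip(),
            loaded.strip() if loaded is not None else None,
        )
    return versions


def find_mismatches(versions):
    """Libraries whose loaded version does not start with the compiled one.
    Prefix comparison is a heuristic: '7.8 2008-09-05' matches a compiled
    '7.8', while '1.3.9' does not match a compiled '1.5.0'."""
    bad = []
    for lib, (compiled, loaded) in sorted(versions.items()):
        if loaded is not None and not loaded.startswith(compiled):
            bad.append((lib, compiled, loaded))
    return bad


def check_log(log_text=SAMPLE_LOG):
    """Convenience wrapper: list of (lib, compiled, loaded) mismatches."""
    return find_mismatches(parse_library_versions(log_text))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for lib, compiled, loaded in check_log(text):
        print(f"{lib}: compiled against {compiled} but {loaded} is loaded")
```

Run it against the real error.log (`python3 check_versions.py /opt/tengine/logs/error.log`); an empty result after `yum remove apr` and a restart confirms the fix took effect.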
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
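The fix above makes the audit storage directory world-writable (0777). A tighter option is to have the directory owned by the nginx worker user with mode 0750 (and SecAuditLogDirMode 0750 in modsecurity.conf), since the "Permission denied" only requires that the worker can write there. The Python helper below, added here and not part of the article, creates such a directory and classifies an existing one as ok, not-writable or world-writable from the worker's point of view; the worker user name "nginx" and the path /var/log/modsecurity are assumptions taken from the article's configuration.

```python
import os
import pwd
import shutil
import stat
import sys
import tempfile


def prepare_audit_dir(path, uid, gid, mode=0o750):
    """Create the SecAuditLogStorageDir, hand it to the worker user/group
    and set an explicit mode (os.makedirs alone is subject to the umask)."""
    os.makedirs(path, exist_ok=True)
    os.chown(path, uid, gid)
    os.chmod(path, mode)
    return path


def audit_dir_status(path, uid, gid):
    """Classify a storage directory for a worker running as uid/gid:
    'missing', 'not-a-directory', 'world-writable', 'not-writable' or 'ok'.
    Only permission bits are inspected, so the result is the same whether
    the check itself runs as root or as an unprivileged user."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISDIR(st.st_mode):
        return "not-a-directory"
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_uid == uid:
        writable = bool(mode & stat.S_IWUSR)
    elif st.st_gid == gid:
        writable = bool(mode & stat.S_IWGRP)
    else:
        writable = False          # neither owner nor group, and not o+w
    return "ok" if writable else "not-writable"


def demo():
    """Exercise the check on scratch directories owned by the current user
    (constructed sample); returns {"good": ..., "wide": ..., "ro": ...}."""
    uid, gid = os.getuid(), os.getgid()
    base = tempfile.mkdtemp(prefix="modsec-audit-")
    try:
        good = prepare_audit_dir(os.path.join(base, "good"), uid, gid, 0o750)
        wide = prepare_audit_dir(os.path.join(base, "wide"), uid, gid, 0o777)
        ro = prepare_audit_dir(os.path.join(base, "ro"), uid, gid, 0o550)
        return {
            "good": audit_dir_status(good, uid, gid),
            "wide": audit_dir_status(wide, uid, gid),
            "ro": audit_dir_status(ro, uid, gid),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    # usage: python3 audit_dir.py [worker-user] [storage-dir]
    # Assumptions: the worker runs as "nginx" and the directory is the one
    # from the article; both can be overridden on the command line.
    user = sys.argv[1] if len(sys.argv) > 1 else "nginx"
    path = sys.argv[2] if len(sys.argv) > 2 else "/var/log/modsecurity"
    pw = pwd.getpwnam(user)
    print(path, audit_dir_status(path, pw.pw_uid, pw.pw_gid))
```

Run it as root after creating the directory and before reloading nginx; anything other than "ok" explains the mutex error without loosening the directory to everyone.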
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614