|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。$ ]& H0 Q1 w3 G$ e
v; c7 s' ^& G) i9 z9 o& s$ e8 k一.准备工作- `& X; F: j. X! p- v" m
; }8 ?0 J0 b ^3 _7 {系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
# z0 } Y6 ]( A: M. t- K' X U8 X8 h4 }* v4 O
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
$ D: t: |. a' H% l' l
) A" Z) G- y+ ~% f# imodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz+ n: U! p9 w# w% r, Q
, W8 P* J* N: C0 v! f# T' c8 p
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
, y" a$ c/ K4 Y' M# k: v# S- {7 G* W4 T) p- e% c
依赖关系:
. y9 B( ~6 G/ u3 I% Qtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
" \' M# G! i# s4 T L7 @0 K( p- B
: k& {& n+ x0 s7 Gyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel) `9 d) N& f- c
modsecurty依赖的包:pcre httpd-devel libxml2 apr- P- K I& f% Y' C6 l6 q8 Q3 i d, v
9 s! F# C/ W9 ]+ }' }# P% I
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
0 w" }) ^0 P: l& ]二.启用standalone模块并编译
" J8 K+ ^* A. G! a; E
# A5 `$ z1 w1 g ^0 [8 ^9 J# Q下载modsecurity for nginx 解压,进入解压后目录执行:
' O' ]- x! c5 v* h g8 z, Y2 ^" m0 Y) x" {
./autogen.sh9 [3 O- \& Z9 j/ L" D
./configure --enable-standalone-module --disable-mlogc) B) L8 ?! s2 h
make 1 d; I9 V+ ?' T; u& f
三.nginx添加modsecurity模块
# q& p$ ? m* N8 q+ W
V3 g* g( [+ A: k在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:3 x% R3 s% U' Y2 o9 _* ?
. W2 `4 \9 N" p2 Q' m' o
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
" h8 }: q' k/ e% Q$ {! _make && make install
6 ^% M/ F3 Z: M, c* C6 h四.添加规则: V& u' d5 g- [! J6 b1 k; b/ b4 Y
" w$ u8 a0 H+ z: {3 `" pmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。& M; F1 e( E- |
' h; v9 H/ m+ S5 j
1.下载OWASP规则:
3 ?# {1 W! Q) d
, y) p/ C. N+ L6 |git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
3 i& \& |$ [$ E/ C3 v
) r r# H+ F5 xmv owasp-modsecurity-crs /opt/tengine/conf/- V: Z+ F$ [ F5 u0 [, n# Z
5 _# u( D9 h9 h b& w
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf$ p7 I: H! ~' q3 p: i% Z
2.启用OWASP规则:
/ f1 A/ o, S" r. N) G5 r |& h, ^0 N" e# T5 l% @; g
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。$ N9 @. c3 l/ a# B' X" f8 @
6 q: e5 J1 d& p- B. L L9 }+ U
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on; o/ r- O% |* @% w6 n5 t7 q
3 r4 G+ V0 b3 T3 e O' w' Sowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。( M* I0 K1 P7 }7 l# h
- o8 a2 B1 T$ eInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
% d. K; E. {+ oInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
, V1 u% N \2 L3 f- y' \$ jInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
' [( E9 }" q0 ]* n. }) v: A; A0 J# OInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
) M9 ^( A3 r, nInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
5 v3 F# `, w- E8 B c0 `6 EInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf6 E+ @ G0 b: I8 i; A4 F
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
p- s, i1 y4 M- M. [五.配置nginx- m9 j8 I& I& T: o2 w0 ?3 l8 I9 W2 v' t
0 R$ W% Y7 G( V. I2 y+ ^- T. R- A
在需要启用modsecurity的主机的location下面加入下面两行即可:
& O, ?0 c' Z, y4 e4 x, s
8 t; _! [4 }9 w3 U* f: V- mModSecurityEnabled on;
7 {$ b& ?* }, Z8 F. dModSecurityConfig modsecurity.conf;
; \6 F+ L3 l" j" m: D9 U下面是两个示例配置,php虚拟主机: p a# ?1 i% U7 o* i+ A
( \, m/ T! B/ m6 Hserver {
& D; S `9 z; p+ o* \9 L$ ~6 v3 o listen 80;4 o! j0 k( z) t. A* B" {# U& G
server_name 52os.net www.52os.net;
5 l3 a# q; v: a/ o1 y ' U G+ F% D1 L2 K% \* i0 Y; C- ~; z
location ~ \.php$ {
3 G2 w; a1 V& \* h `5 `+ k ModSecurityEnabled on;
' `) w4 }# V E, O4 n ModSecurityConfig modsecurity.conf;
/ G1 m* Z: E% s
' K- d8 _8 k% W5 m- U root /web/wordpress;- n2 e9 e% O4 C
index index.php index.html index.htm;% o( k, G4 K8 ]! R5 o/ e, H) J
( z9 M! a" C& b& k- C, f) R: D# I fastcgi_pass 127.0.0.1:9000;
" ~! r4 r0 |2 r6 e* f fastcgi_index index.php;
& O* o1 G4 K; r' i1 z. q fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
) }" L; P2 d+ W1 Z0 V/ N# b+ S9 I! B" |1 w include fastcgi_params;9 N) |( n( U5 ^( d& i- P
}
8 f" ?5 E: r- `! k7 W( Z }1 Q! e$ _! @: W3 H$ s! W( p# R
upstream负载均衡:
. N0 ^. e+ I/ y3 x) y( `
8 `; h/ Z: `4 ]upstream 52os.net {, d. u# R" k, d# N$ a! q( S
server 192.168.1.100:8080;2 O0 m9 o% @; A5 \1 v2 Q) M/ K
server 192.168.1.101:8080 backup;
( E3 y) C* E/ z& V}9 B( N7 f/ X+ ?4 c' D1 {" S
, h8 @2 b+ i: \% a2 wserver {& d0 [& K4 k5 H
listen 80;
; Y# P$ \% ], W2 B0 n) n' }$ ^server_name 52os.net www.52os.net;
6 N+ d1 c- x1 B6 n M; e
8 J: J4 p9 ~2 f4 G, l5 W- zlocation / {6 ?1 j# d. V0 M# |0 K8 [! A
ModSecurityEnabled on;
8 k' P1 `' L# N* Z/ O; d" Q; S ModSecurityConfig modsecurity.conf; ) a5 Q4 i6 B% M/ x/ y" ~: y- K
A$ c9 m* m4 V/ r1 ]& d
proxy_pass http://online;
- M9 B& u& N& B+ W( u m5 \ proxy_redirect off;
4 s7 b( I; @# r. T, [7 G! p. | proxy_set_header Host $host;
/ z% @* _% G" U& o proxy_set_header X-Real-IP $remote_addr;! c0 @" ~2 K- e; [, Y
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" Y5 M/ F( j; B$ Q! _3 E! ^
}- S8 B" w. W! M) ]& B
}( Y. F1 n; h7 l4 y4 D4 H. k4 L
六.测试7 q8 I8 D+ `& n4 C: U# g% `& }( e
) u( p5 p8 E0 W* B$ m4 w2 O% [我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:: a2 P6 y" ?; o1 P
: q3 \$ w; o9 y( p( f9 z! M( ?<?php( H/ |' _; k6 Y( C, u! c! x
phpinfo(); 9 `4 |3 Z$ l2 E) @
?>8 C% X9 }) n' _. F9 k
在浏览器中访问:0 U) ?7 l3 j7 G9 i- y- N' g& W4 ^
% U0 n; e4 e0 W- i. d$ ]2 Uhttp://www.52os.net/phpinfo.php?id=1 正常显示。
: }8 {5 I* N: F! Thttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。' S' E/ k& B! P' F7 | ?* L
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
k0 k- M$ @4 x# G; ?4 W2 \2 u6 k1 N说明sql注入和xss已经被过滤了
8 {- s& q9 n* }9 R
% s* y6 h5 }$ `2 @3 M/ k七、安装过程中排错$ q% d. m; ~" P( u+ R6 Q
6 A1 e/ N9 ?# L. j; C0 |$ r
1.缺少APXS会报错) c$ l- I& M( ^3 E: r+ T
. d( a. W9 R: { w9 W
configure: looking for Apache module support via DSO through APXS+ q. u3 R4 u0 {: G
configure: error: couldn't find APXS
2 U) z: t8 N5 Dapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
' m* ?& W* F! |1 c4 C8 I8 @解决方法:* G( b& r( M9 [+ _/ c
! |' y7 M; J3 M' u* I
yum install httpd-devel2 @ \8 U) w) n
2.没有pcre9 J& ?" y) Y& ~5 j l+ E
# `( Q2 T( H( E6 z- u, g
configure: *** pcre library not found.0 Q+ u* e2 h$ Z
configure: error: pcre library is required
) X! ^ ]* I( \ I) q$ p解决方法:! O1 e3 p6 [4 q. g0 D4 n% k" h
* H, u8 E( N0 @# k7 Jyum install pcre pcre-devel. c I- p/ B( X h
3.没有libxml2, |' |- e% ?' r5 [1 t! K7 B7 D+ x
3 K$ D+ r5 O4 G3 R
s$ G' i% ?+ m. Tconfigure: *** xml library not found.4 l1 C. x! n; ~% L' I5 i) ?
configure: error: libxml2 is required
, L7 y6 `! j+ _1 v5 W' t解决方法:
f8 U* d& B3 G5 m
' u) ^( J& A$ L- nyum install libxml2 libxml2-devel! @- S% l- m6 D' B# f# Z
4.执行 /opt/tengine/sbin/nginx -m 时有警告
0 a& v; V! V J/ a* {) y# z, u( ~. R9 S! t) A
Tengine version: Tengine/2.1.0 (nginx/1.6.2)$ B! |2 I2 w- V6 Y# e* {
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
, l9 t, w: {/ q) P原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
+ b/ B, `% ]+ F E7 y8 c% I
( D- V9 v8 }2 {, B) q: U( U2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.4 j4 C- N) w% f
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"8 v8 v" I* I; ^+ W% B9 R+ E
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
. l9 x; J$ ]8 F, r2 p$ }4 p$ ~2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
1 p- a4 t2 ]# a2 b. p3 e U2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
: c, y: Q8 x7 Z2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
* n: |$ B0 w2 k6 V解决方法,移除低版本的APR (1.3.9)
8 z8 I- R; z% `& p1 z) H
5 [% l5 w+ d% x$ O; U8 T4 \yum remove apr0 v/ }. v( T) N4 K: |$ b
5.Error.log中有: Audit log: Failed to lock global mutex' F7 V3 Q1 Q. B2 J
2 S! H# t9 k1 @0 G- c! L2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 8 {% M1 H6 P! U- s/ R1 G1 ?
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
! X; \& n" [4 `+ e: J. g解决方法:" O; @$ x, B* s4 f1 V& m
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
. [& }$ T3 t. a Z$ z( K3 L- h' W0 ~- W6 m
SecAuditLogDirMode 0777% F8 F6 h% s: Y$ w2 Y/ U
SecAuditLogFileMode 0550
6 j% K% h0 _4 ~, L8 ~. cSecAuditLogStorageDir /var/log/modsecurity7 d3 k9 r3 G, ~0 ~. `, [6 P8 [
SecAuditLogType Concurrent
6 Q+ p; ~; Y- z0 C参考文章:
8 A; Z0 s( q8 b( zhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
0 i" T, X+ V; J0 F: q2 |% Chttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡