|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。( O& @* W9 g! p4 {, |0 i
# T5 \+ f8 k/ o* Y" U
一.准备工作
6 m/ B$ y1 }, P& T
/ F8 g% E3 q; _. D系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0) p9 c, r% n# h& a% r
/ v0 P# ~/ V' B4 R8 ?tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
# A9 _% j6 N. {" `6 x% R& P/ v8 z |9 R3 B2 h c2 |* l
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz$ s9 q6 |+ m, v# w$ c. ^1 p
! B7 M# m* N, \OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs) L2 J$ l1 J8 o* Q
( v/ [: I. |4 m# u
依赖关系:
. ~; O; r7 Z8 K: b. M' qtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:' Q, s' V6 T( F0 h3 ]% l- S( V6 K5 p
9 ^3 _# [# t" ~, F' w' _yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel: P' v4 y$ M- f, Q
modsecurty依赖的包:pcre httpd-devel libxml2 apr7 o) O; d' X7 o# x6 k" \
3 A5 h. n; Q+ D4 h6 X& w" { S( }, c
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
$ P' ?, N) @7 ~4 Y* l( a二.启用standalone模块并编译) @; q6 }5 P( V" D! @
, T# c0 |2 X+ [' _2 \
下载modsecurity for nginx 解压,进入解压后目录执行:
, |/ n* C7 D) W% n3 p; ^/ ^) r) C y
./autogen.sh$ r( S+ w9 F9 k6 L' h
./configure --enable-standalone-module --disable-mlogc3 S* c, J# [$ A* y
make
- i( K u' F B/ W三.nginx添加modsecurity模块
9 i' M6 d8 l$ U. l7 w; x& X, y9 x7 x% x3 t. M& R' H( u8 }" h. K
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
" g% q$ _# L$ A" d; A& W: L4 A
k* W7 _' } x./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine! \9 U$ ^. X- b! K3 V
make && make install; y" s# A+ O% m3 u0 S& d# U/ |1 `
四.添加规则
8 d5 c8 h/ h' Y9 x0 Q4 k: h$ a# @2 x% Q
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
. z, [, P7 g0 h
3 E; F2 ^8 X- R9 t" @1.下载OWASP规则:6 z5 a5 w2 @ L: A/ C' j8 h" E2 J
* W( I- A, T F# g9 J( Fgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs! g6 q# [& A4 @1 p
; x+ G6 N. A; Gmv owasp-modsecurity-crs /opt/tengine/conf/2 m2 P8 @; g" e: H- U. t& r. D3 B
4 C, x5 U, B+ [& C
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf v9 p* ?4 A8 @5 E9 Z" Z' }
2.启用OWASP规则:) `9 M/ F7 Y& j# L) j
* b0 V; p, m p! K& h _
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
# J" \* b+ D/ t- U6 ~$ }* F( j/ U$ A( ?4 ~9 L
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
& \, }, M2 A# Q6 A
, C9 g" q m3 q6 k4 {" b" {$ Towasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
. g1 v1 E" R. T, C
/ k, [* ~6 \* T" z1 [6 iInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
. f3 X3 Y! Y. i5 h# rInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf5 _" r! v! H7 v5 f. `# p
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
/ ?% G/ Q5 o- g+ jInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
. L) R& {* }- c0 G5 n& H3 f& [1 uInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
4 y* H3 k* g9 W) Z( NInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
% ]) J3 J- G% H* h+ ], hInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
3 V2 q, S; l9 D, R2 G& }五.配置nginx
1 z2 e; _9 w1 A/ L. W/ M7 c, S. X4 ^& K3 F( q( `
在需要启用modsecurity的主机的location下面加入下面两行即可:
. v/ o. _2 ^% ~6 p8 Z% D
( k g1 h$ |+ M( F. oModSecurityEnabled on;
; G! U3 j3 n8 w( O5 g- LModSecurityConfig modsecurity.conf;4 i2 D( L3 ], t( l+ A
下面是两个示例配置,php虚拟主机:4 J: O, M. g! l. E% H
: K* E+ p( i. @2 K
server {
. R o1 O! }* @0 t0 M" D listen 80;
3 { j2 G, M, ^! ] server_name 52os.net www.52os.net;7 ?2 U: s4 }% D L a, B
5 H( D+ @+ J& V2 L, x( }: A
location ~ \.php$ {
, ^5 u4 w2 p: u. o% f. N! G7 e% j ModSecurityEnabled on; 7 n. s( O+ c) j2 x$ }5 ~
ModSecurityConfig modsecurity.conf;/ o. T" S) o4 O# l/ v9 z
2 R; Z3 n& Y; b# s0 D
root /web/wordpress;6 ?! t+ A# i; J, U/ a
index index.php index.html index.htm;- s" @6 U1 [# K' ^& K. R
$ g& { R# n2 J& w7 ]
fastcgi_pass 127.0.0.1:9000;% ^. n& U7 D6 F( K. D6 d( \- J& S
fastcgi_index index.php;
% `9 b5 n5 ^! x. l2 K/ n fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
9 _( M: E! C2 j include fastcgi_params;
% D4 l. q4 q8 b. e' d' C0 i& q2 E }/ }3 d. `' I' K
}' P3 r5 G0 t Q1 c* l$ ~- I
upstream负载均衡:
8 D0 p# t7 B+ E: w+ s% S, V& b% b( ]% y$ f5 Q7 g
upstream 52os.net {
9 x& q: C3 i' M3 v! g6 E server 192.168.1.100:8080;+ C1 w8 j( [% |+ I+ N- t! w
server 192.168.1.101:8080 backup;+ m1 t9 l( m3 T$ Y8 K
}+ ]6 |8 v1 w3 r4 e3 e) r6 p% f
/ g9 c4 r- }* g' w
server {, [9 Y0 v. J9 ^3 J- l' v
listen 80;
0 i% n& U) f3 c% Aserver_name 52os.net www.52os.net;; J" J! f1 d6 ?1 c9 a' [
, r, P) o" P- H* t! c7 Plocation / {
4 m5 V" \9 o3 M1 x8 T ModSecurityEnabled on;
l5 ~5 D1 J; U/ m+ U' c# F/ X ModSecurityConfig modsecurity.conf; R! q3 o d5 Y. }6 h
% V2 s C: |3 D2 X, D
proxy_pass http://online;
/ l* r& q9 Y' R% c proxy_redirect off;+ U) X0 E2 W( ]/ S2 e
proxy_set_header Host $host;
4 x( X+ `% I8 ~ proxy_set_header X-Real-IP $remote_addr;
& ?6 n7 H+ v4 p proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
' ?# i/ w2 d/ m. ?( A( k }
0 C6 B. f) M4 p) L0 y}
/ ~9 j# s" c1 }' b" Q六.测试/ {2 K8 `) ^' g% i: p- \5 |
1 Z0 s& w* z& I$ s7 d; m我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
; V" F0 \/ I# |) ?, |- l* |
' X4 D/ h! E. ]7 s0 {! E ~* I1 j- f<?php" Z& g" l$ S. B9 x! s
phpinfo(); 2 ~5 E; x9 E2 R# d0 r1 Z
?>
& H5 e3 t; r" X' Y在浏览器中访问:+ T; a: `& y- V: b/ q% n/ [2 G
9 F2 r( M' o. l$ F
http://www.52os.net/phpinfo.php?id=1 正常显示。
. u. D2 G# h4 A7 Zhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。, J; E4 w3 s: W- N4 E4 Z- W; s) k" I
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。8 e @* H7 g2 l
说明sql注入和xss已经被过滤了
& H: _5 W- Q+ T8 x% t8 u$ {; T/ L
0 C y( K3 P# u七、安装过程中排错
0 v5 l) h& P n2 A( ~0 e4 o
3 }& c% ~3 p _6 t6 U; S1.缺少APXS会报错) R+ l- ^: s! w4 D4 a7 P% J2 k
; Q/ _2 x# L( v! x- A% aconfigure: looking for Apache module support via DSO through APXS
) Q" @* O) R" e, \configure: error: couldn't find APXS
# w" f0 h- N' a1 Fapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
/ K6 u: |( I0 Q* f; A# q9 Q解决方法:
2 K6 G0 ?% M/ _% U
. [4 @1 T1 n# l7 R: hyum install httpd-devel
& T' g% Q! ?/ o; y: G& K2.没有pcre
b4 f: }2 o; A: q* s- n" K6 L9 Z* P/ |. |
configure: *** pcre library not found.
0 e5 M9 m! s! \9 }" vconfigure: error: pcre library is required
3 v; M6 o9 z3 F; r- [ n2 F解决方法:
, `" P2 @: p; n9 T. n2 R8 h6 @6 M8 I
yum install pcre pcre-devel
& g. }- I: h' I8 s4 j7 P6 i3.没有libxml2# O: z# q \3 J1 U; c( b
% Y- J R: T% h1 a/ n- g% r& Z/ a( ]& [6 \0 ]
configure: *** xml library not found.7 K4 M* X" P* I4 N: _
configure: error: libxml2 is required5 u- D7 E, S- G/ f. j
解决方法:2 t* n6 v( ]7 W8 Z/ h$ g
, T+ J) Z6 H! F L+ Wyum install libxml2 libxml2-devel: W3 b/ r1 @3 v9 I& b* K
4.执行 /opt/tengine/sbin/nginx -m 时有警告! W0 j1 w6 s# L, |5 d" X+ n
7 R6 K9 M2 s7 l- I
Tengine version: Tengine/2.1.0 (nginx/1.6.2); _: e# W" ?# E& R4 K
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
5 v* q0 i' q; R1 d; c ]2 g原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log/ Z8 H) B9 D/ q# g: ]9 V3 V- o' a
6 i! { A8 L+ n8 j! C9 Y+ t% U9 O0 S
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.- D- ^7 f9 z1 {: n
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
6 w1 d/ H: d) a2 k0 T0 @2 x+ h2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!" N* Q1 y; }3 X- m, b- m
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
. `- _% x; n8 H; g2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
* b' [4 j) u) O% N, Y2 |2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.; t T' `5 r. A* z; @
解决方法,移除低版本的APR (1.3.9)( G( m6 J7 X) V( C' |+ m% ?
$ q7 T5 V6 P% j+ s2 w
yum remove apr
5 p+ N- k! @5 Z* M% X2 d5.Error.log中有: Audit log: Failed to lock global mutex3 j& Y8 _+ w% P9 | G! n
* h+ G3 J i/ D& v4 `0 k$ ^
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock / n9 _3 W+ `( K" a7 {* L
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
7 p3 X5 L/ [5 P+ w. `解决方法:
6 J y+ Y7 q+ n% [编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
+ y! b4 K+ |* l# T/ r' H- g- F3 h. ^
/ @, i/ G$ h% b6 \- ySecAuditLogDirMode 07777 d1 W. h9 U6 ^1 A7 _4 K
SecAuditLogFileMode 0550( J2 t( n! ^5 b& d
SecAuditLogStorageDir /var/log/modsecurity; G7 G6 S/ ^0 L5 M9 r- ?+ l; ^
SecAuditLogType Concurrent0 l# R% X; I* l1 {3 k: \" w6 V5 @
参考文章:
: G% K/ b$ B; c5 |( m% B% t. o7 chttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX% k9 k+ i7 b3 d" h
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡