|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。) h9 n& i# `; P" T8 f8 i
8 j) h; w" E+ w. l一.准备工作, q8 n# ?0 J# d6 u% t" ~' ]1 d
+ E# Y2 Q$ a y8 P, ]系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
' `- I2 T/ h- g; k! N9 `- B3 C5 C# {" A" l8 u1 T& l) N4 Q
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz: U/ Q! z" ?3 `7 R7 X
; r+ Z" l$ t/ z5 b/ F: B
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
" @; H% A- N2 B, m. K: p2 z
3 l% Y8 _) n+ YOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs9 {1 {- f7 m# G/ f, q |/ u: Y
: l |9 w/ A5 b9 {# t0 T依赖关系:4 l+ _, U3 n( M6 l
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:& q* r7 d. v5 M( i M; G/ c
7 e% |- K7 r. V% myum install zlib zlib-devel openssl openssl-devel pcre pcre-devel( ^2 O3 G6 U8 B. n5 u
modsecurty依赖的包:pcre httpd-devel libxml2 apr
% V9 [+ {8 k) K# Q$ @6 X3 g( z6 `3 A4 y" g; K- G* {- E
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel4 k, E+ P( r; y) p! }% g4 Y
二.启用standalone模块并编译
/ N# c A6 L- U1 Q4 }3 w% m& [% y8 ?
下载modsecurity for nginx 解压,进入解压后目录执行:
( Y' H7 k" C# x2 ^' Z0 P& n4 f# x, H2 ?) Y, O- x
./autogen.sh
8 Z* ?5 u1 J7 O0 J9 j# W./configure --enable-standalone-module --disable-mlogc2 V5 U0 n& U; L) J$ v9 R0 X$ b
make
2 }' W$ I/ E m. ]三.nginx添加modsecurity模块
' W5 x1 F7 `% j. J% w. }( {: ]# k0 |0 U/ I* j, w2 E7 I& p
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:! G* X- _) N2 R3 Z2 f; e
; c. x- w# Z. X: M; ]( K. o./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
% q- K9 P6 e y: ~# }make && make install
/ u/ N3 N. }3 g! k3 o& Z四.添加规则
# o) {) X* k4 P
7 y( R2 c/ j( T; x) u9 ~modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。1 h& `9 ~( _' P$ b. X9 ]
: f' d9 f7 k4 z4 N
1.下载OWASP规则:/ j3 e' ~5 O/ U2 R$ H
# ^6 ~- G8 C) s5 o# q# qgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
P0 r6 Y% }7 O& S0 F
0 u2 y5 u7 m6 }. @; Bmv owasp-modsecurity-crs /opt/tengine/conf/
, i& q0 a9 I1 D+ P3 I7 V$ O5 S) o) G# Q$ o* K
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2 Z U8 y7 e; A9 l" v5 {2.启用OWASP规则:
- s/ z- Q8 W4 J' U0 i8 o) o
7 T0 u: O" k; K4 ^9 K, L+ V复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
1 i y( c# Z5 `
+ V5 G1 K5 G1 D6 B; P; v8 Q编辑modsecurity.conf 文件,将SecRuleEngine设置为 on6 K. e' ?. k" m( ?' |" w
! k5 C* J7 W( r9 p
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
9 K% X, x. b, ` T* A O
& D Q8 C* p" V& hInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf) `% K$ S1 `( @3 w
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
0 ~( H. W5 \/ F7 iInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
/ Z; I9 @7 S& @Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf$ D; \. Y3 i5 H9 c% ~6 O
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf1 N( g$ }9 ^' P7 D4 n, b Z- a
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf4 O* A: u( f3 a4 q& {
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf$ G2 Q! r) ~: T9 R4 s5 u: j
五.配置nginx
3 d: z9 M4 J& G7 d) y! W
+ D( u1 v A, n$ X0 A1 U9 Y2 m/ I5 c3 a$ X在需要启用modsecurity的主机的location下面加入下面两行即可:
# T& J: ~9 f6 k3 o% p4 y- T6 _: k( [" y% b& r3 R
ModSecurityEnabled on; ) W( {. o+ ~! T7 Y1 r
ModSecurityConfig modsecurity.conf;# x' N, n4 Z% Z4 y
下面是两个示例配置,php虚拟主机:
& O6 l: H- `$ k9 m
' o! R" i3 t8 |server {( d8 D& m& Z2 D N7 O
listen 80;7 a) h8 U4 h+ ^% E* f/ X
server_name 52os.net www.52os.net;
" z! w4 v8 X7 \; m 8 H9 I6 W t" U; S. q
location ~ \.php$ {
( Q& t7 D* H) z a1 P ModSecurityEnabled on;
3 Q, i, W& w6 k ModSecurityConfig modsecurity.conf;
- I# C& M7 [' z
- I6 e4 o) Z% \3 a% b. T9 _1 w root /web/wordpress;4 J+ I) ^6 D* f4 |
index index.php index.html index.htm;
1 S( M0 v) _' {5 ?, f0 w
; g) B9 Z, g; x2 o& [& Q fastcgi_pass 127.0.0.1:9000;
) o* f2 G( [3 y7 k# p4 i fastcgi_index index.php;& T, y1 i: \# g; P1 N2 Q
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;6 E& [, @ R$ H7 X9 |6 Y2 T' s
include fastcgi_params;
. L" \# Z! ]6 K4 [5 _ }
" j! s4 R) h+ V- R/ s }0 x T$ w3 U: a1 D) \8 E" N" A
upstream负载均衡:
" u9 h2 N% z& f/ _8 s. ^4 I1 U0 E8 e6 Z- j0 p2 b8 m
upstream 52os.net {* Q2 U7 H0 F( [. n& I. _
server 192.168.1.100:8080;% V5 V v0 |) z
server 192.168.1.101:8080 backup;3 q4 z4 r2 C3 Y }" {+ S, M
}
h/ U ? X7 Q7 Y
. G% L* i* [: D9 C1 |server {
! ]; {9 b% F, w& r9 b3 Tlisten 80;- [! T. S7 A& W, y- n" P# |: ^$ D
server_name 52os.net www.52os.net;; `7 @# H- g" }% e8 H5 V
) p7 T/ U6 r, @5 Y8 W! ?
location / {' E* j6 {; D6 H
ModSecurityEnabled on;
: L3 V- P+ l Q ModSecurityConfig modsecurity.conf; # b3 C$ o- V T: J t
5 ~4 h" w" B5 A8 c; A+ o' U
proxy_pass http://online;. z7 g: `( P& o9 u* t3 v
proxy_redirect off;
8 d8 ~1 z* o# b) \& o proxy_set_header Host $host;, K- N8 Q2 `) I+ o& Y8 \5 ^
proxy_set_header X-Real-IP $remote_addr;: o% A+ W# e/ @/ ]3 l- S b
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;4 _, X0 [( r8 n" O; p" k4 y4 C- g# U
}
7 S) c" v0 _2 W# `) f}
; t7 v4 k1 Z3 E4 H0 M六.测试
w% }$ D' G b7 q5 ~; l% w! X4 S8 s8 G* ~- Z
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:: [6 ]* B1 A+ R+ V0 i, \- s- q
8 F# Q5 z( ]$ C* m/ s- K; G2 ?<?php
2 z7 D! [5 [7 J1 a phpinfo();
0 o6 _8 U! Q0 J& A( Z' s9 |* l) O?>
: U% [7 w3 P `6 B! h在浏览器中访问:
T+ ~( M( b6 g& m4 B0 h2 u5 t' ` ]" H R- X; m1 g- j
http://www.52os.net/phpinfo.php?id=1 正常显示。
3 x' y) C; x" W* d" n/ uhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
3 d9 _, T+ T3 g4 P% [# Lhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
0 L0 N4 q: {9 \. y说明sql注入和xss已经被过滤了
1 _! @0 w' {! O; C/ Y9 U. C. R- m! k0 q* Z
七、安装过程中排错8 e% p5 H3 O9 P# r
7 p# }1 w9 P7 u2 d/ u1.缺少APXS会报错. f# l# a) X) U2 o, R1 z7 P
$ V% D, s, B3 \. H, m; ?configure: looking for Apache module support via DSO through APXS7 Y3 M, U2 g5 a/ z' A* r
configure: error: couldn't find APXS
. w3 F5 |9 B- V* }- L' Uapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。, a' d& z( Z( o8 C4 t8 C0 v- {; c
解决方法:! ^5 O) `9 L( I- J4 ~
0 d. E/ ?0 i) z: H0 ]" x8 xyum install httpd-devel
; F% _* y* H& X1 @4 `2 Y2.没有pcre5 b; S& A. H+ c
' t. H4 x) i8 q- `configure: *** pcre library not found.
' V+ O) b- K4 ]: T; ?5 O$ nconfigure: error: pcre library is required3 x' Z% N1 _: Y8 B. C
解决方法:
4 X- H; ]: X% g) G% L
$ S8 H: d9 ?7 O7 ~yum install pcre pcre-devel
0 R5 {$ \% ~' v6 ~ u3.没有libxml2& S' o; I& H* R, c5 T
+ U/ j+ I% D; m) |' A4 x4 b4 ?6 E
& t* u( D ^8 E4 C; {+ e7 H2 F: s
configure: *** xml library not found.3 e- p q; j/ M# ], h* z3 \
configure: error: libxml2 is required
+ G" _8 [$ J8 P% d解决方法:: i/ D: c- Q7 A+ s+ r4 b
1 o8 W( _ M9 {2 |7 u) j6 Yyum install libxml2 libxml2-devel8 d& q* T0 G( j2 [1 |3 A; f D
4.执行 /opt/tengine/sbin/nginx -m 时有警告
7 n5 [' K; Q8 f' @. P: `
3 e' B5 W3 j$ Q+ NTengine version: Tengine/2.1.0 (nginx/1.6.2)8 Z" w9 ?: H8 Z1 ?% H4 r
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
2 H( x; K) x7 N& P& S原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
) f9 [ H4 m9 h0 r$ a' p. ~
3 @, C6 {& f% O/ }) V) h2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
5 n5 p% a6 o; K, P5 k2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9", {! F( |& ?" i! @8 L/ |# Q5 M7 i
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
9 @& J& e* p: @% ^2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
" R; s; G9 ]* Y, y8 b2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"4 o8 X5 x% s' G5 W1 k/ K$ ~* A
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
* c6 Z+ w( ~6 { |& G0 d3 n4 V解决方法,移除低版本的APR (1.3.9)+ V# x8 I% u8 z* e; ?
, E9 A+ {4 X3 b5 M& F f+ l- S/ a- nyum remove apr* R3 w7 k7 N n8 C6 B
5.Error.log中有: Audit log: Failed to lock global mutex
/ ^; G5 N) n; C/ P, m4 I- Z9 l3 S W+ m- w- l0 k( j
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock D6 o4 O% d3 E4 H, _$ q
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
9 ?$ {. I) \, k0 G4 M& S. C- L( Z8 [解决方法:
4 B5 ^2 c8 x# U编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:% C- Q9 Z9 j5 G1 y6 V @$ U3 b
( G( k* n& i' ~- }
SecAuditLogDirMode 0777! z9 W. N& i! F" |2 q4 R
SecAuditLogFileMode 0550, |! ]% `0 u+ P+ n6 a t; Y
SecAuditLogStorageDir /var/log/modsecurity4 D: ~6 [1 N: }( ~( B; X. I
SecAuditLogType Concurrent
5 N! R1 l( U3 [3 T0 O参考文章:7 ]& r$ X; y6 E" I3 \/ o2 [' H
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX) v6 B2 ^) e4 G y& w
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡