ModSecurity started life as an open-source WAF for Apache and can noticeably harden a web deployment. It now also supports nginx and IIS; combined with the flexibility and performance of nginx it can be built into a production-grade WAF, a strong tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block web attacks, and its power lies in its rules. The rules published by OWASP are maintained by community volunteers and known as the Core Rule Set (CRS); they are reliable and comprehensive, and you can of course write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by pulling each rule file in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
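The two settings this step depends on are easy to get wrong: an engine left at DetectionOnly (the value modsecurity.conf-recommended ships with) gives a WAF that logs but never blocks, and a mistyped Include path is worth catching before reloading nginx. The following Python script is an added example, not part of the original post or of the ModSecurity project. It parses a modsecurity.conf-style text, reports the effective SecRuleEngine value and checks every Include against a directory. It assumes relative Include paths resolve against the directory holding modsecurity.conf (the layout used above under /opt/tengine/conf); the sample configuration and the temporary directory it checks are constructed for the demonstration.

```python
import os
import re
import tempfile

# Constructed sample modsecurity.conf, laid out as the post describes:
# SecRuleEngine switched to On and CRS files pulled in with Include.
SAMPLE_CONF = """\
# edited copy of modsecurity.conf-recommended (constructed sample)
SecRuleEngine On
SecRequestBodyAccess On
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
"""

DIRECTIVE_RE = re.compile(r'^\s*(\S+)\s+(.*?)\s*$')


def parse_directives(text):
    """Return (name, value) pairs; blank lines and # comments are skipped."""
    pairs = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def check_conf(text, conf_dir):
    """Verify the two things the post relies on: the engine is On and every
    Include resolves to a file. Relative Include paths are assumed to resolve
    against conf_dir, the directory that holds modsecurity.conf."""
    directives = parse_directives(text)
    problems = []
    engine_values = [v for k, v in directives if k == 'SecRuleEngine']
    engine = engine_values[-1] if engine_values else None   # last occurrence wins
    if engine is None:
        problems.append('SecRuleEngine not set: the engine stays Off')
    elif engine.lower() != 'on':
        problems.append('SecRuleEngine is %s: requests are not blocked' % engine)
    includes = [v for k, v in directives if k == 'Include']
    for inc in includes:
        path = inc if os.path.isabs(inc) else os.path.join(conf_dir, inc)
        if not os.path.isfile(path):
            problems.append('Include target missing: ' + inc)
    return {'engine': engine, 'includes': includes, 'problems': problems}


def demo():
    """Build a throwaway conf dir holding three of the four CRS files and run
    the check twice: once as written, once with the engine left at
    DetectionOnly (constructed scenario)."""
    with tempfile.TemporaryDirectory() as conf_dir:
        present = [
            'owasp-modsecurity-crs/modsecurity_crs_10_setup.conf',
            'owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf',
            'owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf',
        ]
        for rel in present:
            full = os.path.join(conf_dir, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, 'w').close()
        ok_report = check_conf(SAMPLE_CONF, conf_dir)
        detect_report = check_conf(
            SAMPLE_CONF.replace('SecRuleEngine On', 'SecRuleEngine DetectionOnly'), conf_dir)
    return ok_report, detect_report


if __name__ == '__main__':
    for report in demo():
        print('engine:', report['engine'])
        for problem in report['problems']:
            print('  -', problem)
```

To check a real installation, read /opt/tengine/conf/modsecurity.conf into check_conf with conf_dir set to /opt/tengine/conf; an empty problems list means the engine is On and every included rule file is where the Include says it is.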
V. Configure nginx

In the location block of each virtual host that should be protected, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # proxy to the upstream group defined above; the name must match
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malformed requests are answered with 403. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS attempts are being filtered.
VII. Troubleshooting the installation

1. Missing APXS causes a configure error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
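Items 4 and 5 are both diagnosed from nginx's error.log, and the same bracketed [key "value"] layout carries the rule id, message and URI when ModSecurity blocks a request. The following Python parser is an added example, not part of the original post or of ModSecurity. It splits each error.log line into its header, the optional [client ...] address and the bracketed ModSecurity fields; flags library notices whose compiled and loaded versions differ (ignoring the trailing build date that PCRE appends, as in the lines above); counts audit-log failures; and lists blocked requests. The sample log is built from the lines shown in this section plus one constructed "Access denied" line whose rule id and message are made up for illustration.

```python
import re

# Sample error.log. The first five lines are the ones shown in the post; the
# last is a constructed rule hit (rule id 999999, message and unique_id are
# invented) in the shape ModSecurity uses when it blocks a request.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). [id "999999"] [msg "constructed SQL injection sample"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED-ID"]
"""

# nginx error.log header: date time [level] pid#tid: [client addr] message
HEADER_RE = re.compile(
    r'^(?P<time>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#\d+: (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
VERSION_RE = re.compile(r'(\w+) compiled version="([^"]*)"; loaded version="([^"]*)"')


def parse_line(line):
    """Split one error.log line into header fields plus the bracketed
    ModSecurity key/value pairs; None for lines that are not ModSecurity output."""
    m = HEADER_RE.match(line.rstrip())
    if not m or 'ModSecurity' not in m.group('msg'):
        return None
    rec = m.groupdict()
    rec['fields'] = dict(FIELD_RE.findall(rec['msg']))
    return rec


def version_mismatch(rec):
    """Return (library, compiled, loaded) when a 'compiled version / loaded
    version' notice disagrees on the version number proper. Only the first
    token is compared, so PCRE's trailing build date is not a mismatch."""
    m = VERSION_RE.search(rec['msg'])
    if not m:
        return None
    lib = m.group(1)
    compiled = (m.group(2).split() or [''])[0]
    loaded = (m.group(3).split() or [''])[0]
    return (lib, compiled, loaded) if compiled != loaded else None


def summarize(text):
    """One pass over the log: library mismatches, audit-log failures and
    requests the engine blocked (client, uri, rule id, rule message)."""
    report = {'mismatches': [], 'audit_failures': 0, 'blocked': []}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        mm = version_mismatch(rec)
        if mm:
            report['mismatches'].append(mm)
        if 'Audit log:' in rec['msg']:
            report['audit_failures'] += 1
        if 'Access denied with code' in rec['msg']:
            f = rec['fields']
            report['blocked'].append((rec['client'], f.get('uri'), f.get('id'), f.get('msg')))
    return report


if __name__ == '__main__':
    import sys
    # Pass an error.log path as the first argument; otherwise the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    rep = summarize(text)
    for lib, compiled, loaded in rep['mismatches']:
        print('%s mismatch: compiled %s, loaded %s' % (lib, compiled, loaded))
    print('audit log failures:', rep['audit_failures'])
    for client, uri, rule_id, msg in rep['blocked']:
        print('blocked %s %s rule %s: %s' % (client, uri, rule_id, msg))
```

With the prefix used above, nginx writes error.log under /opt/tengine/logs by default, so that path is the one to pass; a non-empty mismatches list reproduces the diagnosis of item 4, a non-zero audit_failures count the symptom of item 5, and the blocked list is the quickest way to confirm the tests in section VI hit a rule rather than a PHP error.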
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614