|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。, t# L2 Z! A3 z# c. M8 C! b
1 O2 e* \, r( i' H; c; A/ {一.准备工作
3 Z4 g8 ] O3 Q% ~: T: p3 l
( k3 g3 n j. ?* n) G系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.03 y1 V, s* S+ u4 A3 x
9 m8 d! c3 b% Q1 r1 s5 S; I
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
: m, b% w- J: T8 K; K2 [. y8 u! a8 n- i
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz; L* X) O3 w' p& H7 g7 A2 z: p
6 c! \& S* c4 I* y
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs9 p. S- l; r+ o) ~( W& ?
1 I! G% X6 ^0 l( G/ d
依赖关系:0 z, V2 n- g. D ~8 T9 P
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
4 ]2 Y" s+ g% ?8 `. k( R1 d, ?& Y1 ~( |1 {4 \
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
; n* R. P' M V0 @modsecurty依赖的包:pcre httpd-devel libxml2 apr5 j1 C3 w# K5 O( u- \( v- _
2 {5 O) v, `5 M9 l( y5 e
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel5 L; O" ?$ P) d |3 g! u$ m0 @( o
二.启用standalone模块并编译
9 X5 }; |) V4 o7 h t& i2 B/ Y0 m. F; x8 Z: e; y/ u. Q# v Q
下载modsecurity for nginx 解压,进入解压后目录执行:
# h9 ?2 D; M3 w* D- V
' [/ @ U- P; |) r% x./autogen.sh: j+ d9 }# e& v* m
./configure --enable-standalone-module --disable-mlogc$ p) M; N' k3 a( W: S% X
make - g! X0 i- n/ V# }) R
三.nginx添加modsecurity模块
% F5 s! R1 y9 E) ^
s% ^( j* \" E; h在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
$ }+ `* j* t* ?+ M X) r9 l: H6 E0 e3 o, c6 i
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
. X, |2 T" z- F$ k7 Rmake && make install
, y9 z- `: d% }四.添加规则
: `3 N& M( |( {3 N7 l7 c$ X! N# U) g \" r% K: V
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。% U4 I9 ~1 G- C5 O0 |
) P0 c0 a/ s2 a* Z, {
1.下载OWASP规则:
) G; c1 Z7 Y _/ A7 {) L' ]; [
; d# {- w5 q6 X# u8 Lgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs6 R- W6 a- k) x8 `; Y( R
# n+ l* ~% X( Z5 G! M# Y
mv owasp-modsecurity-crs /opt/tengine/conf/
5 y% M9 p0 C3 N& w' I8 p$ q2 y! B1 r6 i% O7 j, e
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
; I6 j5 J* K" s M$ L2.启用OWASP规则:8 p6 P" d) E" B8 O
7 r& y! E) ~' V# \复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
# C+ A5 V7 x, F6 j3 f/ n; z; c5 x! A* ?$ Q+ Y' F8 @: A- [
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on, s$ g+ C' a! J. t+ Y: R
7 u3 A- q/ a8 L6 l* L' b; v5 n4 D S
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
2 R% H* _4 U+ E, N- }: Q! i9 A+ z p5 w
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf4 b1 g9 M2 A; u" h: A
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
/ i* Q6 ?: @) k5 r+ A1 _2 MInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf+ a' l* ]* K% p$ W. h
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf" A4 B3 h# T0 V h) R
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
" j& T, s$ |- h- ?0 jInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
2 f# f" y" g: ^Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf4 |, {5 F' x2 y# M$ G
五.配置nginx) g) S8 X3 |; X4 F2 q
3 z1 O0 p7 R6 F+ }0 a在需要启用modsecurity的主机的location下面加入下面两行即可:) s2 s' U' l5 c x) O& ^
8 X2 ^! A9 y7 J
ModSecurityEnabled on;
% E2 r7 u. u* z3 D, @0 L) `ModSecurityConfig modsecurity.conf;1 E2 v8 V7 S. C; ~% ?2 S$ c( A9 M+ @
下面是两个示例配置,php虚拟主机:. D9 g0 r. T9 R- x: T
; X3 V8 t1 `* dserver {4 Z% o2 q) D" C( j. l
listen 80;( t! f# p; Y# l0 R
server_name 52os.net www.52os.net;6 X3 `- K" P6 S3 C: q9 ~% r# N
+ ` Z: R! ` h8 u- V) P
location ~ \.php$ {
: x' r4 {$ g6 a9 C ModSecurityEnabled on; 5 w- U1 G8 R: \7 X7 n
ModSecurityConfig modsecurity.conf;' {/ q" J: ^- J5 H; M- K
6 A6 \( O9 b$ h4 x' s. a root /web/wordpress;3 _; j3 A* ^( x" j1 \" {1 B
index index.php index.html index.htm;( v5 X" _! H( z" |* ~
) R l! l+ f2 P
fastcgi_pass 127.0.0.1:9000;
6 d/ W1 t- H7 e! n2 ~! [ fastcgi_index index.php;" n* \1 T0 x7 T& f; j
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
" s+ ^7 ~+ c5 V0 ^# @ include fastcgi_params;4 c7 F7 Y- g& Q% i* ^
}
F5 {, z' P P, x, n/ ?" @% W }9 W' C$ p3 h" O9 x
upstream负载均衡:" p- k1 p5 A3 u
2 x* q6 g& ?1 p
upstream 52os.net {8 n* h+ S% t l9 @. C
server 192.168.1.100:8080;
. |8 R. G, Z# s server 192.168.1.101:8080 backup;" ]$ h. X( i, o ]
}2 s9 j N: _5 c. q
% r* L$ |* m% X+ \% X) J8 I9 a$ Q; Lserver {4 \) E7 S$ ^$ e, q
listen 80;& B) s3 @5 `3 I' I+ B
server_name 52os.net www.52os.net;
& i( V" k# D: s( W
, I; U L: j4 T9 k1 f' X3 qlocation / {
5 S1 U+ f& x) ?3 B+ z ModSecurityEnabled on; 7 S1 M U6 s. J* J) ]) B, X8 B9 D
ModSecurityConfig modsecurity.conf; " ?. w/ [! }' \8 }* I) L# K0 C
. V! x8 r7 k9 L* h# _# c proxy_pass http://online;
7 c& Q7 e' h; ^( i/ | proxy_redirect off;- @& p$ O- q$ v% `" m+ y
proxy_set_header Host $host;
( v: }) \( I3 i* P proxy_set_header X-Real-IP $remote_addr;$ c9 i. I; W3 n# B7 u
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;; m- X, I g5 n! P2 w. q
}
/ z4 ~6 A7 q4 } F. w9 L- I}! ?: D: s2 L; S/ g, u! p; m- f5 F
六.测试
/ b! J0 R" t+ i# t% M/ ]
3 f1 x- r& N3 G我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
# n0 L/ x# a8 b2 Q b3 g
7 |- [# o% b2 J: B h6 j9 t<?php F z/ r7 } m/ O: U" }
phpinfo(); 7 {: g5 {0 Z9 \9 u: M
?>* p# I$ {: w" g9 h1 U3 ?8 v
在浏览器中访问:9 L2 e4 f! M5 a" f2 G( S
; l2 Y4 r/ @3 d _% k a8 m9 ]http://www.52os.net/phpinfo.php?id=1 正常显示。
7 c4 y, i8 u2 z. |http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。% ~3 l$ o( m7 G. Q0 z% ~: g
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。. U/ O' S; i1 Y& z' E
说明sql注入和xss已经被过滤了; E9 }. c* P2 |# ]- Q Y
! y$ |) S! o/ d4 b七、安装过程中排错' i, B5 {7 N1 b! J" A1 A
/ K7 M5 d$ `' x% s9 r2 c% o( q
1.缺少APXS会报错
/ B e4 L& I5 e/ U4 q5 ^, {, q1 @/ {* h; W# ^
configure: looking for Apache module support via DSO through APXS
( o: @/ R* G8 \! P) k( Vconfigure: error: couldn't find APXS
) c+ A: x% o1 `. r+ D6 ]apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
' A3 ^" y+ l7 |解决方法:, c( Z+ W3 h3 S
$ A! ~9 [' k+ [5 t+ ?9 F5 W- T- K' v2 syum install httpd-devel
/ z) p& u7 g+ D/ r2.没有pcre( ~# [2 N1 Q8 c& b
( E! n% ^% T8 p: |
configure: *** pcre library not found.
$ E1 V( }( ^8 g' M8 E0 P+ }configure: error: pcre library is required, Q4 T5 X. Z+ A' n2 b; I
解决方法:
" a6 [& V' {' A9 f( ?4 }
2 H" ~2 O* |$ M% L. ]1 l- J/ Dyum install pcre pcre-devel, W) \, [, L4 n; F
3.没有libxml2
) g3 x( Y) I9 ^. M1 O, w/ C D* h: d+ M: W6 O8 i; N5 y- T1 ^
$ r$ _# T3 r6 v k. ]configure: *** xml library not found.5 I7 U0 X/ N J+ X0 |5 R& b
configure: error: libxml2 is required6 W- g1 [" \9 q" \+ s% B
解决方法:4 Z# |) T8 Y2 m( Z2 H
5 s9 e9 I+ `2 v7 n- ]
yum install libxml2 libxml2-devel
: u2 q, D: @! B4 J3 ?4.执行 /opt/tengine/sbin/nginx -m 时有警告% ]" Q! m1 y3 o) n* p; Z( f
6 k8 F( v& i6 @# q$ |" W) H* H9 `6 [
Tengine version: Tengine/2.1.0 (nginx/1.6.2)9 _+ ?% v. m! N: j2 ^. [& V* ^
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!' S, m6 K3 u/ Q* `9 D+ q" R5 M
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
2 Y- A$ [! k/ H. @- @* c$ ^) y
" M) p- h4 C- F4 o9 V6 A2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.3 q. U$ J: E( T: v
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"8 Z3 w) ^8 h$ F# o T* s3 K6 y+ q) y
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!, v( v# l3 N+ r! w( Y; }
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
! y, l' x5 M) M2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
7 L( ^8 t8 K! P2 S- `6 i1 s2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.$ \7 @9 o7 A9 C: u/ y
解决方法,移除低版本的APR (1.3.9)
/ S" v2 N" L& `, x1 b' E! w0 W' \3 i; X/ Z
yum remove apr& L. L2 z) k6 R9 T' E) w H9 G
5.Error.log中有: Audit log: Failed to lock global mutex
( ]# z" x3 a4 g( V1 c/ b3 F
5 V* U( ~4 m1 q$ [# [. @8 r' h" o2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
8 s! }9 x7 K# f% Vglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
$ w& w4 P$ V) C2 d; b: f解决方法:
) h+ s- P# x0 l编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:2 } S# H' c4 j6 z
# I7 B2 `! h" G* v' d
SecAuditLogDirMode 0777
: d3 I, [$ y; b/ [SecAuditLogFileMode 0550
) c" ]4 o/ R0 V- |) RSecAuditLogStorageDir /var/log/modsecurity
/ T; X) t# x( S6 n' Y. D4 ?SecAuditLogType Concurrent
. v* B0 q, e) `3 @- h参考文章:
' Q1 ]* `$ a$ _7 M8 E4 s1 m6 Ihttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
/ h y/ ~' B9 O* e" G0 chttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡