ModSecurity started out as an open-source WAF for Apache that noticeably hardens web applications. It now also supports nginx and IIS, and combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web traffic.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

modsecurity depends on: pcre httpd-devel libxml2 apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download modsecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module can be added to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover whatever needs you have.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the modsecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling them in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location of every host that should have ModSecurity enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Load balancing with upstream:

# the upstream name must match the one used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered directly with a 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
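As an added example (not code from the original article or the ModSecurity project), the following Python checker reads nginx error.log lines like the ones quoted in items 4 and 5 above and reports library version mismatches and audit-log failures, which is a quick way to confirm both problems are gone after the fixes. The sample log text is constructed from the lines shown in this article and embedded so the script runs offline.

```python
import re
# Constructed sample: the error.log lines quoted in this article, each joined onto one line.
SAMPLE_ERROR_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# '<LIB> compiled version="x"; loaded version="y"'; the loaded part is absent for LIBXML.
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?')
# Audit-log failures: client address, free-text reason, then trailing [key "value"] fields.
AUDIT_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: Audit log: (?P<reason>.*?) '
    r'(?P<fields>\[\w+ "[^"]*"\](?: \[\w+ "[^"]*"\])*)$')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def _first_token(version):
    # PCRE logs "7.8 " vs "7.8 2008-09-05": only the leading token is the version number.
    return (version.split() or [""])[0]


def version_mismatches(log_text):
    """Map lib -> (compiled, loaded) for every library whose loaded version
    differs from the one ModSecurity was built against (the APR warning above)."""
    found = {}
    for line in log_text.splitlines():
        m = VERSION_RE.search(line)
        if m is None or m.group("loaded") is None:
            continue  # not a version line, or nothing loaded to compare against (LIBXML)
        if _first_token(m.group("compiled")) != _first_token(m.group("loaded")):
            found[m.group("lib")] = (m.group("compiled"), m.group("loaded"))
    return found


def audit_log_failures(log_text):
    """One dict per 'Audit log:' error (client, reason, hostname, uri, unique_id), so the
    mutex/permission problem can be tied to the request whose audit record was lost."""
    failures = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if m is None:
            continue
        entry = {"client": m.group("client"), "reason": m.group("reason")}
        entry.update(FIELD_RE.findall(m.group("fields")))
        failures.append(entry)
    return failures
```

Run it against the real file with `version_mismatches(open("/opt/tengine/logs/error.log").read())` (path assumed from the --prefix used above); an empty dict and an empty failure list mean the APR and audit-log fixes took effect.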