|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。5 W" S' a& y/ ? G" B2 ^
% Q @5 N: V5 X9 s
一.准备工作' Z* L' g0 M( h3 g7 {; x2 Y
, c9 q8 i' s' z, x% A" j系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0: W& R$ ~" i6 ~ i. ?9 L
7 q* ]2 y# D F9 h; ]tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
+ q( Y: k7 E3 x+ [
" D0 f" { u/ b6 V. Umodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz5 q7 v0 K3 t* m9 M# |0 e/ S
8 `: W! E/ i* R9 d" p" fOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs. ^9 ]9 L9 K4 w3 i
/ s) B1 ~. U% Z" j: _& I依赖关系:. Y* s4 l8 I2 {$ `- Y8 G8 I
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:) Q& Y8 q6 S% D2 ]: d
6 `4 N9 i& c+ a# [2 v+ Q
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel% }% S8 [- x9 n- }7 h
modsecurty依赖的包:pcre httpd-devel libxml2 apr
! x; G6 y1 S/ t' O1 }# }: C2 ~8 O* e5 t/ O7 S' `
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel7 L5 Z O1 V8 T& K8 E2 K' d& x6 z
二.启用standalone模块并编译
7 G) _9 f% W. g6 H! `7 m9 X6 D7 F/ p# H! o0 N" Z3 D3 i
下载modsecurity for nginx 解压,进入解压后目录执行:
; i7 d% e% u+ A0 e0 ~2 n/ Y a2 y1 S' x# t0 @0 L) a; O
./autogen.sh
9 R0 y' A: K& a./configure --enable-standalone-module --disable-mlogc2 N% h" ^6 k- E! d
make
0 ]6 w& m, v* `# u三.nginx添加modsecurity模块
3 `- K2 w8 S' c5 z& L8 `$ V7 b' W8 {! |" U- _6 Y5 @3 H& U9 T2 Z
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:( Z7 g2 p3 [5 c8 N# [6 i
, E7 c/ r; ^( a% g./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine- q$ @# t7 O0 L
make && make install
: ~9 B7 N1 ~! Y# R+ T: Y6 r8 ^四.添加规则
. i+ j9 _9 ^0 J
' E( U' E% c& G5 U8 @modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
/ u; a! U7 v& V/ e, c' g
. b5 ^. Q: N j* J# t1.下载OWASP规则:
$ x( h9 J, A! d% ^" f$ K; g; y& L3 T5 T! b. t, e! Z7 A
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
) u! }7 ^4 E& k; d" A2 G5 l9 Z w- Q+ U
mv owasp-modsecurity-crs /opt/tengine/conf/6 U$ `% `, l# E
' ?+ n5 n. P1 E# O+ A+ xcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
r; p1 W7 e" _5 E( G a' k2.启用OWASP规则:
0 a) O w M B1 h, u5 L G( l2 N. F
! i' V3 M5 ~0 x; N复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。6 e/ E# x7 T7 Z& s$ b
' {8 b1 y. G; n: O( b; G. s
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on% y9 S1 ^" c- ]7 q7 r7 i
, L+ S( t% y' s. H$ d8 uowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。" [. }8 o1 ?1 R$ j6 F# o. Q
' ?; U+ u4 m, V0 u0 u2 c
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
5 Z0 q6 a9 _* p; Y( M7 J. [: mInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
: H6 e$ w' V/ i+ X! H0 S q+ iInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
- r- ~. ~" I( ]9 `9 KInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
9 L/ e; n0 b( c$ w- z0 }Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
% o4 S W6 f* s1 `7 l# mInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf9 k' y8 N J& Z
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
8 L# V f' s2 W. Z五.配置nginx- b- h& Q3 p: d5 ]
0 ?: r l6 r$ _5 Z0 d: N
在需要启用modsecurity的主机的location下面加入下面两行即可:
: Y, O0 {$ X% Y2 i. p: t) h7 G/ \* O& I3 ~3 m
ModSecurityEnabled on;
! u- P/ k& ?# t9 L$ rModSecurityConfig modsecurity.conf;
4 k7 ]$ U( `3 I1 E4 _下面是两个示例配置,php虚拟主机:" P9 N8 [- p; I, g
4 u) r' M7 s; }server {
% z( Q0 v1 h. J1 a; E) ~0 g listen 80;# M7 X# S) H- |' S7 z
server_name 52os.net www.52os.net;6 K; a& I6 v% w, ?+ k
' c6 ?' {5 e' P# ] location ~ \.php$ {
1 |/ j- ^$ I# s. a$ } ModSecurityEnabled on;
% y' ^. X% [9 y& c ModSecurityConfig modsecurity.conf;2 m, j( v; H! Z& n
; d9 D ~" e- C& b* ? root /web/wordpress;7 V- C% D4 l' v3 Z& N$ W
index index.php index.html index.htm;
# V1 z7 F. @7 N& |( d' q . ~9 Z' ~8 m; ]4 B. Q% z! k
fastcgi_pass 127.0.0.1:9000;& f8 W8 c8 m" A0 [
fastcgi_index index.php;
; s0 w% Q) ]0 F2 u fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;* W% H6 ^; U5 L4 f' V
include fastcgi_params;
$ f5 V+ O$ `' E9 p; P2 W! G( c }
/ u/ `. G) J. Q# e; O3 M, n }# ^$ ]5 E2 Q7 R& U! B5 s f
upstream负载均衡:0 F; T: p- }0 e P
0 I/ K4 Q. f% \. [# t9 [4 }3 k3 e. Kupstream 52os.net {4 r& L2 {% ?$ ~& C- t0 E- Z
server 192.168.1.100:8080;
; b. K/ G8 v1 ], Y+ ^" ] server 192.168.1.101:8080 backup;& D; n- j ]" X8 H4 i5 j
}
& |. t# r' g3 W6 o& j* W& k/ R L0 c8 K2 i {% w5 V' {4 k; |
server {4 Z1 v: d9 Q. @% h6 |9 ]& p( c+ o
listen 80;
1 j% i, t9 d, C2 W4 C, S3 iserver_name 52os.net www.52os.net;
! z7 Y- p6 _9 T! m, n! [; d& a4 O9 Y8 [( k1 p d
location / {
& d, `; U n7 X; i9 G U/ T r ModSecurityEnabled on; 4 m* _7 ^: G) b, B' o5 _
ModSecurityConfig modsecurity.conf;
* G2 Y$ U8 c& V! u
( w) c# D S$ p/ c proxy_pass http://online;: k U0 g) {0 B W) _; r" U
proxy_redirect off; i% m! i" u6 w+ U8 j1 h
proxy_set_header Host $host;
+ h9 w: ~/ h" G6 v proxy_set_header X-Real-IP $remote_addr;
3 ~* C3 e+ M# a' [ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
1 {5 `/ B# R6 ]4 O. }- Q }
0 [, F8 R( ?8 @& [8 F; L; P8 N}9 J; ]5 S9 q1 H- a" R
六.测试6 z2 A6 t0 C. I+ w& |! J! R
t7 W. F+ a% X# S) E; ~
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
8 t! H+ s+ H$ n% o1 b' L) @% Q2 a/ C
<?php$ t8 i+ {. L" X, j; A9 `
phpinfo(); 0 ?9 A5 V' s `; p1 z. p
?>
3 q6 Q: u0 G6 M, d在浏览器中访问:; M. |2 f$ E5 L6 M3 Z) w7 S
! E9 Q0 F; x2 r% H' y/ d$ T
http://www.52os.net/phpinfo.php?id=1 正常显示。/ {6 h5 O% T: t
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
3 }; I; a) p; z2 Z$ A9 hhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。8 ?5 o- U& f3 n4 X; T |
说明sql注入和xss已经被过滤了/ J% A% k, Y. s+ i$ g+ J! ?, n
/ [* \5 N& n; F. r2 `
七、安装过程中排错
4 b4 o2 L" L ?, u9 O" r, E* F: M, I# O
1.缺少APXS会报错
/ I8 _# m& H7 V, l7 @! {* D' h0 [: K+ E' ?& p6 ^
configure: looking for Apache module support via DSO through APXS$ t2 o) H' j% ?8 d: c" N& N
configure: error: couldn't find APXS
9 U: x" F. Q5 R+ [9 y Napxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。- V/ r( h2 Z1 h
解决方法:
6 ?2 h. g8 }3 m0 n
$ x a- H2 W* R6 _6 q/ B) oyum install httpd-devel) z, _- Y* `8 i, e: C, f3 ?
2.没有pcre
; Z) _* F5 Q- x2 ~ B4 `2 m1 m- k& y- M% Z ?
configure: *** pcre library not found.4 x, n9 z% _$ o+ o3 g
configure: error: pcre library is required
* x2 R# U0 h' e$ h. A- [! Z解决方法:8 b2 U6 R8 h: T" Z4 u
/ J$ z+ W9 e! E4 \- R; _) q/ Q+ L' Ayum install pcre pcre-devel8 N( ]) C W5 ]: {% }" n5 A" `
3.没有libxml2
; N& l! F! E. \8 K& j$ \# A- h/ C$ w7 z( ^+ d* D
6 L! |' H! n/ w; U
configure: *** xml library not found./ {) S* H3 V& o6 j( [
configure: error: libxml2 is required, O& T$ f6 A$ l( @! v
解决方法:
& e. o, F) Y- l0 u/ H8 ]9 U* g M8 q: f; z
yum install libxml2 libxml2-devel
7 w% _( d8 b; S; D4.执行 /opt/tengine/sbin/nginx -m 时有警告) c5 S6 a( U$ A/ u5 K
% m, _ O) u5 w3 j0 `$ a- u ~Tengine version: Tengine/2.1.0 (nginx/1.6.2)
+ I" ^: @( G) e- f; Y" dnginx: [warn] ModSecurity: Loaded APR do not match with compiled!* M {# y; w" s3 F7 C5 w
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
' z. H m! T) u. N- m, ~! r) \. y9 r- v! f
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
+ b8 @$ w9 {# p1 ?) V9 l7 w" w. ?0 g2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"! N8 \* G( {/ R8 ]2 d' h
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!2 S- A- J0 x, j5 t I
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05": W7 y0 @6 m$ e: O/ Y8 H) z
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
! J& N5 `5 I( X6 W2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.7 |+ z( D4 k- v1 D
解决方法,移除低版本的APR (1.3.9)$ ^8 L- `! H# B6 |
! h( y8 b: t: g$ r7 _
yum remove apr1 d. B4 r9 p4 c, a7 J8 s( E, W
5.Error.log中有: Audit log: Failed to lock global mutex) o8 r4 J" W4 T T
# f$ L* k! c/ r2 d" m5 L2 t
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock + e& C+ u" ^5 q
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]1 J; r' k; H- G6 w* p9 h
解决方法:" k; s2 G! P8 Z/ ~# I
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
( B8 x* S+ L' `
$ a! v0 Y p- n7 C% rSecAuditLogDirMode 07778 o: `! ~3 A$ m& b
SecAuditLogFileMode 0550# _8 v% R" f0 S" Z) |
SecAuditLogStorageDir /var/log/modsecurity
6 `- T+ f2 k3 t3 ]8 _) _SecAuditLogType Concurrent
" n- f5 f5 Q3 T% S参考文章:/ b# }4 ~5 f8 \, E& s8 }
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
# s9 w. N2 Y( \http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡