ModSecurity started out as an open-source WAF for Apache and effectively hardens web applications; it now supports nginx and IIS as well. Combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, and it is a powerful tool for both protecting and auditing web traffic.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (for apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download and extract ModSecurity for nginx, then run the following in the extracted directory (no make install is needed; the nginx module is built from this tree in the next step):

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx with "--add-module" when configuring the Tengine source tree (adjust the path to wherever ModSecurity was extracted):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity's job is to filter and block dangerous web traffic, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to cover whatever else you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. (On a live site it is worth running with SecRuleEngine DetectionOnly first: matches are logged but not blocked, so false positives can be tuned out before switching to On.)

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by Including them from modsecurity.conf; modsecurity_crs_10_setup.conf must come first because the other files depend on the variables it sets:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
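The post mentions custom rules but shows none. The following is an added example (it is not from the original post and not part of the CRS) of a local rules file, called custom_rules.conf here, that sits next to the CRS Includes in modsecurity.conf. It goes a little beyond the text: besides a blocking rule it shows a per-path exemption and a per-path false-positive exclusion, which is how CRS deployments are normally tuned. The file name, the rule ids, the /nginx_status path, the 192.168.1.0/24 range and the CRS id 981231 used in the last rule are all assumptions to be replaced with your own values.

```apacheconf
# custom_rules.conf  (added example, not from the original post)
#
# Include it from modsecurity.conf BEFORE the CRS Includes so that the
# exemptions below run before any CRS rule:
#     Include custom_rules.conf
#     Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
#     ...
#
# Every ModSecurity 2.7+ rule needs a unique id. Ids 1-99999 are reserved
# for local use, so they can never clash with CRS ids (900000 and up).

# 1. Exemption: a monitoring endpoint (assumed path /nginx_status) skips
#    the rule engine for the rest of this transaction. Keep such
#    exemptions as narrow as possible.
SecRule REQUEST_URI "@streq /nginx_status" \
    "id:1001,phase:1,pass,nolog,ctl:ruleEngine=Off"

# 2. Positive security model for the test script from section VI:
#    phpinfo.php?id= must be a short integer, anything else is denied.
#    "chain" means the second rule must also match for the deny to fire;
#    the chained rule carries no disruptive action of its own.
SecRule REQUEST_FILENAME "@endsWith /phpinfo.php" \
    "id:1002,phase:2,deny,status:403,log,\
    msg:'phpinfo.php: id parameter is not numeric',chain"
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$"

# 3. phpinfo.php leaks the server configuration, so only allow it from
#    localhost and the LAN used in the section V examples (assumed
#    192.168.1.0/24). REMOTE_ADDR is the address seen by Tengine itself.
SecRule REQUEST_FILENAME "@endsWith /phpinfo.php" \
    "id:1003,phase:1,deny,status:403,log,\
    msg:'phpinfo.php is only reachable from the LAN',chain"
    SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,192.168.1.0/24"

# 4. Tune out a CRS false positive for one path only: remove the rule
#    whose id error.log reported, but just for requests under /wp-admin/.
#    981231 is a placeholder; substitute the id you actually saw logged.
SecRule REQUEST_URI "@beginsWith /wp-admin/" \
    "id:1004,phase:1,pass,nolog,ctl:ruleRemoveById=981231"
```

After adding a rules file, reload Tengine and exercise the affected URLs once with SecRuleEngine DetectionOnly; every match, including the rule id and msg above, appears in nginx's error.log, which is what you need to confirm a rule fires where intended and nowhere else.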
V. Configure nginx

Add the following two lines inside the location of each host that should have ModSecurity enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Only requests handled by that location are inspected; anything served by another location (static files, for example) bypasses the WAF, so enable it in every location that reaches application code. Two example configurations follow. First a PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Second, a load-balancing reverse proxy with an upstream group (the upstream name must match the one used in proxy_pass):
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rule files enabled, abnormal requests are answered with a 403 directly. Using the PHP host as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. Each block is also written to nginx's error.log together with the id and msg of the rule that matched, which is what you need when tuning false positives. Remove phpinfo.php once testing is done: it discloses the PHP and server configuration to anyone who can reach it.
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when only the standalone module is being built.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one the dynamic loader picks up at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that the 1.5.0 build ModSecurity was compiled against is the one loaded:

yum remove apr

Note that yum also removes every package that depends on apr (httpd and httpd-devel among them), so do this only after ModSecurity has been built, and confirm the warning is gone with another nginx -m.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

The default Serial audit log writes every transaction into a single file and serialises those writes with a global mutex; under nginx the unprivileged worker processes cannot lock it, so every audit entry fails.

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following, which switches to one file per transaction (Concurrent) and so does not need the shared lock:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

SecAuditLogDirMode 0777 makes the audit directories writable by every local user, which the fix does not actually need: it is enough that /var/log/modsecurity exists and is owned by the user the nginx workers run as, after which a much tighter mode works.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614