|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
" Z* L4 U" C. y5 ~( o+ F+ }' l4 j3 D5 ]! u# s0 `, Q
一.准备工作- }7 y/ Y8 Q0 E& B- Z. P
) g+ z9 U5 @/ w# j& ~+ `9 { T" @: e4 i( s系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
3 q6 i+ `( Q' ?' y7 Z8 v' c; ?# x- c3 z' N! i; I! c
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz, F' n8 G5 v% \: ?$ D$ k
# @$ f2 x/ y6 [3 {modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
1 S/ H3 v; b. B; R
' L/ X" l2 I$ T' Q( Z5 g- LOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs, ?! J& a% E$ e- }8 j: I
& M+ u: j6 d$ J/ ^# l
依赖关系:
& J8 H. P" L6 Qtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:+ D; `' w6 e( P
1 A% W1 w# q/ V; Z- v
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
4 d- t# D3 P4 L! O+ B& ^ L& |modsecurty依赖的包:pcre httpd-devel libxml2 apr' W7 _( e4 Y) @ H6 `/ {5 a
/ z) a/ l( ]8 g3 myum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel) K9 w( F1 w5 e& I2 S
二.启用standalone模块并编译
5 j0 S1 {, x6 x7 F3 K1 n; \/ k& K1 i, n% y" |9 H( J" `
下载modsecurity for nginx 解压,进入解压后目录执行:
! s3 x* Q* {1 H Y' T- W% Y5 k4 m1 ]6 {+ t. Y
./autogen.sh& M5 D4 }2 j8 ]( I
./configure --enable-standalone-module --disable-mlogc$ D/ ?- Q6 Q5 t, Y6 i2 w3 v
make
5 f* G: u" F3 P" A6 u, t0 l1 `3 v三.nginx添加modsecurity模块
& r, f, ?# j, q% L# e# L: M w4 V" R2 K
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
. ^, d( e3 k$ ~+ B9 s. `4 L3 Y' m0 T, j( v0 ?. V: Q" [
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine4 j7 R8 I" u* e: i9 E
make && make install
# f$ D" k/ k9 S- Y f+ `四.添加规则3 J2 u- W3 k- ]# I3 h& R
- e! X3 V; {+ l# X, i3 a2 i
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。! Y% S9 F' l, f! ]- U' S
5 b$ R4 y& T- h! s/ `1.下载OWASP规则:/ ?3 e$ A6 O4 H& l! O) [1 {+ G
3 \0 u0 y. h: q$ a; Sgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs H9 @" H4 e; ]5 D3 y- P
, E& q+ w& i2 o, Emv owasp-modsecurity-crs /opt/tengine/conf/
' A" P+ T& U8 M8 v) m
+ ~: X$ a0 V" Q* i- gcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf7 ^: \( B* j- ?. h K6 }$ C
2.启用OWASP规则:
+ p6 {# |% x( L: S; A/ J' y& J+ l% K
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。% u3 E/ n0 q5 e5 Q
7 ?2 J+ r5 Q* w+ s! ~
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on4 I9 H# F5 V6 Z& [8 E( y2 L* d$ Y
& u6 k) \/ C6 {' V* E
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。2 i' B: W& _% i# k; A( w
( r, `# s3 k6 x% y% ^
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf' q2 B @1 K9 I- ?* ~
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf" a# ~6 i, N |& N/ K
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf' p; q; L! ]+ m$ T8 o1 C% Y1 I
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf) R% {3 Y) {& k9 U, ^
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf7 A' l8 r% ]; T9 Y5 F
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf5 x, U* B# j, d5 L1 a3 O! e; q
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf) o/ f: H9 p3 p" b& e* |# ~$ x: m; C
五.配置nginx
" ?$ `* m `3 D1 m! `' W1 `) P& I# S2 p! o0 u( o* ^% D
在需要启用modsecurity的主机的location下面加入下面两行即可:
7 I5 @. X$ w( }! w( ?
0 T3 R X, V7 CModSecurityEnabled on;
+ ^7 n* I* l$ b& eModSecurityConfig modsecurity.conf;1 G1 k, x5 h+ X9 E. {% ]; b. }
下面是两个示例配置,php虚拟主机: K+ Q0 I/ `, H' e4 o: C. @! Y; ?
4 t4 c6 T$ D2 n2 Kserver {& X; v, N% r3 z- l
listen 80;4 A9 R5 Y: b7 e( n
server_name 52os.net www.52os.net;$ b& r& c1 x! w4 s7 d8 m* x- v
% Q m( n" y: S+ ], K+ y! U% V
location ~ \.php$ {
0 L- ]( d- h) k, v! R ModSecurityEnabled on; - S$ ~# M' f9 Z& r& _
ModSecurityConfig modsecurity.conf;9 p- k+ l/ J: Q. e! `0 p" v
" m: E2 ^# t0 D
root /web/wordpress;, n9 u/ d: o+ _! d; T2 |
index index.php index.html index.htm;) D/ Q+ W) Q" ]6 w, b3 l) G
1 W# q0 A% ^" H* ]/ l
fastcgi_pass 127.0.0.1:9000;& N+ m( [1 }( |$ h6 v- b/ @7 H
fastcgi_index index.php;
& m! y( d' \: ] fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;8 C$ k4 N- y1 U3 F+ t7 H
include fastcgi_params;
! p$ n% k5 \7 M F }
# l" p( W3 J# T% n: w }
& h" N N* i' x- \7 nupstream负载均衡:
% e/ |$ s" a; z- r$ z1 B6 }) ?5 z1 [) y9 d I$ y' \" s) |
upstream 52os.net {
' r3 v7 O( G' S+ Y- H. x server 192.168.1.100:8080;+ _+ ]+ w% e( l
server 192.168.1.101:8080 backup;. ^/ t! N0 i4 R' u. I- S# |
}
7 `* L% q7 w. `
% ^6 }5 k( s4 Z6 pserver {4 p: [( Z+ ~6 f' u( c3 G' s: r
listen 80;# X4 P2 u0 w) h; C) z6 \
server_name 52os.net www.52os.net;
( N* b4 A5 j+ Q$ q4 H& Q& o% S" p5 e3 }: ?1 K8 I
location / {6 `! l4 a: X4 `: M- o
ModSecurityEnabled on;
$ x$ ?7 h* u- ?9 Z0 ?4 {; E ModSecurityConfig modsecurity.conf; 8 {$ ~9 J0 c- l' ?- O9 Y
. [ L/ p+ L! L+ X) g) A6 F/ W7 ?' M, R
proxy_pass http://online;
6 _* y9 C$ ?. L/ K) m2 @ proxy_redirect off;
+ s1 |2 M1 R5 Q8 @8 F" P$ h3 p/ R proxy_set_header Host $host;
' V. n% R+ |& }" U' Z0 @ proxy_set_header X-Real-IP $remote_addr;: f* G' e' L# M5 J7 L7 r/ m5 s' O
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
* M2 K. q: a9 J1 ?( D* G }7 M% w$ X4 N o" P8 u; f+ p" E T
}- }8 g/ T$ s1 R5 V% L
六.测试5 S8 C, \, M) Z9 N. ^
+ { ^ h O- Q我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
; v4 O9 S1 Q3 D/ T$ ]
. T6 D# U6 n* [7 \+ b7 I& O<?php
5 m7 F6 d- g# h {4 J- m phpinfo();
0 l( ^: Z) _3 Q3 Y! I) p5 q?>
; z& U! d4 Z- H. _在浏览器中访问:; i# e7 d; ]) K8 c1 W% m
) V0 Z4 K+ h) Z) N5 U* \9 |/ {7 w! W
http://www.52os.net/phpinfo.php?id=1 正常显示。
2 g, U' s; Z8 {- m$ E& whttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
& o: i V* V) i8 A$ E6 h3 phttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
4 o1 `: _. y: A* h# O说明sql注入和xss已经被过滤了: ^. O1 l. n# \- p8 n/ G+ s3 v
- _) N6 t4 M h
七、安装过程中排错
. I2 [- n2 r9 Z9 F+ w0 i* f1 u& H# M, B
7 } O4 X M2 n# q u' ?# H1.缺少APXS会报错
+ b4 y) Q+ M8 k$ A
6 ]$ y: }; m' _1 w( T' B; Fconfigure: looking for Apache module support via DSO through APXS
' c( F8 H/ L$ E1 p$ U7 Oconfigure: error: couldn't find APXS; z( ]2 w2 T; }' Z5 d9 f
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
, }! T# m3 t& B" z/ r- R解决方法:; L0 ~1 ?- y ?& J# `: \. a% O
, a% d& B- o% h3 Q4 f* myum install httpd-devel9 _3 n$ m$ Z) J4 Z6 J' x% u
2.没有pcre
# c {' c1 Y' o" h8 K/ h4 n7 p
+ ?1 R' B. q! } D8 E) |' gconfigure: *** pcre library not found.
3 f7 {9 b2 R( h5 o! N1 K' Fconfigure: error: pcre library is required
) R9 Q$ K2 U6 }$ ?3 B4 u$ {解决方法:1 ?; b8 k8 x) w* B) S1 c
0 k& @2 [0 V8 T4 h* o3 x. ]yum install pcre pcre-devel1 \1 Z! t, |5 F) a) z1 V( K
3.没有libxml26 c9 u, T' P$ b
8 f/ h8 @. c+ ^, H7 N3 @1 O
% x6 L# C& S/ k+ b7 H: wconfigure: *** xml library not found.
% d! H2 u. `( k4 h9 x4 s$ [ oconfigure: error: libxml2 is required
; l/ i: F! a: c; w解决方法:! S/ o% q/ ~% @
# G; I* }3 K: k: ~' I: I) Q! h
yum install libxml2 libxml2-devel0 |5 r2 I: N" q
4.执行 /opt/tengine/sbin/nginx -m 时有警告6 g' U' e" k; O% d5 ?; P
9 J ?0 n9 D0 C% {Tengine version: Tengine/2.1.0 (nginx/1.6.2)
3 s2 ]/ N5 T; H8 Lnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
b8 E1 K5 Q ]# ]! K原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log& Y, x7 N- ~* V- y
k# p$ T$ z# D, F7 I+ x
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
8 q4 s0 X$ ~! V6 M1 L" q+ B2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
c' q+ H2 C1 q& l2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!5 ]4 w6 \2 e7 m+ S8 I# K: K* R5 P' G0 `
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"1 L+ p( J9 ^3 q
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"! C) ^* l- X/ F/ O- }1 C' z6 t: c# v
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
) D# T& F) m- \7 R, g$ c! q解决方法,移除低版本的APR (1.3.9)* A) ~% T3 U4 f* v
/ P8 |: Y) Y( t, ^" `
yum remove apr
) T2 G2 ~$ s+ {0 I# Z p7 v5.Error.log中有: Audit log: Failed to lock global mutex
/ l6 G0 D( l @; ?6 B% y6 a
0 A n7 \) ?! b1 E5 i2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 9 R2 r+ S2 k0 M$ W; w' U% k3 J4 P
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]4 x; p+ b2 m" O. f/ ^% o
解决方法:
& H$ q$ ]: @, l/ W编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
: m& {. f% g4 j% o" W% ^9 Q3 G+ [$ w
SecAuditLogDirMode 0777* [- G+ |/ ^2 V5 [% n
SecAuditLogFileMode 0550- F I2 ^4 T. i# O) E( q
SecAuditLogStorageDir /var/log/modsecurity
) S: {# f0 i4 v: _SecAuditLogType Concurrent5 x$ @# B) z: }! ~2 ~; H+ G
参考文章:
: G O* Z0 n4 }* }* H4 R$ vhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
% K( \6 Z& Z. q6 t- chttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡