ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports Nginx and IIS; combined with Nginx's flexibility and efficiency it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for Nginx, extract it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, ModSecurity can be added to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover any other need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by Include-ing the corresponding files in modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of each host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # must reference the upstream block defined above by name
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
& J9 |& {: |& I1 c& m9 S2 ?& U4 W
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime, and error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
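Both the 403s produced by the tests in the testing section and the audit-log mutex error in item 5 leave their details in nginx's error.log, in ModSecurity's bracketed [key "value"] format. The parser below is an added example, not code from this post or from the ModSecurity project: it splits such lines into fields, tells a real rule hit apart from a logging misconfiguration, and counts blocked requests per rule id. It assumes the error.log layout quoted in this post; the "Access denied" line in the sample is constructed (rule id, line number and unique_id are made up).

```python
import re
from collections import Counter

# Sample nginx error.log lines: the APR warning and the mutex error are quoted from
# this post; the "Access denied" alert is constructed in the same ModSecurity 2.x
# format (its rule id, line number and unique_id are made-up values).
SAMPLE_LOG = """\
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-id-1"]
2015/01/26 04:20:05 [notice] 61610#0: signal process started
"""

# Timestamp, level, pid#tid, optional [client ...], then the ModSecurity text.
PREFIX_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<body>.*)$')
# Bracketed [key "value"] pairs carry the rule metadata (id, msg, uri, unique_id ...).
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# blocked: a rule fired and 403 was sent; warning: match in DetectionOnly mode;
# audit_log_error: audit-log misconfiguration (item 5 above), not an attack.
KINDS = (("Access denied", "blocked"), ("Warning.", "warning"),
         ("Audit log:", "audit_log_error"))


def parse_line(line):
    """Parse one error.log line into a dict; None for non-ModSecurity lines."""
    m = PREFIX_RE.match(line.rstrip("\n"))
    if not m:
        return None
    body = m.group("body")
    first = FIELD_RE.search(body)
    rec = {"ts": m.group("ts"), "level": m.group("level"),
           "client": m.group("client") or "",
           "message": (body[:first.start()] if first else body).rstrip()}
    rec.update(FIELD_RE.findall(body))
    rec["kind"] = next((k for p, k in KINDS if rec["message"].startswith(p)), "other")
    return rec


def summarize(log_text):
    """Count records per kind, plus blocked requests per rule id as "rule:<id>"."""
    counts = Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        counts[rec["kind"]] += 1
        if rec["kind"] == "blocked" and "id" in rec:
            counts["rule:" + rec["id"]] += 1
    return dict(counts)
```

Run it over a real error.log to see which CRS rule ids account for the 403s before tuning or disabling any Include from section IV.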
Reference articles:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614