|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
/ P& b7 K% @; |* {5 ?: O
5 c* N5 D8 }. J) @& V" r. X/ b一.准备工作% W3 o% m" @3 w) M7 z2 S0 G( t
" `3 E z! o$ `& y* d! C' z( T系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0+ Q3 p2 I8 X* A# ^
$ J( i- N, E, vtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz+ W; u0 S1 O& B/ `' W, M6 S
1 Y, \+ j+ C9 M2 \2 qmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
3 R1 u- o* ^. P7 d) O4 w3 D/ l- L" v' F
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs7 A* n$ z: o7 b& B# d" N: }$ ?
$ J' i7 L+ c# P/ r U. f! Z依赖关系:
- Y, j, y9 v4 v/ I& atengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:9 {) ?! g$ i* X, p" O
& g+ [% r; U* V4 c. Oyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel9 D) ~7 }& r+ h6 U O4 A3 z" b7 z3 U. S
modsecurty依赖的包:pcre httpd-devel libxml2 apr
* n. ? L. ?! i4 Y8 [8 y& t5 Q& r8 I
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
( q6 h- T6 e7 i5 ]二.启用standalone模块并编译
+ i6 \: g/ y- Y2 S/ ^8 y' t7 r9 ] m0 w/ ]$ D5 ?
下载modsecurity for nginx 解压,进入解压后目录执行:) ?+ E. r6 D A* v: c
3 X. j9 U* z2 M1 h' K./autogen.sh
( U0 p: f2 D' A3 p: W+ u* |./configure --enable-standalone-module --disable-mlogc! t) { X! b3 Q
make
3 S' i9 b N! [+ ~" o1 k三.nginx添加modsecurity模块* m, K/ g% T% g7 ?" o6 d
5 A% L9 _" e: U在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:- j9 E4 @, l- ]3 Z" |: m
n8 S! i2 O( Z7 n, j
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine3 y9 X' ]* X [2 W. p
make && make install5 i3 [: h$ G. @+ F3 ~1 V3 _
四.添加规则
% D0 X# i5 t" p/ Y$ E) k+ u
, u3 I! z/ o6 @& U1 |! z7 A( xmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。0 S' G( { @. Q$ {, e6 I3 [2 S
7 R. a& |$ W4 |. q% S
1.下载OWASP规则:
- ^+ @: v. G4 ^" C0 T1 o+ A" e1 z1 `! z% B8 P
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs# F' w6 [$ _: y; M1 a# Y0 j: }; D, C
% Q) J; ^3 o, M+ s; }! p8 e
mv owasp-modsecurity-crs /opt/tengine/conf/( X( r& D+ C3 {( j- j4 T. }
- [: G O2 t- w( y9 e
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf" b6 y7 E! ?0 y7 n- [- S7 f
2.启用OWASP规则:
7 ]8 j6 g! N! S4 Z) t4 ^' k! C' j' ^3 E2 W7 J% T
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。+ x1 c( W( l# ]3 u+ t; L3 h8 V8 f9 G
) u( K4 o+ b1 s _编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
2 U" [# ~8 l8 [8 W1 I& ?% A% @: ]' P) T. j5 [3 ~
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
; O) W: n8 L( ^" `9 A9 E
* F# s3 t/ r% _0 F: Q" R& sInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf( }& d- D2 p- C/ b4 r0 ~4 U% t* v+ m
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
9 G9 }1 D/ l; V6 l, ?8 iInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf2 m: _, T8 D- X5 s+ s3 U; }. |
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf V0 ~% V7 b- g
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf8 b, \3 J( C1 t5 \* m; O" z7 O
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
! V# E: s/ e( o8 p1 M& k. p" wInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf7 z8 q8 ^$ S0 B
五.配置nginx
0 P* E7 l5 V% u; D1 u# P5 M' N) \6 ]- ]
在需要启用modsecurity的主机的location下面加入下面两行即可:
, I$ k3 b# @- F! r- ~ t9 l' N7 e
) Y) j8 N% F/ g; c- W0 iModSecurityEnabled on;
# ?" v6 d/ `* o+ P$ {ModSecurityConfig modsecurity.conf;* u% l2 i H2 F G {" r' M
下面是两个示例配置,php虚拟主机:9 y x3 R7 V `1 f7 F
' Y" b3 H* m6 _5 y0 j
server {6 Q2 ]& o2 a0 r% t6 H
listen 80;
2 S1 S/ O) E/ V" o server_name 52os.net www.52os.net;
, t E4 D6 h/ k: e# e4 u0 ?
$ F, K2 s6 _0 L. y7 Z# x7 | location ~ \.php$ {
$ f* @1 H4 s1 \* o. N1 z ModSecurityEnabled on; ; A0 j7 }+ i8 U2 E1 c. A V
ModSecurityConfig modsecurity.conf;4 [0 u7 N4 O3 I+ v
/ ^/ R/ _/ ^. j1 d' r1 _+ f' M2 \ root /web/wordpress;3 q7 ~+ C$ Z% p
index index.php index.html index.htm;0 l- w, {5 j& d" {/ {
* l& M0 e! I9 O0 Q( ^+ R fastcgi_pass 127.0.0.1:9000;
J/ ]+ ^4 E& s0 A) a% a3 ` fastcgi_index index.php;2 e9 y' r! v" h- M- m, {1 h
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;* g( J j+ `3 e3 T0 M
include fastcgi_params;
+ @! w/ M; w+ v/ a }
9 a* H# ~- V( |2 n }+ I2 Z9 |6 |7 b& k1 m' F# q
upstream负载均衡:' s7 G, a! u6 Z% L1 P- C: h' J
3 w1 D# J& e: o# h. _- S
upstream 52os.net {
; Q6 y9 G( ~$ B" J$ h+ f$ r server 192.168.1.100:8080;6 z' ?! x6 e9 D6 k$ o
server 192.168.1.101:8080 backup;
! V; m2 l. N& Z7 ]}
8 g" _$ m! F0 y% y' @% J @ @+ T4 p7 }0 w; t. ~: E5 F
server {+ w/ o( L7 C' Q( E) x+ H/ G; r4 o6 b
listen 80;4 `: p! h$ p" [' ~& Z( E5 C" X- A
server_name 52os.net www.52os.net;
$ \. ^' A8 V$ I/ G! N/ ~; _5 w% B# g$ m
- @8 X6 C% L h' V5 f# B ]location / {) g. L& O- j. d* `( y( J/ c- E ~
ModSecurityEnabled on;
* l, Z$ I8 @$ ]8 K3 Y& ^ ModSecurityConfig modsecurity.conf;
! h1 p5 {. J X3 Z* _, g
8 e; }: p6 A! ^: _ proxy_pass http://online;4 [2 f5 b9 q8 x) @2 ?' f
proxy_redirect off;
# [( c9 |' h4 C9 I: _1 _/ l proxy_set_header Host $host; Z6 z E; h& B5 _ N
proxy_set_header X-Real-IP $remote_addr;
8 P& A6 c8 `7 S4 A$ G# j- H& j' ?6 L proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
$ X, i" Q0 z9 t5 z! i8 U }
2 J6 A8 R3 K2 h3 T}* }# S( F5 W8 e- d' I: C
六.测试0 {- s5 E7 z* B( Q; s3 j9 K
$ Q4 ?' q. ~. Y- Y& |我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:( D# V9 C+ V% X
0 t' W9 a+ S1 V& n j( [4 t" @5 n
<?php
& B0 l: b- }; s8 z; z& ]* T# C phpinfo();
/ U" V* D: J# H?>* t. F9 F/ V6 {: Q; S5 K$ d/ Z7 Z0 X
在浏览器中访问:
7 l" l. @4 M; K% B5 P) ]3 a
3 M. u5 w! K3 Y$ q4 Rhttp://www.52os.net/phpinfo.php?id=1 正常显示。
( u" W A' r* I6 b" U# O6 G% lhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。# @1 s1 j, q. w6 I$ @ k
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
' J2 Q4 p# T3 G2 E说明sql注入和xss已经被过滤了
- d2 P1 Z2 k$ c5 T+ E a7 ^) f: t" s! l2 ?7 A4 t9 V- _* G
七、安装过程中排错6 F. v& J$ |3 Q# J* L d/ Y4 a
3 V( [9 X3 \$ N2 ~2 H1 K5 j1.缺少APXS会报错
- g( v' O9 H# ]8 t$ @* ?+ H5 s0 C6 l" d/ P' S: h; V
configure: looking for Apache module support via DSO through APXS6 @& }2 o5 H8 e
configure: error: couldn't find APXS2 w2 n1 q: P" u& `" ~! d
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。0 \) o: f; _! F
解决方法:4 X8 i0 l7 {( b
8 e- [, g r0 r2 D: }6 |" d
yum install httpd-devel
2 p# [4 @4 z2 O/ v3 K2.没有pcre% d. M3 i4 h% G
8 \5 U, ? Z# M3 j. Z
configure: *** pcre library not found.9 _1 \0 {$ o( y1 c6 O7 p2 @
configure: error: pcre library is required
( \8 T X+ g( f! k- Z1 p1 @ c解决方法:
% K( |/ `6 C5 @( l
; n' w$ k# G# N9 e$ H* F$ Myum install pcre pcre-devel5 O3 ?4 X; Y% m4 W- I
3.没有libxml2
1 F* g j9 S, h6 H. N+ t: z* F0 T2 T2 _
* E$ ? [2 q& ^& C( ?7 econfigure: *** xml library not found.3 ~, @8 Y" | i
configure: error: libxml2 is required
7 O$ J4 d% s; W) V解决方法:9 Z! x8 L/ l& w; V, w+ S
* n6 M5 @, t8 t& d0 g3 Wyum install libxml2 libxml2-devel2 [' C! A" P; b
4.执行 /opt/tengine/sbin/nginx -m 时有警告
- n: v3 I) y0 {2 \1 A" _( {9 ~. E% L: ?$ r. V) \. m9 Z% \4 k9 a, A% O
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
9 w4 L6 S7 _ L! Fnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
1 H8 @2 x1 H) l+ h' t- F原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
' r2 F+ i1 W- d9 W7 q1 m% o
, q5 c$ ~; B' g- u2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
& y+ c% \" C& U- }% Y2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"$ c t3 l0 P- J3 W7 N w
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
0 n9 L" L }4 E2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05" U% q3 C( t# J7 b
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"1 z- p- r. `+ r6 f1 O. L) _
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.2 ~" j( U; T: l( c
解决方法,移除低版本的APR (1.3.9)
5 \1 @, n9 a4 k. f+ M( Q- d0 I ]3 A' U' [9 l
yum remove apr
: X, ?1 X% ~7 _5.Error.log中有: Audit log: Failed to lock global mutex
2 J6 m; n' z$ _2 d- c# Q
9 O* `8 _6 x# d* v7 k& @2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
% U: x& t7 x% A+ xglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]6 B' u A& l2 ?; _$ U
解决方法:! x2 h$ E: w$ B3 B% f/ t
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:( Z: ]0 Z% H( d+ {/ v% A& T- Y
1 A, v: Q; S9 C2 y/ eSecAuditLogDirMode 0777
6 ?% f+ `; M+ b4 j$ H- ~SecAuditLogFileMode 05500 A4 T2 \' y9 L$ s e1 f
SecAuditLogStorageDir /var/log/modsecurity# J d0 B! I' t
SecAuditLogType Concurrent
+ _& J! s4 r1 I0 E$ C0 k参考文章:$ [" Y/ F5 q* w) S
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX' l j( _4 t4 Z$ L1 l8 |1 ^
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡