|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
1 D! u, @: ]9 s9 u
6 ?8 f& N* l9 L: _% a/ R一.准备工作
/ A9 ]" j3 I: M: `. A% w2 ^2 g( J' [! Y) m, e# L' T
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
( X. t( B" E/ `6 e8 l- B8 C9 N E
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
! w5 M$ c8 n: O" j9 d
1 ~6 c) ~9 B% }9 w9 w0 M. s2 J& Gmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz+ a6 ]3 j/ ]& o+ H" i4 A/ l
& Q: A4 z# {2 C! B
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
, `: Z w+ E( q6 z0 y5 B, g% {
依赖关系:# g: h _0 s) l% W6 w& Q
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
3 E( n! T) f" o+ M# h! ~+ w' k( X" f( @5 a
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
8 c$ c+ n, x' u$ Q2 u( zmodsecurty依赖的包:pcre httpd-devel libxml2 apr/ R' s) `4 B3 q
8 c4 Q5 b- X6 h- K3 j s
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
8 r- ^6 C5 O i" |% J; o8 t二.启用standalone模块并编译: \7 x, Y$ O/ A1 D0 u9 X# E
% P5 D; F0 W6 q8 S6 Y/ U0 y下载modsecurity for nginx 解压,进入解压后目录执行:" A7 W( `; X4 }9 w
" x# y3 \, ]* u3 a
./autogen.sh
# }' R7 O* e5 h! k./configure --enable-standalone-module --disable-mlogc
7 ~5 W5 X/ x, w. nmake . }4 [3 B& h) @1 F% x
三.nginx添加modsecurity模块! a J/ c% s; q' D: Y, m
) M/ T- i. u T9 t, E在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:$ ]: O. X y1 r' u+ m) _' n& D
$ v Q; j' d- q/ v" W; \- J./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine; G/ R! y& V s
make && make install
6 [; A! o" ^" e% D. B' @. X四.添加规则- O0 I- M& S# T6 l" Y5 m- h
; N1 h$ I k- {/ X E; n3 ~: T
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。7 a9 Q3 `; a& {! Z, i4 V
/ u7 I$ o. z! Y0 v$ X1.下载OWASP规则:
6 `1 O% u. @/ ~6 n& z) j& E
2 \+ S$ [& T lgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
+ m8 R5 o5 j2 \+ I& g% B% F" \
; q/ ^, i5 a1 b; q4 h) Nmv owasp-modsecurity-crs /opt/tengine/conf/
P8 A* R% n4 |: p- g) K' `' \) E: R/ I& O2 b
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
; `7 L: @* P+ I# b' h) g2.启用OWASP规则:+ g; E* s& T/ F3 N& x# s3 t
" |" s. u7 T$ X7 M. V( I" m5 V4 _
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。9 O: E7 z# O. s, C
* Y. F, w1 s- s9 _$ X3 H) [编辑modsecurity.conf 文件,将SecRuleEngine设置为 on- J* d: t2 P$ ~# V; `
& J4 J; L# f% \% H# M+ B
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。. p8 s7 `: r$ n; ^
; ]0 U2 `: I/ C: d
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf$ u' |% d2 y8 Y7 ?2 g0 `' W
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
7 t) \" w9 F8 X2 @& uInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
: F% [9 ]( z! L* XInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
* L$ g1 s r- Z* F5 X% A) T3 eInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
0 t0 I% G X+ M; M$ a, k; t3 }Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
: `. [/ |$ ^4 V9 v3 T, mInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf( i5 ^ E" T; T0 ~" P) y
五.配置nginx
1 v' g5 H+ Q. k7 x% Y3 C
" l! Q( M# h6 `! l# ?在需要启用modsecurity的主机的location下面加入下面两行即可:
$ {5 W. E3 @; U# _- W: q) {* H
: r! \. P4 H* ~0 X+ w- ~ModSecurityEnabled on;
J& N. C% t+ Y* tModSecurityConfig modsecurity.conf;/ S2 b; z r+ B& c! S6 _9 J, W/ w
下面是两个示例配置,php虚拟主机:. v; D7 J: w6 s2 n5 I
2 B9 y2 p, ]7 E5 ]; n% p
server {
G0 Q2 o9 I" z1 q: U: Y listen 80;6 g* F9 K* a% R' F. L
server_name 52os.net www.52os.net;* Q# h( S% l* i* f
# g0 a! V. u, ^8 w6 B8 s
location ~ \.php$ {
+ W! {: n1 k) w# Y ModSecurityEnabled on;
7 |3 F ]$ J( C! k/ I1 H7 X ModSecurityConfig modsecurity.conf;
+ ~$ f2 F! z7 F7 W. a& R* i0 ?& f$ G3 v# `9 G$ A" ^
root /web/wordpress;: A$ j8 t/ Y: [% H9 p" ~
index index.php index.html index.htm;
% K S: |- P& ^+ k/ s/ z4 a2 J 4 I7 T! e. n/ U4 d( ~
fastcgi_pass 127.0.0.1:9000;
# d, S" _& f5 M9 M$ m* j2 G fastcgi_index index.php;
+ z/ {6 H- S" a& I2 z fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;( }; x' e; H# @5 E
include fastcgi_params;; [! g. X/ a K. b: q0 h
}( I$ X, [; U& p6 U6 A; a \6 [. f( _
}
2 s! S- x$ Y: Y; lupstream负载均衡:' L3 ?. y; [5 g4 i3 M* c7 G2 R& m
K2 n$ N! Q2 {9 P1 d
upstream 52os.net {. ?& }2 a9 M, w$ }* A" c+ r8 k" F( P) y
server 192.168.1.100:8080;) b$ [ u+ k* x; b3 n* A5 q
server 192.168.1.101:8080 backup;2 z" v4 @. m; ?9 `; y
}! k1 S: D% X* G3 u3 F
) _2 N- h4 w. @8 D8 H
server {
; ^2 V/ `: ?5 _& J! y8 W8 plisten 80;
) F( o$ U: B bserver_name 52os.net www.52os.net;# F" H/ U) h* z3 y9 h& O) _3 [" G
" ~) M" G& j/ N1 }1 k4 X% Glocation / {* o5 ?: _3 ~4 W( s/ q( s/ h
ModSecurityEnabled on; ' N+ Q$ a d. g$ j6 t4 A. a2 o
ModSecurityConfig modsecurity.conf;
8 D! w f h) D+ b- R) U% V. a/ I- E; x
proxy_pass http://online;. ^9 C6 v' o$ z" D) G
proxy_redirect off;' g% O/ M% k' r2 N2 A' X
proxy_set_header Host $host;
/ O/ U4 G* {1 N) Y proxy_set_header X-Real-IP $remote_addr;
$ y1 K; v1 l0 V6 R, r0 b proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' @& ^* D4 q* v# {, E
}
% v5 N. H4 v8 v, H}( C/ K6 n+ b0 {2 w
六.测试
, h; A$ a0 A# ^) f
% _; T0 S, L8 d2 Z7 j7 {我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:' {& q+ W; m5 L- C- O) t
, a* I% m; s% q6 I8 X0 ~<?php# x3 b- n6 g% F
phpinfo();
) o' v) J- h% V?>% n. r- D+ d! V) x3 _: d; i- ?* w \
在浏览器中访问:3 ^. Y) `- w1 Y+ X9 ]1 e. A' Q
5 U5 r, v7 l7 o) n o) [: O2 d; vhttp://www.52os.net/phpinfo.php?id=1 正常显示。
6 D1 [4 Y( ~% v8 h1 khttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。* b s$ w# K1 {8 W4 e( b
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。, w/ [! p7 ?) y: y/ h" x6 {% y
说明sql注入和xss已经被过滤了
7 W G& O H# T1 U! T% q; O! D. }/ c5 J# T. h; r7 v; q
七、安装过程中排错5 I' Z9 T; P2 j$ W6 r! L# Y
& d$ Y. P: C# l3 D l, y
1.缺少APXS会报错/ i. \. R3 s; j+ _ J
3 s+ b$ m$ |8 B/ B& v. q6 i5 }configure: looking for Apache module support via DSO through APXS) ]. N" E+ q) B+ _7 l& ?
configure: error: couldn't find APXS2 q1 T t* o$ I% P/ `
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。$ I; F0 C" _9 W/ e, {- Y
解决方法:
! K, e; i% V5 o% [' W% ^( K/ W; s) B% { i I1 ?: B
yum install httpd-devel
- |) `7 _; P+ a2 g4 j6 x2.没有pcre
7 V |# H* S, M, C: j& `# F R9 O
configure: *** pcre library not found.
( e/ \" f& C" L3 ?9 m4 hconfigure: error: pcre library is required' ?5 @) X( q( X9 }
解决方法:
: C+ P# y2 Q+ c1 ~) f4 ?" P. b- X) e. D# u f
yum install pcre pcre-devel
7 A7 j+ o. c/ {* t0 ^3.没有libxml29 `% T' G! x/ m! ~
( @6 Q( A1 k2 I$ |' O1 y6 I
. A' v- [" N* G& l, }; Fconfigure: *** xml library not found.& ~9 _* c' l8 F# n5 [1 F, O
configure: error: libxml2 is required5 P( e; P! I, p7 P& ^4 ]: S$ j
解决方法:
6 `. v. } a m& F; B% D0 d5 t' F. {$ Q! v# a4 X
yum install libxml2 libxml2-devel$ V" g5 N5 r8 X; r
4.执行 /opt/tengine/sbin/nginx -m 时有警告
/ W+ m' v. p9 T* Q; s: r
8 g1 f- O8 f2 `Tengine version: Tengine/2.1.0 (nginx/1.6.2)
; Y2 Y; [, [5 q' @$ m- Znginx: [warn] ModSecurity: Loaded APR do not match with compiled!4 n# e2 N6 v7 R" m
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
" O8 t; ^& h E7 T3 W
1 g* G2 c. t( w2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.; B6 ~! d# m+ I* k
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"! t3 J f+ M1 J
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
( q* D$ X& H; @- [: t' o1 S2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
+ p3 x y. \) y2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
" v: p) y" e7 _: D# H7 y! _2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
! a, k t: j, L$ T' R' L解决方法,移除低版本的APR (1.3.9): d9 G* R+ }1 r. R! S7 m
/ ], v6 K8 P& W: w* R
yum remove apr
: D8 E. w* m/ c. g7 |+ n' R% [5.Error.log中有: Audit log: Failed to lock global mutex) G1 B# o% f. j6 G8 L
; y' g& } n S6 b2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 7 b, N- G5 u. w" L2 u
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]1 R' H! k4 T: D6 D
解决方法:
) F) e- U: {5 C- F编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:1 y7 ^# u( Y1 ^- ^; {2 L" I+ g
/ v2 ^" l- Z. T1 FSecAuditLogDirMode 07772 J) ]: o7 N' ]% @3 v& X4 R8 f
SecAuditLogFileMode 05505 d, _) Q7 f% {3 k' |7 N5 \
SecAuditLogStorageDir /var/log/modsecurity/ B4 M3 q" l) Z6 W/ K9 c
SecAuditLogType Concurrent
3 |$ H, G+ U7 x7 X( Y! X7 m参考文章:$ h) o- A- U( D3 n6 G3 }
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
f, q& v1 F6 L5 Khttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡