ModSecurity was originally an open-source WAF for Apache that adds an effective layer of web security; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build has finished, the ModSecurity module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need with Include directives in modsecurity.conf, one per rule file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, an upstream load-balancing setup:

# the upstream name must match the host name used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, requests that match them are answered with 403. Using the PHP host as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS patterns are being filtered.
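The three browser checks above are worth scripting so they can be re-run after every rule change. The script below is an added example and not part of the original post: it uses curl to send the same benign request and the two test payloads and compares the HTTP status codes against what the post expects. It assumes curl is installed, that the site is reachable at the address held in the hypothetical WAF_BASE_URL variable, and that phpinfo.php exists as described; the probes only run when that variable is set.

```shell
#!/bin/sh
# Added example (not from the original post): smoke test for the ModSecurity
# setup described above. The benign request must pass (200) and the two
# requests that match the enabled rules must be blocked (403).
#
# Assumptions: curl is installed; WAF_BASE_URL (hypothetical variable, e.g.
# http://www.52os.net) points at the protected host; phpinfo.php exists there.

# http_status URL QUERY -> prints the HTTP status code of a GET request.
# --data-urlencode with -G percent-encodes the spaces and angle brackets
# that a browser would otherwise encode for you before appending the query.
http_status() {
    curl -s -m 10 -o /dev/null -w '%{http_code}' -G "$1" --data-urlencode "$2"
}

# verdict EXPECTED ACTUAL -> prints PASS/FAIL, returns 0 only on a match.
verdict() {
    if [ "$1" = "$2" ]; then
        echo "PASS (got $2)"
        return 0
    fi
    echo "FAIL (expected $1, got $2)"
    return 1
}

# run_probe LABEL QUERY EXPECTED -> one check against $WAF_BASE_URL/phpinfo.php
run_probe() {
    status=$(http_status "$WAF_BASE_URL/phpinfo.php" "$2")
    printf '%-14s ' "$1"
    verdict "$3" "$status"
}

# run_all -> runs the three checks from the post; returns the failure count.
run_all() {
    failures=0
    run_probe "benign"       "id=1"                                  200 || failures=$((failures + 1))
    run_probe "sqli pattern" "id=1 and 1=1"                          403 || failures=$((failures + 1))
    run_probe "xss pattern"  "search=<script>alert('xss');</script>" 403 || failures=$((failures + 1))
    return "$failures"
}

# Only talk to the network when the caller has pointed us at a host.
if [ -n "${WAF_BASE_URL:-}" ]; then
    run_all
fi
```

Run it as WAF_BASE_URL=http://www.52os.net sh waf_smoke_test.sh (any file name works). A 403 on the benign request means a rule is matching normal traffic; look up the rule id in error.log before disabling anything, and while tuning you can set SecRuleEngine DetectionOnly in modsecurity.conf, which logs matches without blocking.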
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP Server; it builds one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
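Items 4 and 5 both surface only in the log output, so a quick way to scan error.log for them is useful after an upgrade. The script below is an added example, not part of the original post and not ModSecurity's own tooling: it reads an nginx error log and reports libraries whose compiled and loaded versions differ (item 4) and audit-log mutex failures together with the client and URI involved (item 5). The sample log it writes is constructed from the lines quoted above. One caveat on the fix for item 5: SecAuditLogDirMode 0777 makes the audit directory world-writable; the tighter option is to have /var/log/modsecurity owned by the user the nginx workers run as and grant write access only to that user.

```shell
#!/bin/sh
# Added example (not from the original post): scan an nginx error.log for the
# two ModSecurity problems described in troubleshooting items 4 and 5.

# version_mismatches LOGFILE -> one line per library whose compiled and loaded
# versions differ, formatted "<LIB> compiled=<x> loaded=<y>".
version_mismatches() {
    sed -n 's/.*ModSecurity: \([A-Z]*\) compiled version="\([^"]*\)"; loaded version="\([^"]*\)".*/\1 \2 \3/p' "$1" |
    while read -r lib compiled loaded; do
        # Compare only the version number: PCRE reports "7.8 " against
        # "7.8 2008-09-05", which is the same library, not a mismatch.
        c=${compiled%% *}
        l=${loaded%% *}
        if [ "$c" != "$l" ]; then
            echo "$lib compiled=$c loaded=$l"
        fi
    done
}

# mutex_errors LOGFILE -> one line per audit-log lock failure,
# formatted "<date> <time> <client ip> <uri>".
mutex_errors() {
    sed -n 's/^\([^ ]* [^ ]*\) .*\[client \([^]]*\)\] ModSecurity: Audit log: Failed to lock global mutex.*\[uri "\([^"]*\)"\].*/\1 \2 \3/p' "$1"
}

# write_sample_log PATH -> writes a constructed sample made of the log lines
# quoted in this post, so the functions can be demonstrated offline.
write_sample_log() {
    cat >"$1" <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
EOF
}

# Stand-alone demonstration on the constructed sample. To scan a real log,
# call the two functions with its path instead, e.g. /opt/tengine/logs/error.log.
SAMPLE_LOG=$(mktemp)
write_sample_log "$SAMPLE_LOG"
echo "== compiled/loaded version mismatches =="
version_mismatches "$SAMPLE_LOG"
echo "== audit-log mutex failures =="
mutex_errors "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

On the sample the first section lists only APR (1.5.0 against 1.3.9), which is exactly the condition behind the "Loaded APR do not match with compiled!" warning, and the second lists the single mutex failure from /i.php. Run against a real log after applying the fixes, both sections should be empty.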
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614