nginx with ModSecurity as a WAF

Posted 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, and it is a useful tool both for protecting web applications and for auditing the traffic they receive.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr:

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the extracted directory and run:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make

--enable-standalone-module builds the library that nginx links against instead of an Apache module; there is no make install step, because nginx's build points at this source tree directly in the next section. --disable-mlogc leaves out the remote log collector (mlogc), which needs libcurl and is not used here.
III. Add the ModSecurity module to nginx

Once the standalone build has finished, pass the module to nginx's configure with "--add-module" (adjust the path to wherever you unpacked the ModSecurity source):

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install

The module is compiled statically into the binary, so upgrading ModSecurity later means rebuilding nginx.
IV. Add rules

ModSecurity filters and blocks web attacks, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and comprehensive, and you can also write your own rules for anything it does not cover.

1. Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

The file names and directories used below are those of CRS 2.2.x, which is what the repository's default branch held when this was written. The project has since moved to CRS 3.x, which uses a different layout (crs-setup.conf.example and a single rules/ directory), so check out a 2.2.x tag if you want the paths below to match.

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly; running in that mode for a while and reviewing the audit log before switching to On is the usual way to catch false positives before they become 403s for legitimate users.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each file to modsecurity.conf. The paths here are relative to /opt/tengine/conf, where the rule set was moved, and the setup file must be included before any rule file because it defines the variables and collections the rules rely on:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In every server or location block that should be protected, add these two lines (ModSecurityConfig is resolved relative to nginx's conf directory):

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host. ModSecurity is enabled only inside the PHP location here, so add the same two directives to any other location whose requests you want inspected:

    server {
        listen      80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig  modsecurity.conf;

            root  /web/wordpress;
            index index.php index.html index.htm;

            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            # nginx variable names are case-sensitive: $document_root, not $Document_root
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
    }

Second, an upstream load balancer, with the WAF running on the proxy in front of the application servers (the upstream name must match the one used in proxy_pass):

    upstream online {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen      80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig  modsecurity.conf;

            proxy_pass         http://online;
            proxy_redirect     off;
            proxy_set_header   Host            $host;
            proxy_set_header   X-Real-IP       $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
VI. Test

With the XSS and SQL injection rules enabled, a malicious request is answered with a 403 directly by nginx. Using the PHP host as an example, create a file phpinfo.php containing:

    <?php
        phpinfo();
    ?>

Then request the following in a browser:

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS payloads are being filtered. Delete phpinfo.php once you are done testing; it discloses the PHP build and environment to anyone who can reach it.
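The three browser checks above are easy to forget after the next rule update, so here they are as a small regression script. This is an added example and not part of the original post: the host and path are the ones the tutorial uses, and the POST variant is an assumption that modsecurity.conf-recommended's SecRequestBodyAccess On was kept, so a payload in the request body must be blocked as well as one in the query string. The benign request is checked too, because a WAF that starts answering 403 to normal traffic is a failure as well.

```python
"""Smoke test for the ModSecurity/nginx deployment described in the tutorial:
the benign request must pass (200) and the injection probes must be blocked
(403). Added example, not code from the original post. BASE_URL and the
probe paths are assumptions taken from the tutorial's own test URLs."""
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net"   # assumption: the tutorial's host
BLOCKED = 403                      # status ModSecurity's default deny action returns

# (name, path, query parameters, form body or None, expected status)
PROBES = [
    ("benign",    "/phpinfo.php", {"id": "1"}, None, 200),
    ("sqli-get",  "/phpinfo.php", {"id": "1 and 1=1"}, None, BLOCKED),
    ("xss-get",   "/phpinfo.php", {"search": "<script>alert('xss');</script>"}, None, BLOCKED),
    # assumption: SecRequestBodyAccess On (as in modsecurity.conf-recommended),
    # so the same payload in a POST body must be blocked too
    ("sqli-post", "/phpinfo.php", {}, {"id": "1 and 1=1"}, BLOCKED),
]


def build_request(base_url, path, params, form):
    """Build the request with a URL-encoded query and body. A browser encodes
    the spaces and angle brackets in the tutorial's URLs, so the probe must too."""
    url = base_url + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    data = urllib.parse.urlencode(form).encode() if form is not None else None
    method = "POST" if data is not None else "GET"
    return urllib.request.Request(url, data=data, method=method)


def http_status(request):
    """Return the HTTP status code; urllib raises HTTPError on 4xx/5xx, and the
    403 from the WAF is exactly the answer we want to record, not an exception."""
    try:
        with urllib.request.urlopen(request, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_probes(base_url=BASE_URL, fetch=http_status, probes=PROBES):
    """Run every probe; returns (all_passed, [(name, expected, actual), ...]).
    `fetch` is injectable so the harness can be exercised without a live WAF."""
    results = []
    for name, path, params, form, expected in probes:
        actual = fetch(build_request(base_url, path, params, form))
        results.append((name, expected, actual))
    return all(exp == act for _, exp, act in results), results


if __name__ == "__main__":
    ok, results = run_probes()
    for name, expected, actual in results:
        print(f"{'PASS' if expected == actual else 'FAIL'} {name}: expected {expected}, got {actual}")
    raise SystemExit(0 if ok else 1)
```

Run it against the WAF after every CRS update or rule change; a non-zero exit means either a probe got through or the benign request was blocked, and the audit log will say which rule was responsible.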
VII. Troubleshooting the build

1. Missing APXS

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server, compiling one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when you only build the standalone module. Fix:

    yum install httpd-devel

2. Missing pcre

    configure: *** pcre library not found.
    configure: error: pcre library is required

Fix:

    yum install pcre pcre-devel

3. Missing libxml2

    configure: *** xml library not found.
    configure: error: libxml2 is required

Fix:

    yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m (the Tengine option that lists loaded modules)

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version present when ModSecurity was compiled differs from the one loaded at run time. error.log shows both versions:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that the loader picks up the 1.5.0 build the module was compiled against:

    yum remove apr

Check what yum proposes to remove before confirming: httpd-devel, installed above for apxs, depends on apr through apr-devel and will be removed with it (harmless once the module is built). If the newer APR lives outside the system library path, for example under /usr/local/apr/lib, adding that directory in /etc/ld.so.conf.d and running ldconfig makes the loader find it without removing the packaged version.

5. error.log contains: Audit log: Failed to lock global mutex

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent

Concurrent mode writes one file per transaction under SecAuditLogStorageDir instead of sharing a single serial log file, which is why the mutex is no longer needed. The files are written by the nginx worker processes, so /var/log/modsecurity must exist and be owned by the worker user (nobody or nginx, whichever your nginx.conf sets) before you reload. With the directory owned by the worker, ModSecurity's default modes (0600) are sufficient; a world-writable audit log directory (0777) is not something to leave on a production host, because anyone with a local account can then tamper with or remove the evidence the WAF records.
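Once the audit log is writing (item 5 above), it is the place to look when one of the test requests in section VI is blocked, or when a legitimate user reports a 403: each entry records the client, the request line, the response status and the rule ids that fired. The parser below is an added example and not code from the original post or from the ModSecurity project; the two entries it parses are constructed sample data in ModSecurity's native audit-log format, and the rule ids, messages and line numbers in them are illustrative.

```python
"""Parser for ModSecurity 2.x native audit-log entries (the format the
Concurrent audit log writes, one file per transaction). Added example, not
code from the original post. SAMPLE_LOG is constructed sample data and its
rule ids, messages and file line numbers are illustrative."""
import re

# Constructed sample: two blocked requests as ModSecurity would record them.
# Every part starts with "--<boundary>-<letter>--" and part Z closes the entry.
SAMPLE_LOG = """\
--3e9c1a7b-A--
[26/Jan/2015:04:15:42 +0800] AcAcAcAcAcAcAcA4DcA7AcAc 10.11.15.161 51234 192.168.1.10 80
--3e9c1a7b-B--
GET /phpinfo.php?id=1+and+1%3D1 HTTP/1.1
Host: www.52os.net

--3e9c1a7b-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html

--3e9c1a7b-H--
Message: Access denied with code 403 (phase 2). Pattern match "<regex elided>" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Producer: ModSecurity for nginx (STABLE)/2.8.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Engine-Mode: "ENABLED"

--3e9c1a7b-Z--

--7d02f4c9-A--
[26/Jan/2015:04:16:03 +0800] BdBdBdBdBdBdBdB4DdB7BdBd 10.11.15.161 51240 192.168.1.10 80
--7d02f4c9-B--
GET /phpinfo.php?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1
Host: www.52os.net

--7d02f4c9-F--
HTTP/1.1 403 Forbidden

--7d02f4c9-H--
Message: Access denied with code 403 (phase 2). Pattern match "<regex elided>" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "21"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"

--7d02f4c9-Z--
"""

PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
# Part A: [timestamp] unique_id client_ip client_port server_ip server_port
A_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<client>\S+) \d+ \S+ \d+")
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs in part H


def split_entries(text):
    """Group the parts of each entry by boundary id: {boundary: {letter: body}}."""
    entries = {}
    marks = list(PART_RE.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        entries.setdefault(m.group(1), {})[m.group(2)] = text[m.end():end].strip("\n")
    return entries


def first_line(s):
    return s.splitlines()[0] if s else ""


def parse_entry(parts):
    """Extract what an analyst needs: who, what, the verdict, and which rules fired."""
    a = A_RE.match(parts.get("A", ""))
    h_lines = parts.get("H", "").splitlines()
    status_line = first_line(parts.get("F", ""))
    rules = [dict(KV_RE.findall(l)) for l in h_lines if l.startswith("Message:")]
    return {
        "timestamp": a.group("ts") if a else None,
        "unique_id": a.group("uid") if a else None,
        "client": a.group("client") if a else None,
        "request": first_line(parts.get("B", "")),
        "status": int(status_line.split()[1]) if status_line else None,
        "intercepted": any(l.startswith("Action: Intercepted") for l in h_lines),
        "rule_ids": [r.get("id") for r in rules],
        "messages": [r.get("msg") for r in rules],
    }


def parse_audit_log(text):
    return [parse_entry(p) for p in split_entries(text).values()]


def blocked_by_client(records):
    """Intercepted transactions per client IP: a quick top-talkers view."""
    counts = {}
    for r in records:
        if r["intercepted"]:
            counts[r["client"]] = counts.get(r["client"], 0) + 1
    return counts


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_LOG)
    for r in records:
        print(r["timestamp"], r["client"], r["status"], r["request"], r["rule_ids"])
    print(blocked_by_client(records))
```

To use it on a real deployment, concatenate the per-transaction files under /var/log/modsecurity and pass the text to parse_audit_log; the rule ids it returns are what you feed into SecRuleRemoveById when a rule turns out to be a false positive for your application.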
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614