ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports Nginx and IIS. Combined with Nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for Nginx, unpack it, and run the following inside the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, nginx can pull ModSecurity in at compile time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity's job is to filter and block dangerous web traffic, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover any further need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several rule directories, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need; each rule file you want active is pulled in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines inside the location block of every virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        # Turn the WAF on for this location; modsecurity.conf is relative to the conf directory
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # The name after http:// must match the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests get a 403 straight away. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
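Every 403 from the testing section and every problem like the mutex error above lands in nginx's error.log as a "ModSecurity:" line followed by [key "value"] metadata. The helper below is an added example, not part of this post or of ModSecurity itself: it parses that line format into fields and picks out the requests the engine actually denied. The sample log text is constructed; the file/line/id/msg values in the "Access denied" line are placeholders, not real CRS rule identifiers.

```python
import re

# Constructed sample of nginx error.log lines in the format ModSecurity 2.x for nginx writes.
# Line 1 is the audit-log mutex error from the troubleshooting section; line 2 is a constructed
# "Access denied" event (file/line/id/msg values are placeholders, not real CRS rule ids);
# line 3 is the status-engine notice, which carries no [client] prefix.
SAMPLE_ERROR_LOG = """\
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "PLACEHOLDER" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "0"] [id "000000"] [msg "SQL Injection Attack (constructed)"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "BcBcBcBcBcBcBcB4DcB7BcBc"]
2015/01/26 04:20:02 [notice] 61610#0: ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
"""

# nginx prefix: timestamp, level, pid#tid, optional [client ip], then the ModSecurity message.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<message>.*)$')
# Trailing metadata is a series of [key "value"] pairs; values may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_modsecurity_lines(text):
    """Return one dict per ModSecurity line: the nginx prefix fields, the free-text message
    with metadata stripped, and every [key "value"] pair as its own key. Other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group('message')
        event = {'ts': m.group('ts'), 'level': m.group('level'),
                 'client': m.group('client'),
                 'message': FIELD_RE.sub('', raw).strip()}
        event.update(FIELD_RE.findall(raw))
        events.append(event)
    return events


def blocked_requests(events):
    """Events where the rule engine denied the request (only written with SecRuleEngine On)."""
    return [e for e in events if e['message'].startswith('Access denied')]


def denied_count_by_client(events):
    """Denials per source IP: a quick way to spot a noisy client or a rule that false-positives."""
    counts = {}
    for e in blocked_requests(events):
        counts[e['client']] = counts.get(e['client'], 0) + 1
    return counts


if __name__ == '__main__':
    events = parse_modsecurity_lines(SAMPLE_ERROR_LOG)
    for e in blocked_requests(events):
        print(e['ts'], e['client'], e.get('hostname'), e.get('uri'), e.get('msg'))
    print(denied_count_by_client(events))
```

Point it at the real file with parse_modsecurity_lines(open('/opt/tengine/logs/error.log').read()) once the hostname, uri and msg fields are what you want to review after a deployment.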
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614