ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, a sharp tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build is done, the module is added to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write your own rules to cover other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling them into modsecurity.conf with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add these two lines to the location block of every virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the host named in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS produces an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr
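Both the test step (blocked requests answered with 403) and the APR mismatch above are visible in the nginx error.log, so a small script that reads that log is a practical way to confirm the deployment. The following is an added example, not code from the original post; the sample log it runs on is constructed from the startup notices quoted above plus one made-up block event whose rule id and unique_id are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise a ModSecurity-for-nginx
# error.log, pulling out the two things the post looks for in that log: library
# version mismatches reported at startup, and requests blocked with 403.
# Both functions read the log on stdin.

# Startup notices look like:
#   ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
# Only the leading version number is compared: the PCRE "loaded" value carries a
# build date after the number, and ModSecurity itself does not flag that.
version_mismatches() {
    sed -n 's/.*ModSecurity: \([A-Z]*\) compiled version="\([^"]*\)"; loaded version="\([^"]*\)".*/\1|\2|\3/p' |
    awk -F'|' '{ split($2, c, " "); split($3, l, " ") }
               c[1] != l[1] { printf "%s compiled=%s loaded=%s\n", $1, c[1], l[1] }'
}

# Blocked requests are logged as "Access denied" followed by bracketed
# key/value tags. Output: <client> <rule id> <uri>, one line per block.
blocked_requests() {
    grep 'ModSecurity: Access denied' |
    sed -n 's/.*\[client \([^]]*\)\].*\[id "\([^"]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \2 \3/p'
}

# Constructed sample log. The first lines are the startup notices quoted in the
# post; the last line is a constructed block event whose rule id and unique_id
# are placeholders, not values from a real deployment.
sample_log() {
    cat <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:05:03 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "PLACEHOLDER-ID"] [msg "constructed SQL injection hit"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "PLACEHOLDER"]
EOF
}

main() {
    echo "== library version mismatches =="
    sample_log | version_mismatches
    echo "== blocked requests: client rule_id uri =="
    sample_log | blocked_requests
}

# Runs on the constructed sample; to use it on a real log, pipe that in instead:
#   version_mismatches < error.log
main
```

A clean startup prints nothing under the first heading; after the APR fix the APR line disappears, while each 403 from the testing step shows up as one line under the second heading.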
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614