|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
9 Q5 s- {# F) E/ f# f
( g' A2 i. ]) w2 z+ ~' G一.准备工作
( V# u( A1 s# k' Y/ k/ M) m; F, N2 o4 k, D9 q* N
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0" p$ m8 O% C& m
7 C* Q! W ~, D) |! ]+ V
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz: w8 p! i: S( j' A9 o) U$ z
& \+ i: z6 ?6 Z8 {- F3 a9 Smodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz5 _& p9 i/ i3 Z2 n6 x# i
; t) @4 N* y( W: u4 u2 c
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs1 W+ E8 \- H* { f- H
7 `7 }4 \ @2 G1 B. `8 s依赖关系:! ?" E2 V9 z3 q8 [) Z' o( B5 D
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
8 E( ^+ s7 v Z, a. ^' E8 D8 N5 i* u. \1 h, o: t9 d
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
$ ~/ |- h% G2 w) {' Gmodsecurty依赖的包:pcre httpd-devel libxml2 apr1 \4 k3 y% ?/ v e; q
* a# O @* {/ Q( b: t, z; y
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel/ w7 b a: z! `" H2 Z- N
二.启用standalone模块并编译' d& @" G& N: V; z7 j
0 `/ f/ C% h6 o$ n1 |下载modsecurity for nginx 解压,进入解压后目录执行:
' G% F ?! c# t) |5 ^( R
& A2 T l7 a: u! U1 ]./autogen.sh
4 x. n# d8 s) C/ R8 G- K./configure --enable-standalone-module --disable-mlogc: s1 i* [2 z& |' \+ I
make
, U6 p* ~+ } ^( V, X" {三.nginx添加modsecurity模块
% O& _ y3 C0 x) d0 M" o$ v& B$ S3 K4 j0 }8 L& T1 A
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:+ T& `4 F) G+ S' H
+ X4 T% P# w: U; n0 v3 f./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
8 f ^5 _% |9 E. U4 qmake && make install3 \* T0 y( l9 W& ~7 x
四.添加规则
% d1 r# v z/ F' Y# r W2 `+ X4 t, G/ H7 c3 d* v, I' P. Z8 x
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
& F- p# C' ^0 y+ ~9 M: v; B
2 u) G; C8 n6 f, Y1.下载OWASP规则:& H4 G+ |& N" z8 C; R8 [4 Z
) W1 d9 Y/ a# C: D, cgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
" H5 y9 _2 T; k
1 M; X. |0 n, d x; R* r- v8 cmv owasp-modsecurity-crs /opt/tengine/conf/1 l' X6 i" Q4 K! B1 c! C0 e) Z
" a" B! H% f" T9 r- d
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf# [: s4 y, z3 H* f5 v+ x
2.启用OWASP规则:
5 H( x8 @4 Z( o7 I4 @0 n, S5 X* ]+ T7 R! z5 q+ l' V
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
8 B" `* `4 X& _" |. }2 n [) c
; V0 f7 }. L* v& i: I+ J/ j" t$ Q编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
9 j. I# S/ \7 j5 \9 o( d6 ?
4 N9 j' h: _0 Q% s7 [4 @, c# Wowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
/ n& Q4 A1 l/ V( U6 k3 y+ n5 W9 m- @2 d) O1 E
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
9 e8 S" B0 u Y6 AInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf7 `* E) G0 f* P8 u
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
9 R! ~9 a! m; q) `: X _" S/ pInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf- X" ^5 U, H; ?; X! {$ }0 h7 k. j
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
7 z! ?. B, T. [& U1 J* O" G# [, NInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf+ }. B6 [5 h+ g- @ H
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
2 W+ _% }3 x- ^6 E4 c' J) V五.配置nginx* A+ V6 s9 E+ ~* i6 u
4 t4 ?% E+ |& T( \* L: r* E5 S( v在需要启用modsecurity的主机的location下面加入下面两行即可:
# Z# {+ r2 ^' Q1 W) o! H& [& y
! l) B2 x8 e* xModSecurityEnabled on; ; ~* |! }; i& N5 ~: a
ModSecurityConfig modsecurity.conf; w0 n# [: d m
下面是两个示例配置,php虚拟主机:
8 v! {0 I7 G' Z- e* c
$ U' }' D/ a6 D8 s2 o7 v" n" W/ Lserver {
! O# q N, z! J- z6 a listen 80;
& A! M! ~( O3 f6 ?. q+ ^. k0 F server_name 52os.net www.52os.net;% o, v/ X" J A* U0 S' V
2 _* r& ]# @$ `+ S7 O
location ~ \.php$ {
9 o! X2 r' I( d5 Q3 | ModSecurityEnabled on;
0 d, K. W, t: e) l5 T* I ModSecurityConfig modsecurity.conf;
" z& N/ y! q0 A: q
& s1 N2 Q; ` e" N. S2 o1 h0 B root /web/wordpress;
/ w* n0 M/ Q% z6 v index index.php index.html index.htm;" A9 t7 ] j R* d) C- G
7 d$ d: g2 G$ Q* ^
fastcgi_pass 127.0.0.1:9000;
. z; u/ \9 @& d9 [- B$ n0 N fastcgi_index index.php;6 n, ^ b3 s6 Y! e( b# s- r% J: ?
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
Q4 e$ T5 K+ v include fastcgi_params;
, f+ a; _/ t% | }
8 Y* O$ K/ E6 o: e. E) z }) x9 y+ P! H4 ]3 D# H" t
upstream负载均衡:
' j) ?0 ^1 N2 o0 }! I# U
7 Q- i& C: W) q. K8 l4 S7 g O% ?upstream 52os.net {* C5 |7 w: ~+ ^: _) L: k
server 192.168.1.100:8080;
7 W) d# r/ G$ _5 t$ S( n9 ^5 d server 192.168.1.101:8080 backup;
$ K; X) T+ x0 Y9 ^8 ^: [}
0 S& n2 |* O" c& w9 ]) y9 }4 T9 R- Q: C# k/ u
server { `4 q `5 s" v
listen 80;
$ @$ B. F, T. q zserver_name 52os.net www.52os.net; V) {5 v& p( b9 i2 v9 q( y7 q
6 ] j: e. I( ~4 u% nlocation / {. W1 J% c: }' u; |: M ]0 o
ModSecurityEnabled on; & ?# @. v- X/ r4 u: z4 e6 L, K( S
ModSecurityConfig modsecurity.conf;
8 e3 e/ r+ Q2 P. e7 M8 q* W3 f. T. W D+ k2 Y+ l
proxy_pass http://online;
1 l8 W7 l. Z, w. x# U proxy_redirect off;
+ v/ {0 R/ u( A8 k proxy_set_header Host $host;
1 |" C3 W- \7 t proxy_set_header X-Real-IP $remote_addr;/ b: ?* h7 [2 o. ]
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
, `4 `4 l, g0 @ }+ S8 j* j# L4 v" s
}
1 u. Q0 d7 e ^. S, N/ I/ B" I六.测试
" N5 p4 G- f; M# D
+ f8 ?: q+ @) q/ U# H我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
8 n8 Q9 d! y* i- x: }- G
r6 i" } ^. H# ^$ k<?php
4 u& w1 G8 N3 |6 [ phpinfo(); 5 a# q9 A4 S u) D1 V- F0 u) _# s. a
?>
! f" \" R# c/ ?$ _" s在浏览器中访问:
' u" L. i$ g$ v4 `
0 f0 \$ w. Y5 p8 W. [" _http://www.52os.net/phpinfo.php?id=1 正常显示。: I5 y5 ?, S" o6 f3 A- U P! x
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
1 G) N9 \; o, X# x6 y5 o1 Mhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。( W2 `- W, R! r: W$ A. P8 R4 Z# }
说明sql注入和xss已经被过滤了# M$ d8 ?$ F$ n. r
/ `2 m; M: i6 R6 j
七、安装过程中排错
) x/ w# p, n4 W% m- L) K: _+ r3 d) k) O* ~3 u: g# H
1.缺少APXS会报错8 j0 k' T+ \3 I# K, x% k5 m
5 }! h( b9 l7 Y2 dconfigure: looking for Apache module support via DSO through APXS- s3 ? I5 j3 y8 r4 t% g$ s9 B1 ~
configure: error: couldn't find APXS- }: A; ] O+ R% _! x0 h: W
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
% L: @$ u/ w' b% {解决方法:
7 w$ Z& \( }/ Z5 L$ l! x4 t1 A- C/ K6 d4 [* |
yum install httpd-devel
1 ]- ~' O( O) f& h+ o- s( g" t2.没有pcre' j8 v: `; G5 Z, z6 D
3 Q. x4 B; P, {( E* Rconfigure: *** pcre library not found.
$ v7 w/ ]/ q8 \1 d* rconfigure: error: pcre library is required" J; x& ^ f/ G0 N+ [
解决方法:
- }. l. \& X' n" b# g- ^/ I
7 w+ y# X: z, h* lyum install pcre pcre-devel' D. y2 T4 a$ d7 K8 _
3.没有libxml2
% D* Q8 i3 X$ A2 \$ o S; E- e1 Y9 x% v) m4 @
\4 S( V" N" v
configure: *** xml library not found.
: T2 r& J7 j# p1 L& A: ]! }configure: error: libxml2 is required% L$ I4 V7 _' g$ C& l, S
解决方法: o8 M; O. z) A! K/ v* e* C
* g- B7 j, ~ A- n- G) S$ w
yum install libxml2 libxml2-devel0 `& o6 ^) k! j$ G& z- B( z
4.执行 /opt/tengine/sbin/nginx -m 时有警告
1 J, a% ?2 s1 b# l9 U9 [8 o
9 t: |( ~. H t4 Z, mTengine version: Tengine/2.1.0 (nginx/1.6.2)
6 ^9 s4 J8 y _( xnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
( Z3 Q, {& [9 o& S% Q原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log4 Z8 Z+ ? y: F( m; E& i# O
% D2 A9 ^# a+ ?& q3 M& S
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.9 o# p+ z$ z& K
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"# R; X. a9 ~1 b$ r4 P
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
! M$ Q6 l3 f4 r# i2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"# M$ D. Q. T$ ]) o! w) h2 y
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"6 U0 [& n* {" u$ a/ M6 a
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.4 \: R( N1 _" ^+ R! `; F
解决方法,移除低版本的APR (1.3.9)
2 s7 m8 q; z3 n p4 N3 D1 ?! K2 N0 C% S7 t b: _
yum remove apr: H1 S( a4 V" O9 M: p8 O" H( u
5.Error.log中有: Audit log: Failed to lock global mutex) G/ Q- G5 s" g7 L" m, ^
6 f5 Z- k( Y2 C' Z) P2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock ; w# k1 C6 c1 @$ Z" y& o
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]& T( @* o' x* b6 B
解决方法:; m2 h2 P! J; o* y& J- u" A. V
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
) @: L6 R x+ T$ i8 [" G9 k! T$ f/ G
SecAuditLogDirMode 0777
! Y8 |1 n# o/ @. ^9 TSecAuditLogFileMode 0550
& C2 V1 u* y4 LSecAuditLogStorageDir /var/log/modsecurity
; _( q* `3 J8 LSecAuditLogType Concurrent8 t7 |% C( w: Y7 c! B
参考文章:/ g* U; m# j$ [
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX O1 y1 J9 ^7 I; ~
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡