ModSecurity began as an open-source WAF for Apache and is an effective way to harden a web server. It now also supports Nginx and IIS; combined with Nginx's flexibility and performance it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for Nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is about filtering and blocking web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and comprehensive, and you can of course write your own rules for any requirement they do not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. (The recommended file ships with SecRuleEngine DetectionOnly, which only logs matches and does not block anything.)

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of any virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two sample configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered directly with a 403. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS probes are being filtered.
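The browser checks above can be scripted so the WAF is re-verified after every rule or nginx change. This is an added example, not code from the original post; the base URL is a placeholder taken from the post, and fetch() is injectable so the check logic can be exercised without a live server.

```python
"""WAF smoke test for the three requests from the walkthrough: benign, SQLi probe, XSS probe."""
import sys
import urllib.error
import urllib.parse
import urllib.request

# (path, query string, expected HTTP status) -- the cases from the walkthrough.
CASES = [
    ("/phpinfo.php", "id=1", 200),                                    # benign request
    ("/phpinfo.php", "id=1 and 1=1", 403),                            # SQLi probe
    ("/phpinfo.php", "search=<script>alert('xss');</script>", 403),  # XSS probe
]

def build_url(base_url, path, query):
    """Percent-encode the query string; CRS decodes it again before matching."""
    return base_url.rstrip("/") + path + "?" + urllib.parse.quote(query, safe="=&/")

def fetch_status(url):
    """HTTP status for url; urllib raises on 403, so unwrap the error code."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_checks(base_url, fetch=fetch_status):
    """Return [(url, expected, actual)] for every case; fetch is injectable."""
    results = []
    for path, query, expected in CASES:
        url = build_url(base_url, path, query)
        results.append((url, expected, fetch(url)))
    return results

def waf_is_effective(results):
    """True only if every probe got the status the WAF should produce."""
    return all(expected == actual for _, expected, actual in results)

if __name__ == "__main__":
    # placeholder host from the post; pass your own base URL as argv[1]
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net"
    results = run_checks(base)
    for url, expected, actual in results:
        print("PASS" if expected == actual else "FAIL", expected, actual, url)
    sys.exit(0 if waf_is_effective(results) else 1)
```

A non-zero exit status means at least one probe was not blocked (or the benign request was), which makes the script usable as a post-deploy check.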
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script needs it even for the standalone build, which is why httpd-devel is in the dependency list above.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9). Check what yum wants to remove along with it, since httpd and other packages depend on apr:

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The storage directory must exist and be writable by the user the nginx worker processes run as. Note that a directory mode of 0777 lets any local user write into it; granting write access only to the worker user is the tighter choice.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614