Building a WAF with nginx and ModSecurity

Posted 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and performance of nginx it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
* A1 Q: u0 E2 e1 t8 u$ W% Q1 ~5 ^' }- f二.启用standalone模块并编译; M- [8 y& J9 z

8 _+ V6 w3 o; G: w: J: t/ r下载modsecurity for nginx 解压,进入解压后目录执行:. C" x7 G0 O; K3 q; C' i9 s' o

: Z- B+ F! W# K; {0 b/ J" |./autogen.sh4 s; Q$ O3 q+ K# r2 o- k- m: u
./configure --enable-standalone-module --disable-mlogc
2 F- s# W0 P2 n( i% ?9 h9 cmake
3. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and comprehensive, and you can of course also write custom rules for your own needs.

(1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

(2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines to the location block of every virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two sample configurations. First, a PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Second, an upstream load-balancing configuration:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # the name after http:// must match the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, malicious requests are rejected with a 403 straight away. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that the SQL injection and XSS attempts are being filtered.
7. Troubleshooting the installation

(1) Missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. Fix:

yum install httpd-devel

(2) pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

(3) libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

(4) Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
(5) error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 makes the audit log directories world-writable; any mode that still lets the nginx worker user create files under the storage directory is sufficient.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614