ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF and is a sharp tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build is done, the module is added at nginx's configure step with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block web threats, and its strength lies in its rules. The rule set provided by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and custom rules can of course be written to cover other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which logs matches without blocking; that mode is useful for a first run against real traffic to spot false positives before switching to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need; each rule file is activated by pulling it into modsecurity.conf with an Include directive (the setup file must come first):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host that should be protected, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing configuration:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests get a 403 straight away. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS probes are being filtered. Remove phpinfo.php once the test is done, since it discloses the server configuration to anyone who requests it.
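The three browser checks above are worth scripting so they can be rerun after every rule change. The following is an added example, not code from the original post: it assumes the same three requests and expected status codes, and the base URL is a placeholder for the protected host.

```python
# Added example (not from the post): regression check for the three test requests.
import urllib.error
import urllib.parse
import urllib.request

# Constructed cases: (query parameters, expected HTTP status). The benign case
# guards against false positives; the other two catch rules that are loaded
# but not blocking (e.g. SecRuleEngine still on DetectionOnly).
CASES = [
    ({"id": "1"}, 200),
    ({"id": "1 and 1=1"}, 403),
    ({"search": "<script>alert('xss');</script>"}, 403),
]

def build_url(base_url, path, params):
    """Percent-encode the query so spaces and '<' survive the HTTP layer."""
    return "%s%s?%s" % (base_url, path, urllib.parse.urlencode(params))

def fetch_status(url, timeout=5):
    """Return the HTTP status; a 403 is a result here, not an exception."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code

def verdict(expected, actual):
    """Classify one case so false positives and missed blocks are told apart."""
    if actual == expected:
        return "pass"
    if expected == 200 and actual == 403:
        return "FAIL: false positive (benign request blocked)"
    if expected == 403:
        return "FAIL: not blocked (check SecRuleEngine and the Include lines)"
    return "FAIL: unexpected status %d" % actual

def run(base_url="http://www.52os.net", path="/phpinfo.php"):
    """Run every case against a live host (base_url is a placeholder)."""
    results = []
    for params, expected in CASES:
        url = build_url(base_url, path, params)
        results.append((url, verdict(expected, fetch_status(url))))
    return results

if __name__ == "__main__":
    for url, outcome in run():
        print(outcome, url)
```

Only run() needs network access; the URL building and the verdict logic can be checked offline.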
VII. Troubleshooting during installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for compiling and installing extension modules for the Apache HTTP server: it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it, which is why httpd-devel is a dependency.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time; error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 makes the audit directories world-writable. For production, create /var/log/modsecurity owned by the user the nginx worker processes run as and use a tighter SecAuditLogDirMode such as 0750; the directive only governs directories ModSecurity creates itself.
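Both error.log excerpts above (the APR version notices and the audit-log mutex error) share the nginx error-log layout, with ModSecurity's own [key "value"] tags appended to the message. The parser below is an added example, not from the original post; its sample lines are constructed, and the rule id, file line and msg in the blocked-request line are illustrative placeholders.

```python
# Added example (not from the post): parse ModSecurity entries out of nginx error.log.
import re
from collections import Counter

# nginx error.log prefix, then the ModSecurity message and its [key "value"] tags.
LINE_RE = re.compile(
    r'^(?P<time>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: '
    r'(?:\*\d+ )?(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<rest>.*)$'
)
TAG_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>(?:[^"\\]|\\.)*)"\]')

# Constructed sample: the mutex error from the post, a blocked request whose
# rule id, file line and msg are illustrative placeholders, and a version notice.
SAMPLE_LOG = """\
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:16:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)placeholder" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "999"] [id "999001"] [msg "SQL Injection Attack (constructed sample)"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "sample0001"]
2015/01/26 04:16:02 [notice] 61610#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
"""

def parse_line(line):
    """Return a dict for a ModSecurity line, or None for unrelated nginx lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    rest = entry.pop("rest")
    tags = {}
    for t in TAG_RE.finditer(rest):
        key, value = t.group("key"), t.group("value")
        if key == "tag":
            tags.setdefault("tag", []).append(value)  # tag repeats per rule
        else:
            tags[key] = value
    entry["message"] = rest.split(" [", 1)[0]  # free text before the first tag
    entry["tags"] = tags
    return entry

def summarize(log_text):
    """Count blocked requests per (rule id, uri) and collect operational errors."""
    blocked, errors = Counter(), []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["message"].startswith("Access denied"):
            blocked[(e["tags"].get("id"), e["tags"].get("uri"))] += 1
        elif e["level"] in ("error", "warn"):
            errors.append(e["message"])
    return blocked, errors
```

Splitting rule hits from operational errors this way lets the mutex and APR problems above surface in monitoring without being buried under blocked-request noise.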
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614