ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS, and combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0.

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make

III. Add the ModSecurity module to nginx

Once the standalone module is built, nginx can pick up the ModSecurity module at configure time via "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install

IV. Add rules

ModSecurity is built to filter and block web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover whatever you need.

1. Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need by pulling the corresponding files in with Include:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

In the location block of every host that should be protected by ModSecurity, add these two lines:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # nginx variables are case-sensitive: $document_root, not $Document_root
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

Second, an upstream load-balancing setup:

    # the upstream name must match the proxy_pass target below
    upstream online {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            proxy_pass http://online;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

VI. Testing

With XSS and SQL injection filtering enabled, attack requests are answered directly with 403. Using the PHP setup as an example, create a phpinfo.php containing:

    <?php
    phpinfo();
    ?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.

VII. Troubleshooting the installation

1. APXS missing

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

    yum install httpd-devel

2. pcre missing

    configure: *** pcre library not found.
    configure: error: pcre library is required

Fix:

    yum install pcre pcre-devel

3. libxml2 missing

    configure: *** xml library not found.
    configure: error: libxml2 is required

Fix:

    yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. The following also appears in error.log:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

    yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent
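
As an added example (my own script, not code from the post or from the ModSecurity project), the following shell script turns the manual checks from sections IV, VI and VII.4 into repeatable ones: it verifies that SecRuleEngine is On, that every Include in modsecurity.conf resolves to a file, that error.log reports matching compiled and loaded APR versions, and that the three test requests from section VI return the expected status codes. The paths under /opt/tengine and the host www.52os.net come from the post; everything else is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# ModSecurity + Tengine setup above. Paths and host name are assumptions.
CONF_DIR="${CONF_DIR:-/opt/tengine/conf}"
MODSEC_CONF="${MODSEC_CONF:-$CONF_DIR/modsecurity.conf}"
ERROR_LOG="${ERROR_LOG:-/opt/tengine/logs/error.log}"
# Section IV: SecRuleEngine must be On. DetectionOnly only logs and Off does
# nothing, so the 403s from section VI would never appear. Comments are
# ignored and the last directive wins, as ModSecurity applies them in order.
check_rule_engine() {
    mode=$(sed 's/#.*//' "$1" | awk '$1 == "SecRuleEngine" { v = $2 } END { print v }' | tr 'A-Z' 'a-z')
    [ "$mode" = "on" ]
}
# Section IV: every Include must resolve to an existing rule file; relative
# paths are taken against the nginx conf directory, matching the post's layout.
check_includes() {
    conf="$1"; base="$2"; missing=0
    for inc in $(sed 's/#.*//' "$conf" | awk '$1 == "Include" { print $2 }'); do
        case "$inc" in /*) path="$inc" ;; *) path="$base/$inc" ;; esac
        [ -f "$path" ] || { echo "missing rule file: $path" >&2; missing=$((missing + 1)); }
    done
    [ "$missing" -eq 0 ]
}
# Section VII.4: parse the startup notice and fail when the APR version
# ModSecurity was compiled against differs from the one loaded at run time.
check_apr_versions() {
    line=$(grep 'ModSecurity: APR compiled version' "$1" 2>/dev/null | tail -n 1)
    [ -n "$line" ] || return 0    # nginx has not logged its startup notice yet
    compiled=$(printf '%s\n' "$line" | sed -n 's/.*compiled version="\([^"]*\)".*/\1/p')
    loaded=$(printf '%s\n' "$line" | sed -n 's/.*loaded version="\([^"]*\)".*/\1/p')
    [ "$compiled" = "$loaded" ]
}
# Section VI: smoke test with curl; the benign request should get 200 and the
# two test payloads from the post should get 403. Extra arguments go to curl.
check_waf() {   # check_waf <url> <expected status> [curl args...]
    url="$1"; want="$2"; shift 2
    got=$(curl -s --max-time 10 -o /dev/null -w '%{http_code}' "$@" "$url")
    [ "$got" = "$want" ] || { echo "$url -> got $got, expected $want" >&2; return 1; }
}
main() {
    check_rule_engine "$MODSEC_CONF" || echo "SecRuleEngine is not On in $MODSEC_CONF" >&2
    check_includes "$MODSEC_CONF" "$CONF_DIR"
    check_apr_versions "$ERROR_LOG" || echo "APR compiled/loaded versions differ (see VII.4)" >&2
    base="http://www.52os.net/phpinfo.php"
    check_waf "$base?id=1" 200
    check_waf "$base" 403 -G --data-urlencode "id=1 and 1=1"
    check_waf "$base" 403 -G --data-urlencode "search=<script>alert('xss');</script>"
}
# Live checks run only on request, so the file can also be sourced for its functions.
if [ "${RUN_CHECKS:-0}" = 1 ]; then main; fi
```

Save it as modsec_check.sh and run RUN_CHECKS=1 sh modsec_check.sh on the WAF host; the curl checks need the site to be reachable from there.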

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614