Using nginx with ModSecurity to build a WAF

Posted on 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security. It now also supports nginx and IIS, and paired with nginx's flexibility and efficiency it can be turned into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is aimed at filtering and blocking web threats, and its power lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can of course also write custom rules to cover any requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

Under owasp-modsecurity-crs there are several folders holding rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules in them as needed; a rule file is enabled by pulling it into modsecurity.conf with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of every virtual host where ModSecurity should be enabled, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    # root and index sit at server level so that they also apply to
    # requests that do not match the PHP location
    root  /web/wordpress;
    index index.php index.html index.htm;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
Load balancing with upstream:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered with a 403 straight away. Taking the PHP setup as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Open in the browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
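The three browser checks above can also be run from a shell, which makes the check repeatable after every rule or nginx change. The script below is an added example, not part of the original post: it sends the same requests with curl, URL-encoding the query value so that the space in "1 and 1=1" and the angle brackets of the XSS probe reach the server exactly as a browser would send them, and compares the status code with what the WAF should return. The default base URL is the post's hostname and is an assumption; pass your own host as the first argument.

```shell
#!/bin/sh
# Added example, not from the original post: replay the post's three test
# requests with curl and check the status code the WAF returns for each.
# BASE_URL is an assumption; override it on the command line.
BASE_URL="${BASE_URL:-http://www.52os.net}"

# Print only the HTTP status code of a GET to $1 with query parameter $2=$3.
# --data-urlencode together with -G puts the value in the query string
# URL-encoded, so spaces and "<>" survive the trip to the server.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode "$2=$3" "$1"
}

# Usage: expect_status EXPECTED PATH PARAM VALUE
# Prints PASS or FAIL for the case and returns 1 on FAIL.
expect_status() {
    expected=$1; path=$2; param=$3; value=$4
    actual=$(http_status "$BASE_URL$path" "$param" "$value")
    if [ "$actual" = "$expected" ]; then
        printf 'PASS %s?%s=%s -> %s\n' "$path" "$param" "$value" "$actual"
    else
        printf 'FAIL %s?%s=%s -> %s (expected %s)\n' "$path" "$param" "$value" "$actual" "$expected"
        return 1
    fi
}

# The cases from the post: a clean request must get 200, the SQL injection
# and XSS probes must be blocked with 403. Returns the number of failed cases.
waf_smoke_test() {
    failures=0
    expect_status 200 /phpinfo.php id '1'                                  || failures=$((failures + 1))
    expect_status 403 /phpinfo.php id '1 and 1=1'                          || failures=$((failures + 1))
    expect_status 403 /phpinfo.php search "<script>alert('xss');</script>" || failures=$((failures + 1))
    return "$failures"
}

# Run only when a base URL is given, e.g.: sh waf_smoke.sh http://www.example.com
if [ $# -gt 0 ]; then
    BASE_URL=$1
    waf_smoke_test
fi
```

The exit status is the number of failed cases, so the script can gate a deployment: a WAF whose rule engine is still in DetectionOnly mode, or whose Include lines were lost, shows up as two FAIL lines rather than as a silent change.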

VII. Troubleshooting the installation

1. Missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime, and error.log contains the following as well:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
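Both error.log problems above (items 4 and 5) can be spotted automatically instead of by reading the log after something has already gone wrong. The script below is an added example, not from the original post; its sample input is constructed from the log lines quoted above so that it runs without a server, and each function reads a real error.log on stdin. version_mismatches reports every library whose compiled and loaded versions differ (item 4's APR warning), and audit_lock_failures lists the URI and unique_id of each request whose audit record could not be written (item 5). The log path in the last comment is an assumption based on the post's --prefix=/opt/tengine.

```shell
#!/bin/sh
# Added example, not from the original post: triage ModSecurity messages in
# nginx's error.log. SAMPLE_LOG is constructed from the lines quoted in the
# post; the functions themselves read whatever log is on stdin.
SAMPLE_LOG='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]'

# For every "LIB compiled version=...; loaded version=..." notice on stdin,
# print "LIB COMPILED LOADED" when the two differ. PCRE's loaded string
# carries a build date after the number, so only its first token is compared.
version_mismatches() {
    sed -n 's/.*ModSecurity: \([A-Z0-9]*\) compiled version="\([^"]*\)"; loaded version="\([^"]*\)".*/\1 \2 \3/p' \
    | while read -r lib compiled loaded; do
        [ "$compiled" = "${loaded%% *}" ] || printf '%s %s %s\n' "$lib" "$compiled" "$loaded"
    done
}

# For every audit-log locking failure on stdin, print "URI UNIQUE_ID" so the
# requests that lost their audit record can be matched against the access log.
audit_lock_failures() {
    grep 'Audit log: Failed to lock global mutex' \
    | sed 's/.*\[uri "\([^"]*\)"\].*\[unique_id "\([^"]*\)"\].*/\1 \2/'
}

# Run both checks over one log file and print a short report.
triage_log() {
    printf 'Library version mismatches (lib compiled loaded):\n'
    version_mismatches < "$1"
    printf 'Requests whose audit record could not be locked (uri unique_id):\n'
    audit_lock_failures < "$1"
}

# Stand-alone run over the constructed sample. Against a live server the
# call would be, for the post's layout (assumed path):
#   triage_log /opt/tengine/logs/error.log
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
triage_log "$tmp"
rm -f "$tmp"
```

A note on item 5's fix: SecAuditLogDirMode 0777 makes every directory the concurrent audit logger creates world-writable. Once logging works, tighten the mode to what the user the nginx workers run as actually needs, so that audit records cannot be altered by other local accounts.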
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614
Source forum: 第一站论坛
