|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。9 h( x* h' I2 C; M2 Z
* q& v1 s9 D @一.准备工作
7 M' }' j2 ^+ J' G/ ^( e5 n" }/ {0 q9 x
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0. P! K2 P% e1 u2 T. D8 a
$ e7 |, m2 `) O" }; k4 S( j/ E
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
) z: l+ R! g/ f- J9 M
. j% Q8 P0 I7 ]0 M' d, rmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz! s9 }4 N0 r# n# V
" _3 Z% S: m9 gOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs0 B( @+ Q, r/ y1 D. w
$ P# C Z, W; K. l% S, b
依赖关系:2 g$ f1 J: Y9 ]9 ^. R
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
3 f" \4 c/ B* i1 { c# h/ W9 e8 Q* ]) e' f4 K* B
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel0 B) T6 r+ Q/ l! a
modsecurty依赖的包:pcre httpd-devel libxml2 apr
% p% y" U" Z- b4 D) x
) m2 F$ s% _! Z9 G, x+ d6 y+ w" myum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
) W' S/ b5 I5 L; }# X- b# N二.启用standalone模块并编译
5 c& h6 T6 l9 ?8 R+ q0 N9 J3 H5 i5 D X* H* b+ P, ?: x: o
下载modsecurity for nginx 解压,进入解压后目录执行:, O8 f1 x* o5 p4 W# ~- ~
) `! j! r! A2 U9 D, r3 J./autogen.sh3 L; O( w# v8 Z2 P7 N2 U- x* H
./configure --enable-standalone-module --disable-mlogc. Y( q% @3 ~* B! n" i* }& d
make
% g8 J; E8 f, z2 q( v三.nginx添加modsecurity模块
0 e R' ^* G: l8 J6 |; }* m
( C5 g( _; ^) ` n h在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
9 f6 q# q( K. j6 T
0 t; @% i: _) q6 [./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
6 c1 S- I* a3 Z* qmake && make install& O+ f" M* s9 H
四.添加规则/ ^7 j/ j. j/ m2 a5 @( J
0 k [3 E5 \- fmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
- m# o: M' H- E2 P7 k% y* ]+ r' J9 D$ Y) W! n9 ?! A' M; u9 {
1.下载OWASP规则:0 ~& ?/ b) Q/ M6 R" I4 w
+ W, d5 T3 A* }- p5 u' q y0 V
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs( h7 i) D" \& F" @# K
* e, i# ]6 h! i [. ~mv owasp-modsecurity-crs /opt/tengine/conf/
* h& V3 H& m. t" D5 ]* y" ]% u
& k: w2 z. o1 y9 Rcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
9 Y3 c7 h/ }% [) F2.启用OWASP规则:
/ ]4 C$ n9 E0 `2 @
7 Z' x+ o, r) @6 `复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
8 N4 f& l5 E# B$ j+ G# R) C
2 j- t) [# D0 `0 Q* I" k- i( g2 _编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
7 M# D% G8 W% O
: [( u& ?+ L3 gowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。7 x# u1 T' K: R' q
7 t8 f) B7 ^! S) RInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf) S! _ p# e2 _6 q
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf! O0 P( p5 B. R# x
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
" I2 N" N5 o0 c) d: mInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf5 K9 d( `! u# R0 X$ P
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf2 G6 d/ _% f+ w' t* d
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
/ \! S8 T) A J1 c5 E3 AInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
& ~1 u: |* z8 M2 |五.配置nginx
" k- Y/ Q0 Y* s1 E$ y' N; J% v" l0 b4 Q/ C t
在需要启用modsecurity的主机的location下面加入下面两行即可:
. f6 ~! C' e* I: \1 v' g$ I! u! Q+ D' f- l1 i
ModSecurityEnabled on; 4 m2 l6 t1 t9 j3 b* e1 c
ModSecurityConfig modsecurity.conf;, [0 ]( g: P- h
下面是两个示例配置,php虚拟主机:
1 Y3 E8 u" I( m0 l D
, O$ ` F9 p$ ~+ W4 Rserver {
Q8 Z( @) d, |& y9 v listen 80;
! M) l9 K# T# v server_name 52os.net www.52os.net;
; t( }" b! K6 H! h% Q1 Z ' s, f; T& q7 e
location ~ \.php$ {
# E2 S( L2 l% ^ ]; G- u7 C ModSecurityEnabled on;
( \* `6 S! O: A4 z8 s+ t" n; T ModSecurityConfig modsecurity.conf;
8 V2 J% d/ o( x# X5 O# |1 a3 s1 T) @1 T3 B- j" h
root /web/wordpress;& d( j9 [/ p" }. [5 y1 Y7 P4 G& }
index index.php index.html index.htm;' ?6 R: [# |4 @& A3 H5 p( F
2 \4 h q6 J1 ] fastcgi_pass 127.0.0.1:9000;3 }! j$ L5 X# T8 q( [4 y
fastcgi_index index.php;5 }0 i4 Y6 }3 C S
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;5 E5 Q" B5 f& R$ w
include fastcgi_params;& g4 ^- F7 e6 b1 s* F
}
4 @6 m5 {# _. D$ C6 j+ e% O }
0 g( ]5 d# Z8 K4 c8 N& Rupstream负载均衡:
, ]0 W% p9 L. F% I r! m5 d
: @' O* c; E- ~; k0 U& w4 z0 `7 Gupstream 52os.net {
5 `# V6 M4 c3 }6 p/ l server 192.168.1.100:8080;3 q5 T; I9 A8 L4 V
server 192.168.1.101:8080 backup;
* g1 h- v" ^' s1 o k}, `% n2 ?5 ^) r9 K6 ~; G0 l+ p
5 Y6 a7 ]4 T( R" Kserver {
) ~1 V5 L& [& ~. {listen 80;1 Z( k& C: U+ f
server_name 52os.net www.52os.net;
3 `* i" p5 D4 Z
& J, t7 ]" S% u% ~location / {
9 V5 ?, m% O C/ }+ S$ ] ModSecurityEnabled on; + ^* N1 |8 i) g/ z9 n9 j+ H8 y
ModSecurityConfig modsecurity.conf;
9 v2 `$ ?# J; S- A; V, r" o8 ~( C' y1 l- ^
proxy_pass http://online;& T' u8 Z" N! P! w- B8 X6 d8 V
proxy_redirect off;
, G, \+ a) B4 b! b6 V3 P( S {# V proxy_set_header Host $host;) k) b! w2 g- B, v
proxy_set_header X-Real-IP $remote_addr;
6 I. x- U2 e6 R9 L proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;2 U; w4 a# `( n$ x7 V: o
}
( f1 j$ C4 J i+ u. S x/ B}1 Y% Q8 o a! D! \: D8 t# |
六.测试2 U- Y V; l& k' w" Q7 n% O
7 B) Y2 X( u! N4 e9 ?4 L
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:: N8 A+ j- b! C
, F m- |6 e$ O* p# w<?php& L1 d; [) {& X2 `% ^
phpinfo(); o" k, X x3 i. c
?>5 R( v$ {1 g: n# _ a) U+ U
在浏览器中访问:
3 L. ?: S& m: _ O! C3 d9 |& w' p& |' o5 ]# u: R
http://www.52os.net/phpinfo.php?id=1 正常显示。
6 r& C: Y% z+ o# ehttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
: p8 D( o: V& ?http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
0 e$ I6 o! ~& e A说明sql注入和xss已经被过滤了" A& d" E1 M/ D5 n! r+ V: T
k2 e) T% }2 c1 D
七、安装过程中排错
7 N- }0 C+ c' t" Q4 ]' C& U" W3 h) C' x6 o( I
1.缺少APXS会报错! s( J+ U0 T- _& j
' N& y7 H) h# A9 t
configure: looking for Apache module support via DSO through APXS
1 T E/ P8 R' _7 l+ e0 ~configure: error: couldn't find APXS
" U& f0 X( I3 A3 ^ i3 |5 i4 e. Y; _apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
5 Z4 e/ X5 G: E/ o; z" ^: V解决方法:
) G4 Z z, {" t0 K3 R2 P( E, X3 @7 ]
yum install httpd-devel9 B6 k& A6 F3 p- A5 _# v
2.没有pcre
$ C, h0 x- h* I! G, @5 z) ~, p9 g( E c' S
configure: *** pcre library not found." e9 C7 w: @' v1 Z7 z
configure: error: pcre library is required( N: Z3 P3 t2 c% ^4 m# Q* m: j6 ?0 h
解决方法:
0 S% L. W1 g* j0 v: Z/ y, M1 r/ B% ]9 A. N% [( z. h
yum install pcre pcre-devel8 |, u# I# `* O& C" r9 w
3.没有libxml21 P- m1 U. q+ `. k2 S1 M
6 m) B+ f9 M: i; ]" t
! \/ P$ w; B1 o P1 ^3 Q9 T. i- o
configure: *** xml library not found.8 b) C. X6 X- c5 g
configure: error: libxml2 is required6 U, d- i3 a. j, s& U! s+ R
解决方法:. I9 S R3 E8 K. N0 @1 `7 l+ C
, D7 T9 Z/ f3 E0 F2 K+ X# jyum install libxml2 libxml2-devel
. S K& ?& R, E2 j( ?4.执行 /opt/tengine/sbin/nginx -m 时有警告
' X6 x, |1 ^; `. F# p. |6 Z& f6 Y
Tengine version: Tengine/2.1.0 (nginx/1.6.2)( O! d( K3 D& W! L
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
* \' g7 a1 G' [4 \原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log. k4 C* i' [3 U0 g* a* e
& f: o* g) y- L* Q2 V
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
* L0 [2 z, v% F# }2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"( U" o! V- q/ H% f! H: t
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!7 R" g) Z r0 Y8 {9 ?/ B8 c; W
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"2 l7 ^( ~3 d0 ?5 R3 i& l
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
' j$ R b+ M0 U1 E2 E2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.3 M; l( U: q( G6 B1 v9 G
解决方法,移除低版本的APR (1.3.9)
+ M$ I) i; F% g; d; ^' j( c' J& R3 l7 D, `+ F2 ]% G6 K
yum remove apr! J, I v: J& o' l: [1 q C; Z5 H! ]
5.Error.log中有: Audit log: Failed to lock global mutex
) r" b X$ c" l/ m. M
Z, E/ M6 e, `: W- _- n2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
3 x( k/ j, a% V8 H) [" l# iglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
3 Z2 ^$ H4 K9 a* Z! s X解决方法:
: w; h' I9 Y O1 C编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
; l, |! v3 x3 W1 n5 s$ Y6 @0 n4 p# ^0 y' e, [7 u# |
SecAuditLogDirMode 07776 q' R6 r( a6 L
SecAuditLogFileMode 0550
$ C! }- L/ W$ p" A0 S7 Y r' x A8 WSecAuditLogStorageDir /var/log/modsecurity
( Q' y1 A' n( H* ISecAuditLogType Concurrent' _& C% D0 s t9 C0 f# P5 Y/ w; ]
参考文章:
6 F* r' g Y* ?) n4 Mhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX: T0 ]% b( U- t- }* n
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡