|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
8 U- m M' r( r3 G4 |, E% T8 r: S) O3 V: m5 v! I0 \3 W* Y
一.准备工作2 @7 n( c, K! \/ c6 o
: h5 { J) K0 U系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0# N; E* o( ]! i/ H$ p. u; ~
5 b4 B' U" u2 h* r- r2 p
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
( G! z$ e! y' ?# ~, Q2 d+ {8 c/ ?4 Y
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
$ Y9 o7 m" c1 h% P6 ^$ d6 [" E! q
( L' `3 F0 C4 F/ A6 |* k( K! BOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
; t6 p, k7 g/ N, }, C; b, V( V" F. n0 g. R. W
依赖关系:
0 z1 N' X7 _* Atengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:0 S' C; ^6 k5 f) w5 |9 {) ~/ x
+ p1 j. n# H+ \% ?5 V, Z+ ~yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel8 E0 i2 U! b2 V5 \+ j& n5 g+ a0 R5 N
modsecurty依赖的包:pcre httpd-devel libxml2 apr
2 i7 w. f) ?1 b* U; c! ~' ]5 G- _! l- g$ w
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
) y8 x7 O5 Z2 ^! O1 U; G8 V- Q二.启用standalone模块并编译
P2 I3 E" w" o5 e
+ s9 T1 m0 }: X% ^, k下载modsecurity for nginx 解压,进入解压后目录执行: k+ T+ G8 k! b! b0 [
4 M4 C- t; ?) |) Q. V1 f
./autogen.sh
0 }. z6 ?) [- t4 |./configure --enable-standalone-module --disable-mlogc/ n6 ^2 t( \, }7 ^( x
make
# m6 v) r2 @) a( }6 _) q9 s& D& K( L三.nginx添加modsecurity模块
! L5 O+ A& R* ^7 J1 j }
# \: w9 h$ k2 b" ?, A在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
3 I* x; g$ [& y) f( F) y0 _+ n$ r- {$ z9 z+ Y5 x
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
9 W4 u, o/ l) v8 D1 B8 d3 bmake && make install
' k7 Q& j5 H" y6 I6 E% l' g0 J7 ?4 c四.添加规则
$ U% h: d$ s) _, \- C/ l
9 r0 O! @$ h8 J1 k; Omodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
7 m, u* n1 m2 f0 h0 n; I' D4 A( o4 g2 e" Y; @" F" b: J7 X
1.下载OWASP规则:( t! h+ e. |7 V* M) ]4 c4 j: I
+ z) T, Y; Q, l) ~
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
$ T: z' w+ O+ z5 J
f: U4 L h: I9 t( m2 D- Amv owasp-modsecurity-crs /opt/tengine/conf/1 ~+ q# I! c. S0 i) x5 p* z# y: }
6 O* b/ G* H: N/ L3 i' ycd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
4 O- `% Q' s( L0 |' X, Y1 {4 i2.启用OWASP规则:% ]0 M9 _1 d7 S
4 d0 H% s: x% Q( }, _
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
. h' @5 K" p% A# Z* R& }; y. O K! K
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
* K3 j$ J' e1 n1 I- J% u0 I* C% R+ l, J: H
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
2 R. F0 r8 P7 m1 {! V: j7 q# A* |/ B Z- U8 Z! N
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
/ |) }( j; |4 D' F1 S7 z3 Z1 QInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
) s5 l8 V& v# O0 Y0 L$ [- T# aInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
; h/ Y) `6 R" v; ~+ r; rInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
$ M3 o% d* X% }* z/ C4 _Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf0 b8 [' c. h8 l+ ]
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
9 r# ]) e3 n/ S+ iInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
* |' n5 T5 ^; a五.配置nginx
_7 H! x3 j; U4 z( O4 Y6 `- i
) @8 V" m! B% m; F$ E! m在需要启用modsecurity的主机的location下面加入下面两行即可:
! B, j- _" \, m r, z! `# V. Y- d- a% |. H6 \
ModSecurityEnabled on; # R0 @5 `: h+ N3 P+ o$ y! o7 z
ModSecurityConfig modsecurity.conf;
6 K3 q6 g* ]/ @! y下面是两个示例配置,php虚拟主机:3 x" K/ e% D- `4 b
8 y W6 B3 k0 I( }$ l9 o
server {
, o; E) Q8 c: D3 F$ N! j/ a listen 80;* i/ k1 l( ]* P2 G3 k1 c
server_name 52os.net www.52os.net;5 B+ J* ?3 U. f$ d
9 v R9 c* D! ^0 H. ?% x, _ location ~ \.php$ {
2 B6 f& ]! n+ @- V! _ B ModSecurityEnabled on;
. ^+ Z' ]) ]: a1 j' b4 b ModSecurityConfig modsecurity.conf;9 n8 Z- `2 c7 q7 g5 O7 `
+ T8 h; I% H1 K4 l! S/ A
root /web/wordpress;
+ X: A0 m( q V6 ~+ a0 ?& ~/ D index index.php index.html index.htm;
3 L! O. ^9 n* i h- N; G9 K" S
fastcgi_pass 127.0.0.1:9000;
) h( `) o' p# f+ h0 U3 t fastcgi_index index.php;" P+ e' w. L1 t2 }2 Y3 W
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
( t4 i9 g% b! z) C3 z3 [ include fastcgi_params;
. Q0 R u/ E0 I; L$ z }3 w- Y7 b: P* f* Y6 n. q0 X$ V
}
- S: ^5 ?( l: V: k- k% {4 a7 }& o fupstream负载均衡:
3 O! Q. e+ f) u9 c c
1 M- h* k3 w; L e' e$ Dupstream 52os.net {
g( C3 j1 h6 x" g E" ~) m2 D+ ] server 192.168.1.100:8080;( Q3 _- s( d) v' c- J8 ^3 r
server 192.168.1.101:8080 backup;* A' {: K8 m, H: S- Z
}' g1 B! n' h: E1 s9 q, m( i
6 s/ ^: Q/ L1 k% V: b4 x6 ~/ _server {0 e, d- \& A4 e. Y
listen 80;
! G! k, y& P+ mserver_name 52os.net www.52os.net;
5 y* e: Z c; R2 ]2 W/ F7 }5 \ ~9 k( ~ }
location / {
8 v, \; U# [2 m- V! W, Y6 z ModSecurityEnabled on; 6 @9 M( k0 I. A5 y/ w
ModSecurityConfig modsecurity.conf;
; Y+ ~: o0 \$ a6 c. s1 a% t7 e8 D! o( G" J
proxy_pass http://online;1 ~, E- A0 ^% b$ `! w
proxy_redirect off;6 \" \) B8 { G- L
proxy_set_header Host $host;
" \4 \( Y7 h0 ^9 z+ n1 k$ y6 X proxy_set_header X-Real-IP $remote_addr;4 w- K: [( P* e3 m+ o1 L
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
' d. P( R: U$ l8 L5 M" q- ] }
. C, a# K% _$ Z}
! o$ ]- ~! U8 n# G1 w h! k; \六.测试% R0 U$ x: S2 C2 p# J
! \1 R8 e3 E% b3 ~" T# Y% F我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
# X6 J9 ?: n6 P' A( O! ]* H2 v
<?php
3 L- r" j4 e6 Q5 Q2 \6 ~+ e y phpinfo();
( r. {4 C2 b6 _) o; |?>. p" Y6 o( p; F6 L. ?/ L6 t( ^
在浏览器中访问:+ ^& y! Z6 m& ] j3 t) o
' [/ I! ^* F- v, q: ~/ S, u
http://www.52os.net/phpinfo.php?id=1 正常显示。
N5 t1 M" }2 c9 qhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
' S/ P$ p' j' nhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
! H8 C+ ^7 P$ h8 N/ b9 I9 J/ \( `3 ^说明sql注入和xss已经被过滤了& O$ ~( [) H: C$ g& K
, Q! k, }" M( y1 |4 |
七、安装过程中排错
+ P& \1 A5 V$ N N5 ]8 c8 d
: `1 U) k! D* T- T' E1.缺少APXS会报错
, [ R; O( T& I: G; g6 l; c3 X# {2 I6 d, E8 v+ J3 C! C
configure: looking for Apache module support via DSO through APXS
5 Z& e7 b s, Z" h5 A- `6 Y/ zconfigure: error: couldn't find APXS1 ^3 F; U4 o% S
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
J+ P' q' y3 ^解决方法:
( ?2 b4 u! U* S8 W0 {( D8 J: B2 `
$ E/ C3 \4 i4 D2 b$ Byum install httpd-devel
6 S1 V/ ]1 `+ y# ?2.没有pcre
4 K" W3 n3 G, [: C
- \2 B- ]/ p, ?& y9 Q/ C4 j* S3 ? ?configure: *** pcre library not found.1 D: H4 {7 t) h. h5 \6 o
configure: error: pcre library is required$ i0 y5 q# X0 l1 e) a0 v
解决方法:1 U6 g# q* p- @
# N$ X( _ F5 j& ^. E
yum install pcre pcre-devel; ^3 h4 G! f3 C
3.没有libxml2
! a( X V; V6 }8 X1 Y4 m. U4 N; C: i3 j. Q8 V* n
1 `8 _* k& U# U: A+ J
configure: *** xml library not found.$ C _* a; P0 S3 v& E
configure: error: libxml2 is required
5 k/ H9 z# f4 K; v# D& `解决方法:5 M. D% e' Q5 G% I6 z
" d2 s9 L4 K' ]& V
yum install libxml2 libxml2-devel- x/ H( h8 q0 P
4.执行 /opt/tengine/sbin/nginx -m 时有警告/ O% Z1 {9 }# [" n' V4 r5 E
3 e1 Y7 W0 P& s m; C
Tengine version: Tengine/2.1.0 (nginx/1.6.2)1 ^# h7 n* r% m) S. u7 ?+ S
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!! l0 r5 }4 `/ \8 G
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
/ H/ z) \; I7 [. \* `) { y3 Z; H, |0 P
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
7 a8 |: R H) I% ~( k) e5 z2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"( u$ P/ a; ^, t5 A' H1 ]( r
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!! x# k) Q, X8 n6 o+ G; ^
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"# x2 }& T% Z5 Q4 D2 E5 ?
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
" C9 _" o. H. q5 C2 Z7 n; r2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.3 y/ p& z( S3 y
解决方法,移除低版本的APR (1.3.9)/ }5 `, m* h' F
; a4 }; |4 F; G2 \9 ^yum remove apr' t5 B9 a8 r' J0 Q0 x* g
5.Error.log中有: Audit log: Failed to lock global mutex/ y3 W& `5 C0 L1 y0 j/ S
5 |4 y+ {; N! b+ I5 C2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
7 s" g8 t# d) Z7 [* x9 k: v7 gglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
% i0 |1 ^* M" `$ S; P" Z解决方法:
) L$ v" g/ G" D3 x编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:- X# W( Q3 x9 p# [4 Z
8 d" x, t& G& H/ b( b
SecAuditLogDirMode 0777 Y2 j; b; a2 J" ?8 J! L
SecAuditLogFileMode 0550. \' J- ]1 J4 O/ q6 C2 H x, W
SecAuditLogStorageDir /var/log/modsecurity+ |; Z: Y1 R5 O# Z, C: W# P6 X E9 ^
SecAuditLogType Concurrent
3 K* Q: F: h) C! y- [/ K参考文章:: j& Y5 S1 h8 j8 c. f8 R, `* s& E
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX; O. O" \& g# R7 `, U4 r) [
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡