|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
( o) L0 C3 t4 I
5 o4 e/ F5 H4 {* D0 @+ Y: [一.准备工作0 R. L! U# w/ J- v. j* W' D
/ x+ V& a6 N7 H: K7 t
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0: n3 L+ \$ a0 N# y) k$ ]( w
0 o7 ^/ ~; } x4 `tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
$ d; B4 M: H; o# C' v7 s$ x1 Y$ z! D6 C& l( x0 X/ w: p: {* I. D, J
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
! s& l% E& N# N0 t# H8 C: l/ j; o2 E, _' {
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
7 u5 ~3 J& J q7 C" P j
% b/ }; V0 e( M3 Q5 _ x7 b5 g/ m2 r, T依赖关系:8 E! h6 x' j& T% D) M
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
/ K' Z/ X9 [: ?
4 b) a( f$ ?% d2 w2 Vyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel) C+ S7 l: e$ h* b! A- z
modsecurty依赖的包:pcre httpd-devel libxml2 apr+ R3 _) h9 j! R
3 d3 B! h3 M8 O. @yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
6 Y$ u) e( ?/ u3 F, X二.启用standalone模块并编译4 j+ q# \* s3 p2 m3 C1 W" B
" `; a* G, x, }0 ^& x下载modsecurity for nginx 解压,进入解压后目录执行:
( l: J; \0 Y7 t2 A; L- [ E+ v8 P# v9 k% o% T; h0 L7 B8 A
./autogen.sh
; ~) |4 \5 ^. {& x$ e& ^2 U: Y( x./configure --enable-standalone-module --disable-mlogc
, {8 \1 B7 ^' ?2 R) umake
+ x z( A" e9 @三.nginx添加modsecurity模块! F' Z4 m6 E8 b/ n
" R$ f# a2 V- f: h1 I
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:: _. `# |4 H# k2 j; _2 Y7 }
, E. X! s$ N1 B( ]
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
' `7 G0 Y* i) G. rmake && make install7 m u( _. y& _9 C; d( V4 g' p" |$ e% h
四.添加规则
, ~% c* c& H8 z
" U3 F5 @, I6 A9 o, Cmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
( G# E5 [0 i2 c% F v- U7 F1 A( m4 z+ a- J; Q0 i) r4 h+ s4 l
1.下载OWASP规则:0 L( ^$ `, @# f* _: E6 c8 \
7 ?( a( o5 r. H$ C8 Fgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
3 e* u- U* L& a' e" j$ t8 Z; W7 L7 J6 m! h5 W6 v& ]
mv owasp-modsecurity-crs /opt/tengine/conf/
9 `' D" E+ P; F; k' Z3 o/ x/ z, R% P) C
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf: R3 l6 l. @* m) V6 L2 o
2.启用OWASP规则:
, E4 |6 K5 Y' _! w& _9 x; s$ u- f# v; R, L0 _3 [$ a8 Y/ n4 J
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
' k" D1 j! S! `+ L" y- C9 k
5 w% p# P: y1 w; `( W. Y2 D, O. T2 }1 O编辑modsecurity.conf 文件,将SecRuleEngine设置为 on- ?9 ^" h- F3 U a$ s0 O
' @" h: f6 z, G) O$ H) k& J/ r( Qowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
+ m1 Z- u4 p( N" u( X9 @ y* J4 ?: X& f+ O5 S. Y$ N
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
( ^1 {9 ?( W9 b- lInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf/ f P5 y+ Y/ Q) ^. P7 M
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf! j: a7 v0 Z' }9 _5 Y# Q+ p$ P! W4 E
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
1 t( ?) Q, r0 D$ J8 I! lInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
6 U% q$ J8 }$ _ X) z" KInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf9 T2 r2 G( `) \% I2 r
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf' T* s( \3 {. L1 O% J
五.配置nginx+ F) G' D0 S$ }' k8 C6 B
6 s6 y9 i# y& s( h A在需要启用modsecurity的主机的location下面加入下面两行即可:& l2 m/ E6 _# e2 |6 E7 a
/ K' E( Q g {7 H# i& p
ModSecurityEnabled on; & }& z& v5 B; N# o7 u3 z7 d
ModSecurityConfig modsecurity.conf;
& l; Z6 `/ o R. `6 m下面是两个示例配置,php虚拟主机:
( h4 @+ O6 r6 G$ k. J1 C( ^6 }& I* o! i2 z+ D- P
server {
) C1 ?9 [% l: \$ J% @ listen 80;
+ g- `$ d+ N6 j server_name 52os.net www.52os.net;
& j4 r# V# ? Z$ j
& Y1 U& Y" z" ~* w" d6 j7 e# { location ~ \.php$ { p1 E9 |5 q! L: y* X C& z
ModSecurityEnabled on;
$ ?+ g! f" g( M* [$ } ModSecurityConfig modsecurity.conf;
3 L+ o& M9 v* L
6 O: Z* d# A% u+ a6 R6 h root /web/wordpress;) e* r, q; M' e) k) w2 n; `: n
index index.php index.html index.htm;/ z- `! G+ y# J( K) a- n
1 J3 P8 C& p9 r fastcgi_pass 127.0.0.1:9000;
* S1 Y$ h9 V& j( r; e' F' O: x fastcgi_index index.php;
, q) a& c( x- L" `, M- n+ m fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;: y8 X5 v+ u* v4 y0 @/ o7 E( |% B$ r
include fastcgi_params;+ {; c# O, w1 b2 k' ?. P
}7 M* X1 k, {# z" g
}1 ]* f/ n) }- J+ t7 A% g0 A
upstream负载均衡:. q# s; v7 `; }9 Z! p
0 @) c% `, S3 c) f1 O& N
upstream 52os.net {% E l. w0 v- Z7 K5 x
server 192.168.1.100:8080;
8 x! a7 `# {: T- N+ z$ ? server 192.168.1.101:8080 backup;
. {/ T* K% F% U. s, h3 F9 @}% j( e3 q" {' \6 \3 w1 t% L& n( U
9 v/ t# E% O" I' |" i. h
server {
; h0 |& o# o$ M+ A" zlisten 80;" v4 |; K7 F% }3 N! m0 H7 E
server_name 52os.net www.52os.net;4 m, s* Y) ~2 s) p7 W2 b
( m+ i" j5 U' p9 ^ J
location / {
% r9 D, j- ~4 u! o/ S# R: i, _$ U ModSecurityEnabled on; 4 a( b0 ]. p/ C# T! D3 R2 d
ModSecurityConfig modsecurity.conf;
" l' p7 V, V$ U2 `1 C. t
4 t7 T* r9 t* p" W6 q, M proxy_pass http://online;
) s. t1 o' G& ?. |1 i proxy_redirect off;
0 P. h: O9 R- v; l; i2 O6 B proxy_set_header Host $host;4 B! l* b+ J/ t) U0 ]* d5 Y; o0 e
proxy_set_header X-Real-IP $remote_addr;+ c: U8 l8 U( U# m* X/ ?
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
c! e x! e& \6 \ J* U }4 u. O0 ?' [) K- l
}8 q' G/ U; r; \1 X1 A# n* N2 R
六.测试; [7 a6 A7 g5 }1 S l
0 C" G% S# N% e% l$ F我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
: N9 l7 \9 v1 t, g* P; k
: h5 c- i, l/ U. n L<?php
- e: Y7 b2 p6 t" v" O P$ w1 G: G phpinfo();
4 ]! h) F! n$ I' _?>7 {5 T5 h# Y" ], k6 O
在浏览器中访问:1 |2 J1 M5 D4 ~" U8 Q; e1 `4 E# X. O
- W) o0 k* k5 j' o# ^0 O% phttp://www.52os.net/phpinfo.php?id=1 正常显示。, s5 {- A$ t1 v% h0 d6 i
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。' O& S* g$ V* i1 v
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
& \+ C0 e6 x# j4 f% }5 z说明sql注入和xss已经被过滤了1 ^ w& n& y) S/ W0 E0 m
1 S8 Y6 c2 j7 a2 B) O
七、安装过程中排错
4 h2 Q+ \# I- Q7 k* d3 j j
' W# |. u N+ p1.缺少APXS会报错
4 \/ o0 Y0 i8 P3 d" j+ |% h. H2 W( k2 W7 @
configure: looking for Apache module support via DSO through APXS
! `& N* D$ U) cconfigure: error: couldn't find APXS
- g% t& I3 E: s0 B/ F& @. ~. e2 H, Rapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。8 ]$ ~! a/ k4 O% w$ M
解决方法:) i4 s$ p# q9 |( [. H8 J7 P. B
2 G) C5 j( ?4 e0 Pyum install httpd-devel1 T' @3 s- n V# n# u: M3 \
2.没有pcre5 Q& N3 f0 C1 |! ]* y7 X- _, E
: t' p: z2 E' A+ |; F3 Z, [# X0 {configure: *** pcre library not found.
# \& t# ?# y% lconfigure: error: pcre library is required4 t6 O# C! Q3 I3 ]' h O
解决方法:
, M% N* z3 o( ~9 m5 P7 G1 ~ U+ E/ M8 R" t3 Y
yum install pcre pcre-devel l6 Z5 j$ z; n V+ ~5 n
3.没有libxml2
( z5 K$ v6 m3 I2 z# Z# Y" N
% `# q( l F- R5 T. A/ N& Q
$ V ^6 a6 l/ {) mconfigure: *** xml library not found.
3 C0 b2 q$ D" p1 }/ j+ ^configure: error: libxml2 is required2 n6 R* W* H8 M$ C: P( C* ^
解决方法:
0 C1 q" R' `/ n( Q3 Y. M- \# ~0 E$ h& |1 y$ S# @
yum install libxml2 libxml2-devel
0 g2 Z8 c }# D, m: V5 K3 ~. a4 y4.执行 /opt/tengine/sbin/nginx -m 时有警告
- ]# R8 v* ~3 y$ t( i/ R& \
/ o. \% U& _: j7 kTengine version: Tengine/2.1.0 (nginx/1.6.2)
/ Q5 k5 J- J/ b$ I2 Q9 y! Mnginx: [warn] ModSecurity: Loaded APR do not match with compiled!/ a0 g/ v, n) t, z
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
9 O5 x Y L" Z% v: K9 P0 S& }7 M6 t! d* V; E
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
# e/ ]+ | s2 u1 h2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
" V, T& E# F3 K2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
8 U7 Q" A4 V& l2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"1 o, H9 u4 ~# X0 O4 l: r
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
# q. G$ H c+ q9 @3 D2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
1 T' i C, O: F0 o8 T) q9 Z解决方法,移除低版本的APR (1.3.9)
- n* \" a2 l' Z& `
" o1 m. v9 y( w# H [yum remove apr: ]8 }+ I# H/ ^# Z$ A8 n0 o3 @/ `$ A
5.Error.log中有: Audit log: Failed to lock global mutex
; B6 ^. K0 v# f; \; q g* k5 u K' u* a t, W9 n$ V5 Q
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock % f; A9 p% i: v
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]0 F1 F0 n9 |, d5 J5 U& n3 V
解决方法:( k& i1 d' d( \+ Z/ N. v. \ ^
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
- {+ ^5 x0 G* w3 X
" e3 S1 D4 }. a8 @% n: eSecAuditLogDirMode 07778 z5 Z' G4 `( D: k1 f
SecAuditLogFileMode 05503 a7 E, o* v6 x, K
SecAuditLogStorageDir /var/log/modsecurity
. w, i1 n1 t* ZSecAuditLogType Concurrent' @1 Z; Q0 I1 w. f D. [
参考文章:3 Q& @$ S, ]: ?) ~% L
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX9 [+ m3 n# @/ _7 t
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡