ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, a strong tool for protecting and auditing web traffic.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 base repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module has been built, add it to nginx at build time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is aimed at filtering and blocking web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules for whatever else you need.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each rule file to modsecurity.conf, for example:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

In each location block of the virtual host that ModSecurity should protect, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, abnormal requests are answered with a 403 straight away. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS attempts are being filtered.
& w' S" o# C( z% _2 o' |; b- M
" e, D' W$ i+ [ Y2 k七、安装过程中排错: D9 _) h3 h% s6 |0 D* R
( c) e" M; `' x4 V1.缺少APXS会报错; k- u! S4 K& \: ]; s" u
6 Z2 n: c4 G) J' a1 W
configure: looking for Apache module support via DSO through APXS; ^: a3 n9 B# L0 t3 w
configure: error: couldn't find APXS9 d; t, S' u0 J, a; R
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。9 N; Z: C: U* d Z; ], Z
解决方法:
% {# I f: n: I& P( }7 h# e+ W. t' [2 L7 T' M: R9 B& |+ w" h
yum install httpd-devel5 c; |: F9 A* j) O
2.没有pcre" Z+ w) {; {# J3 V/ J4 h
* [- A( ]- \% e4 P; @! J5 v& l
configure: *** pcre library not found.* O0 E7 z3 U/ k: C
configure: error: pcre library is required; Y( m" Q2 z$ r- H
解决方法:
: I! F/ s5 i$ x/ h. Z
5 E5 u5 _' ]# U L4 @yum install pcre pcre-devel+ ~) i8 ^, x5 {, G3 R
3.没有libxml2& L/ |, s- V. v( f/ k
3 n9 Q! S: n; t7 z$ B N" ^# \* r) [0 b
configure: *** xml library not found.
0 E4 T3 i( G/ Q. }" _0 s4 y) Nconfigure: error: libxml2 is required
5 Q4 U' ]" o) R0 a解决方法:
|! r0 l" g6 W1 V$ R) q3 Y% D% z9 @4 P; j
yum install libxml2 libxml2-devel
& E" M# d8 z% d3 J4.执行 /opt/tengine/sbin/nginx -m 时有警告
$ t* H# z. W! R2 Z
. V8 ]7 G" J% G" _0 [8 vTengine version: Tengine/2.1.0 (nginx/1.6.2)
4 w7 b% K; M6 M; N0 e6 Ynginx: [warn] ModSecurity: Loaded APR do not match with compiled!( R) k* W ?: E
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
( w! u4 g. q Y* U9 l- s/ W& g/ I- h% y; m, V
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
* I, G; O1 O( m- l# h2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"% o5 @# d; H+ m' ]/ ~' H' W2 Y
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!4 L0 K8 q1 C& A. M C: F
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"8 P `" b! C i) T
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
3 }7 Q1 g9 x) N! Q2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
5 t5 U& D% p# x解决方法,移除低版本的APR (1.3.9)0 n7 y# ?) l" V& o, r9 p3 {* w' S
0 { K9 U" J! U& B! D! ^+ Ryum remove apr
( _: _9 s2 y" o: O5.Error.log中有: Audit log: Failed to lock global mutex6 c7 ?/ C- N- Q0 G. m$ }- J
) i& R. M+ Z+ W
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
7 r; h( `/ U6 a. j3 |1 Uglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]3 |# G7 o, R6 N) n6 N
解决方法:' [9 |+ h7 K- N
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:0 ?9 [) a+ O- i( N2 ]
: k9 n k7 o+ n' {
SecAuditLogDirMode 0777
% ]* e) j! s; U& k% K$ U( vSecAuditLogFileMode 0550
# }7 [! D9 k+ B) r+ u: E% ]1 ZSecAuditLogStorageDir /var/log/modsecurity
. V! [* B' T+ I$ n5 f# X1 ISecAuditLogType Concurrent
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614