ModSecurity started out as an open-source WAF for Apache and is an effective way to harden web applications. It now supports nginx and IIS as well, and combined with the flexibility and performance of nginx it can be built into a production-grade WAF, a strong tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Check each tarball against the checksum or signature the project publishes before building it: a WAF module built from a tampered download sits in front of every request you serve.

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download and unpack ModSecurity for nginx, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

There is no make install at this step: the nginx build in the next section picks the module up straight from the ModSecurity source tree.
III. Add the ModSecurity module to nginx

With the standalone module built, add it to the nginx build with "--add-module" (run this inside the unpacked tengine-2.1.0 source tree; the path must point at the nginx/modsecurity directory of the ModSecurity source tree you just built):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Afterwards /opt/tengine/sbin/nginx -V lists the --add-module argument among the configure arguments, which confirms the module went in.
IV. Add rules

ModSecurity's job is to filter and block dangerous web traffic, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and thorough, and you can of course write your own rules for anything else you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory (/opt/tengine/conf) and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches without blocking; running in that mode against real traffic first and reviewing error.log before switching to On is the safe way to find rules that would block legitimate requests.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines for them to modsecurity.conf (paths are relative to the conf directory). The setup file has to come first, because it defines the variables the rule files use:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

The two experimental_rules files are, as the directory name says, experimental: their thresholds and protected URLs are set in modsecurity_crs_10_setup.conf and need tuning for your traffic, so watch them in DetectionOnly before trusting them to block.
V. Configure nginx

Add the following two lines to the location block of each virtual host that should be protected:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

With this layout only requests matching \.php$ go through ModSecurity; anything served from other locations is not inspected, so put the two directives in every location that takes untrusted input.

Upstream load balancing:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

The upstream name must match what proxy_pass references (online here), otherwise nginx tries to resolve it as a hostname. The backend servers should accept connections only from the proxy, since nothing inspects requests that reach them directly.
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests get a 403 straight away. Taking the PHP setup as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open these in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

That shows SQL injection and XSS are being filtered. Each block also leaves a line in error.log naming the rule id and rule file that matched, which is what to look at when a legitimate request gets a 403. Remove phpinfo.php once the test is done: it discloses the PHP version, loaded modules and environment to anyone who can reach it.

VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script uses it to locate the Apache headers, even for the standalone build. Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against is not the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Be aware that yum remove apr takes everything that depends on it with it (apr-util, httpd-devel and httpd among others), so run it only after the build is done, and reinstall httpd-devel before any rebuild. Confirm the fix with ldd /opt/tengine/sbin/nginx | grep apr, which shows which libapr-1 the binary now resolves to; the [warn] line disappears from error.log once the loaded version matches the compiled one.

5. "Audit log: Failed to lock global mutex" in error.log

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

In Concurrent mode every transaction is written to its own file under SecAuditLogStorageDir, so the single-file global mutex that the default Serial mode needs, and which the unprivileged worker processes cannot lock, is no longer used. /var/log/modsecurity must exist and be writable by the user the nginx workers run as; 0777 is wider than that requires, and since audit records contain complete requests (cookies, form fields, passwords), 0750 owned by the worker user is the better choice.
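The checks a practitioner runs after sections VI and VII, as an added example (this is not code from the original post, nor from the ModSecurity or Tengine projects): a curl smoke test for the three test URLs above, and helpers that pull the blocked requests and per-rule hit counts out of error.log and flag the APR version mismatch from the startup notice. It assumes the ModSecurity 2.x error.log line format shown in this post and reads the log from stdin. The sample log at the top is constructed for the demo, modelled on the lines above; its rule ids and messages are illustrative, not a real capture.

```shell
#!/bin/sh
# Added example: smoke test and error.log triage for ModSecurity-for-nginx 2.x.
# Assumed log format (as shown in the post):
#   ... [client IP] ModSecurity: Access denied ... [id "NNN"] [msg "..."] ... [uri "/x"] ...
#   ... ModSecurity: APR compiled version="X"; loaded version="Y"
# Every function reads the log from stdin, so use it on a file (< error.log)
# or on the constructed sample below.

# Constructed sample log (not a real capture); rule ids and messages are illustrative.
SAMPLE_LOG='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:11 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:tautology)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "u1"]
2015/01/26 04:20:15 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:script)" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "19"] [id "973335"] [msg "XSS Attack Detected."] [data "Matched Data: <script> found within ARGS:search: <script>alert(1)</script>"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "u2"]
2015/01/26 04:21:03 [error] 61610#0: [client 192.168.1.50] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:tautology)" at ARGS:q. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:q: x or 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/index.php"] [unique_id "u3"]'

# One line per blocked request: "client rule_id uri". Lines that are not
# "Access denied" (startup notices, the audit-log mutex error) are skipped.
denied_requests() {
    grep 'ModSecurity: Access denied' |
    sed -n 's/.*\[client \([^]]*\)\].*\[id "\([^"]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \2 \3/p'
}

# Number of blocked requests in the log.
denied_count() {
    denied_requests | awk 'END { print NR }'
}

# Hit count per rule, most frequent first: "<count> <id> <msg>".
rule_hit_counts() {
    grep 'ModSecurity: Access denied' |
    sed -n 's/.*\[id "\([^"]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' |
    sort | uniq -c | sort -rn
}

# Id of the rule that fired most often: the first candidate to tune or whitelist.
top_rule_id() {
    rule_hit_counts | head -n 1 | awk '{ print $2 }'
}

# Succeeds (exit 0) and prints both versions when the APR that ModSecurity was
# compiled against differs from the one loaded at run time (section VII.4);
# exits 1 when they agree and 2 when the startup notice is not in the log.
apr_mismatch() {
    line=$(grep 'ModSecurity: APR compiled version' | tail -n 1)
    [ -n "$line" ] || return 2
    compiled=$(printf '%s\n' "$line" | sed 's/.*compiled version="\([^"]*\)".*/\1/')
    loaded=$(printf '%s\n' "$line" | sed 's/.*loaded version="\([^"]*\)".*/\1/')
    printf 'APR compiled=%s loaded=%s\n' "$compiled" "$loaded"
    [ "$compiled" != "$loaded" ]
}

# Send the three test requests from section VI with curl and print each status.
# Expect 200 for the benign request and 403 for the two attacks. Needs a live
# host, so it is not called below; usage: waf_smoke_test http://www.52os.net
waf_smoke_test() {
    base=$1
    for q in 'id=1' 'id=1%20and%201=1' 'search=%3Cscript%3Ealert(%27xss%27)%3B%3C%2Fscript%3E'; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base/phpinfo.php?$q")
        printf '%-50s -> %s\n' "$q" "$code"
    done
}

# Demo on the constructed sample; for the live log feed in
# /opt/tengine/logs/error.log (the default error_log under --prefix=/opt/tengine) instead.
printf '%s\n' "$SAMPLE_LOG" | denied_requests
printf '%s\n' "$SAMPLE_LOG" | rule_hit_counts
printf '%s\n' "$SAMPLE_LOG" | apr_mismatch || echo "APR versions agree"
```

The triage functions deliberately key on the "Access denied" marker rather than on the [error] level, because the audit-log mutex failure from section VII.5 is also logged at [error] level but is a logging fault, not a blocked request; keeping the two apart is what makes the per-rule counts usable for deciding which CRS rule to tune before switching from DetectionOnly to On.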
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614