ModSecurity started life as an open-source WAF for Apache and is an effective way to harden a web stack. It now also supports nginx and IIS; paired with nginx's flexibility and performance it can be turned into a production-grade WAF, and it is a strong tool for both protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel (for apxs; see the troubleshooting section), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to the nginx (Tengine) build with "--add-module", pointing at the nginx/modsecurity directory inside the ModSecurity source tree:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built for filtering and blocking dangerous web traffic, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and thorough, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which only logs matches and never blocks; that is useful for a burn-in period, but nothing is rejected until it is switched to On.

owasp-modsecurity-crs contains several directories of rule files, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by Include-ing them in modsecurity.conf. The CRS setup file defines the default actions and variables the other rule files rely on, so it has to be included first:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In every virtual host that should be protected, add these two lines inside the location block:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Only requests that hit a location carrying these directives are inspected, so in the PHP example below requests for static files bypass the WAF entirely; put the directives in the location that actually receives the traffic you want filtered.

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, an upstream load-balancing proxy:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL-injection rule files enabled, malicious requests are rejected with a 403 (with the CRS setup file's defaults the first matching rule denies the request). Using the PHP host as an example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then request the following in a browser:

http://www.52os.net/phpinfo.php?id=1  renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

That shows the SQL injection and XSS probes are being filtered.

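Clicking three URLs by hand does not scale, and it is easy to forget that a 200 on the attack URLs can simply mean SecRuleEngine is still DetectionOnly. The script below turns the checks above into a repeatable curl-based smoke test. It is an added example, not part of the original post; it assumes the host from the article (http://www.52os.net) with phpinfo.php deployed, and adds two further probes (a UNION-based SQL injection and a path traversal) that the included base_rules SQL injection and generic_attacks files are expected to catch as well. Run with a base URL it exits with the number of failed cases, so it can double as a deploy-time check that the WAF is really blocking.

```shell
#!/bin/sh
# Smoke test for the ModSecurity + Tengine setup above. Added example, not
# code from the original post. Usage: sh waf_smoke.sh http://www.52os.net

# Fetch only the HTTP status code of a URL; a dead host yields 000.
fetch_status() {
    curl -s -o /dev/null -m 10 -w '%{http_code}' "$1"
}

# Compare the observed status with what the WAF should have done.
# Prints PASS/FAIL and returns 0 on a match, 1 otherwise.
check() {
    label=$1; expected=$2; url=$3
    got=$(fetch_status "$url") || got=000
    if [ "$got" = "$expected" ]; then
        echo "PASS $label: $got"
        return 0
    fi
    echo "FAIL $label: expected $expected, got $got ($url)"
    return 1
}

# Run the three cases from the article plus two extra probes (assumption:
# base_rules SQLi and generic_attacks files are included). Returns the
# number of failed cases so a caller or CI job can gate on it.
run_smoke_tests() {
    base=$1
    fails=0
    # Benign request: must pass (200), otherwise the WAF is over-blocking.
    check "benign query" 200 "$base/phpinfo.php?id=1" || fails=$((fails + 1))
    # SQL injection tautology from the article.
    check "sqli tautology" 403 "$base/phpinfo.php?id=1%20and%201=1" || fails=$((fails + 1))
    # Reflected XSS probe from the article.
    check "xss script tag" 403 "$base/phpinfo.php?search=%3Cscript%3Ealert('xss');%3C/script%3E" || fails=$((fails + 1))
    # Extra probes (assumption: covered by the included CRS rule files).
    check "sqli union" 403 "$base/phpinfo.php?id=1%20UNION%20SELECT%201,2,3" || fails=$((fails + 1))
    check "path traversal" 403 "$base/phpinfo.php?file=../../etc/passwd" || fails=$((fails + 1))
    return "$fails"
}

# Only run against a real host when a base URL is given on the command line.
if [ $# -gt 0 ]; then
    run_smoke_tests "$1"
    exit $?
fi
```

A 200 on every attack URL with no failures in error.log almost always means the engine is still in DetectionOnly; a 000 means nginx is not answering at all, which the script reports as a failure rather than a pass.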
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing Apache HTTP server extension modules; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when only the nginx standalone module is being built.
Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required
Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required
Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against is not the one loaded at run time, and error.log records the mismatch:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9). Note that yum will also remove the packages that depend on it, such as httpd-devel, which was only needed at build time. Running ldd /opt/tengine/sbin/nginx | grep apr shows which libapr the binary actually loads, so you can confirm the warning is gone for the right reason.

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

The serial audit log is a single file whose writes are serialised through a global mutex, and the unprivileged worker processes are being refused that lock. Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and switch to concurrent logging, which writes one file per transaction under SecAuditLogStorageDir instead:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 makes the audit-log directory world-writable, and 0550 creates per-transaction files with no write bit, which is awkward for logs that get rotated or post-processed. On a production host, create /var/log/modsecurity owned by the user the nginx workers run as (the "user" directive in nginx.conf) and use tighter modes, such as 0750 for the directory and 0640 for the files.
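The following script applies the audit-log fix from item 5 with the permissions tightened: it creates the storage directory owned by the worker user with mode 0750, verifies the mode, and prints the matching modsecurity.conf fragment. It is an added example, not code from the original post. It assumes the nginx workers run as user and group "nginx" (the "user" directive in nginx.conf); set NGINX_USER and NGINX_GROUP to match, or pass empty owner and group to skip the chown when running unprivileged.

```shell
#!/bin/sh
# Hardened audit-log setup for the concurrent logging fix above. Added
# example, not from the original post. Assumes (adjust as needed) that nginx
# workers run as nginx:nginx. Usage, as root: sh modsec_auditlog.sh /var/log/modsecurity

NGINX_USER=${NGINX_USER:-nginx}
NGINX_GROUP=${NGINX_GROUP:-nginx}

# Create the audit-log storage directory with mode 0750 (workers write,
# group reads, nobody else gets in). install(1) applies the mode explicitly,
# so umask does not matter. Empty owner/group skips the chown.
setup_audit_log_dir() {
    dir=$1; owner=$2; group=$3
    set -- -d -m 0750
    [ -n "$owner" ] && set -- "$@" -o "$owner"
    [ -n "$group" ] && set -- "$@" -g "$group"
    install "$@" "$dir"
}

# Exit 0 when the path has exactly the given octal mode.
path_has_mode() {
    [ -n "$(find "$1" -maxdepth 0 -perm "$2" 2>/dev/null)" ]
}

# Print the modsecurity.conf fragment that goes with the directory above.
# Concurrent logging writes one file per transaction, so the serial log's
# global mutex is not used; 0640 lets the worker write each file and the
# group read it, instead of the 0777/0550 pair from the original fix.
audit_log_config() {
    cat <<EOF
SecAuditLogType Concurrent
SecAuditLogStorageDir $1
SecAuditLogDirMode 0750
SecAuditLogFileMode 0640
EOF
}

if [ $# -gt 0 ]; then
    setup_audit_log_dir "$1" "$NGINX_USER" "$NGINX_GROUP"
    path_has_mode "$1" 0750 || { echo "mode check failed on $1" >&2; exit 1; }
    audit_log_config "$1"
fi
```

After running it, paste the printed fragment into modsecurity.conf in place of the four directives above, reload nginx, trigger one of the 403 test requests, and confirm a new file appears under the storage directory and that the mutex error no longer shows up in error.log.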
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614