ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports Nginx and IIS. Combined with Nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

2. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone build has finished, the ModSecurity module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

4. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover whatever you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; each rule file to be enabled is simply pulled in with an Include in modsecurity.conf (the setup file must come first):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

5. Configure nginx

In the location block of each virtual host where ModSecurity should be enabled, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, a load-balanced upstream:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # the name after http:// must match the upstream block above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

6. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are now being filtered.
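A repeatable version of the three checks above, written as an added example rather than code from the original post: it sends each request with curl, lets curl URL-encode the payload (a browser does this silently, but a raw space in a URL breaks curl) and compares the returned status code with the expected one, so it can be re-run after every rule change. The host in BASE is the post's example domain and is an assumption; point it at your own server.

```shell
#!/bin/sh
# WAF smoke test (added example, not from the original post). Run it after every
# rule change: BASE=http://your-host sh waf-smoke.sh run
BASE="${BASE:-http://www.52os.net}"   # assumption: the post's example host

# fetch PATH QUERY -> prints the HTTP status code only.
# -G --data-urlencode makes curl URL-encode the query string, so the spaces and
# quotes in the test payloads reach ModSecurity the way a browser would send them.
fetch() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
         -G --data-urlencode "$2" "$BASE$1"
}

# expect NAME PATH QUERY WANT -> returns 0 when the status equals WANT.
expect() {
    code=$(fetch "$2" "$3")
    if [ "$code" = "$4" ]; then
        echo "PASS $1: $4"
        return 0
    fi
    echo "FAIL $1: got ${code:-no response}, want $4"
    return 1
}

# run_smoke -> 0 only if every request got the status the post describes:
# a clean request passes through (200) and the two test payloads are blocked (403).
run_smoke() {
    fail=0
    expect clean /phpinfo.php 'id=1' 200 || fail=1
    expect sqli  /phpinfo.php 'id=1 and 1=1' 403 || fail=1
    expect xss   /phpinfo.php "search=<script>alert('xss');</script>" 403 || fail=1
    return "$fail"
}

case "${1:-}" in
    run) run_smoke ;;
esac
```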

7. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr
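To catch this kind of mismatch without reading the log by hand, here is an added example (not code from the post or from ModSecurity) that pulls the "compiled version / loaded version" notices out of nginx's error.log and compares them; the sample log it writes is a copy of the excerpt above. Only the leading version token is compared, because the PCRE notice pads the compiled string and appends a build date to the loaded one, which is not a real mismatch.

```shell
#!/bin/sh
# Added example, not from the original post: check nginx's error.log for
# ModSecurity libraries whose loaded version differs from the compiled one.
# Usage: sh modsec-versions.sh /opt/tengine/logs/error.log

# check_versions LOGFILE -> prints one line per library, exit 1 on any mismatch.
check_versions() {
    awk -F'"' '
    BEGIN { bad = 0 }
    # Fields are split on the double quote: $2 = compiled version, $4 = loaded
    # version. The LIBXML notice has no "loaded version" part and is skipped.
    /ModSecurity: [A-Z]+ compiled version=/ && $3 ~ /loaded version=/ {
        lib = $1; sub(/.*ModSecurity: /, "", lib); sub(/ .*/, "", lib)
        # PCRE reports "7.8 " vs "7.8 2008-09-05": compare the version token only.
        split($2, cv, " "); split($4, lv, " ")
        if (cv[1] == lv[1]) {
            printf "OK %s %s\n", lib, cv[1]
        } else {
            printf "MISMATCH %s compiled=%s loaded=%s\n", lib, cv[1], lv[1]
            bad = 1
        }
    }
    END { exit bad }' "$1"
}

# write_sample_log FILE -> the excerpt from the troubleshooting section above.
write_sample_log() {
    cat > "$1" <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
EOF
}

# With no argument, run on the sample log; otherwise on the given error.log.
LOG="${1:-}"
if [ -z "$LOG" ]; then
    LOG=$(mktemp)
    write_sample_log "$LOG"
fi
check_versions "$LOG" || echo "=> rebuild ModSecurity against the installed libraries, or remove the stale package"
```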

5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614