ModSecurity started out as an open-source WAF for Apache and noticeably hardens a web application; it now also supports Nginx and IIS. Combined with Nginx's flexibility and performance it can be built into a production-grade WAF, and it is a powerful tool for both protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (Nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for Nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to Nginx

Once the standalone module is built, pass it to the Nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in its rules. The rules OWASP publishes are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write your own rules for anything the CRS does not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into Nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which logs matches but blocks nothing).

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines for them to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure Nginx

In every location that should be protected by ModSecurity, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, a load-balancing upstream:

# the upstream name must match the proxy_pass target in the server block below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests get a 403 straight away. Using the PHP setup as the example, create phpinfo.php with the content:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
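The three browser checks above are worth scripting so they run after every rule or Include change. The following is an added example, not code from the original post: it sends the same benign, SQL-injection-pattern and XSS-pattern requests to the protected host and exits non-zero if any status differs from the expected 200/403. The host name and phpinfo.php path are the page's; the injectable fetch parameter is this example's own device so the expectations can be exercised against a stand-in without a live server.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

# Host the WAF fronts; www.52os.net is the example host from the page, override it on the command line.
BASE_URL = "http://www.52os.net"

# (description, query parameters, expected status). These are the same three probes the page
# runs by hand in a browser: 403 is the CRS verdict, 200 means the request passed through.
PROBES = [
    ("benign request", {"id": "1"}, 200),
    ("SQL injection pattern from the page", {"id": "1 and 1=1"}, 403),
    ("XSS pattern from the page", {"search": "<script>alert('xss');</script>"}, 403),
]


def fetch_status(url, timeout=5):
    """GET url and return the HTTP status; urllib raises on 4xx/5xx, so turn that back into a code."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_probes(base_url, path="/phpinfo.php", fetch=fetch_status):
    """Send every probe and return (description, url, got, expected, ok) tuples.

    `fetch` is a hypothetical parameter of this example: it lets the expectations be
    checked against a stand-in function when no server is reachable."""
    results = []
    for desc, params, expected in PROBES:
        url = f"{base_url}{path}?{urllib.parse.urlencode(params)}"
        got = fetch(url)
        results.append((desc, url, got, expected, got == expected))
    return results


def main(argv):
    base = argv[1] if len(argv) > 1 else BASE_URL
    results = run_probes(base)
    for desc, url, got, expected, ok in results:
        print(f"{'PASS' if ok else 'FAIL'} {desc}: {url} -> {got} (expected {expected})")
    # Non-zero exit when the WAF let an attack pattern through or blocked the benign request.
    return 0 if all(r[4] for r in results) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 waf_probe.py http://www.52os.net` after each reload; a FAIL on the benign request points at an over-broad rule, a FAIL on an attack pattern at a rule file that is not included or a SecRuleEngine still set to DetectionOnly.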
VII. Troubleshooting the installation

1. A missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the two versions side by side:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following. The Concurrent type writes one audit file per transaction under SecAuditLogStorageDir, so that directory must exist and be writable by the Nginx worker user; 0777 is simply the broadest mode that satisfies this, and a directory owned by the worker user can be tighter.

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
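Both of the last two items are diagnosed from error.log, and the same two patterns (library version notices at startup, per-request ModSecurity errors) are worth checking automatically after every deploy rather than by eye. The following added example is not part of the original post: it parses the exact log lines quoted in items 4 and 5 (embedded here as constructed sample input), reports every library whose loaded version differs from the compiled one, and pulls client, URI and unique_id out of ModSecurity error entries so they can be fed to whatever alerting is in use. All function names are this example's own.

```python
import re

# Constructed sample: the startup notices from item 4 and the mutex error from item 5,
# exactly as the page quotes them from error.log.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# Startup notice: 'ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"'.
# The loaded part is optional because LIBXML only reports the compiled version.
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>[A-Z]+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)
# Per-request entry: '[error] ... [client 1.2.3.4] ModSecurity: <message> [hostname ""] ...'
ENTRY_RE = re.compile(
    r'\[(?P<level>\w+)\] .*?\[client (?P<client>[^\]]+)\] ModSecurity: (?P<msg>.*?) \[hostname'
)
# Trailing bracketed fields with quoted values: [uri "/i.php"] [unique_id "..."]
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')


def version_number(text):
    """Reduce '7.8 2008-09-05' or '7.8 ' to the dotted numeric part, '7.8', so the
    PCRE line (same version, extra build date on the loaded side) is not a false alarm."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return m.group(1) if m else text.strip()


def library_versions(log_text):
    """Map library name -> (compiled, loaded or None) from the startup notices."""
    versions = {}
    for line in log_text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            versions[m.group("lib")] = (m.group("compiled"), m.group("loaded"))
    return versions


def mismatched_libraries(log_text):
    """Libraries whose loaded version differs from the one ModSecurity was compiled against."""
    return [
        lib
        for lib, (compiled, loaded) in library_versions(log_text).items()
        if loaded is not None and version_number(compiled) != version_number(loaded)
    ]


def modsecurity_errors(log_text):
    """[error]-level ModSecurity entries as dicts: client, message, plus hostname/uri/unique_id."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if not m or m.group("level") != "error":
            continue
        fields = {key: val for key, val in FIELD_RE.findall(line)}
        entries.append({"client": m.group("client"), "message": m.group("msg"), **fields})
    return entries


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for lib in mismatched_libraries(text):
        print(f"version mismatch: {lib} {library_versions(text)[lib]}")
    for entry in modsecurity_errors(text):
        print(f"{entry['client']} {entry.get('uri', '?')} {entry.get('unique_id', '?')}: {entry['message']}")
```

Run against the real file with `python3 modsec_log_check.py /opt/tengine/logs/error.log`; an empty output means the libraries match and no request-level ModSecurity errors were logged. The unique_id is the handle that links an error.log line to its audit log entry under SecAuditLogStorageDir.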
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614