|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。) M) @; z" X& G
: Z& R; `8 H o. ?) a! h9 V- M2 ~一.准备工作
; F% @8 h# P+ G# d$ s3 @6 ]
; R- T" j! T/ ~0 w系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0, u" {9 @0 D+ S' E) _0 @, c0 m
9 E' \/ P i/ M5 V7 M8 Btengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz& X# ]2 D, A- H7 x6 B( u$ F- |
M4 {' _0 v4 q
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
2 _4 d0 [9 T" H8 X( x$ S, l6 }+ s
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs1 c' g' `- d, V! X; _
# n' m4 o% F7 b& t
依赖关系:3 V. g) K7 b' W g
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
( a0 j% c& c0 \% {4 W
/ z" A6 h: s4 b6 Hyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel7 H, _2 ?+ L/ M) ?
modsecurty依赖的包:pcre httpd-devel libxml2 apr
$ H% E/ s/ L- Q4 ^+ t" N% h5 m# a% N! d! R
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel9 q; @9 Z" I" g( Y% H4 m# M7 P
二.启用standalone模块并编译
0 v% f/ n; B( x9 D' E# ] M: q
" W2 f5 o: V6 b' I: k$ Z下载modsecurity for nginx 解压,进入解压后目录执行:
4 b' D5 M2 x, D2 |
8 G: ]4 y7 g' G! c; V./autogen.sh
8 i+ v( _: o* z8 l./configure --enable-standalone-module --disable-mlogc
& p: b6 X! y0 Bmake # O! n1 C# b# Y# \# D7 Q
三.nginx添加modsecurity模块
! ~4 c& E) ?) y ]. c5 }; z( t/ P: t+ C; r
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:4 U, ^- j' Z9 y- r, m
* j4 `3 b3 v: x./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
1 H8 M# z ]4 Dmake && make install$ o9 f; C- n; P, ?: `8 @3 l* B
四.添加规则
w% Z: r9 {5 D$ E: ^& x: ~+ U6 V2 ~. B' S% O z
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
5 m. X& h; y5 o6 h) B7 }, J# s1 W" @9 H5 V2 C, t- ]7 g1 h; a
1.下载OWASP规则:& Y, C. o% h: V' T& J" c
" w# T5 q! D* G9 L
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
?+ D: A) G) S7 _0 s
0 f9 ^4 E6 |+ a& x# fmv owasp-modsecurity-crs /opt/tengine/conf/- {& i- I P+ o: D
1 r% U) t* _3 Q! }cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf8 a# x7 m6 C4 q& r) h- ?. Y
2.启用OWASP规则:
7 E2 F2 n1 p. d" W- u9 I5 D% v! q
( L4 J+ w f6 b3 e7 J* y2 _复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。5 P. L G9 |$ r7 b
8 e B# l- h' }- u) t- f2 R
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
3 C' l; b. x3 j( L7 {0 q, \# \
/ k4 {$ w' [0 J5 h2 jowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
0 p4 k n6 ^7 [! y
4 Q# ]1 d3 K9 e9 NInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf% |0 n. C/ j" X; E, p# ~
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf% X) O$ ]3 o$ H4 c- x/ f
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
, z+ g6 c' L0 T9 }Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
& q/ `! C" j2 u4 F" v% qInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
3 N# x! Z- K' h7 f- mInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf$ g/ }# f8 ~% f- R
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf6 p2 F- U! P) }, \0 U1 l
五.配置nginx" A F5 \6 r- ?7 w' `- K
5 O1 w8 M5 R: _
在需要启用modsecurity的主机的location下面加入下面两行即可:
& O1 ], f& m% |1 J N3 z! P# A, F2 ~1 }1 Y$ e
ModSecurityEnabled on;
, T( F$ R. \& C( j# }6 `# @$ |, zModSecurityConfig modsecurity.conf;! k8 H% B. k1 a5 x7 y" k
下面是两个示例配置,php虚拟主机:7 b( W% B: g% T% t
' Q0 ^7 Y" T1 J% j; {9 z2 \$ jserver {
9 A0 z# @, I: ]( K+ a$ h listen 80;
( u* G* O* P0 o3 { server_name 52os.net www.52os.net;$ e' o6 y9 Y" x* r! o# ? N+ B3 P& a. z
% l2 I0 x* m& v6 W# g& u
location ~ \.php$ {
5 j; c$ m5 n$ G+ x0 N8 A ModSecurityEnabled on;
8 [9 a P8 L" ~7 S! V) q ModSecurityConfig modsecurity.conf;
+ P) n* O1 |6 a. ]- p/ D' Z2 R( P- U3 H( N
root /web/wordpress;
8 b( ~5 u9 x+ j5 U% n# S+ j8 Q index index.php index.html index.htm;
6 q9 |8 A. E$ \2 m/ M
0 a' t0 Q w9 m, z- l3 p fastcgi_pass 127.0.0.1:9000;4 c: `7 c2 M6 d- m
fastcgi_index index.php;
* N4 h# R0 O: Q9 x" P fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;# `9 l/ D$ b( M9 a9 x+ t9 K. t+ f8 O( A
include fastcgi_params;) t3 C8 j. `, a4 a/ n p
}
* j E! Y+ \. Y- Q x# T1 ] }6 K# L2 ]- J7 p7 t$ l1 a
upstream负载均衡:# |7 a% q; M( H" D j# z, K" E' {
' E& m2 `2 X1 I" l |7 ?& Q' ^7 V7 u- yupstream 52os.net {
3 c" f4 ^% Y6 l; ~" _# k/ \ server 192.168.1.100:8080;: G, \: o+ c3 O% c
server 192.168.1.101:8080 backup;8 ]9 K2 J4 w. A8 [0 M
}" _4 S4 q% k. V
: U% c7 p6 c# I r& M
server {* `# U( M* H/ ~; A+ X$ g {. _
listen 80;! D9 K& G& i# @; }6 j s& J" ~- E
server_name 52os.net www.52os.net;
* g0 B I$ {4 o3 s1 m! ^6 m8 ?( W! j+ b5 L/ U, N8 `# s
location / {& H! i) P0 `& D: ?# R
ModSecurityEnabled on; ( G9 c8 O! Y3 {( C4 N
ModSecurityConfig modsecurity.conf;
! L2 B, E6 g7 f+ i- o$ ?# ], H# I
- p# \5 G ~9 q' Q proxy_pass http://online;6 V' n: @7 W* A) D6 M! M0 c
proxy_redirect off;8 o% }8 ^9 _6 v0 u. |( T4 u' B
proxy_set_header Host $host;
+ G3 C! ]6 O- Z! Y8 c" |# V proxy_set_header X-Real-IP $remote_addr;
3 ^; H( x+ F! X K; |5 G proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;* V% T+ h/ l0 s
}
6 _8 d+ W1 M1 E9 ^8 |: z}. C0 l. ]+ W/ |0 ^6 ]7 U c
六.测试
& i" X+ R( Z3 D
5 d0 u+ n" R- U1 [" C我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:) o; o/ P6 p2 C' s1 ^
! e/ X: m0 f0 k' g: e; F' H
<?php
5 T3 {/ i; D+ w* T- u1 \7 T/ D phpinfo();
3 L$ i% v! p E# z" M?>
' E: T6 U& D, f6 M' _$ O# k在浏览器中访问:
* c0 T2 l; M7 a' _
; u. k* y, i2 G* E, Z1 ohttp://www.52os.net/phpinfo.php?id=1 正常显示。3 x; L+ p2 A `9 c' I: a
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
9 _( C$ V1 ^' Lhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。' u# H6 \# }2 o) j7 R
说明sql注入和xss已经被过滤了
; z8 W+ B, Z, Q4 Z
* ?! H' Q: A3 d, x1 V4 e7 x4 P f七、安装过程中排错
/ e0 f5 k2 W d; [/ ? [0 P0 o
. K* [3 j+ B; q1.缺少APXS会报错
w" M7 H2 V8 C! E ]0 z
) H7 g6 }1 ^/ P$ _/ p4 \! T. g# mconfigure: looking for Apache module support via DSO through APXS% t" d# S1 J8 M% O3 ~
configure: error: couldn't find APXS% C; n( }' S$ ?) F9 k+ e
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。# y1 d% p% @4 f' U0 D! k2 I' e" J
解决方法:! U D0 m9 f L0 u- X* p3 j
^$ P7 i3 b8 A* H$ nyum install httpd-devel% E9 ^: Y* Z. @+ q
2.没有pcre
4 b, I3 O0 g. o8 R' z1 ~7 k4 z) k+ Z% ? d4 K# X' J, I
configure: *** pcre library not found.
8 X# {6 R7 c e9 jconfigure: error: pcre library is required
a5 G5 W( e5 M$ _解决方法:
5 v' F4 ] u( b( }* |) Q; v0 J8 N7 _8 N9 K; f
yum install pcre pcre-devel
0 g% r% [ p( H3.没有libxml2
2 c. y% [9 I8 Q4 |% ^- I
# Y; O, U$ t5 B9 M& ~6 e2 X& I" T: ^/ w2 n. S
configure: *** xml library not found.# L0 i: ]* t* g/ p, e* B
configure: error: libxml2 is required
7 V/ D' v. v3 p2 h |; x解决方法:
" z" N# m) B% C0 _8 {, w/ f( m* P) r2 M' p! Y$ y
yum install libxml2 libxml2-devel
; D0 a5 M% ]* S6 l9 {& p3 f& k4.执行 /opt/tengine/sbin/nginx -m 时有警告
) v; j8 x1 C: m
$ s7 k# t( _8 N6 f4 STengine version: Tengine/2.1.0 (nginx/1.6.2)' J7 U- m% _6 O y
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!; N' k9 _* O3 X: t( y
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log6 x' H. t% z( D: W: G( n
! ?( L+ O! ?6 H/ n; v4 }% N, }) _& i% {
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.6 ^8 P. V& L# k6 g, Y
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
; L& L6 r5 o3 E( n2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
8 ]- R- n# Q* b2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
- i, }8 Q. [$ c7 g: N4 K y2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"$ A: z0 k/ t4 E f! g7 \) O* Z
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.3 b. D O/ F; X0 I `' h) B; k- X5 f8 z
解决方法,移除低版本的APR (1.3.9)6 G) v7 D4 z. z7 c& e' D9 F
# A9 O1 B3 S9 N+ nyum remove apr! B; `5 j, s! j0 |
5.Error.log中有: Audit log: Failed to lock global mutex; }$ {- { b1 F
: U4 s$ t3 _" b$ h- ~
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
: V/ t" F# U& yglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
' w5 b: z6 u' i8 l解决方法:
( j) |9 q1 b& ~& t编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:. A: {, A# ?1 k2 d* [' j! B- w
i, S% U' q5 t0 H
SecAuditLogDirMode 0777
% y) z9 M: K y2 T; ~9 @' v4 OSecAuditLogFileMode 0550
3 \8 i1 F, |* {# ?' O+ ?SecAuditLogStorageDir /var/log/modsecurity2 T8 z. i$ }$ n+ o: U
SecAuditLogType Concurrent
% O8 I, X" x/ u, a* z3 f参考文章:- ], A1 i6 M! F `1 z3 r& o! k% H
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
: b* t8 i# B7 h' G9 Hhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡