ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports Nginx and IIS. Combined with Nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages modsecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download modsecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the modsecurity module to nginx

Once the standalone build is done, the modsecurity module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is oriented toward filtering and blocking web attacks, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the modsecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; a rule file is activated simply by pulling it in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines inside the location block of each host on which modsecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        # Run every PHP request through ModSecurity before it reaches FastCGI
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
upstream load balancing:

# The upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        # Inspect requests with ModSecurity before proxying them to the backend pool
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled XSS and SQL injection filtering, so malformed requests get a 403 straight away. Taking the PHP environment as an example, create phpinfo.php with the content:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
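The same three checks can be scripted so they can be re-run after every rule change. This is an added example, not code from the original post; it assumes BASE_URL is the article's example host (point it at your own Tengine instance) and makes the fetch function injectable so the verdict logic can be exercised without a live server.

```python
# Added example (not from the original post): replay the three requests from the
# Testing section and compare the status codes with the expected WAF verdicts.
# Assumptions: BASE_URL is the article's example host (point it at your own
# Tengine instance); the fetch function is injectable so the check logic can be
# exercised without a live server.
from urllib.error import HTTPError, URLError
from urllib.parse import urlencode
from urllib.request import urlopen

BASE_URL = "http://www.52os.net/phpinfo.php"

# (query parameters, expected status): the same payloads the post tests with
CASES = [
    ({"id": "1"}, 200),                                   # benign request passes
    ({"id": "1 and 1=1"}, 403),                           # blocked by the CRS SQLi rules
    ({"search": "<script>alert('xss');</script>"}, 403),  # blocked by the CRS XSS rules
]


def build_url(base, params):
    """Percent-encode the payload so spaces and angle brackets arrive intact."""
    return base + "?" + urlencode(params)


def http_status(url, timeout=5):
    """Return the HTTP status; urllib raises on 4xx/5xx, so unwrap HTTPError."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code  # the 403 from ModSecurity lands here
    except URLError as err:
        raise RuntimeError(f"cannot reach {url}: {err.reason}") from err


def verify_waf(base=BASE_URL, cases=CASES, fetch=http_status):
    """Run every case and return (url, expected, actual, passed) tuples."""
    results = []
    for params, expected in cases:
        url = build_url(base, params)
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


if __name__ == "__main__":
    for url, expected, actual, passed in verify_waf():
        print("PASS" if passed else "FAIL", actual, "expected", expected, url)
```

A FAIL on the second or third case usually means the corresponding Include line is missing or SecRuleEngine is still off.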
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel
5 j' Z- U, M8 q2.没有pcre% M' e5 u8 H4 I: E. V9 U
1 x: [" h$ ~6 c0 E' Q1 j( @& ^
configure: *** pcre library not found.+ ]( L/ H! a6 \' s0 J1 g1 U
configure: error: pcre library is required4 K) g2 P/ l! C+ F! \2 A
解决方法:
0 \; Q% I, C$ F, k4 u% @. J3 ^. N! X G: h5 E
yum install pcre pcre-devel
q" ~2 o" h' m/ `3.没有libxml2
: s0 T+ t6 B2 n2 X
$ i% F) P# p$ v& F( a8 A$ E! o$ y! S9 y- m* I @' Y) T% ]
configure: *** xml library not found.
& p8 g. W1 w$ r3 b, y8 bconfigure: error: libxml2 is required" \) g, Y1 v2 R
解决方法:
$ } [2 S6 t H9 q- ^. m! F6 S$ ?4 K# d- ^$ v9 @7 O
yum install libxml2 libxml2-devel
4. A warning appears when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version modsecurity was compiled against differs from the one loaded at runtime; error.log will also show:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614