nginx with ModSecurity as a WAF

Posted 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web front end; it now supports nginx and IIS as well. Combined with nginx's flexibility and performance it can be turned into a production-grade WAF, a strong tool for both protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel (it provides apxs, which ModSecurity's configure looks for even for the standalone build), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

2. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, cd into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

No make install is needed here: the standalone module is linked into nginx in the next step rather than installed on its own.

3. Add the ModSecurity module to nginx

Once the standalone build has finished, hand the module to nginx's configure with "--add-module" (run this from the unpacked Tengine source directory, adding any other configure options your site needs):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is about filtering and blocking web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and comprehensive, and you can of course write your own rules for whatever the defaults do not cover.

(1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

Note that the file names used in this post belong to the CRS 2.2 layout. The master branch of that repository has been CRS 3 since late 2016, which uses crs-setup.conf.example and a rules/ directory instead, so after cloning check out a 2.2.x tag (the last one is v2.2.9) if you want the paths below to match.

(2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which logs matches but never blocks).

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable what you need; each rule file you want is pulled in with an Include line in modsecurity.conf. The setup file must come first, because it defines the variables and default actions the rule files rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
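As an added example that is not part of the original post, the file below shows the kind of local rules and CRS tuning the paragraph above refers to. It is written in ModSecurity 2.x rule syntax for the CRS 2.2 layout used in this post. The file name custom_rules.conf, the rule ids 10001 and 10002, the admin network 192.168.1.0/24 and the post_content parameter are all assumptions made for the example. It would be loaded with one more line, Include custom_rules.conf, placed after the CRS Include lines in modsecurity.conf; the order matters, because SecRuleUpdateTargetById and SecRuleRemoveById only act on rules that have already been loaded.

```apache
# custom_rules.conf (assumed file name): local rules plus CRS tuning.
# Include this from modsecurity.conf AFTER the CRS Include lines, since the
# tuning directives at the bottom only touch rules that are already loaded.

# Staged rollout: uncomment to log matches without blocking. Watch the audit
# log for a while, tune, then remove the line so the SecRuleEngine On in
# modsecurity.conf applies again.
# SecRuleEngine DetectionOnly

# Local rule 1 (ids 1-99,999 are reserved for local use): deny a directory
# traversal probe in the "file" argument. The value is URL-decoded first so
# that %2e%2e%2f is caught too. normalizePath is deliberately NOT applied:
# it would collapse the "../" before the operator ever saw it.
SecRule ARGS:file "@contains ../" \
    "id:10001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,\
    msg:'Directory traversal attempt in file parameter',\
    tag:'LOCAL/TRAVERSAL'"

# Local rule 2: the WordPress login page may only be reached from the admin
# network (assumed 192.168.1.0/24). This is a chained rule: both parts must
# match before the deny on the first part fires. The disruptive action and
# the metadata live on the first rule only. REMOTE_ADDR is the real client
# here because this nginx is the outermost hop; behind another proxy you
# would have to look at X-Forwarded-For instead.
SecRule REQUEST_FILENAME "@streq /wp-login.php" \
    "id:10002,phase:1,t:none,t:lowercase,deny,status:403,log,\
    msg:'wp-login.php reached from outside the admin network',\
    tag:'LOCAL/ADMIN_ACCESS',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24" "t:none"

# CRS tuning for false positives, applied after the CRS files are loaded.
# (a) Preferred: keep the rule but exclude one known-noisy parameter.
#     950901 is the CRS 2.2 SQL tautology rule; post_content is an assumed
#     editor field that legitimately contains text like "or 1=1".
SecRuleUpdateTargetById 950901 !ARGS:post_content
# (b) Last resort: drop the rule entirely. Every request then loses that
#     check, so prefer (a) whenever the noise comes from one parameter.
# SecRuleRemoveById 950901
```

After adding the Include line, run /opt/tengine/sbin/nginx -t: the ModSecurityConfig directive parses the rule files at configuration time, so a syntax error in the new file is reported there rather than on the first request. Rule 10002 only protects the login page from outside the admin network; it does nothing against brute force from inside it, which is what the CRS brute-force rule file enabled above is for.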
5. Configure nginx

In every virtual host that should be protected, add these two lines to the location block. ModSecurity only inspects requests that land in a location where it is enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First a PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root  /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Because ModSecurity is switched on only inside location ~ \.php$ here, requests for static files or any other path in this vhost are not inspected; add the two directives to those locations as well if they need protection. (The original post wrote $Document_root in the fastcgi_param line; nginx variable names are case-sensitive, so that variable is undefined and nginx -t rejects the configuration.)

Second, a reverse proxy in front of an upstream load-balancing pool:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

(The original post declared the pool as upstream 52os.net but proxied to http://online; the two names have to match, so the pool is called online here.)
3 Y6 b' m! ?, T0 V" ]& D六.测试! V/ |* |2 q/ ^+ _
- f: Q5 L4 l$ t3 Y, y
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
2 X5 K* ]( z( Y( E3 n0 P; g1 x" s9 l1 O) U& D/ ?8 x9 F
<?php
7 C) U: K( h5 V( _    phpinfo();    ) Y, }3 _+ d! `/ \0 o8 b2 T9 Z  T
?>
! S5 ~( w2 T+ @5 S/ G, [/ x1 G在浏览器中访问:
3 V7 W' Y/ i7 ], A: m4 q' @& U: u, @' `' Q8 F- f% v2 _1 r
http://www.52os.net/phpinfo.php?id=1 正常显示。
% z* C( k8 ]( R$ C) Nhttp://www.52os.net/phpinfo.php?id=1 and 1=1  返回403。# d  \5 r9 v% z% E% d! ?
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script>  返回403。/ p; l. Z! U6 v
说明sql注入和xss已经被过滤了! j% N1 X7 Z% s; M

/ S& w& @2 `" K0 d/ G/ g七、安装过程中排错/ W$ l$ J! y. T( Z. F2 _, v
- r8 m: G( S0 P
1.缺少APXS会报错9 {' N5 h! [3 _+ I3 V7 `
2 M/ q3 t0 O+ ?) G, h8 r9 u9 Q: j
configure: looking for Apache module support via DSO through APXS
! e2 _2 B3 X: Z4 G  B) ~, M( jconfigure: error: couldn't find APXS
: g- I( w- t. `2 gapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
4 Q: F% h4 y6 e, i& m解决方法:4 z9 w( J+ P2 u
1 y! f% p/ q4 n  }" E, h
yum install httpd-devel
2 [1 T7 G3 D3 i; |$ y8 L2.没有pcre# i; p" p& S( A, B1 ~& R' W  \) i
+ U  C# L5 P4 L( P. B3 B
configure: *** pcre library not found.3 b* J% I* o  Z- ^; E3 j
configure: error: pcre library is required. n. d4 E- J% T4 t
解决方法:
9 u7 }$ n* X3 r3 |0 w$ l, }8 B3 M- j; ^; d& ]
yum install pcre pcre-devel
5 C  z+ x& A+ j; @3.没有libxml2
# d% X: n9 Z& \% e) Q/ ^
7 I2 Y& }" g1 B. g) K, \
& n6 j' W* C: R5 v8 T& B$ ^configure: *** xml library not found.. e9 z8 Y; Q0 M# D
configure: error: libxml2 is required8 x. _- Q# q. ^" \+ [
解决方法:
. C  m4 x9 A1 r, D. \0 c* B9 G; o, x6 d5 N' m5 `% g5 E: `# b
yum install  libxml2 libxml2-devel
* m/ U9 u' E, @/ B4.执行 /opt/tengine/sbin/nginx -m 时有警告
* f" p4 F' c5 q! v3 f- e( [
$ T* w* j( H! C* Q  i) i5 o% k" ~Tengine version: Tengine/2.1.0 (nginx/1.6.2)
: Q# J& u- y! `2 N6 {( M: mnginx: [warn] ModSecurity: Loaded APR do not match with compiled!# [% t( D( X4 s8 x9 @+ s0 q
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log" S' ^. L' a+ W: ?
; g0 f# ~  l: w! F
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
/ V' f. Y  N9 _2 s$ D. |0 ^) x9 d7 r# ?2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
; H8 C; v& m7 N- C2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!; I" ]2 a+ T! b  D6 ?7 D. A
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
" g& `; ]7 Z6 J$ g2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
$ f( C! C; U4 `2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
/ N4 I2 H1 k) B7 Y( n  b解决方法,移除低版本的APR (1.3.9)( Q6 `  G% K) ?8 e8 `8 T% v

+ f) ]3 u* S2 w8 \yum remove apr
- f3 c' W0 ~0 G% D5.Error.log中有: Audit log: Failed to lock global mutex
: b1 ~# Q7 X4 ?. V6 J- b3 P
7 |5 U- u3 }- {4 S; ~' x1 `2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock     * a& V: K! D6 T
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
! {" C# ^9 k' f+ |解决方法:$ y  G) i/ H3 C! ?# D+ ^  i3 r
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
: v' M5 L* @' k6 {( Z
$ Y& z2 t0 S- D4 D: [SecAuditLogDirMode 0777! N: |* s: s  v3 @9 z/ g: c) z
SecAuditLogFileMode 0550, j. p% u* r6 s: X. n: [
SecAuditLogStorageDir /var/log/modsecurity  _: S$ Q/ W6 x) x  t% W+ j2 P
SecAuditLogType Concurrent( C2 e* ?1 B: s" d. V* T& A, v' y, d0 p
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614