ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web tier; it now also supports nginx and IIS. Combined with the flexibility and performance of nginx it can be built into a production-grade WAF, a useful tool for both protecting and auditing web traffic.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 base repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs and the APR headers its configure script looks for), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

2. Enable the standalone module and build it

Download and unpack ModSecurity for nginx, then run the following in the unpacked directory (autogen.sh needs autoconf, automake and libtool to be installed):

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone build has finished, the module is added to nginx at configure time with "--add-module", pointing at the nginx/modsecurity directory inside the ModSecurity source tree:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

4. Add rules

ModSecurity is geared towards filtering and blocking web attacks, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and known as the Core Rule Set (CRS); it is reliable and thorough, and you can also write your own rules to cover whatever the CRS does not.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

The directory layout used below (base_rules, modsecurity_crs_10_setup.conf) is that of CRS 2.2.x; if the clone gives you a newer CRS 3 tree (a rules/ directory and crs-setup.conf), check out a 2.2.x tag instead.

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. On a site that already carries traffic it is worth running with DetectionOnly first, so that rule matches are only logged, and switching to On once the false positives have been tuned out.

owasp-modsecurity-crs contains several directories of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines for them to modsecurity.conf. The setup file must be included before any rule file, and the DoS-protection and brute-force rules depend on the tx.* variables defined in modsecurity_crs_10_setup.conf, so uncomment and tune those blocks if you include them:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
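
As an added example (not part of the original post), here is the kind of local tuning a deployment usually needs on top of the CRS Includes above: one custom rule, and two ways to silence a CRS rule for a single path or a single parameter without removing it globally. It is appended to modsecurity.conf after the Include lines. The /wp-admin/ path, the "content" parameter name and the ids 10001/10002 are assumed for illustration; 981242 and 973336 are CRS 2.2.x rule ids.

```apacheconf
# Added example, not from the original post: local tuning appended to
# modsecurity.conf after the CRS Include lines. Ids 10001/10002 sit in the
# 1-99999 range ModSecurity reserves for local rules; 981242 (SQLi probing)
# and 973336 (XSS script tag) are CRS 2.2.x rule ids. The /wp-admin/ path
# and the "content" parameter are assumed for illustration.

# 1. A custom rule: block a UNION ... SELECT probe in any argument, cookie
#    or request header, independently of which CRS files are included.
SecRule ARGS|REQUEST_COOKIES|REQUEST_HEADERS "@rx (?i)union[\s/*]+select" \
    "id:10001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Local rule: UNION SELECT probe',tag:'local/sqli'"

# 2. Silence one noisy CRS rule for one path only. ctl: acts per transaction
#    and runs in phase 1, before the phase-2 CRS rule it exempts.
SecRule REQUEST_URI "@beginsWith /wp-admin/" \
    "id:10002,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=981242"

# 3. Exempt a single parameter from one rule everywhere (a rich-text editor
#    field that legitimately carries HTML), leaving the rule active for all
#    other parameters. Must come after the Include that defines 973336.
SecRuleUpdateTargetById 973336 "!ARGS:content"
```

Reload nginx after editing and re-run the test requests from the testing section to confirm that blocking still happens. When a rule misfires on legitimate traffic, the nginx error.log entry names its id, so tuning is a matter of adding the narrowest exclusion that fixes it rather than dropping the rule.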
5. Configure nginx

In each location of each virtual host that should be protected by ModSecurity, add the following two lines; a location without them is not inspected at all:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load balancer:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

6. Testing

With the XSS and SQL injection rules enabled and SecRuleEngine set to On, a request that matches a rule is answered with 403. Using the PHP host as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then request the following in a browser (or with curl, which shows the status code directly):

http://www.52os.net/phpinfo.php?id=1 is served normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

So the SQL injection and XSS payloads are being filtered. Remove phpinfo.php once you are done: it discloses the PHP build, paths and environment to anyone who can reach it.
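
A 403 tells you that something fired but not which rule. ModSecurity writes the detail to nginx's error.log as a message followed by bracketed fields ([id "..."], [msg "..."], [uri "..."] and so on; the error.log lines in the troubleshooting section below have the same shape). The following Python 3 script is an added example, not code from the original post: it parses such lines and tallies rule hits per rule id, URI and client, separating blocked requests ("Access denied") from the "Warning." entries that DetectionOnly mode produces. The log lines embedded in it are constructed to that format, not copied from a real server.

```python
"""Tally ModSecurity rule hits from nginx error.log lines.

Added example, not code from the original post. SAMPLE_LOG is constructed
to match the format ModSecurity 2.x uses in nginx's error.log; it is not
copied from a real server.
"""
import re
from collections import Counter

# nginx error.log prefix, optional "[client ip]", then ModSecurity's message.
PREFIX_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: (?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<msg>.*)$"
)
# Bracketed fields ModSecurity appends to its message: [key "value"].
# The value may contain escaped quotes, so \" is allowed inside it.
FIELD_RE = re.compile(r'\[([a-z_]+) "((?:[^"\\]|\\.)*)"\]')

SAMPLE_LOG = """\
2015/01/26 05:00:01 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:1=1)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "Matched Data: 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 05:00:02 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "31"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 05:00:03 [error] 29036#0: [client 10.11.15.162] ModSecurity: Warning. Pattern match "(?i)or 1=1" at ARGS:q. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "45"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [hostname "www.52os.net"] [uri "/search.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2015/01/26 05:00:04 [error] 29036#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]
2015/01/26 05:00:05 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
"""


def parse_line(line):
    """Parse one error.log line; return None if it is not a ModSecurity entry."""
    m = PREFIX_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    msg = rec.pop("msg")
    first = FIELD_RE.search(msg)
    # Free text before the first bracketed field, e.g. "Access denied with ..."
    rec["message"] = (msg[: first.start()] if first else msg).strip()
    rec["fields"] = dict(FIELD_RE.findall(msg))
    if msg.startswith("Access denied"):
        rec["outcome"] = "denied"       # SecRuleEngine On: request was blocked
    elif msg.startswith("Warning."):
        rec["outcome"] = "warning"      # DetectionOnly: logged, not blocked
    else:
        rec["outcome"] = None           # engine/audit messages, not rule hits
    return rec


def summarize(log_text):
    """Return (hits, clients, errors) for a block of error.log text.

    hits    : Counter keyed by (rule id, uri, outcome)
    clients : Counter of rule hits per client address
    errors  : ModSecurity messages that are not rule hits (audit log failures etc.)
    """
    hits, clients, errors = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["outcome"] is None:
            errors.append(rec["message"])
            continue
        f = rec["fields"]
        hits[(f.get("id", "-"), f.get("uri", "-"), rec["outcome"])] += 1
        clients[rec["client"] or "-"] += 1
    return hits, clients, errors


if __name__ == "__main__":
    hits, clients, errors = summarize(SAMPLE_LOG)
    for (rule_id, uri, outcome), n in sorted(hits.items()):
        print(f"{n:4d}  rule {rule_id:<7} {outcome:<8} {uri}")
    for client, n in clients.most_common():
        print(f"{n:4d}  hits from {client}")
    for e in errors:
        print("non-rule ModSecurity message:", e)
```

Run it against a real file with summarize(open("/opt/tengine/logs/error.log").read()); a rule id that shows up mostly as "warning" on one URI during a DetectionOnly run is the candidate for a per-path exclusion, while entries in the errors list (such as the audit-log mutex failure discussed below) point at configuration problems rather than attacks.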

7. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script needs it even for the standalone build.
Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m (Tengine's option to list the compiled-in modules)

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Note that yum removes every package that depends on apr along with it (httpd-devel and apr-util among them). That is harmless once the build has finished, but check what will go with "rpm -q --whatrequires apr" first, and afterwards confirm with "ldd /opt/tengine/sbin/nginx | grep apr" that the binary now resolves to the 1.5.0 library.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

The serial audit log (a single file) is serialised through a global mutex, which the worker processes, running as an unprivileged user, are not permitted to lock. The concurrent audit log writes one file per transaction under a storage directory instead and does not need that lock.
Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

/var/log/modsecurity must already exist and be writable by the user the worker processes run as. A directory mode of 0777 lets every local user read, alter or delete the audit trail; having the worker user own the directory and using a mode such as 0750 is the safer choice.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614