|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
2 T# \8 v5 w w# S; g$ F+ n `
3 e R/ X! w' W+ G: S0 B8 Q1 x: j一.准备工作
* q E- ]# s2 L+ t. P7 m$ e3 _6 e5 V) H& V T
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.08 S+ u1 p* k" h& c( A
8 u/ L* b- T4 }
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
4 q$ K6 v o: Y. q0 x6 u4 Q9 j, b& v0 q
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
% z/ B( U$ O9 n: Q7 M( A, W- z0 A/ X% { ]6 V- n" q
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs+ F% ]+ g, M6 H6 d# _
: H: G k) l/ G) c" l. P依赖关系:. b6 v2 {' D- j; K4 |
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
2 a# S) Q) P7 H1 D' d; |: d- q
# f% x5 B4 R# G6 `8 Byum install zlib zlib-devel openssl openssl-devel pcre pcre-devel* T M: O2 ]! R8 F
modsecurty依赖的包:pcre httpd-devel libxml2 apr
5 }8 Z7 ^9 C: w' L, t2 Q, d; @0 A/ _0 n0 h \
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel7 s; W) N* y4 `( |) J% o
二.启用standalone模块并编译% g% S6 v+ |) S0 O& }
" Q; d [5 b' w8 O. T( A
下载modsecurity for nginx 解压,进入解压后目录执行:
. l7 L# p2 G' a# @/ I
, x& {0 E7 T! ?) e' m, V0 `./autogen.sh
. x: n8 Q5 _$ Z+ z4 Z8 A, D6 ?./configure --enable-standalone-module --disable-mlogc
$ G, o0 Z, p* I+ i" [( q# X/ pmake
0 J5 o m: b/ E! g+ A$ d4 k) P三.nginx添加modsecurity模块+ s6 _' W; i {9 v; F" c
* L: A' E, j% @4 q- l" `在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:4 f8 b( c7 V, P2 s) q
% u6 M" d: q+ \5 U./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine7 L! \. A v0 s% f
make && make install9 Y( {4 V- @. S: m& N+ \3 t
四.添加规则) M7 h( ~$ l+ N/ j$ c4 [
; w& ]8 Y; S" E+ A& Z
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
" _* V* N9 i& C; o5 ~* n E
0 Y, o* s1 _/ T* |) k1.下载OWASP规则:9 ]( e5 n- d9 ^4 h( e8 s0 u
6 R% g ^: i+ T8 D* E
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
4 \: V, Y8 V+ ^: F9 S' N' P" x
mv owasp-modsecurity-crs /opt/tengine/conf/& J* w4 L% [. k m
% n [( y0 r; M$ q
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf$ H% V' H0 ^ \1 C! `# } [
2.启用OWASP规则:2 n0 d0 S2 ^* C# [( L" `. T# J
( R5 a, E4 U. f; V' P
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
5 }" W4 E4 |, ~ E* i
, ^0 C8 [7 L: J, a+ F0 j1 r% D编辑modsecurity.conf 文件,将SecRuleEngine设置为 on7 f" t* s; M1 ~8 ?" |
# m+ r( s4 s% n4 j( s
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
9 z6 M1 {; ?5 B& B, o3 U) [) Y
; X4 k( z2 u8 H' D' n+ ZInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
) m5 V/ P0 D% b" l: A- x+ _Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf2 R) x( s. @$ s/ @7 @7 {5 n
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
0 s( z& l( b. N: s: ^7 DInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf) {2 o, b6 E" T3 `
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
& u) T3 c e' R3 M: E: BInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf0 i: @* Q9 S K. E' H6 B8 [
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf' v3 E" O! l0 M2 E3 c! i0 p
五.配置nginx1 x. p. s& e1 X ]
2 A' a b Q: e% s9 P/ P9 A; I9 w9 L7 T在需要启用modsecurity的主机的location下面加入下面两行即可:
* _1 U: ^$ {. o. P5 G5 M! q) z7 }" e0 \6 L
ModSecurityEnabled on; * t: q- x3 t7 @- `' ^2 B8 Q
ModSecurityConfig modsecurity.conf;
# l: ]3 ]% W3 H0 b下面是两个示例配置,php虚拟主机:
3 I( E4 { y. Z+ l; n- F/ W" x/ i
- g; X: j* Q c3 w1 wserver {
0 }% }6 }7 @' H2 r/ b7 q3 \ listen 80;0 \' K: u( K& d/ o( S
server_name 52os.net www.52os.net;
( q. Q: s3 p: ~ 4 q0 W; D/ D1 P- B; R$ k
location ~ \.php$ {
5 q: W4 @/ T8 T* B7 o7 j ModSecurityEnabled on;
+ m" r8 M$ B5 m; e; u ModSecurityConfig modsecurity.conf;" G% u* @( \! M8 [2 | l
; a3 n) `$ H' |+ A8 G( o root /web/wordpress;; v( w: Y p8 o n! s
index index.php index.html index.htm;3 b& k# P$ O, _& S0 H8 ^' u
7 q; H4 X8 G0 M& Q* \" i2 K" Q7 F" ? fastcgi_pass 127.0.0.1:9000;' o2 G/ F; p0 p, ]7 y, M. F$ ?
fastcgi_index index.php;3 {3 f5 S1 t* u
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;2 L% [* V% M: Z# v& Q- z! E$ o. k
include fastcgi_params;
1 C6 V% d! D& p+ j2 B }& f/ i( M& ?2 ~. J& L
}
7 d8 m4 `4 ~' u, I6 ^upstream负载均衡:8 b: ^4 g& c q* X8 P) Y# n
4 _, b$ t8 K& n# s0 a0 W" gupstream 52os.net {
0 F9 ] X8 C& h, M) G server 192.168.1.100:8080;
0 q2 G: H h1 j" n server 192.168.1.101:8080 backup;
1 K% C* H3 M, o7 b# u7 u}
# i6 v% O# E1 @7 b4 `7 v/ ~+ s2 u# f9 [+ V6 G! ]
server {
3 V' A; `; L+ P, Clisten 80;" h* p" _7 A& Y
server_name 52os.net www.52os.net;# i0 O# a. M! T4 J" U% J
- w! z5 p. E" _2 C V
location / {
" }- A! K% B2 f6 h0 E+ l ModSecurityEnabled on; ( U: w$ A4 s# U# J& O6 |" l
ModSecurityConfig modsecurity.conf;
6 P7 s3 X! H1 @; F M
S1 i* s* g* H9 d' v; F proxy_pass http://online;8 p# D4 A% E* `% Y
proxy_redirect off;& {3 ~; x; h- }) m, U. g' j
proxy_set_header Host $host;
* _. X! |4 z2 ^: g" P8 P2 j/ Y proxy_set_header X-Real-IP $remote_addr;
6 D, V F f2 I5 H proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;- s3 s- P& z% K( f9 N% L
}
0 C' K7 _0 u4 M( q. s2 X! ~5 x}5 _& u7 C: i3 g
六.测试
8 S/ ]" V: q) V4 e" l4 t
* r% O: k, v9 U1 ?! w我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:) v* P+ R! c. L7 W/ B) b- Y% O# Q. o
) E$ Z7 w5 u8 A( S }5 P3 S
<?php
+ t: i( ]- X4 D2 K) j$ { Q6 D phpinfo();
( c6 M% e1 [3 ]3 O* H?>( F! @% W2 n2 V. B
在浏览器中访问:" J7 R" P8 |) p1 ]
# y- f: M- @. Z- `/ s0 C( a
http://www.52os.net/phpinfo.php?id=1 正常显示。
9 F& J$ d: i0 @4 d! Vhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
% E& O A- y* b$ K2 [" Hhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。" c. I" E# ^: R
说明sql注入和xss已经被过滤了
3 G, Q9 b" w3 A6 r! W* o9 q' C6 C4 G5 K# p
七、安装过程中排错
I4 B- X% z8 A. b4 G s, B' F* |4 G, a2 j
1.缺少APXS会报错7 `4 B" Z& q- d& R) m; Y4 g, k
( l1 P6 r& T# T" r0 O- Z
configure: looking for Apache module support via DSO through APXS
: j) H8 ]( ]7 Sconfigure: error: couldn't find APXS$ l/ _ Q! Y1 A) w6 n m% E
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。* P3 ?) X/ }( x8 _- \ K: J5 f D
解决方法:
6 H3 P1 I3 V0 \- I% `# v/ f, M3 ~1 `# V9 o2 u3 Q3 E
yum install httpd-devel# n z6 L1 E, a
2.没有pcre- w) K! o2 K6 f, b! c' _: N: W
3 z) H e* r: S+ ~4 x) nconfigure: *** pcre library not found.2 J. j4 `0 w0 s! H+ M; M
configure: error: pcre library is required4 B/ b* o9 s2 g, D
解决方法:2 k g6 k% |* g4 {
. N. }1 I @* s3 H: ] Ayum install pcre pcre-devel# h! K7 O" B+ P. `6 `7 b
3.没有libxml2' u* Q$ `& b+ N" p1 ?0 b
$ R3 d; n4 X J, J4 E1 Y
/ E5 {3 U. C; |
configure: *** xml library not found.
+ n( ?5 [( a( |. ~ A& c- qconfigure: error: libxml2 is required/ _$ D( ~& e# h. P; v% { ~, }
解决方法:
1 ^4 e! t; C7 |1 I$ ]3 y# u5 G( s* a; T$ a& l
yum install libxml2 libxml2-devel
. C% K% r% \5 u4.执行 /opt/tengine/sbin/nginx -m 时有警告
: M9 m3 g. t% R( ^2 M! I3 K$ a* e
$ L. j4 o# s4 _$ jTengine version: Tengine/2.1.0 (nginx/1.6.2)
) c4 ]0 w% }1 P/ \3 b8 J; K4 rnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
) o6 Q/ e: U: u: X& Y4 k) ~原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
6 ]- C' k1 q/ X2 U) t7 k2 F% Y( _. B: }6 f* k) j
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.# L+ j X( A- U4 x, \
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
# J. h# I% a; x5 E2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
! v% Y' O$ K' |. r2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2 q: w& K9 a2 | d2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"+ V C9 j, a1 Y
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
- Q. D+ A9 } p3 k" a2 R8 w解决方法,移除低版本的APR (1.3.9)* X7 S8 f3 e5 K4 L
c5 ^2 w& i0 }! `' qyum remove apr
& ~+ g* X! G' _6 z4 E; b. ]5.Error.log中有: Audit log: Failed to lock global mutex6 v- F! m/ O/ N! {
" ?: M& g1 I$ j1 Y2 o' M) Q5 k2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
" ~9 P8 _7 B: Q3 F% [global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
4 S6 n7 f: A* z8 `+ T/ F+ M0 ]解决方法:
$ Y4 `/ ]$ o1 \& m编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
1 f7 c+ Y _( @1 b
; Z$ v8 T$ i7 [0 d* Z$ |SecAuditLogDirMode 0777
2 g( F: o2 a, |) i! bSecAuditLogFileMode 0550
- c9 }" \% H9 R# ` L3 `SecAuditLogStorageDir /var/log/modsecurity
* \8 |; u& S I; LSecAuditLogType Concurrent& e- C- P9 A( x* O
参考文章:6 V3 @5 U- M: c# v ^
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX$ e/ ?, C8 p- t/ @! z, d
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡