|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
- |4 \ ^5 [2 E/ |9 W* j" k( [! A5 d, E
一.准备工作2 d% [8 h6 \7 l5 D. Q
" m* l, Y+ `7 r% H+ S+ M5 s
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.05 f% ]; C9 V- }, f
~) O; n: M3 M; G' j, atengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz3 d9 X. @8 ?+ o- ?
3 r+ ~0 S( t) q9 a5 T) ] }, Zmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz: @' w( e& Z. J1 R1 m, E
5 c+ ~ K) C* {5 \- hOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs0 B1 N) A; E% Q k' K! \( J' U8 R
# R( v/ }; V: E2 R% w$ U& [
依赖关系:
( ~$ s t! @6 F: [& Ltengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:$ R6 t! ]3 e( K" w9 J& z2 v
# \( k& {0 I3 C
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel0 L, D+ V9 w1 o' D7 h- `
modsecurty依赖的包:pcre httpd-devel libxml2 apr# [9 ~9 [7 W8 `( B3 ?2 x* S# [; l
* g6 q# |4 E% e" e+ Q1 H! t
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
' p0 b; N6 R5 x& ]4 @# {二.启用standalone模块并编译
- ^. m( O& J2 i0 o+ R4 N) `+ @* z( [5 s, E
下载modsecurity for nginx 解压,进入解压后目录执行:
) x3 M! A4 ]- A) R9 A
6 j/ d& G8 P2 F2 A0 l: H2 ^8 @./autogen.sh2 ?0 g: Q& A8 P& ^- i- m9 I9 v
./configure --enable-standalone-module --disable-mlogc7 s8 Z) X6 |# ^8 _
make 6 `5 {: K3 O! @: ~- o
三.nginx添加modsecurity模块% ~( ~9 Q) s: I* U% } H% n, Y
9 j0 o2 P+ d, e" K5 x6 t( W
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:9 ]1 V4 T2 e! W! J
1 s' G/ z J$ O" u./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine& n ]. U; R6 U- E
make && make install+ O) a {! F; g. e" k7 l2 {* G
四.添加规则
0 J/ i" @9 Q. X, e7 E8 E( @
# Z% g5 h3 a$ Y# ^& J- Q, T3 G* E& L# vmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
3 P3 ~, j. S3 f6 T! {' R5 ]5 Y3 D& R* ]$ O' L p
1.下载OWASP规则:
7 m7 G9 n& p/ q
. @* k: ]1 [5 f7 f" q' {* q8 Kgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
$ V6 T* b+ W6 Z) F' Z
6 V0 Y9 K/ D. L: H5 x& k0 qmv owasp-modsecurity-crs /opt/tengine/conf/5 p8 F! E$ W/ W' U
1 o0 I; n$ } |+ J: B. Y$ k' ccd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
. m4 O; b/ [/ q9 I2.启用OWASP规则:; e- g, b* O* U
2 s. n5 t- u" p! h8 ~
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。; y/ d. X& i F6 w
; W [- [) k+ T$ o+ D4 F6 e& h3 }9 i
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
; Y* f* ~; R& i* I7 G$ i* j( \2 q1 ~7 r
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
: y7 H, u. ]/ h! m3 B" q% b" V3 g7 q5 r# \% q' U
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf% U' Y! P2 J1 [# c: X: w
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
9 U2 T$ m9 Y, zInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf. ^* o x: {6 c& B. s
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf4 _ H# N, @# o# l5 X. Z
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf; k) O6 ]$ K, O5 v2 Q* ?* O; o
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf) z6 C! r3 U) b
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
. F; Q' `# Y+ x4 E4 o) Y五.配置nginx: Y; E: o3 q: F: c, m1 @
Q: T9 G) T U& \* C$ B$ D! T; G
在需要启用modsecurity的主机的location下面加入下面两行即可:
: C$ V- F% i+ u. n- B! d
4 s. g, _3 Y+ ^; J# q5 v! wModSecurityEnabled on;
. \) N& |; \; O$ x+ w. pModSecurityConfig modsecurity.conf;
0 I/ {$ P0 N. J: ~+ e& E1 E下面是两个示例配置,php虚拟主机:
0 v+ M' T8 X4 _2 I. F
6 C, d9 @' k3 N- u/ |& o! G" Aserver {1 `( R/ h" a1 F% }8 `
listen 80;
, \/ l2 B0 V& L3 r server_name 52os.net www.52os.net;
$ `% k6 ]3 }' u8 M* h; F ( M1 h8 ^$ |' n q" z
location ~ \.php$ {
; d5 h# p. F3 F8 @1 S5 N) C ModSecurityEnabled on;
2 ~# ~; w: x& y- M0 S ModSecurityConfig modsecurity.conf;
" O$ u7 ?( Q6 r6 C' S
8 B$ l6 u7 M- d* M0 r: P( N' q root /web/wordpress;
9 H$ Y. t# W7 ?! h( s0 u8 j index index.php index.html index.htm;
: d K' x# i' T# z! y9 K+ ~ [/ X
3 R! L- ^6 p5 K9 j fastcgi_pass 127.0.0.1:9000;+ D0 S* S$ X, F
fastcgi_index index.php;5 |* S1 j7 g& T$ O1 e: B
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;7 L& c0 r# x% q
include fastcgi_params;* R- q4 l' o% q
}, c! q( C, J9 a& y
}
# [4 P" a8 W8 l9 t4 C# A8 e8 W! ?" iupstream负载均衡:
; L/ K) F+ d' @, z* V& X' n: V) o4 _% C5 a4 A
upstream 52os.net {4 Y2 c/ _0 t. C& m) s6 L' r
server 192.168.1.100:8080;* b; O/ \& z) F" \) p+ ?1 P
server 192.168.1.101:8080 backup;3 }+ k3 R7 [ q& e8 i) z9 X
} f" J6 q' C2 r" m: L7 i M& g/ _
& Q0 z Q' O5 u! g# cserver {" P( A9 s! V3 M% f
listen 80;: M/ l- n R. `6 I4 d& J
server_name 52os.net www.52os.net;
# C9 ]% M6 K4 W: \! c: V$ R+ t+ ^- U) q& M4 t5 Q5 q5 b3 W
location / {0 G4 B3 ^' ]6 a' s: ]
ModSecurityEnabled on; 0 A! ]- |2 R& h; x) ~8 J$ V# p4 r! C
ModSecurityConfig modsecurity.conf;
T0 d* W/ v! r" _, H+ N- S: z" C. `
proxy_pass http://online;
& w' Y4 ]* v3 M! ]5 l1 D proxy_redirect off;1 F. Q% x: g5 k) I! I% s. v( B
proxy_set_header Host $host;
- @9 \* d4 L. ~% H- _" t proxy_set_header X-Real-IP $remote_addr;- x# u7 ?8 E8 L6 o
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
b2 ]1 G. N4 B/ U }
; v- h7 y( {# j}
" K- ]/ Z0 s; h/ o7 ?% f六.测试
/ T5 A) f9 e7 g1 c) {1 s& p& n2 ]% _+ x- b8 J( K
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
7 [/ X3 n9 L8 z# Y% y) I
9 R$ S' z% ]0 L6 H' Y3 z t+ G* W<?php
3 g+ t4 s: l) }' E! v, C4 r" e- c phpinfo(); 3 J, H% m8 _' K
?>. c% u* G; L% p. R
在浏览器中访问:' J. {! v- `$ Q- o3 b
3 i, r q2 ~) R+ mhttp://www.52os.net/phpinfo.php?id=1 正常显示。7 A9 |& ~( Z9 P D9 d, f
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
' M+ Z/ l( \4 k( Dhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。; i& I, V% B- R, o& r$ C, U
说明sql注入和xss已经被过滤了
1 Q% z. e, Q2 Z! n H/ R" q. o5 s+ F% l
七、安装过程中排错1 |2 B ]3 K3 ^6 _# K) [0 R! Y
- ?* o. t3 _1 T
1.缺少APXS会报错
/ m, p+ H8 \! V# h8 H1 B) M' c8 D
9 m' N8 A- D5 N7 A3 jconfigure: looking for Apache module support via DSO through APXS
1 G- G L. [! E3 D* P/ o- c j% Pconfigure: error: couldn't find APXS
a2 U0 R8 |3 k8 T1 Y$ A$ A- Kapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。+ @& x& C0 @5 h
解决方法:- w# o* {- n2 e- b- w) O
% U1 ^4 L# @" [$ e1 n( ]0 uyum install httpd-devel7 N- |( |% z+ m, O6 H+ v
2.没有pcre2 s4 J: C% a; B9 T9 e4 W7 N3 O
* r/ w8 a* M# S. R* s) a; `% s
configure: *** pcre library not found.* o; Q# G& W& H% N5 Y7 D& P
configure: error: pcre library is required. _5 H) G8 i! ?. L+ y9 b8 }
解决方法:
- l- p. {$ k" A. v% v, q5 S* P c/ w. M( e- B' [& H a
yum install pcre pcre-devel
5 `5 t# f2 r/ L- K; p: J+ ?; i3.没有libxml2
! N/ I3 H1 ]8 o) I, O' g6 c# E1 s
2 B2 x# y" m) q& q3 k' N: K/ x8 W0 m: }- C9 i
configure: *** xml library not found.
o. M" Y8 R4 u g/ r* E8 Oconfigure: error: libxml2 is required/ S1 [3 A: `* C( U" M
解决方法:
1 x3 X9 J. |! o I5 b5 { K9 f! `) l( o0 |- N, ]
yum install libxml2 libxml2-devel7 h/ q+ c+ f2 b7 U" D: \8 K) \
4.执行 /opt/tengine/sbin/nginx -m 时有警告
2 G6 ~: Q% n! t
' U; \3 j. @0 _* z0 oTengine version: Tengine/2.1.0 (nginx/1.6.2)) J* l) G/ b' e1 A; \2 q
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!1 C: d7 y8 S0 V% q. R
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
+ h) V6 S5 Q0 U; A5 X: ?% X( @& R4 K, f7 @ K/ t ^9 ~- \
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.# ?# B+ I# i" ?8 s
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
$ `. K) n7 t+ D/ ~7 U" \2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!; G& ?9 W3 x3 m
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
- y2 b! {% j; n. D2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"; u1 v" h- V; P5 u; h
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
% t7 l/ K0 O0 J- b3 F解决方法,移除低版本的APR (1.3.9)
3 b5 C- C$ T4 x8 h' O1 H G
, F' Y3 C: g/ X5 a( Z+ Gyum remove apr5 Z0 }0 O7 @# a9 ?+ W5 B
5.Error.log中有: Audit log: Failed to lock global mutex
. V7 o# C: a5 M
# o6 f1 G, q7 ~% O5 m# G5 `2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
' Q% Z+ N0 J# h2 U iglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]! |% E$ T) s4 ?0 J6 }+ K7 ]2 J! I
解决方法:
4 Q9 ?/ f% p1 S9 j* x+ P2 c6 t编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:; h; ^9 O& R( q. w1 v, J; A( k
- F8 s; w) ` w
SecAuditLogDirMode 0777. K) ], x4 u( C7 j) E0 f& N
SecAuditLogFileMode 05505 B. R8 z+ ~" F* |1 }- _( o
SecAuditLogStorageDir /var/log/modsecurity
9 W; X: Y% B0 b" cSecAuditLogType Concurrent
' A, K9 X$ n0 U& r) r$ Y( N5 A参考文章:
9 M, H C9 a1 T# a* _& xhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
( F+ S& x- G- ?# Fhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡