|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。4 b. }- a* ?+ f# u1 j6 X, u7 _* Y& j
5 J/ ^" U! V: E5 O! s q3 Z/ d# H一.准备工作
" ?6 X6 B0 r1 a2 `) K- K, y6 Q
7 V( w! @5 A' k& k, h+ A# _系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0' J% o' ]$ F" }: i
2 f! W# [3 u, B& u1 |tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz$ `6 A r O! V" E6 Q
* B+ _$ s, A/ d; Umodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
' s4 V% k# W+ d* n' ~% t- D
5 r* \. s/ l# \ xOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs* H9 q' x7 f! h/ L/ i
1 c, @: H: [1 V; P2 i% \# T5 g8 q依赖关系:
4 S, S& o2 X) H* {tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
6 V' f9 S5 @. i1 b9 B$ Y- }
, N! v2 U z8 o: K4 Fyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
: r. q" ^" Z% i* k/ G" \. kmodsecurty依赖的包:pcre httpd-devel libxml2 apr2 ?- ^5 q" V1 H4 h% b8 F
2 m% I+ g4 v8 p9 u- e4 X- E2 |4 Q; x# N
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
6 U* @9 h: w7 }! ~二.启用standalone模块并编译
$ a; i* M3 Z2 e9 _* b
- k3 D5 n( I( y- O下载modsecurity for nginx 解压,进入解压后目录执行:( ?. L* O- A x4 P6 v
( x2 r$ I! H: x0 h) r
./autogen.sh, ^2 \: R8 N" b, e! [/ b4 v% V
./configure --enable-standalone-module --disable-mlogc
/ x/ y7 i0 j+ n! H) ]make , R( s- o, s. j) h; s" W
三.nginx添加modsecurity模块9 o3 C3 b6 W( J v- y
* w; n( O& v$ {) J4 s0 A" m/ w- v
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
! p2 {; R0 ~7 W) T" O) r9 t: d N& F2 J$ l4 q4 @
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
% s( ]2 l& @% H4 d7 Y$ M: Wmake && make install
# P+ D# Z+ f4 }6 b$ L四.添加规则
" H. C- c5 L( r. T& Y+ a+ x% u3 {5 ]1 f; Q5 F$ r
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
1 x" r7 g3 Z+ l0 k* s0 y+ m4 x2 Q Y4 y% a7 ]6 y6 Z# a& i
1.下载OWASP规则:& q2 }/ |% i: }; N
# X* F& p% p* e6 Cgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
9 r! G# ^. n% N- \# Y/ z. H" f0 ]( O3 u# s3 e, x" U4 M
mv owasp-modsecurity-crs /opt/tengine/conf/' _- F3 f# L. i/ W, P" @. v( ?
1 `& m( d1 E: Y& q; p6 w+ ~' E0 }0 Bcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf! C2 ~4 S3 |: a4 h! @5 F7 l! v
2.启用OWASP规则:
/ M# b6 w% J7 w: z
- C6 P, u( C* x v$ ?复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
: _( e) e) U# T/ [; L7 o; m, E# Y8 z$ e9 P3 u9 f
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on5 i% Y8 |9 x6 Q$ e! d
, p% U9 p2 y% y% e. B* m
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。" r. \$ A& h$ P- w* A/ C# @
/ k/ `# N' x. u7 ~; h/ V
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
2 @" H( c% R/ y* N* `( GInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf' y U" ?. E! J8 P0 A
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
1 @. L( p( d! h% I! H; Z/ jInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
- O7 ^9 b- q; pInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf" ]0 [5 c: ]+ w
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf! Z/ [; N. t0 X/ N9 B5 ~& q9 c9 `
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf) ^' J5 \( L3 ~( C) t9 d; c
五.配置nginx3 K" n5 ~. k; a5 V" m
4 H: V2 I- |' o在需要启用modsecurity的主机的location下面加入下面两行即可:
& |" D2 j, n: O# @' k! m( }
( ]( g* \* }3 m, N$ T: lModSecurityEnabled on;
) b: i2 i/ n# y6 x1 \ModSecurityConfig modsecurity.conf;8 c2 L5 Y9 b/ z3 j. m6 n9 Q' S) O* _
下面是两个示例配置,php虚拟主机:5 h5 ]& v4 Q- h2 w) L0 ^# r. D
: _. w& z' ~5 L2 c2 `% d- b) I6 kserver {5 a3 w7 i1 r6 p- ^# b2 K
listen 80;# a/ K8 a3 R z& \% T6 g* R
server_name 52os.net www.52os.net;5 T5 t/ L9 r) D
4 p, k8 L( v3 E
location ~ \.php$ {
0 a3 ?9 r8 c1 G. ]) h' }& M ModSecurityEnabled on;
8 V# F( w7 N5 h9 } ModSecurityConfig modsecurity.conf;
* G9 T. ]& f/ N& h
2 Z4 M. j' \+ n5 \ |/ G# o7 d6 \ root /web/wordpress;
' T ?! s9 L8 }0 A' g4 } index index.php index.html index.htm;. U. @4 A- Z3 J
3 g% v% N- J9 v2 n
fastcgi_pass 127.0.0.1:9000;
0 @4 Z, B+ E" r) } [1 i fastcgi_index index.php;
) @, `8 w" V# s+ q3 O fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;' c2 [% ~* e* ?& {) P
include fastcgi_params;
8 b2 I: Z: H! p) q! O: N }) y& t( i1 d# B. Y0 S8 }/ @: Y
}
( s* `7 ]% D# s9 l+ [ }; Uupstream负载均衡:
) H! F$ V+ ~; t9 L% l# I
9 A) u: \$ i$ R! G0 @upstream 52os.net {
( m9 g3 S, E) l- m: t server 192.168.1.100:8080;
8 s7 J' N( p$ D, n server 192.168.1.101:8080 backup;
' W' K. c s! E. Z7 x" W' J7 o# u}9 ^# ?% `; ^: f' F/ G
2 c( H) t" x N) E4 @" `
server {
; F3 Q3 c* B m5 flisten 80;
# k3 I* F( A6 J; `2 V6 R% Dserver_name 52os.net www.52os.net;
; y& _- i4 E. ~4 x; q4 F* P: o' V
location / {
4 V9 X) [: J' t$ U! ` ModSecurityEnabled on;
6 G: P- g; R/ {/ A ModSecurityConfig modsecurity.conf;
0 T# g( q% i2 h$ C; k$ e1 Q+ A
( M6 q. D* V, [& H proxy_pass http://online;. J1 _2 \# T# b) D9 Q. |
proxy_redirect off;
. A; ?; j% ?0 a; ?& D3 U( t proxy_set_header Host $host;& U- X7 Q3 ^9 s$ t9 w
proxy_set_header X-Real-IP $remote_addr;: [1 {- r6 _/ l: g0 A$ g3 O6 s# [
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
% e$ \% h' E7 O6 W; R+ a) L }
9 R: `. H/ o0 u" b}' ]3 L @7 j8 n1 ]5 K* y/ a- L
六.测试
, B! ?5 g' E8 d; R3 K9 e! j
; r' O) |6 y' J* z6 I% t7 g我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:1 ^/ {% C3 c+ W/ G3 o4 V
) N2 G* A6 O2 X" s<?php0 ~& F- _& m# Q, e1 f0 W$ Y7 x# N
phpinfo(); $ U& y" {1 D0 V, j# a! @
?>
' V8 [2 |8 t* v3 H1 D在浏览器中访问:2 H h5 b% U) ^1 _- ?
4 @% j2 ]9 \% _$ T3 t- R/ ~3 r5 I
http://www.52os.net/phpinfo.php?id=1 正常显示。: Z4 t5 ^5 \8 a+ y. ^3 Q. ?! ^2 B
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
6 K* d: C4 N/ t0 v; `9 W! x1 khttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
$ _5 p! \2 T& R: J说明sql注入和xss已经被过滤了9 [, z, X9 m+ A/ V5 ^* r+ F
, C$ i: Z) _' K" ^7 @七、安装过程中排错
y% L8 w# H' i f9 p9 s3 N& P D
6 r/ r1 i, S# ?/ W& w& K6 Z1.缺少APXS会报错' F D5 K m5 s, n; n' V. i) a
8 q2 O4 A2 r. |+ `& P1 }configure: looking for Apache module support via DSO through APXS
% M4 |/ a7 ]* t5 {; Fconfigure: error: couldn't find APXS
' B/ @: Y& t( T) W2 t2 q& a# O: g2 b% y; Fapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。9 R) Q- ?$ \! S! b4 l7 Y
解决方法:
+ F- |; c( O& [9 x$ e- b, n- y, h5 ^6 N" b' Y- ?
yum install httpd-devel2 c% C3 s/ L% G n' \# w9 y1 ^, O
2.没有pcre
) |0 ~' K8 y4 }" P- o! m5 j6 P1 f& {+ f
configure: *** pcre library not found.
8 ?7 ]+ ]/ Z: D- R% n$ wconfigure: error: pcre library is required% W9 a6 V3 Y, Y) e/ P- W3 ]0 c
解决方法:
9 g! \& s: d8 e" N) \) w- f: M9 U0 W' S6 W
yum install pcre pcre-devel4 B3 C6 F/ k9 I8 p% g5 z
3.没有libxml2
5 B# _: d9 r. c) h1 `: S
! O; y# K4 r3 J+ D- `! g( M2 J, M; i( j) o( t0 W
configure: *** xml library not found.
. \! R" m! X! Y1 e( n& Bconfigure: error: libxml2 is required5 k/ Q9 q% j$ V, Q+ j& R! c8 o
解决方法:+ v K$ }2 v+ b) I: a$ q2 E
2 g( L+ h( E6 z4 fyum install libxml2 libxml2-devel. D' F6 j7 B- C; ?. G% E
4.执行 /opt/tengine/sbin/nginx -m 时有警告
1 J6 H# T4 b4 c/ k H$ O5 o0 K* f- ], M0 `4 e
Tengine version: Tengine/2.1.0 (nginx/1.6.2)+ R' P+ m c- ?( Q4 F6 m+ {
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
5 v! g0 ?) k4 {* r( X原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log2 n& U* H7 O+ p/ P; V5 M
. Y# r! j1 f& R4 l. R7 F2 }2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured./ K% C( F8 ~; z* q2 L6 T
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
' L/ I' Q* x* G2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
/ R* G# d4 x5 s' w) ]( u# t% d2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"- ~: S5 S9 O" `. E4 y- q
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"/ _' x+ v& u9 c, q! | }% b3 `
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.0 `; ^; f4 G @" n- g( q
解决方法,移除低版本的APR (1.3.9)4 l2 ]7 B3 `; r* Z; M# A: x- ?; k
( Q8 t( N; c8 D5 t+ W' R
yum remove apr+ T$ v& B& C" Z+ p- q
5.Error.log中有: Audit log: Failed to lock global mutex
3 y ]/ }" i+ U: j
1 Z" c0 i! X' } F* } r2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
# |; C' [* m1 kglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]& t8 J4 D" v; b* u8 F, U, ^
解决方法:
0 O# F- S. P+ B编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:$ Z# }/ l% l9 ^& \
% K* g& @1 q/ A" j( s, n4 Q
SecAuditLogDirMode 0777" }3 I* v7 x6 _5 r
SecAuditLogFileMode 0550! M+ R' m9 `' H0 ~# }& P3 t
SecAuditLogStorageDir /var/log/modsecurity
& a( w& M. O9 hSecAuditLogType Concurrent
, v% U: e, l6 Q5 \* z参考文章:2 L0 `+ a" J. z. c' n1 Q) }6 c
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX' I+ d3 M% O& l, R
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡