ModSecurity started out as an open-source WAF for Apache that noticeably improves web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

2. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

4. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet any requirement.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by Including them in modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

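Before wiring modsecurity.conf into nginx it is worth checking two things mechanically: that SecRuleEngine really is On (modsecurity.conf-recommended ships with DetectionOnly, which logs but never blocks) and that every Include line resolves to a file under the conf directory. The following POSIX shell script is an added example written for this post, not part of the original article or of ModSecurity; it assumes the layout above, with modsecurity.conf in the nginx conf directory and Include paths relative to it. The function name check_modsec_conf and the wording of its messages are my own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a ModSecurity
# configuration before pointing nginx at it.  Assumes the layout used above:
# modsecurity.conf lives in the nginx conf directory and its Include lines
# are relative to that directory.
#
# Usage: check_modsec_conf /opt/tengine/conf [modsecurity.conf]
# Returns 0 when the engine is On and every Include exists, 1 otherwise.
check_modsec_conf() {
    conf_dir=$1
    conf_file=${2:-modsecurity.conf}
    status=0

    if [ ! -f "$conf_dir/$conf_file" ]; then
        echo "no such file: $conf_dir/$conf_file"
        return 1
    fi

    # 1. The engine must be On.  modsecurity.conf-recommended ships with
    #    DetectionOnly, which only logs and never returns 403.  The last
    #    SecRuleEngine directive wins and the value is case-insensitive.
    engine=$(sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' \
        "$conf_dir/$conf_file" | tail -n 1)
    case $(printf '%s' "$engine" | tr 'A-Z' 'a-z') in
        on) ;;
        *)  echo "SecRuleEngine is '${engine:-unset}', expected On"
            status=1 ;;
    esac

    # 2. Every Include must resolve to an existing file; otherwise ModSecurity
    #    fails to load the configuration, or a rule file you believe is
    #    active never gets loaded at all.
    missing=$(sed -n 's/^[[:space:]]*Include[[:space:]]\{1,\}//p' "$conf_dir/$conf_file" |
        while read -r inc; do
            case $inc in
                /*) path=$inc ;;          # absolute path used as-is
                *)  path=$conf_dir/$inc ;; # relative to the conf directory
            esac
            [ -f "$path" ] || echo "$inc"
        done)
    if [ -n "$missing" ]; then
        echo "Include targets not found under $conf_dir:"
        echo "$missing"
        status=1
    fi

    return $status
}

# Run directly against a conf directory; does nothing when sourced without arguments.
if [ $# -gt 0 ]; then
    check_modsec_conf "$@"
fi
```

Run it as `sh check_modsec_conf.sh /opt/tengine/conf` after editing the Include list and again after every CRS update; a non-zero exit status means nginx should not be reloaded yet.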
5. Configure nginx

Add the following two lines inside the location block of any virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

6. Testing

With the XSS and SQL injection filters enabled, malicious requests get a 403 straight away. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.

7. Troubleshooting the installation

1) Missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2) pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4) Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
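The notice lines above are worth checking automatically after every restart, because the APR mismatch is only a [warn] and nginx starts anyway. The following shell function is an added example, not part of the original post or of ModSecurity; it assumes the notice format of ModSecurity 2.8.0 shown above, and the function name modsec_version_mismatches is my own. It compares only the leading version token, so the PCRE line, whose loaded version carries a build date, is correctly treated as a match.

```shell
#!/bin/sh
# Added example (not from the original post): scan nginx's error.log for the
# ModSecurity start-up notices and report any library whose compiled and
# loaded versions differ.  Assumes the 2.8.0 notice format:
#   ModSecurity: <LIB> compiled version="x"; loaded version="y"
#
# Usage: modsec_version_mismatches /opt/tengine/logs/error.log
# Prints one line per mismatch and returns 1 if any were found, 0 otherwise.
modsec_version_mismatches() {
    awk '
        # Only lines carrying both a compiled and a loaded version are
        # comparable; LIBXML, for example, reports only a compiled version.
        /ModSecurity: [A-Z]+ compiled version=".*loaded version="/ {
            lib = $0; sub(/.*ModSecurity: /, "", lib); sub(/ compiled.*/, "", lib)
            c = $0; sub(/.*compiled version="/, "", c); sub(/".*/, "", c)
            l = $0; sub(/.*loaded version="/, "", l); sub(/".*/, "", l)
            # Compare only the version number: PCRE appends a build date to
            # the loaded version ("7.8 2008-09-05") and a trailing space to
            # the compiled one ("7.8 "), neither of which is a real mismatch.
            split(c, cv, " "); split(l, lv, " ")
            if (cv[1] != lv[1]) {
                printf "%s: compiled=%s loaded=%s\n", lib, cv[1], lv[1]
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Run directly against a log file; does nothing when sourced without arguments.
if [ $# -gt 0 ]; then
    modsec_version_mismatches "$@"
fi
```

A non-zero exit means the module was built against one library version and is running with another, which is the situation the yum remove step above resolves for APR.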

5) error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614