|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
9 a w4 Q) u4 Y+ @9 y9 Z" Q/ T) m7 n' U% ^
一.准备工作( |- Z) p$ h4 N
: ]% ^3 K3 k+ `( N9 O* W; G: e
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0$ s2 g+ C5 K& \+ G- `
I. |$ {* Y8 \+ @2 z# x1 ytengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz, P0 j/ t& {3 j& r8 S% W, r
! {; M) _" Q+ ]2 u% u% s
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
$ y& ^0 Q+ i2 P5 E, H& P% h# J: y( U" R. u: j
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs$ V, Z* ~$ n, Q5 \5 B
# t) ^, A& [0 D2 `
依赖关系:: S5 K) O1 X; ~1 {4 k
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
3 _& x! ^% g: H, R9 C) |& {
7 W7 j9 U- u" Q+ {* V" Myum install zlib zlib-devel openssl openssl-devel pcre pcre-devel7 r7 g7 G0 Q2 y( @8 T. k# {
modsecurty依赖的包:pcre httpd-devel libxml2 apr% i8 S+ M" k5 F% N
0 w* D# h+ N h' ~4 w2 o, u6 |2 \
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
9 w& z0 N: v' e* {# L二.启用standalone模块并编译 `* @5 ^& m# d: d
7 Q: m+ c! Z. i5 J. Q" s0 \/ z- P' C下载modsecurity for nginx 解压,进入解压后目录执行:& M# `2 J; G% A
9 g$ Q0 {; s" m( H, Z./autogen.sh/ M8 O3 Q9 v% K
./configure --enable-standalone-module --disable-mlogc
: M' u. ?' L( g5 ?, U6 zmake 7 p: \" [# _6 }2 Q3 k; U
三.nginx添加modsecurity模块7 W! ^! j/ u( u, Q! W
9 _4 p6 o% x9 n2 c- h
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
! U, A" a& a3 y! |! G' W5 @% h
! L, ]# u- ^2 h1 B2 H/ M./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
. w* {1 W5 j) @% ` Gmake && make install
5 ~; Z- N3 K. k; y% _2 {$ G6 [四.添加规则- U4 f C, y- K) ^ R
; q. `' N9 m0 \7 }8 \- k
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
1 G- P5 F" o4 f U( G e+ S- i) R- z7 D! }, `8 u& a2 q
1.下载OWASP规则:& q9 ? O, y- H
$ g5 ^3 g1 l! v k$ N) |3 p
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
0 O9 a5 b3 `6 r+ A" ?! v, S0 }/ `' w# P# z+ Q5 s1 }
mv owasp-modsecurity-crs /opt/tengine/conf/; T" C+ r+ h0 f: ]* q j
1 R7 V4 X) M, W! ?
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
) C. j" W: g" f J% x" w1 [ x4 i2.启用OWASP规则:
: g% C) |, J& B* c' q- H0 ]; s( M# s, z( ~
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。8 b+ w, s9 I" S0 T: ?
9 ]4 D0 X; x' M \: n3 C9 _; }编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
% `8 X W2 u$ u1 x/ a5 T+ I: O+ s1 ]0 j/ a9 n0 W/ y" r5 r
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
1 F4 J. M+ G- C) m V' A' ?/ ?) D" p; R9 m! L3 d/ C- \; c
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf2 z0 m' ?" x" K, t" [
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf5 J( w3 h; {) p3 j4 x! _7 s
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
. X* E+ n! v/ a4 ~0 pInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
( v) n/ D9 Z1 |7 x, }% cInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf2 x' T9 U! \: v D3 y
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf. M* `6 D! x( k0 l
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
+ u' V; t7 r" |* t$ S N五.配置nginx$ c D; q( J# ^9 m5 }- U
' K$ C; @, b9 f
在需要启用modsecurity的主机的location下面加入下面两行即可:& c; V. ~% r3 ^7 j& u
& V. Q z3 u+ q- {
ModSecurityEnabled on; , H7 N8 X2 Y' U- ^- v" \
ModSecurityConfig modsecurity.conf;
& r0 [! T5 @. u! O' D( Z下面是两个示例配置,php虚拟主机:
R q+ N4 G# z' U/ o
' u- d! x( O1 J/ e) D, {6 Rserver {! m1 j5 Y: L$ x& f5 K1 J1 q
listen 80;% V! D! \: X5 V$ _3 [. M/ l
server_name 52os.net www.52os.net;
. V. `0 p: U+ {+ a# U6 Y' R& h" I
6 v8 V+ x$ v/ b7 a; c7 n) A location ~ \.php$ {4 G; i, f0 H6 E w3 R t
ModSecurityEnabled on; ) i7 y+ O2 g) o# ], L% @7 A! Y
ModSecurityConfig modsecurity.conf;
' n7 }! H( l+ X, b7 P2 `0 N
) U# d% l/ b' Z* U4 N" t& z- y root /web/wordpress; p0 C$ u4 V4 ]( |( f
index index.php index.html index.htm;
4 C! \' [3 p5 G% J- p" Q; y ; m; D6 h) F" p+ ^5 @) i, m3 n$ ~
fastcgi_pass 127.0.0.1:9000;
+ U% x6 C3 D( H fastcgi_index index.php;3 F) N* K8 g8 t- ?1 d* n
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;8 O; E( E; K# C( X
include fastcgi_params;
+ ?3 e! `( e7 r* Z* m }
8 x4 d( s, K* j G* y. T# i }
6 n2 ?/ O" Q" D1 v& ?3 M, q) nupstream负载均衡:
& x( m, V: A6 B' D7 T# ~2 h1 Y9 U' \' J, H& P- A
upstream 52os.net {4 |& M% |- K- [( ^7 U+ U
server 192.168.1.100:8080;
7 ~- A2 f* K+ s% j9 a- { server 192.168.1.101:8080 backup;1 j" @% r: }: _: c. P8 E
}
0 r" ~7 F9 V" H0 H+ L% p! M* ]. e' K) U
server {
1 M6 f4 f( Y' E5 {; }! Qlisten 80;
" K3 v0 `5 O1 z0 P7 n; F! v+ \! Dserver_name 52os.net www.52os.net;
5 M) _8 ]+ q' _2 F/ \% S3 G) b3 C: Z8 V# [) N# u6 P5 \; q
location / {7 Z# F- l* \( y5 a( W6 g" x
ModSecurityEnabled on;
* b/ N' R& }( K W ModSecurityConfig modsecurity.conf; " I1 G a0 Z/ [, w& ^
, s) }% l* L: a$ g' K/ \. `
proxy_pass http://online;# F$ E3 Q8 ^' @9 i2 b2 Q
proxy_redirect off;0 O' Y4 j3 j$ |% W8 D- `+ H9 _
proxy_set_header Host $host;
; K- b, u3 Z& {- y3 [% E proxy_set_header X-Real-IP $remote_addr;
, K2 A) I( o& b! ] proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
9 F2 Y! F4 T. U) [5 M/ V }
0 ?4 \5 i0 S/ k4 D3 b2 Y; C}. U. p' N7 {: }9 o
六.测试5 \3 z5 u) v# R9 U
& H) E/ ^3 A2 a$ T) L我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:# {3 Q; {! s! Z. x. Z) s
8 ]+ z7 o2 h) S<?php
0 V7 F# f9 d$ P( g5 O4 m0 e# Q W phpinfo(); * E) b; g6 Y( `# i G& S! z/ |3 v
?>+ U5 X: i8 V. f8 N6 C; n4 i
在浏览器中访问:
& `: @6 [; w" r& A3 H8 D8 D \8 s l$ i2 ~ d- x5 I; t
http://www.52os.net/phpinfo.php?id=1 正常显示。2 l5 d# v2 r4 n; X: X
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
8 ^. k- P: R J0 F3 ahttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。) R2 O; ~, s0 R& O! F
说明sql注入和xss已经被过滤了# q( T* Q f; p. ?, M
/ B% D5 l: S! m/ X/ z) u
七、安装过程中排错3 y$ `" v& Z4 b/ z6 Q
" M* m6 E/ P' X; @1.缺少APXS会报错1 H6 a' |+ H) }) R7 H2 h& t
6 Z/ D: p/ f1 G4 L9 Q
configure: looking for Apache module support via DSO through APXS9 k% N- o1 q5 { d. c6 O3 Q
configure: error: couldn't find APXS
6 O- ]. Z/ O% oapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
: U4 X, d3 }% @# v* v: q解决方法:
$ \& N0 U/ v2 U- s( ~8 r% D
( Z3 g/ X0 T0 [4 b3 J1 gyum install httpd-devel( @, ?" V+ R& e" x$ b& {, j
2.没有pcre
+ ~, h# Q5 q. f0 h3 f4 D! C) ?
8 v+ Z" f1 F5 \configure: *** pcre library not found.
% |; N! ^4 `; d/ Rconfigure: error: pcre library is required
& N% W! @4 A0 Y7 O) Q3 g解决方法:) K. ` d7 y0 U! [( b$ M
5 B; z, F( p- \) b
yum install pcre pcre-devel
4 {6 r8 ]; q/ A2 g& f, k, N1 i, f3.没有libxml2
, S. G% z: C/ J) p9 u. a# l- |5 P0 J; _- g
! f) J9 F/ m! N8 i; s0 F
configure: *** xml library not found.$ ]5 X2 A9 z! \& Y9 P
configure: error: libxml2 is required, C2 B! a8 @4 q+ u
解决方法:4 U' l* }7 X k: a7 X/ b# w
: A* M/ L) [7 O9 m- [yum install libxml2 libxml2-devel
" l1 y! H1 R* ]4.执行 /opt/tengine/sbin/nginx -m 时有警告, Y+ s8 Y ^# ?
5 _/ Y9 h- V! [# Z) f
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
( T1 |" a% Q1 Z! w5 R3 ^nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
) R* m/ E$ V K. m原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
, y9 A- a* p: Z3 N9 a+ y, M4 ^+ x' l1 {. {
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.) c, H2 T" S# x2 @1 V
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
* |3 n+ d- J6 p2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!( c+ y3 ~) i. n. H* ~1 j
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
9 Q1 t4 r9 ?+ v. ?2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"9 p$ Q4 ] X% B9 w4 d0 U
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
. d" @: o- D0 ?1 w! F% W解决方法,移除低版本的APR (1.3.9)
! o6 \' R5 c* z6 d+ E$ h; B9 x6 s0 B, b" p3 y4 F* O
yum remove apr# x5 @" N6 C) y [
5.Error.log中有: Audit log: Failed to lock global mutex' C: ], `4 z# J
- R# W8 A" p5 S! d. h9 W
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 8 |. E! Z7 f: ~ F& d) y q
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
; I/ B- s% z0 m' }& z( Y6 ~9 m解决方法:* R" `$ W; O; B8 A) B9 P
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
! T5 u+ _ z, n, q1 a! v- _+ o: v8 Y0 q
SecAuditLogDirMode 0777, e9 `) f q h1 [
SecAuditLogFileMode 0550# A) ~' I f' b/ m% j
SecAuditLogStorageDir /var/log/modsecurity* x1 @ ?( E" t4 p8 g8 H
SecAuditLogType Concurrent/ M" T) j* L; J
参考文章:
5 g. F) y3 h9 n5 w1 ^5 A, N, rhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
- P' W I/ ?( ^- V, T$ Khttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡