ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs and never blocks).

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by pulling them into modsecurity.conf with Include; keep the setup file first, because the rule files rely on the variables it defines:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of every virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are lowercase; $Document_root is an unknown variable and nginx refuses to start
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the one used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. Delete phpinfo.php once the test is done; it discloses the server's PHP configuration to anyone who can reach it.
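The three browser checks above, replayed as a script so they can be rerun after every rule change (an added example, not code from the original post; it assumes the host and the phpinfo.php path from the post, and that a request the WAF lets through answers 200):

```python
# Added example (not from the original post): replay the three browser
# checks above as HTTP requests and compare the WAF verdict with the
# status the post expects (200 allowed, 403 blocked).
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net"  # the post's host; assumption: change to your own vhost

# (query string, expected HTTP status): exactly the checks the post performs
CHECKS = [
    ("id=1", 200),                                   # benign request
    ("id=1 and 1=1", 403),                           # caught by crs_41_sql_injection
    ("search=<script>alert('xss');</script>", 403),  # caught by crs_41_xss
]


def http_status(url, timeout=5):
    """GET url and return the HTTP status; a 403 is a result here, not an error."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(base_url=BASE_URL, fetch=http_status, path="/phpinfo.php"):
    """Run every probe; return (url, expected, actual, ok) per check.
    fetch is injectable so the harness can be exercised without a live WAF."""
    results = []
    for query, expected in CHECKS:
        # percent-encode the payload so the request line is well-formed;
        # ModSecurity inspects the decoded ARGS, so the verdict is unchanged
        url = base_url + path + "?" + urllib.parse.quote(query, safe="=&")
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


def all_passed(results):
    """True only when every probe received the verdict the post expects."""
    return all(ok for _, _, _, ok in results)


if __name__ == "__main__":
    results = run_checks()
    for url, expected, actual, ok in results:
        print("PASS" if ok else "FAIL", "expected", expected, "got", actual, url)
    raise SystemExit(0 if all_passed(results) else 1)
```

A non-zero exit status means at least one rule file is not loaded or SecRuleEngine is still DetectionOnly.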
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time; error.log also shows:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9); yum will also remove the packages that depend on it, so check the list it prints before confirming.

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 makes the audit log directory world-writable; on a production host, prefer a mode such as 0750 with the directory owned by the user the nginx workers run as.
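An added example (not from the original post) that parses the error.log lines shown in items 4 and 5 and reports a library whose loaded version differs from the compiled one, or an audit-log mutex failure; the sample log is constructed from the lines quoted above.

```python
# Added example (not from the original post): parse the ModSecurity lines
# nginx writes to error.log and flag the two problems from items 4 and 5,
# a library version mismatch and an audit-log mutex failure.
import re

# Constructed sample, assembled from the log lines quoted in the post.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# nginx error.log prefix: date time [level] pid#tid: [client ip] message
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$'
)
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"; '
    r'loaded version="(?P<loaded>[^"]*)"'
)
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')  # [uri "/i.php"] etc.


def parse_line(line):
    """Split one error.log line into ts/level/pid/client/msg/fields; None if not a log line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(FIELD_RE.findall(rec["msg"]))  # trailing [key "value"] pairs
    return rec


def find_problems(log_text):
    """Return one finding per line that shows a version mismatch or a mutex failure."""
    problems = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "ModSecurity" not in rec["msg"]:
            continue
        v = VERSION_RE.search(rec["msg"])
        # PCRE reports "7.8 2008-09-05" for a matching 7.8, so compare the first token only
        if v and v["compiled"].strip() != v["loaded"].strip().split(" ")[0]:
            problems.append("%s version mismatch: compiled %s, loaded %s"
                            % (v["lib"], v["compiled"].strip(), v["loaded"].strip()))
        if "Failed to lock global mutex" in rec["msg"]:
            problems.append("audit log mutex failure from client %s on uri %s"
                            % (rec["client"], rec["fields"].get("uri")))
    return problems
```

Run find_problems over the real file (for example the contents of /opt/tengine/logs/error.log) after each restart; an empty list means neither problem is present.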
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614