|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。- X. @* h% Q( E Z* n
1 z) F- W; b# x) x8 @5 p+ b
一.准备工作' z2 R, k6 @7 o; B4 v1 `1 I
3 ~& L! g1 B+ \& U# X; S* O! z系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
* D2 o7 q! u: y0 ^+ R' P# m8 O0 d# a' K2 N- u5 ^
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz0 }- b- ]+ @/ R8 d8 c* H$ F: G) W
7 j$ a; w/ l8 i( ^6 G3 ^modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz0 D! I4 h; d; Y& z1 A* s7 O3 N8 Z6 ]
" l7 p, k+ O0 d
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
$ A% ^$ t# K9 V+ V+ V/ B
: F' T4 ?. d) \* w" Q5 S( f9 r依赖关系:* o/ v5 O5 I! m6 C/ v& f5 M
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
! \* C; G9 A$ H2 g* n& M% t
r+ ^! O" i4 M, tyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel5 Z4 n& A( s6 U* @* ^
modsecurty依赖的包:pcre httpd-devel libxml2 apr
: [1 h$ f+ ?# t( l$ j& b
: Z; e5 n1 b8 ]& ~& gyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel$ n! d" E; Y/ i* U3 v. H+ f, w5 e
二.启用standalone模块并编译
/ |# f0 A$ N8 S4 X1 t' T2 ^' `1 O, C7 `: \; O O+ t
下载modsecurity for nginx 解压,进入解压后目录执行:
5 O; l6 Q( Q. s9 I0 A6 D# p: D' w. y
8 p- V& f6 F1 B- b9 y4 o# t./autogen.sh1 H5 l0 G) u, `: k5 e: e
./configure --enable-standalone-module --disable-mlogc
+ e9 @) M0 X2 L/ Umake $ p2 @( O: ]4 P! a: N
三.nginx添加modsecurity模块4 q" ?, c) ^/ V$ n+ G* O
6 ?6 I# b# E- a( t6 d3 R
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:) u4 N9 T- @ N1 t
( l# s {# p- w5 t$ T" M2 ^. i
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine; K* u& r% g: T0 C- d+ _* M5 t5 R
make && make install" p% ^/ m. T) G% c& d
四.添加规则
0 m- e. _9 ?* j! T
0 [: C9 ^6 K+ lmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。# d7 O; z/ T* q# j* X+ n9 V
q( f- \/ \/ _- A x9 z
1.下载OWASP规则:
9 h, l |! b2 ]8 W
4 j# q' l6 M; jgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
' W( }" H2 T2 x2 m% J% C6 p5 L; x! D/ q
mv owasp-modsecurity-crs /opt/tengine/conf/) S2 G2 b3 y. T- C( [
1 T2 n L! J) [. B' |1 m" dcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
* C( u7 W* ]* ]) r: B1 V5 |2.启用OWASP规则:7 U" b. N0 `; Z
7 s" ~; i- X8 X) E复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
* O# r+ {# d" W) {+ \% a" O3 p0 ~2 w2 `
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
8 j" |' r" b5 g0 c/ ]
; B. [% ^6 {1 C$ u8 towasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。3 R" F4 N# G5 W) D* O
& A9 I- L6 }( U. U, J x5 ?* h
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
% v8 u! {2 Y3 |! X% hInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
! ^3 C% N- u2 z* B& D$ NInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
$ D+ C& f$ W7 ^! [Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
: `7 S# F. P+ N5 \6 p4 ^Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf/ B; U. j) d. U3 r$ R/ w
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
: C) v* [; u0 |4 R8 Z* cInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf$ Q: N: P9 N( ^, D
五.配置nginx% [1 F# R. F/ d. C$ w, b3 j- f$ U2 A
$ T# h6 y2 ~2 Y$ _! |4 }" s8 v在需要启用modsecurity的主机的location下面加入下面两行即可:' a/ Q* {3 m5 N* }
5 R$ [3 h- f9 m; t& D0 J l
ModSecurityEnabled on; 3 J3 x' S0 n/ R# H3 n
ModSecurityConfig modsecurity.conf; P4 x4 ?) C( X3 N9 t
下面是两个示例配置,php虚拟主机:
& g9 l h" {. p' T: |9 r9 u, i: z
server {
N) u% n* m) w* i listen 80;
( @2 m2 ?$ }' H8 x) P' D' Q2 y- ?! Y server_name 52os.net www.52os.net;# E4 c# q/ ?- ]* P' ]
1 y* ?; E U, T8 `9 }5 P# L location ~ \.php$ {5 h* L9 Y2 s0 Z- |% g: v
ModSecurityEnabled on; - W# f' r; G% L1 m f. H n2 Q% W9 f
ModSecurityConfig modsecurity.conf;
: a8 `( }+ p' L* S6 i
& m( |& m& E; ?2 Y0 Q J( A$ k root /web/wordpress;/ V0 C0 R+ E2 r6 B
index index.php index.html index.htm;
$ c! b$ f/ d* E0 g4 h/ F9 ^4 t
/ ^ g/ Y5 B: ~3 m( X fastcgi_pass 127.0.0.1:9000;+ l0 }/ ^" \* O" X
fastcgi_index index.php;! q1 j8 {: R& n4 @0 p' L: `
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;3 L6 k/ W" ^ z/ `& L
include fastcgi_params;
8 i* L U& B; j: ^' a, v }1 J9 o5 f8 _/ z3 D# ]. t
}7 p5 R. f% o! l A! X4 t
upstream负载均衡:$ P: u1 ^: n& y# y$ U
7 _8 R6 {8 ?; J& D9 S$ F& Yupstream 52os.net {
# R7 O2 g! R, v" \3 M server 192.168.1.100:8080;; E k0 N5 {( T
server 192.168.1.101:8080 backup;
' U0 k# X* x" \# c0 M n}
$ m. W7 K9 u2 E8 e( f c- ^
1 q# u6 o% d' ~ E! A! ^server {
/ v+ V2 B$ ?1 S, S$ Q: mlisten 80;
& y& g Z5 G9 e& _, Nserver_name 52os.net www.52os.net;
7 H# R$ U, \- K, F
. A1 X7 F' v2 a/ L, nlocation / {. r6 U4 M* v5 o" R) ~0 @5 ?2 Z
ModSecurityEnabled on;
" Y0 n1 X9 w- ? ModSecurityConfig modsecurity.conf; 9 K4 `3 u- V, R* G
% P9 B. y0 F" { t0 N R7 U
proxy_pass http://online;
( X+ x( Y. F/ @ proxy_redirect off;
# t4 T% K/ g4 U proxy_set_header Host $host;
9 q( a; @ e! R' _( H8 p proxy_set_header X-Real-IP $remote_addr;
' P, I; V/ O; G, U6 m6 e, u proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;4 D9 ^9 J* Y, f) _! j3 n9 j% G6 m
}" h7 O. [ @, I) |
}
+ H5 g1 f. [5 }) D& C& s* e, x, T+ R六.测试0 z$ A% n8 Q4 M- X. S
1 c) `# I' `5 Y3 V9 Y6 {) [- R我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:9 s9 n/ V( @5 j) r2 D6 @3 j
& h( y& W V5 [( W: e$ q8 C
<?php
1 D, h! |7 L% d0 V5 k& k, j2 g phpinfo(); & H8 {, T# x/ x1 `& f
?>
8 A" F% z$ {4 C+ G- x7 Q( d在浏览器中访问:. R$ l; G/ i) } `0 q [. y
& D, C0 V7 K" e, X' M# X* Mhttp://www.52os.net/phpinfo.php?id=1 正常显示。4 X! O: ]% I6 ~0 ^& R! x4 g
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。5 Y. ^, }* v+ c; d# w* L* p
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。: g( d ], e3 u7 q. Y
说明sql注入和xss已经被过滤了: U6 F" N+ A! G: i b
! A2 [) k( d$ b5 o- l2 Q
七、安装过程中排错9 {# D. o% c+ f3 q5 o& O" h( t
1 ^3 g) T( M% {' h$ O
1.缺少APXS会报错
9 O, i1 _; ]% b' _- y- R
) X* R& {% I, \& _) y, b+ s% Wconfigure: looking for Apache module support via DSO through APXS6 K% A+ r4 e: [6 Z
configure: error: couldn't find APXS
, G k( h1 d3 b7 V4 l1 ?$ qapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。5 ~* P' `3 Q& B/ T! Q
解决方法:/ A+ I* g7 ?' T- l; k
' _* g! ?! u% A# @2 }yum install httpd-devel
' V2 o% h, J$ l/ t) ]2.没有pcre
* U" [% S C* e: \: e( {9 j* |# L- u& L0 R; b
configure: *** pcre library not found.
3 E# s6 g. u t4 O7 s, Pconfigure: error: pcre library is required
' R) u# U* F, e; {) B# e解决方法:2 m T8 j8 W8 }& F. _% H8 l
+ L! S% n0 B- qyum install pcre pcre-devel0 q5 o3 `6 {. i% L$ v5 R
3.没有libxml2
3 _4 u! X5 {0 I9 ~' @4 P: h
4 J! x z- \5 U, W3 R0 p. Y2 j' l/ o
& ^7 }) _( O) d' nconfigure: *** xml library not found.
+ Z# W x2 _8 o. p$ Bconfigure: error: libxml2 is required, J: K* @: _$ I# u
解决方法:8 A" K1 B- m. y9 T9 y
, H) ^8 K d7 o; |' w, I0 O
yum install libxml2 libxml2-devel9 D: [3 v0 w; s4 `
4.执行 /opt/tengine/sbin/nginx -m 时有警告
- u! S; Y0 U+ `7 H3 W6 W; j# w+ f
' C! A. _* F) W% V6 XTengine version: Tengine/2.1.0 (nginx/1.6.2)/ v8 ~# `% \/ r6 Y+ G/ A8 F
nginx: [warn] ModSecurity: Loaded APR do not match with compiled! A# g0 ]7 k7 T+ S$ L/ v
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log; Y& c8 R0 C; K( I1 f
# f( Y* S, t7 L2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
' {. l. G( K- r6 k; U1 P/ ?2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"! V% p+ |; g! C Z1 g
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
* }! k6 x1 |' V& u* V8 v2 a2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05". X+ T/ c6 f! O- _+ D$ J% p' o
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2 R6 {$ u5 W- M6 a+ T8 ?- |4 s2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.8 V3 |2 _; d& o6 m/ v
解决方法,移除低版本的APR (1.3.9)
, N& J/ h% ]7 E4 ? [, y4 \! u
~3 U- C: N+ ]# \; I T4 A! V8 uyum remove apr
/ Z- z6 h3 Y: X" z5.Error.log中有: Audit log: Failed to lock global mutex* c) F8 |9 _4 v# `( X# }
# O6 K, U2 o8 b; P0 @% b' O2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
( y" M0 M4 q4 U$ Nglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
) j, B" J( i5 ?) [4 k解决方法:
' F9 y. V. O% ^4 I7 L/ F编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:% h/ [, }- o" U, Z) b( M3 _- F$ H
- ]% z N2 V9 c. S7 c, m/ y
SecAuditLogDirMode 0777! q( a; ?" k p" |+ _+ [9 K
SecAuditLogFileMode 05501 r/ Y2 `8 F9 L2 V- h
SecAuditLogStorageDir /var/log/modsecurity
5 Q8 f) G4 c( l+ A6 MSecAuditLogType Concurrent
- b: t0 B) F; h参考文章:2 y. Y+ l1 C9 l' S$ \
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
" [0 j) {: ] ], J+ o- q% Phttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡