ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be turned into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is aimed at filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each of them:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

Add the following two lines to the location block of each host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered directly with 403. Using the PHP setup as an example, create a phpinfo.php with the following content:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
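The three browser checks above can be turned into a repeatable regression check. The script below is an added example, not part of the original post: it sends each of the post's test requests (URL-encoded) with curl and compares the status with the one the WAF should return; it assumes the site's base URL is passed as the first argument and that curl is installed.

```shell
#!/bin/sh
# Regression check for the WAF behaviour described above: each probe is one of
# the post's own test requests, paired with the status the WAF should return.
# Assumed: $1 is the site base URL, e.g. http://www.52os.net; curl is installed.

# http_status URL -> prints the HTTP status code (000 if the request failed)
http_status() {
    curl -s -o /dev/null --connect-timeout 5 -w '%{http_code}' "$1"
}

# waf_check BASE_URL -> prints one line per probe, returns the number of probes
# whose status differed from the expectation (0 = WAF behaves as described)
waf_check() {
    base=$1
    failures=0
    # Probe table (constructed from the post's tests): path|expected status
    while IFS='|' read -r path expected; do
        code=$(http_status "$base$path") || code=000
        if [ "$code" = "$expected" ]; then
            echo "ok   $code $path"
        else
            echo "FAIL got $code want $expected $path"
            failures=$((failures + 1))
        fi
    done <<EOF
/phpinfo.php?id=1|200
/phpinfo.php?id=1%20and%201=1|403
/phpinfo.php?search=%3Cscript%3Ealert(%27xss%27)%3B%3C/script%3E|403
EOF
    return $failures
}

# Usage: sh waf_check.sh http://www.52os.net
if [ -n "${1-}" ]; then
    waf_check "$1"
fi
```

A non-zero exit status means at least one request did not get the expected answer, which is the signal to re-check the Include list and SecRuleEngine before trusting the WAF.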
8 s) G1 Z! V# Z* Z, f7 q
/ i0 Q2 M. @* u7 N& S9 F1 n: M七、安装过程中排错
( ]! F) t: ^8 `5 R# b! \, U- s- V
6 k) p( Z" a4 I p; j1.缺少APXS会报错
" y$ C' n7 n* X# M* }/ H* y; b9 c' h4 Y/ c# b$ w. |" @1 l
configure: looking for Apache module support via DSO through APXS
3 Q4 u9 W6 y! aconfigure: error: couldn't find APXS
: E& c. E* d1 @/ J* q8 @apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
% f1 D9 K, q6 \3 o( W% P$ v解决方法:
. _5 x; R; |- g! a7 r4 x* ^0 K: z1 P7 l8 O. o
yum install httpd-devel% m! i- T8 t) z' |; [& \
2.没有pcre, ~3 k U0 P8 m6 D. C
' i- e" y& v# ~1 Econfigure: *** pcre library not found.
5 }4 `+ ?- y: e( Fconfigure: error: pcre library is required5 P+ J$ ^3 R; |1 l. w) [/ G [
解决方法:
0 k/ v; { s2 a: w$ m) v' E1 I& P$ B* k: C( U
yum install pcre pcre-devel9 B7 m2 @) K( o3 }
3.没有libxml2
~4 w1 W8 G% v6 r9 e( ?9 k2 F3 |; P5 G! {4 H6 W) s$ Z& I
0 w0 O9 D7 w. X' T, _5 v. ~, Mconfigure: *** xml library not found.1 i+ V4 {/ S% s4 h& ~; {; _# G& Z/ ~
configure: error: libxml2 is required0 q8 s2 ?1 A+ ^* P# I
解决方法:
; ~% o8 ^* c2 O% p
9 \' O2 a* l# O5 y. b' s) `9 cyum install libxml2 libxml2-devel7 s# s, {3 a' J- A2 A" }0 j2 x
4.执行 /opt/tengine/sbin/nginx -m 时有警告) Y8 Q* B- h! Z1 T( Y8 f' }- T
, L1 E/ d1 Q- y' Y6 Y. A! L$ eTengine version: Tengine/2.1.0 (nginx/1.6.2)
8 o. S5 {! b Z2 Znginx: [warn] ModSecurity: Loaded APR do not match with compiled!
0 Y7 D/ X) q2 G p3 e8 f原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log9 f: \/ R# M' H
: A* p8 I7 y. g0 B+ w' n- R: N2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured./ }3 `5 S7 N( }$ M9 ^
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
) k' ?/ b3 j$ y) Q b; c3 ?$ H2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!; ^' |' o C" y9 ]+ h
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"8 ^0 q; R2 T) G6 l- ?" `
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
% E. Z+ L$ [( U; k2 m! v2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2 q- V7 A& ]( s4 N- \' I( T, f解决方法,移除低版本的APR (1.3.9)
5 X" ` V/ U# O" a
% c$ o" C, n, ~9 i7 y1 |* M( q9 G; ~- Xyum remove apr7 }5 H# P+ w" N; k" U- H( w2 S
5.Error.log中有: Audit log: Failed to lock global mutex
. p: \& z# w& [$ S: U/ L( k1 b/ i' n8 t- W; W- |
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock ( N" I! Y$ ?8 m7 g! p
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
( m5 E; Y& X0 s; k解决方法:
5 m1 t+ E/ K. q( R: Y3 e) U编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
6 ^' {1 S7 E. j) w: j1 |- e
9 N2 i \5 }/ u' ]2 }- T9 r8 A& cSecAuditLogDirMode 0777* Q, r0 m9 S& I1 w( n
SecAuditLogFileMode 0550
" d, I. e# @/ }9 u, _- M; cSecAuditLogStorageDir /var/log/modsecurity
' Z" j- w4 ] c5 iSecAuditLogType Concurrent& Z+ q; C# _, c% i$ X
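Before reloading Tengine after the edits to modsecurity.conf (the Include list in section IV and the audit-log change just above), it pays to lint the file. The script below is an added example, not part of the original post: it checks that SecRuleEngine is On, that every Include path resolves relative to the nginx conf directory, and that a Concurrent audit log has an existing storage directory and is not given a world-writable 0777 directory mode; it assumes the conf directory path is passed as the first argument.

```shell
#!/bin/sh
# Lint a modsecurity.conf before reloading Tengine. Covers what the post shows
# going wrong: an Include path that does not resolve (paths are relative to the
# nginx conf dir, where modsecurity.conf lives) and a Concurrent audit log whose
# storage dir is missing or world-writable. Assumed: $1 is the nginx conf dir.
# directive CONF NAME -> prints the value of the last uncommented NAME line
directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}
# check_modsec_conf CONF_DIR -> prints each problem, returns the count (0 = clean)
check_modsec_conf() {
    dir=$1
    conf="$dir/modsecurity.conf"
    problems=0
    [ -f "$conf" ] || { echo "missing: $conf"; return 1; }
    # modsecurity.conf-recommended ships with DetectionOnly; the post sets On.
    engine=$(directive "$conf" SecRuleEngine)
    case $engine in
        [Oo][Nn]) ;;
        *) echo "SecRuleEngine is '${engine:-unset}', expected On"
           problems=$((problems + 1)) ;;
    esac
    # Every Include must exist once resolved relative to the conf dir.
    for inc in $(sed -n 's/^[[:space:]]*Include[[:space:]][[:space:]]*//p' "$conf" |
                 sed 's/[[:space:]]*$//'); do
        case $inc in /*) path=$inc ;; *) path="$dir/$inc" ;; esac
        if [ ! -f "$path" ]; then
            echo "Include not found: $path"
            problems=$((problems + 1))
        fi
    done
    # Concurrent logging writes one file per transaction into the storage dir;
    # 0777 lets any local user alter or delete that evidence, so flag it.
    if [ "$(directive "$conf" SecAuditLogType)" = "Concurrent" ]; then
        store=$(directive "$conf" SecAuditLogStorageDir)
        if [ ! -d "$store" ]; then
            echo "SecAuditLogStorageDir does not exist: $store"
            problems=$((problems + 1))
        fi
        if [ "$(directive "$conf" SecAuditLogDirMode)" = "0777" ]; then
            echo "SecAuditLogDirMode 0777 is world-writable; use 0750 owned by the worker user"
            problems=$((problems + 1))
        fi
    fi
    return $problems
}
```

Run it as sh check_modsec_conf.sh /opt/tengine/conf; anything it prints is a problem nginx would otherwise only surface at reload time or, for the audit-log directory, at the next blocked request.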
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614