ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency, it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module can be added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need; each rule file you want is pulled in with an Include directive:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host where ModSecurity should be enabled, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered with a 403 directly. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This confirms that SQL injection and XSS are being filtered.
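To confirm from nginx's error.log that the 403s above were produced by ModSecurity, and to spot operational problems such as the mutex failure covered in the troubleshooting section, here is an added Python parser (not from the original post). The sample log lines are constructed in the ModSecurity 2.x error-log layout; the rule ids 9000xx, the client 192.0.2.10 and the CONSTRUCTED unique_ids are placeholders, not values from the page.

```python
import re
from collections import Counter

# nginx error.log prefix, e.g. "2015/01/26 04:15:42 [error] 61610#0: [client 1.2.3.4] ModSecurity: ..."
_PREFIX = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<body>.*)$')
# bracketed key/value pairs ModSecurity appends, e.g. [id "900001"] [uri "/phpinfo.php"]
_FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
_DENIED = re.compile(r'Access denied with code (\d{3})')

def parse_line(line):
    """Return a dict for a ModSecurity error.log entry, or None for any other line."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    denied = _DENIED.search(body)
    rec = {"ts": m.group("ts"), "level": m.group("level"), "client": m.group("client"),
           "status": int(denied.group(1)) if denied else None,
           "message": _FIELD.sub("", body).strip()}   # free text without the [key "value"] pairs
    rec.update(_FIELD.findall(body))                  # id, msg, uri, hostname, unique_id, ...
    return rec

def summarise(lines):
    """Count 403 blocks per rule id and per client; collect other error-level messages."""
    blocks, clients, errors = Counter(), Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 403:
            blocks[rec.get("id", "?")] += 1
            clients[rec["client"] or "?"] += 1
        elif rec["level"] == "error":
            errors.append(rec["message"])
    return blocks, clients, errors

# Constructed sample log: rule ids 9000xx, client 192.0.2.10 and CONSTRUCTED unique_ids are placeholders.
SAMPLE_LOG = r"""
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)\band\b" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "0"] [id "900001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED0001"]
2015/01/26 04:20:05 [error] 61610#0: [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "0"] [id "900002"] [msg "Cross-site Scripting (XSS) Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED0002"]
2015/01/26 04:21:00 [notice] 61610#0: ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
"""

if __name__ == "__main__":
    blocks, clients, errors = summarise(SAMPLE_LOG.splitlines())
    print(dict(blocks), dict(clients), errors)
```

Point summarise() at the real file (for example /opt/tengine/logs/error.log) to see which CRS rule ids fire and from which clients; a rising count on one id after a deployment is the usual sign of a false positive that needs tuning rather than an attack.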
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning appears when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime, and error.log will also contain the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
8 t" E4 H6 R/ M4 [参考文章:
1 y3 I) M, }5 s# } b( ghttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
5 e: V! b( Y; E! p! Y1 Phttp://drops.wooyun.org/tips/2614 |
|