ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application. It now also supports Nginx and IIS; combined with Nginx's flexibility and performance it can be built into a production-grade WAF, a useful tool both for protecting web applications and for auditing their traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (Nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr. httpd-devel is only needed at build time (its apxs tool is what ModSecurity's configure script looks for); nothing here requires Apache to be running:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for Nginx, unpack it, cd into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

--disable-mlogc leaves out mlogc, the remote audit-log collector, which needs libcurl and is not used in this setup. Only make is needed, not make install: the Nginx build in the next step picks up the objects from this directory.

III. Add the ModSecurity module to Nginx

Once the standalone module has been built, pass it to the Nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

After the install, /opt/tengine/sbin/nginx -m lists the modules compiled in, so you can confirm that ModSecurity is present before writing any configuration.
IV. Add rules

ModSecurity is about filtering and blocking dangerous web requests, and what makes it powerful is its rules. The rules OWASP provides are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can of course write your own rules for anything they do not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

(The file layout used here is that of CRS 2.2.x. Later versions of the repository restructured the files, so if a fresh clone does not contain modsecurity_crs_10_setup.conf.example, check out a 2.2.x tag.)

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into Nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches without blocking; it is worth running in that mode against real traffic first and switching to On only once the false positives have been dealt with.

owasp-modsecurity-crs contains several rule directories, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding Include lines to modsecurity.conf. The 10_setup file must come first, because it defines the variables the rule files rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
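Before switching SecRuleEngine from DetectionOnly to On, and again whenever a legitimate request is refused, it helps to see which rules are firing, from where and on which URIs. The shell script below is an added example and is not part of the original article or of ModSecurity: it reads ModSecurity entries out of Nginx's error.log and tallies them by rule id and by client. The bracketed fields it parses ([client ...], [id ...], [msg ...], [uri ...]) are ModSecurity 2.x's error-log format; the sample log lines embedded in it, rule ids and messages included, are constructed for the example and were not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original article): tally ModSecurity rule hits
# found in nginx's error.log, to decide what to tune before SecRuleEngine On.
# Function names are this example's own; the log format is ModSecurity 2.x.

# Print one tab-separated line per ModSecurity hit read from stdin:
#   client  rule-id  uri  action(blocked|warning)  msg
# "Access denied" lines are requests that got the 403; "Warning." lines are
# matches that did not block (DetectionOnly, or a non-blocking rule).
modsec_hits() {
    awk '/ModSecurity: (Access denied|Warning)/ {
        client = id = uri = msg = ""
        if (match($0, /\[client [^ ]*\]/)) client = substr($0, RSTART + 8, RLENGTH - 9)
        if (match($0, /\[id "[^"]*"\]/))   id     = substr($0, RSTART + 5, RLENGTH - 7)
        if (match($0, /\[uri "[^"]*"\]/))  uri    = substr($0, RSTART + 6, RLENGTH - 8)
        if (match($0, /\[msg "[^"]*"\]/))  msg    = substr($0, RSTART + 6, RLENGTH - 8)
        action = ($0 ~ /Access denied/) ? "blocked" : "warning"
        printf "%s\t%s\t%s\t%s\t%s\n", client, id, uri, action, msg
    }'
}

# Count hits per rule id, most frequent first: the list to review for
# false positives. Output columns: count  id  msg
modsec_top_rules() {
    modsec_hits | awk -F'\t' '{ n[$2 "\t" $5]++ } END { for (k in n) printf "%d\t%s\n", n[k], k }' | sort -rn
}

# The same tally per client address, useful for spotting a scanner.
modsec_top_clients() {
    modsec_hits | awk -F'\t' '{ n[$1]++ } END { for (k in n) printf "%d\t%s\n", n[k], k }' | sort -rn
}

# Constructed sample error.log (not real captures; ids and messages are made
# up for the example): two SQLi blocks and one XSS block matching the
# article's test requests, one DetectionOnly-style warning, and one unrelated
# nginx error that must be ignored.
SAMPLE_LOG='2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcA1"]
2015/01/26 04:20:05 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/index.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcA2"]
2015/01/26 04:21:10 [error] 61611#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "38"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcA3"]
2015/01/26 04:22:33 [error] 61611#0: [client 10.11.15.163] ModSecurity: Warning. Pattern match "..." at ARGS:q. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "120"] [id "950120"] [msg "Possible Remote File Inclusion (RFI) Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/search.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcA4"]
2015/01/26 04:23:00 [error] 61611#0: *42 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.11.15.164, server: 52os.net, request: "GET / HTTP/1.1", upstream: "http://192.168.1.100:8080/"'

# Demo on the constructed sample. On a real host run, for example:
#   modsec_top_rules < /opt/tengine/logs/error.log
printf '%s\n' "$SAMPLE_LOG" | modsec_top_rules
```

A rule that tops the list on traffic you know to be legitimate is the one to look at first; the uri column from modsec_hits tells you whether a narrow exclusion for one parameter on one path is enough, which is always preferable to disabling the rule.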
V. Configure Nginx

In the location block of each virtual host that should be protected, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. Run /opt/tengine/sbin/nginx -t after editing to check the syntax before reloading. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

(Nginx variable names are case-sensitive: $document_root, not $Document_root, which nginx rejects as an unknown variable.)

An upstream load balancer, where the WAF inspects requests before they are proxied to the backends:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

(The proxy_pass target must be the name of the upstream block.)
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with a 403 directly. Taking the PHP environment as the example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS probes are being filtered. Each block is also recorded in Nginx's error.log together with the id and msg of the rule that matched, which is where to look when a legitimate request is refused.
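The three browser checks above are easy to turn into a repeatable test, which is worth having every time a rule file is added or an exclusion written. The shell script below is an added example, not from the original article: it sends the same three requests with curl and compares the status code each receives with what the article expects (200, 403, 403). The payloads go through --data-urlencode because a raw space or '<' in the request line is not a valid URL and may be rejected before ModSecurity ever sees it. The function names and the WAF_BASE_URL variable are this example's own; the target URL in the usage comment is the article's.

```shell
#!/bin/sh
# Added example (not from the original article): a repeatable smoke test for
# the ModSecurity vhost set up above. Function names are this example's own.

# One probe per line: label|parameter|value|expected HTTP status.
# The three requests are the article's; the expectations assume
# SecRuleEngine On (with DetectionOnly every probe returns 200 and only
# error.log shows the matches).
PROBES="benign|id|1|200
sqli|id|1 and 1=1|403
xss|search|<script>alert('xss');</script>|403"

# Return only the HTTP status for GET <url>?<param>=<value>. -G puts the data
# in the query string and --data-urlencode encodes the value, so the payload
# reaches ModSecurity intact instead of being rejected as a malformed request.
http_status() {
    curl -s -m 10 -o /dev/null -w '%{http_code}' -G --data-urlencode "$2=$3" "$1"
}

# Run every probe against BASE_URL using FETCH (default: http_status, which
# needs the live server; pass another function to exercise the harness
# itself). Prints PASS/FAIL per probe and returns the number of failures.
waf_smoke() {
    base=$1
    fetch=${2:-http_status}
    fails=0
    # Heredoc rather than a pipe so the loop runs in this shell and $fails
    # survives it.
    while IFS='|' read -r label param value expected; do
        [ -n "$label" ] || continue
        got=$("$fetch" "$base" "$param" "$value")
        if [ "$got" = "$expected" ]; then
            printf 'PASS %-6s %s=%s -> %s\n' "$label" "$param" "$value" "$got"
        else
            printf 'FAIL %-6s %s=%s -> %s (expected %s)\n' "$label" "$param" "$value" "$got" "$expected"
            fails=$((fails + 1))
        fi
    done <<EOF
$PROBES
EOF
    return "$fails"
}

# Probe a real server only when a target is given, e.g.
#   WAF_BASE_URL=http://www.52os.net/phpinfo.php sh waf_smoke.sh
if [ -n "${WAF_BASE_URL:-}" ]; then
    waf_smoke "$WAF_BASE_URL"
fi
```

A 000 from curl means the server could not be reached at all, and a 400 or 404 where a 403 was expected usually means the request never made it to the rules (wrong location block, or the payload was mangled), so the status is worth reading rather than just checking for "not 200".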
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script needs it even for the standalone build.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Note that yum removes everything that depends on the apr package along with it (apr-util, httpd-devel and any httpd). That is acceptable once the build is finished, since apxs and the headers are only needed at compile time, but do not do this on a host that also serves Apache.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The serial audit log is guarded by a global mutex that Nginx's unprivileged worker processes are not allowed to lock; Concurrent mode writes one file per transaction under SecAuditLogStorageDir and sidesteps it. 0777 on the storage directory is wider than that needs: the directory only has to be writable by the user the workers run as (the user directive in nginx.conf), so create it owned by that user with a tighter mode such as 0750.

References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614