Using ModSecurity with nginx to build a WAF

Posted 2017-10-19 16:53:31
modsecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now supports nginx and IIS as well. Combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, tengine 2.1.0, modsecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages modsecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download modsecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the modsecurity module to nginx

Once the standalone build is done, the modsecurity module can be added when nginx is compiled, using "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

modsecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for any requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the modsecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; each rule file you want is simply pulled in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines inside the location block of each virtual host where modsecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP setup as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
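The three hand-typed checks above can be turned into a repeatable regression test that is re-run whenever another rule file is Included, so that a rule change which starts blocking legitimate traffic (a false positive) or stops blocking the samples (a false negative) shows up immediately. The script below is an added example, not code from the original post; the base URL and the two payloads are the ones tested above, the fetcher is a plain urllib call, and run_suite accepts a substitute fetcher so the logic can be exercised without a live host.

```python
"""Regression check for the ModSecurity rules enabled on an nginx host.

Added example, not code from the original post. Each case pairs a request
with the status the WAF is expected to return: benign requests must pass
(200) and the post's two attack samples must be blocked (403).
"""
import urllib.error
import urllib.parse
import urllib.request

# Constructed test cases; the base URL and the payloads are the post's own.
BASE_URL = "http://www.52os.net"
CASES = [
    # (description, path, query parameters, expected status)
    ("benign id", "/phpinfo.php", {"id": "1"}, 200),
    ("sqli probe", "/phpinfo.php", {"id": "1 and 1=1"}, 403),
    ("xss probe", "/phpinfo.php", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base, path, params):
    """Assemble the request URL, percent-encoding the query string."""
    return base + path + "?" + urllib.parse.urlencode(params)


def http_status(url, timeout=5):
    """Real fetcher: return the HTTP status code. A 4xx/5xx is a result, not
    an exception, because a 403 is exactly what we want to observe."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(expected, actual):
    """Label one outcome from the WAF operator's point of view."""
    if actual == expected:
        return "ok"
    if expected == 403 and actual != 403:
        return "false_negative"   # attack sample got through
    if expected == 200 and actual == 403:
        return "false_positive"   # legitimate traffic was blocked
    return "unexpected"           # e.g. 502 from a dead upstream


def run_suite(cases=CASES, fetch=http_status, base=BASE_URL):
    """Run every case; return (summary counts, per-case results)."""
    results = []
    summary = {"ok": 0, "false_negative": 0, "false_positive": 0, "unexpected": 0}
    for name, path, params, expected in cases:
        actual = fetch(build_url(base, path, params))
        verdict = classify(expected, actual)
        summary[verdict] += 1
        results.append((name, expected, actual, verdict))
    return summary, results


if __name__ == "__main__":
    summary, results = run_suite()
    for name, expected, actual, verdict in results:
        print(f"{verdict:15} {name}: expected {expected}, got {actual}")
    print(summary)
```

Running it with SecRuleEngine set to DetectionOnly reports both attack samples as false negatives, which is the expected result in that mode and a quick way to confirm the engine was switched to On after tuning.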

VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the apr version modsecurity was compiled against differs from the one loaded at runtime; error.log shows the following as well:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
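With SecAuditLogType Concurrent, every logged transaction is written as its own file under SecAuditLogStorageDir, in the same multipart layout as the serial audit log: each part opens with a boundary line "--<id>-<letter>--", where A is the summary line (timestamp, unique_id, client and server addresses), B the request headers, F the response headers, H the trailer with one "Message:" line per rule that fired, and Z the end marker. The parser below is an added example, not code from the original post or the ModSecurity project; it reads one or more such entries and reports, per transaction, the client IP, request line, response status, rule hits and whether the request was actually intercepted. The sample log is constructed from the post's own test requests; the rule ids, [line] values and messages in it are placeholders, not real CRS entries.

```python
"""Parse ModSecurity native audit log entries and summarize rule hits.
Added example, not the post's or the ModSecurity project's code."""
import re
from collections import Counter

# Constructed sample: two transactions modeled on the post's test requests.
# Rule ids, [line] values and messages are placeholders, not real CRS rules.
SAMPLE_AUDIT_LOG = """\
--9ca7e4bd-A--
[26/Jan/2015:04:15:42 +0800] AcAcAcAcAcAcAcA4DcA7AcAc 10.11.15.161 51234 192.168.1.10 80
--9ca7e4bd-B--
GET /phpinfo.php?id=1%20and%201=1 HTTP/1.1
Host: www.52os.net

--9ca7e4bd-F--
HTTP/1.1 403 Forbidden

--9ca7e4bd-H--
Message: Access denied with code 403 (phase 2). Pattern match "1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "0"] [id "999001"] [msg "SQL Injection Attack (sample)"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"

--9ca7e4bd-Z--
--9ca7e4be-A--
[26/Jan/2015:04:16:05 +0800] BcBcBcBcBcBcBcB4DcB7BcBc 10.11.15.162 51240 192.168.1.10 80
--9ca7e4be-B--
GET /phpinfo.php?search=%3Cscript%3Ealert('xss')%3B%3C/script%3E HTTP/1.1
Host: www.52os.net

--9ca7e4be-F--
HTTP/1.1 200 OK

--9ca7e4be-H--
Message: Warning. Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "0"] [id "999002"] [msg "Cross-site Scripting (sample)"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"]
Engine-Mode: "DETECTION_ONLY"

--9ca7e4be-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)
# [key "value"] pairs on a Message: line; values may contain escaped quotes
BRACKETED = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def split_entries(text):
    """Return one {part_letter: part_text} dict per transaction."""
    marks = list(BOUNDARY.finditer(text))
    entries, current = [], None
    for i, m in enumerate(marks):
        letter = m.group(2)
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        if letter == "A":
            current = {}              # a new transaction starts
        if current is None:
            continue                  # stray part before any A (truncated file)
        if letter == "Z":
            entries.append(current)
            current = None
        else:
            current[letter] = text[m.end():end].strip("\n")
    return entries


def parse_entry(parts):
    """Pull the fields a defender wants out of one transaction."""
    a = parts.get("A", "").split()
    request_line = (parts.get("B", "").splitlines() or [""])[0]
    status_line = (parts.get("F", "").splitlines() or [""])[0]
    status = int(status_line.split()[1]) if status_line.startswith("HTTP/") else None
    hits, blocked = [], False
    for line in parts.get("H", "").splitlines():
        if line.startswith("Message:"):
            pairs = BRACKETED.findall(line)
            fields = dict(pairs)
            hits.append({"id": fields.get("id"), "msg": fields.get("msg"),
                         "severity": fields.get("severity"),
                         "tags": [v for k, v in pairs if k == "tag"]})
        elif line.startswith("Action: Intercepted"):
            blocked = True            # present only when the engine denied
    return {"time": " ".join(a[:2]).strip("[]") if len(a) >= 2 else None,
            "unique_id": a[2] if len(a) > 2 else None,
            "client_ip": a[3] if len(a) > 3 else None,
            "request": request_line, "status": status,
            "blocked": blocked, "hits": hits}


def parse_audit_log(text):
    return [parse_entry(p) for p in split_entries(text)]


def rule_hit_counts(transactions):
    """Count matches per (id, msg); the noisy rules are the ones to tune."""
    counts = Counter()
    for t in transactions:
        for h in t["hits"]:
            counts[(h["id"], h["msg"])] += 1
    return counts


def detected_but_not_blocked(transactions):
    """Transactions where a rule fired but nothing was intercepted, e.g.
    because SecRuleEngine is DetectionOnly or the rule is non-disruptive."""
    return [t for t in transactions if t["hits"] and not t["blocked"]]


if __name__ == "__main__":
    for t in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(t["client_ip"], t["status"], "blocked" if t["blocked"] else "logged",
              [h["id"] for h in t["hits"]], t["request"])
```

To process a day of concurrent files, concatenate them (the per-file boundary ids differ, which the parser tolerates) and feed the text to parse_audit_log; detected_but_not_blocked is the list to review while the engine still runs in DetectionOnly, before SecRuleEngine is switched to On.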
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614