ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS, and combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make

III. Add the ModSecurity module to nginx

Once the standalone module has been built, add it to nginx at configure time with "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install
IV. Add rules

ModSecurity's job is to filter and block dangerous web traffic, and its power comes from its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can of course also write custom rules to cover any additional needs.

1. Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need by adding an Include line for each rule file to modsecurity.conf:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In each location block of the virtual host that should be protected by ModSecurity, add these two lines:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

Upstream load balancing:

    # the upstream group name must match the proxy_pass target below
    upstream online {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            proxy_pass http://online;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
VI. Testing

We have enabled the XSS and SQL injection filters, so malicious requests are answered with a 403 straight away. Taking the PHP setup as an example, create a phpinfo.php containing:

    <?php
    phpinfo();
    ?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This confirms that SQL injection and XSS are being filtered.
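To confirm the blocks from the server side rather than from the browser, the following added example (not part of the original post) parses the ModSecurity entries nginx writes to error.log, in the bracketed [key "value"] tag format shown in the troubleshooting section, and separates rule hits from engine errors such as the audit-log mutex failure. The embedded log lines are constructed samples, and the rule ids and messages in them are illustrative rather than a statement of the exact CRS rule ids.

```python
import re
from collections import Counter

# Constructed sample error.log lines (not captured from a real server): one blocked
# SQL injection test, one blocked XSS test, and the audit-log mutex error from the
# troubleshooting section. Rule ids/messages are illustrative placeholders.
SAMPLE_LOG = """\
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED-0001"]
2015/01/26 04:20:05 [error] 61610#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "20"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED-0002"]
"""

TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [id "950901"], [uri "/phpinfo.php"], ...
CLIENT_RE = re.compile(r'\[client ([^\]]+)\] ModSecurity: ')
DENIED_RE = re.compile(r'Access denied with code (\d+) \(phase (\d)\)')


def parse_entry(line):
    """Parse one ModSecurity line from error.log; return None for unrelated lines."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    entry = {"timestamp": line[:19], "client": m.group(1)}
    entry.update(TAG_RE.findall(line))  # trailing [key "value"] tags; values may contain \"
    d = DENIED_RE.search(line)
    if d:
        entry.update(kind="blocked", status=int(d.group(1)), phase=int(d.group(2)))
    else:
        # No "Access denied" and no rule id: an engine/operational error (such as the
        # audit-log mutex failure), which needs an operator rather than a rule change.
        entry["kind"] = "engine_error"
    return entry


def summarize(log_text):
    """Count blocked requests by rule and by client; list engine errors separately."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    blocked = [e for e in entries if e["kind"] == "blocked"]
    return {
        "blocked_by_rule": Counter((e.get("id", "?"), e.get("msg", "")) for e in blocked),
        "blocked_by_client": Counter(e["client"] for e in blocked),
        "engine_errors": [e for e in entries if e["kind"] == "engine_error"],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (rule_id, msg), n in report["blocked_by_rule"].most_common():
        print(f"{n:4d}  rule {rule_id}: {msg}")
    for e in report["engine_errors"]:
        print("engine error:", e["timestamp"], e["client"], e.get("uri"))
```

Run it against the real file with summarize(open("/opt/tengine/logs/error.log").read()) (path assumed from the --prefix used above) to see which CRS rules fired during the tests in this section.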
VII. Troubleshooting the installation

1. Missing APXS causes an error

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

    yum install httpd-devel

2. pcre is missing

    configure: *** pcre library not found.
    configure: error: pcre library is required

Fix:

    yum install pcre pcre-devel

3. libxml2 is missing

    configure: *** xml library not found.
    configure: error: libxml2 is required

Fix:

    yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

    yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog directives, and add the following:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614