|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。% @9 ~# `- b! l& N4 E2 V) J2 `
4 u: e$ K* @" |2 Z6 t
一.准备工作8 g! y$ a; d) I
1 \. ^# @! v8 j" h系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0* q9 Z' `$ S& d. W
: P D1 u: v/ L; f
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz k+ S6 h3 S M' p0 X
* p$ [3 N* n( E5 B* emodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz! l- L! S* B" s& Z( J
! O& y) N* x' Y! iOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs& V1 x- D" T3 R, H- l* h% M; t* O
# ]9 o2 _" Y3 v* D依赖关系:
8 L& a7 ~* J/ A9 v+ j/ ttengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:4 f3 |) r/ {2 g( |8 b
9 m( m; L& e' B; N8 c' J. Cyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel3 B/ L4 D2 y5 v4 [$ q
modsecurty依赖的包:pcre httpd-devel libxml2 apr
2 t& {, o: @6 d | w
( v! ?) p, T3 M% Q; h+ {yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel! N; z+ B x. x3 E' K& G
二.启用standalone模块并编译
$ V2 X! F- u6 X* Z/ E; L4 ^2 _+ k: w8 E T$ |
下载modsecurity for nginx 解压,进入解压后目录执行:" |" |+ u9 I) D; u) c
3 Z% `0 c% Q5 X+ a./autogen.sh
4 B% r @& f, N$ M; b; C/ O./configure --enable-standalone-module --disable-mlogc+ _4 D y2 s1 c% K! h
make % O! C: f# N. [2 I ?6 V
三.nginx添加modsecurity模块' W7 K/ n* j2 F& E; ~' V
2 W$ d+ s9 \3 _
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:5 C% x0 @& E& j( R8 p
' ^! u; q" u3 Y9 l n./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
! }8 s# G. N; ^! H# l5 m+ Smake && make install3 B' H, ] C8 q' Q! N- ^
四.添加规则. |3 v4 Z3 ?7 f; e. b# k
, y- b8 N/ d! a8 ~modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。+ k+ I* J' v# |# j& V% E
* W2 m& _% j ]/ j/ G# ]7 G1.下载OWASP规则:) n( V' P0 J0 }* G- r+ }
$ x" w2 ~9 X7 d: b% H
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
: _0 w- Q/ J: z
4 ^7 c; c8 W7 b/ }% f* e6 ]mv owasp-modsecurity-crs /opt/tengine/conf/: K, z' J. n# z( @! _; q- r
, c6 M# ?& Z% [2 Ocd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
6 n5 E7 K9 N: F8 z+ ^: h2.启用OWASP规则:& O9 Z* o4 u2 d+ {) ~
3 G4 k. p6 G' Y7 n% }, \复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。. M! W9 w- O- t2 o3 t4 [
& w: f3 e N* P+ V' P z! H6 Z
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
5 |4 F6 e O7 E D6 P
) g5 p6 F# }# G6 Lowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
" P. b {* E4 o# s4 {: Q! p. l" p( }% N5 }% G) U' c+ y3 t
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
' q/ F& c2 `, U! y& y, x8 m# ]) bInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
1 ]# C/ o; ~6 iInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
( H8 ~3 a; b5 e5 i o! KInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf0 x U- b, @* D
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
. ]* k& X5 A( l) d. `9 }; }Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
, w+ t' E8 i) Z" I6 l5 FInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
$ i2 ]/ ^7 Z4 E! Y4 z五.配置nginx0 {" x( j( G% q
, G; r) ]' b, g0 r% i$ w
在需要启用modsecurity的主机的location下面加入下面两行即可:
9 A& Q3 B l, o9 Y, q6 ~. M0 n7 A9 ^5 q& p
ModSecurityEnabled on;
! V6 H5 y4 ?) w4 f, ^ModSecurityConfig modsecurity.conf;
0 w/ z2 o6 w% h下面是两个示例配置,php虚拟主机:
) | u6 c$ o( p& @* x: G' |& Z. O$ K0 y' |6 b/ x
server {; G. T3 U% t- Q7 h- u; q
listen 80;
6 _- {, k p0 c. R server_name 52os.net www.52os.net;- M2 @2 m0 ^- t
! N4 l- @" \* P7 T& c( C+ Z
location ~ \.php$ {) y h/ x0 Y+ K
ModSecurityEnabled on;
% l' e4 w. @" p0 b ModSecurityConfig modsecurity.conf;% C3 ?, e9 ?. K) O; H( {6 n4 A+ W& K2 L% ^
. Q: e2 i" Y0 ^0 \ root /web/wordpress;
0 y" [; C/ @" F; }- \ index index.php index.html index.htm;8 E D& g- O# K: v# ?
7 X- m' B3 N: @: L) d7 n, g8 Z
fastcgi_pass 127.0.0.1:9000;$ {) Y0 |9 ~" _) h. V' a% [% @4 E
fastcgi_index index.php;
" G3 ]: p* Y& t$ H fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;7 A- U, m/ i. `3 e: g/ {
include fastcgi_params;
& d1 b4 ?" k Z2 p/ g2 F, ?8 f( O }: }7 @$ {* F; y/ \
}
# T3 K2 c* I. z, Q7 R, }upstream负载均衡:: e m a$ W2 [3 {4 K. f
5 ~/ C) C. o0 l1 s
upstream 52os.net {
, i# ^% K6 a3 ~' e server 192.168.1.100:8080;/ \$ \4 \& r1 V4 X) I L
server 192.168.1.101:8080 backup;
8 I* O9 Y- e+ i' o. P, r. E1 u; J3 {}
6 ?. `) N5 B% z0 r9 B4 v% ]! ~9 B, @
server {- }: @$ m7 ]! t# M
listen 80;: q; w1 g; _ ?; g4 F
server_name 52os.net www.52os.net;6 d3 s& Q8 m( f
, w; H" E+ U" ^/ A) u8 z$ i2 i# d
location / {
+ p3 S- E& |6 b7 p/ p ModSecurityEnabled on;
$ p" R5 K# s, J4 u0 V4 ? ModSecurityConfig modsecurity.conf;
4 \2 i; M: u' N1 R) v+ O( Y$ N8 d3 W$ z: G4 `
proxy_pass http://online;
- x3 X3 J3 G* ?! W- V proxy_redirect off;
) A$ V% g! {+ j9 r) m z5 B proxy_set_header Host $host;
, y* e4 u9 u6 A proxy_set_header X-Real-IP $remote_addr;
: K4 c. {+ Z; \* _3 V( E% L' I proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
9 [- a3 p8 l6 B) t$ o5 L" @ }
, A3 b, V4 k- R' x" b6 B% ^ D}0 E% \: u( y0 r$ R
六.测试
* o5 y0 P+ K( [5 Q5 R) D
1 G! w. o0 W7 ~0 q1 K; c# y1 J我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:$ n7 X) n8 d- Y5 v$ D4 O' w
2 |/ J6 e6 ^# f5 p
<?php9 s" r1 s3 z5 X9 q
phpinfo(); 8 i( [5 f9 o0 }' w
?>
x4 @- [8 l& l3 e2 v0 t在浏览器中访问:
* B+ Q+ J& x, T& Z4 F! `* O0 R( ~- @) `+ ?0 b9 X( t" x
http://www.52os.net/phpinfo.php?id=1 正常显示。: O8 L. n' F! z2 }. @2 L
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
: |; z( W% g9 o, { W* z0 d! j' `http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。; R8 O: ?( G4 W& P4 I
说明sql注入和xss已经被过滤了
" [- _1 Z3 z4 E; l- h+ `
* U7 @ M: T* x# b; U( p! f7 k W七、安装过程中排错- v5 d4 U# a% i o! Q* V
: v7 @2 g: [6 w8 }% f
1.缺少APXS会报错
* s* v* ]$ |3 u; |/ A* w8 Q e' n! J
configure: looking for Apache module support via DSO through APXS2 a5 U! y0 _4 E9 [
configure: error: couldn't find APXS
g1 N$ B2 _; X6 Capxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。4 J2 S: b. `; T3 ]8 ?5 v I3 Z
解决方法:+ Q% K, s8 ]# ^& ?$ O$ ^8 t
' I- ?( w. p8 Kyum install httpd-devel
s$ t3 z/ K+ x/ B- k& Y2.没有pcre; Y4 v* L3 d2 \7 j8 W
( p' w& q/ Y3 c* q7 q) X5 c/ O
configure: *** pcre library not found.
1 K# S$ A: f- ^; I. t( Rconfigure: error: pcre library is required' d) J( P2 \2 u# C
解决方法:
b& f' X! L( u
: u3 ^6 v0 C0 D1 @# `7 {+ e0 d2 jyum install pcre pcre-devel
" X. P; b' ^: }* L3.没有libxml2
+ f8 ?2 Q4 P5 Z9 X
5 |2 ]* H" [+ I. O0 k" K1 @0 d3 a+ d) \! S5 s$ [- N5 s3 e
configure: *** xml library not found.
: o1 c4 s8 K( V. jconfigure: error: libxml2 is required
8 h' S) Y2 Y2 F解决方法:
, u ^0 Q) ?/ n" V$ S
5 @/ S. E Z. }yum install libxml2 libxml2-devel
. E }7 H" m) q8 Q4.执行 /opt/tengine/sbin/nginx -m 时有警告
* m+ O1 `6 h7 L2 y( G
! L1 ]" W! X( R7 w- F" KTengine version: Tengine/2.1.0 (nginx/1.6.2)
" j J6 a( ]* O- m# Bnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
$ `6 l+ C5 r" R1 J; u% q原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log# g; K0 u) w6 p+ K* P
! f; y# ]) j. |) C$ \2 u6 n s; l2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.1 c, e6 ]3 `1 d
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9": ?/ M! D. }4 P
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!9 t# F7 D) O" [8 c. L. F
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
5 M$ K+ S9 Q/ C9 @6 D9 H2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"% w% v. h( C# _% f& y; e% R5 W& G
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.! c1 S; i" ~' f% w" C
解决方法,移除低版本的APR (1.3.9)
; w$ @! ^, [( `9 \* ]2 X* G
/ M$ |3 S4 c" Iyum remove apr
7 z2 J" S/ w s4 `/ S( F' q& R- f5.Error.log中有: Audit log: Failed to lock global mutex
: k$ X( P J' D* w/ r v$ w% f4 w; V2 f
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock ( Y% [, P4 J: e' x, V6 B
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
9 T* C. G$ P0 \, a: z) U' d解决方法:0 G9 b8 m0 M, _4 U+ U
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:7 F# i: B" Q; T( m$ `3 R
* Z. V4 E- P/ U
SecAuditLogDirMode 0777+ |% p: i, o8 L: |; p' Z! Z2 v
SecAuditLogFileMode 05506 w: s2 |( R& T% s/ K/ ^
SecAuditLogStorageDir /var/log/modsecurity
- ]7 O' V4 t0 Z2 LSecAuditLogType Concurrent- h% A" h7 J8 E' _( ^7 u) x
参考文章:
" a* u1 y* B& o: g1 B' h4 t3 Y Vhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
1 r0 g' T6 I" G) z) ehttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡