|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。) j$ |) ~, ?+ l* r+ O
9 e! f z. T! ?' L, i: H一.准备工作
( Q9 A, f' H, Y, ~
$ q0 T: T# a7 I' n$ G系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0$ s( ?" C2 x8 E& _4 F
1 z) R, n! Q! w: w$ g, x" I
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz* U7 _9 t# y3 S$ ]+ h
0 w* Q" t/ I3 C0 Q' L7 Amodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz1 G7 y+ ~0 l: ]% v
( z5 j+ p" o7 J, a1 J4 KOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
- a/ O% J* m+ r" d$ V3 G2 ^6 Y( F4 ?2 A
依赖关系:: L9 w( i7 H$ ]1 d" O: ~
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:% L- m: L# {7 K8 M5 w
1 g. v. R* S" Q$ F* L m
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel1 g$ g E T4 a% T+ z, H- ^% X
modsecurty依赖的包:pcre httpd-devel libxml2 apr
: l [0 {/ l5 D5 X, @# p; O0 n# m# D0 L" W# |" y; V) B4 s/ D5 G
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
, ?6 g/ {8 O. j! X二.启用standalone模块并编译' Z) h1 a9 P0 G! _- E* a
# x. \+ j" ?( s! f: N# \
下载modsecurity for nginx 解压,进入解压后目录执行:4 U5 j* i- T' @) w: L( t" p
9 m4 ~7 m; v$ w6 l7 h, @./autogen.sh
* S: u$ s; ~) e# x4 q9 s./configure --enable-standalone-module --disable-mlogc) Z1 M4 ?. V% z9 T8 \" c; ~
make
0 \4 c, |, t8 Q8 }9 @1 l) Q- \三.nginx添加modsecurity模块 V! d. C. S; q; L: ], @6 Y$ u
1 m \* n( A7 {8 i
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
$ Q5 W0 n/ j/ f1 A+ z
. n7 X9 b7 |0 e* b# g" V1 y7 p$ [./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
; m, l1 Z3 ?6 p* M6 }5 `make && make install6 b1 Z9 Y* h9 W2 n0 u7 a, r" u7 g3 o
四.添加规则
9 `: x) z- ~2 M$ T* |9 m( f: {" U1 [" {! b4 N/ G
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
, p) O/ F; g7 c' X( | [5 B& C8 A
1.下载OWASP规则:
8 E: }( j7 l1 ]2 `7 Y; [
" @2 v% d) L" P4 c8 z1 _git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
A# F0 P- M+ s$ T. D) G$ U1 e. L% W/ q$ l2 u' [! ]: a, G }
mv owasp-modsecurity-crs /opt/tengine/conf/6 m# q9 f$ [7 a$ y( y. ?1 U
$ T. T7 X2 w% j& q9 M* P
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf4 F4 l8 G/ u# X7 ~
2.启用OWASP规则:
, v: A$ `0 Q+ j, d0 W; c" U) N6 N" [6 N+ `% l- `% G9 r" @9 ?
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
0 j. w+ @2 }+ F( L/ k
- M5 Z+ m: t" B3 A1 @$ m编辑modsecurity.conf 文件,将SecRuleEngine设置为 on4 ~8 K: p8 N5 r: x
5 H& f5 l2 x) H* d* i: n! s eowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
% t1 c# r @, k) _8 ?* G5 o7 ^& ^2 v% G2 x$ i& O* w
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
0 K A- v9 P; i* {$ ]8 Y) L( SInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf) N4 D! `/ G/ r' y; T" W4 C0 Y
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf, g( {" s( \9 G% M& M
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf. m; q! O$ x! ^" U6 ], H
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf9 {8 b9 L, o% b4 r) N- w
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
( u- Q4 I7 C# u* N5 p5 r1 ~+ P& G9 yInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
' F+ [# F& u- S4 J, ^6 b& |五.配置nginx
. K0 L. ]0 X: {; m0 U
! Y+ M! W! \, M \4 k: \在需要启用modsecurity的主机的location下面加入下面两行即可:
7 R: V' y0 p; z9 x9 r* s
, a7 f; P& G) o yModSecurityEnabled on;
1 R: F" d# o1 |/ a& dModSecurityConfig modsecurity.conf;# }) ]' p. P; @( P: L# L
下面是两个示例配置,php虚拟主机:
- z3 }3 _7 o. z/ j w6 y- m7 A0 K9 q6 |. _+ F5 g, ]
server {
% ~. U' j ?; E; G9 m' b8 S" e- Z listen 80;% ?& R" V5 f x: D2 s
server_name 52os.net www.52os.net;
" Y% x. K: Y/ n/ j" K 4 p7 p6 W. m; e% V8 [5 z+ C
location ~ \.php$ {, V7 b9 ~$ a- G! Q% {
ModSecurityEnabled on; 8 K: M" p& d: B0 M+ ~1 U; S, J& K
ModSecurityConfig modsecurity.conf;3 l* f' w8 ~! f+ D1 F7 r' E
( W* B9 r# I- C' A3 T1 r* _& K root /web/wordpress;) Y1 V8 N4 E: E6 _# y G8 E
index index.php index.html index.htm;1 h, @+ ] ?( w- {. ^- L: e
' k- r, W& S: U- K9 m+ h fastcgi_pass 127.0.0.1:9000;
: A* n; I* `6 R: R. u: R* |' D fastcgi_index index.php;
( |4 V. j5 l4 @1 a# R( X fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;. P# _! s# n! G( ~4 J
include fastcgi_params;
6 F0 w1 u5 m" m* L }/ P; X) q5 z! G. F; A' @$ E
}0 t; }7 w" r! a2 P4 r6 e
upstream负载均衡:
4 u- Y- q8 A8 j! m) a9 T/ l/ |$ a& l; b" p. M0 c- W6 f- z6 L
upstream 52os.net {8 c* T3 K% P1 H6 g& Z6 ~. B
server 192.168.1.100:8080;
: \. E- n7 K: l* r' v server 192.168.1.101:8080 backup;/ V% |$ [+ j4 ~, h6 L, t
}/ n- [* ]5 x; q |9 j4 N
9 x: C' a8 E$ z4 q0 m3 iserver {6 E6 v- J- Q5 J
listen 80;4 v0 M; A+ |7 r+ {# }% H. |# k
server_name 52os.net www.52os.net;! [9 k4 q9 e6 j2 {2 W% {
' C) V1 Z7 m8 M0 d3 {3 y
location / {
* P; x4 V4 F* k- o6 k+ E ModSecurityEnabled on; ; \! R5 g' g7 d; \$ C& C9 m$ |; B0 O/ a1 Q
ModSecurityConfig modsecurity.conf;
/ e, \6 j3 J! ^; u' D- j' _- f) V" S" {7 h% K9 c0 p
proxy_pass http://online;& S/ ] | }0 R- o7 l
proxy_redirect off;
9 p; B5 [: E d proxy_set_header Host $host;4 [2 g, J3 C- [. Q1 s. |; J
proxy_set_header X-Real-IP $remote_addr;
# [( @: i* s2 L1 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;1 u, f& B1 j, o3 j$ D. W
}) {* {6 p6 |9 T( U( H4 z8 N
}
8 C( F( T8 K1 ^! r. Z- @1 k六.测试
G/ x7 k- u! ~/ @1 a9 R, x) G2 ~/ M$ _6 T4 y. q
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:, y1 l9 a- O4 c; K/ d& @ w; K1 } a
* ?+ U$ Y1 J7 a" {' i% f U
<?php
+ T4 y9 i, o& y' Z phpinfo(); 5 \$ i8 E' r# y
?>
. \$ s; z' a, P) G* l1 ~6 h$ }& J9 |在浏览器中访问:0 ]7 Z- G: G# \: ^& J. v
' F5 _, Z* K7 N2 K) Q; {) G- ?
http://www.52os.net/phpinfo.php?id=1 正常显示。8 z' c I7 @, P$ V
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
; X' B; j `* g" d1 N0 ?http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
$ A) A, `4 Y1 [" i- D, k说明sql注入和xss已经被过滤了$ b, G: N* X0 o3 c5 ?
9 h1 _/ ?" W6 L# V
七、安装过程中排错
( n( E( U* v7 d) G3 I! ~6 G
! o9 J" G5 [0 p" N( A1 A1.缺少APXS会报错$ Z# Z+ t. a' W# d" ^
/ t8 |0 m* x2 d8 gconfigure: looking for Apache module support via DSO through APXS
& Y$ Y! L7 }; N! p; g4 D6 yconfigure: error: couldn't find APXS. j" B5 M" D$ @
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
' Z% F$ ^6 T3 r) e4 I5 w. U解决方法:' L* f, r% x& L4 {4 f8 }. ?$ M
4 |9 U/ Y( X# j# d0 _6 p* P% j
yum install httpd-devel
1 `, ^5 L$ b7 }" M H. e7 A2.没有pcre) p: I) e- l4 Q7 b. Z4 C
b) F! F- D; u' h& l- x
configure: *** pcre library not found.* o2 [4 Q% H7 q6 c. @
configure: error: pcre library is required( M* I+ l5 S9 f, f6 g1 P
解决方法:
1 q) y* e* V+ k" t0 ^3 N% M+ a \6 V" m" _
yum install pcre pcre-devel
+ u7 G8 N1 F( W" k; ~3.没有libxml2
* ?! E* f1 I9 [2 ^3 ?0 I
1 v& Z$ r% V) p8 m; a
1 d% N( K7 b6 |$ econfigure: *** xml library not found.5 g! \) y x% N* g$ W
configure: error: libxml2 is required
: O9 s, o" s# D! P6 S- q解决方法:
2 G* {6 D' a4 p; X/ l
4 ?3 w$ i) @; Y% Y T5 ]yum install libxml2 libxml2-devel
' c* o! ^( N2 _% f4.执行 /opt/tengine/sbin/nginx -m 时有警告, e2 _6 N# o* o7 }- y- v& J
; H; G& B9 O8 [ N8 ^$ E' p
Tengine version: Tengine/2.1.0 (nginx/1.6.2)+ H0 {' ^3 e: n) Y; u# `
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!' A3 x* o1 _ e7 Q+ }& v
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
6 W. B5 M6 f1 Z5 C' w7 x% S" y6 X6 i: ?' f9 w2 b
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
" Y, i& X# o. | x; F2 z2 \2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
. l& e4 E0 a: s! I7 |, _; W. o1 |2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!2 ? O" O. Y2 D1 X' d' ~
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"3 s4 ^4 i4 c. I+ g. ]
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
, C! D8 L% Z. l7 [2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.0 s @" y3 {" ^+ e
解决方法,移除低版本的APR (1.3.9)7 ^9 ~ O9 g4 L. k
7 ?7 e7 n0 q: ~5 ] syum remove apr# W t4 G% I# A7 ]
5.Error.log中有: Audit log: Failed to lock global mutex5 W) f; \" P' J1 _, A: B
' Z8 ?/ T8 ]9 B2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock ]1 Q; p$ w5 Z' a0 J; {9 B5 G2 x
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
* z, l# {% ]3 x( e: Q; b7 W' c解决方法:5 P* @6 H' c! n$ B
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:0 j9 E- x2 Z( r) B
/ c# S6 _4 `4 c/ ?, h
SecAuditLogDirMode 0777
4 x7 }3 Q a7 ]! Y/ D9 B# }SecAuditLogFileMode 0550
K4 T: r. b3 q: f9 BSecAuditLogStorageDir /var/log/modsecurity( M! E: u1 d$ T
SecAuditLogType Concurrent- \) ?; r; X& Y6 q4 h9 U6 z8 N; M
参考文章:
. L6 J% \7 ^$ d6 _# A& lhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
v2 n. \& U; N: k9 u1 \http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡