ModSecurity started out as an open-source WAF for Apache and noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and performance, it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules in them as needed; a rule file is enabled by pulling it in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines inside the location block of each virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are lower-case: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Using the PHP environment as an example, create a phpinfo.php with the content:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
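The same check as a repeatable POSIX shell smoke test, added here as an example that is not part of the original article: it replays the three requests above, compares the status codes with what the enabled rules should return, and, for a 403, looks in nginx's error.log to confirm that ModSecurity itself issued the denial. curl is assumed to be installed; BASE_URL and ERROR_LOG are assumed defaults and can be overridden.

```shell
#!/bin/sh
# Added example, not from the article: replay the three requests of the
# test section and check the status codes the WAF should return.
# Assumes curl is installed; BASE_URL and ERROR_LOG are assumed defaults.
BASE_URL="${BASE_URL:-http://www.52os.net}"
ERROR_LOG="${ERROR_LOG:-/opt/tengine/logs/error.log}"

# http_status URL -> prints the HTTP status curl received ("000" if no connection)
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1" 2>/dev/null || true
}

# verdict EXPECTED ACTUAL -> PASS when the codes match, FAIL otherwise
verdict() {
    [ "$1" = "$2" ] && echo PASS || echo FAIL
}

# blocked_by_modsec -> true if the error log shows ModSecurity itself issued the 403
# (ModSecurity 2.x logs "Access denied with code 403" for each blocked request)
blocked_by_modsec() {
    [ -r "$ERROR_LOG" ] && tail -n 50 "$ERROR_LOG" | grep -q 'ModSecurity: Access denied with code 403'
}

# probe LABEL EXPECTED URL -> prints one report line; returns 1 when the verdict is FAIL
probe() {
    code=$(http_status "$3")
    result=$(verdict "$2" "$code")
    note=""
    if [ "$2" = 403 ] && [ "$code" = 403 ]; then
        if blocked_by_modsec; then note=" (ModSecurity denial seen in error.log)";
        else note=" (no ModSecurity denial in error.log: check who sent the 403)"; fi
    fi
    printf '%s %-7s expected=%s got=%s%s\n' "$result" "$1" "$2" "$code" "$note"
    [ "$result" = PASS ]
}

# Probes only run on request, so the functions can be sourced and reused.
if [ "${RUN_PROBES:-0}" = 1 ]; then
    fails=0
    probe benign 200 "$BASE_URL/phpinfo.php?id=1" || fails=$((fails + 1))
    probe sqli   403 "$BASE_URL/phpinfo.php?id=1%20and%201=1" || fails=$((fails + 1))
    probe xss    403 "$BASE_URL/phpinfo.php?search=%3Cscript%3Ealert('xss')%3C/script%3E" || fails=$((fails + 1))
    echo "$fails probe(s) failed"
    exit "$fails"
fi
```

Save it as a script and run it with RUN_PROBES=1 (and BASE_URL pointing at your own vhost) after every rule change; a 403 without a matching error.log entry means something other than ModSecurity answered the request.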
VII. Troubleshooting during installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
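Both of the runtime problems in items 4 and 5 leave distinctive lines in nginx's error.log. The following POSIX shell script, added as an example and not part of the original article, reads an error.log and reports the APR compiled/loaded mismatch and the audit-log mutex failure together with the remedy given above; the sample log embedded in it is copied from the lines shown in this section.

```shell
#!/bin/sh
# Added example, not from the article: scan an nginx error.log for the two
# ModSecurity start-up problems described above (APR compiled/loaded mismatch,
# audit-log mutex permission error). The sample lines are copied from the article.

# apr_versions: read error.log on stdin, print "COMPILED LOADED" from the APR notice
apr_versions() {
    sed -n 's/.*APR compiled version="\([^"]*\)"; loaded version="\([^"]*\)".*/\1 \2/p' | head -n 1
}

# diagnose: read error.log on stdin, print one finding per line with the remedy
# from the article; returns 1 if any problem was found, 0 if the log looks clean
diagnose() {
    log=$(cat)
    found=0
    set -- $(printf '%s\n' "$log" | apr_versions)
    if [ -n "${1:-}" ] && [ "$1" != "${2:-}" ]; then
        echo "APR mismatch: compiled=$1 loaded=$2 -> remove the old APR (yum remove apr)"
        found=1
    fi
    if printf '%s\n' "$log" | grep -q 'Audit log: Failed to lock global mutex'; then
        echo "Audit log mutex: Permission denied -> SecAuditLogType Concurrent + writable SecAuditLogStorageDir"
        found=1
    fi
    if [ "$found" = 1 ]; then return 1; fi
    echo "no known ModSecurity start-up problems found"
}

# Constructed sample: the exact lines the article shows in its error.log
SAMPLE_LOG=$(cat <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
EOF
)

# Stand-alone demo on the sample; on a real server: diagnose < /opt/tengine/logs/error.log
printf '%s\n' "$SAMPLE_LOG" | diagnose || echo "(fix the problems above and restart nginx)"
```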
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614