nginx with ModSecurity as a WAF

Posted 2017-10-19 16:53:31
ModSecurity started life as an open-source WAF for Apache and is an effective way to harden a web application; it now also supports nginx and IIS. Paired with nginx's flexibility and efficiency it can be built into a production-grade WAF, and it is a strong tool for both protecting and auditing web traffic.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Afterwards, /opt/tengine/sbin/nginx -V should list the --add-module path among the configure arguments; if it does not, the binary you installed is not the one you just built.
4. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in the rules. The rules published by OWASP, maintained by community volunteers, are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write your own rules to cover whatever else you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly; on a site that has not been tuned yet it is worth running in that mode first, reading the matches in error.log, and only then switching to On, so that false positives do not turn into 403s for real users.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need with one Include line each in modsecurity.conf; the setup file must come first, because it defines the default action the other rule files rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
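Two things go wrong in practice with the rule setup above: a single Include that points at a file that does not exist keeps nginx from starting, and the first custom rules tend to get written with ids that collide with the CRS. The shell helper below is an added example, not part of the original post: it writes a local rules file next to the CRS (ModSecurity reserves ids 1 to 99999 for local rules) and checks every Include in modsecurity.conf before a reload, resolving relative paths against the directory that holds modsecurity.conf as in the layout above. The file name modsecurity_crs_15_custom_rules.conf, the /healthz path and the 192.168.1.0/24 admin network are assumptions.

```shell
#!/bin/sh
# Added example: local ModSecurity rules plus an Include sanity check.
# Assumed names: the custom file name, /healthz, and the admin network.
set -u

# write_custom_rules CONF_DIR
# Writes a local rule file beside the CRS and prints its path. Ids below
# 100000 are the range ModSecurity leaves free for local rules.
write_custom_rules() {
    dir="$1"
    out="$dir/modsecurity_crs_15_custom_rules.conf"
    cat > "$out" <<'EOF'
# Local rules (added example). Skip the engine entirely for the
# load-balancer health check so it can never trip a CRS rule.
SecRule REQUEST_URI "@beginsWith /healthz" \
    "id:90001,phase:1,pass,nolog,ctl:ruleEngine=Off"

# Only the internal range may reach the WordPress admin area.
# REMOTE_ADDR is the TCP peer, so this belongs on the edge nginx,
# not on a node that sits behind another proxy.
SecRule REQUEST_URI "@beginsWith /wp-admin" \
    "id:90002,phase:1,chain,deny,status:403,log,msg:'wp-admin from outside the admin network'"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24,127.0.0.1"
EOF
    printf '%s\n' "$out"
}

# verify_includes MODSEC_CONF
# Lists every Include in modsecurity.conf with ok/MISSING and returns 1
# if any file is missing, so it can gate "nginx -s reload".
verify_includes() {
    conf="$1"
    base=$(dirname "$conf")
    report=$(sed -n 's/^[[:space:]]*Include[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" \
        | tr -d '"\r' \
        | while IFS= read -r inc; do
            case "$inc" in
                /*) path="$inc" ;;
                *)  path="$base/$inc" ;;   # relative to the conf directory
            esac
            if [ -e "$path" ]; then
                printf 'ok       %s\n' "$inc"
            else
                printf 'MISSING  %s\n' "$inc"
            fi
        done)
    printf '%s\n' "$report"
    n=$(printf '%s\n' "$report" | grep -c '^MISSING' || true)
    [ "$n" -eq 0 ]
}

# Typical use on the host from the post:
#   write_custom_rules /opt/tengine/conf/owasp-modsecurity-crs
#   (then add "Include owasp-modsecurity-crs/modsecurity_crs_15_custom_rules.conf"
#    to modsecurity.conf)
#   verify_includes /opt/tengine/conf/modsecurity.conf && /opt/tengine/sbin/nginx -t
```

A CRS rule that keeps misfiring on one application is removed in the same local file with SecRuleRemoveById followed by its id; the directive only works after the Include that defines the rule, which is another reason to keep the setup file first and the local file last.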
5. Configure nginx

In each location that should be protected, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

ModSecurity only inspects requests handled by a location where it is enabled. In the PHP host below that is the .php location only, so static files served by this host never touch the WAF; put the two directives in every location that takes user input, or in location / as in the proxy example.

Two example configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    # root and index at server level so that non-PHP requests are served
    # from the same tree (the location below inherits them)
    root  /web/wordpress;
    index index.php index.html index.htm;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, abnormal requests are answered with a 403 straight away. Using the PHP host as the example, create phpinfo.php containing:

<?php
    phpinfo();
?>

Then open these in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

So SQL injection and XSS are being filtered. Delete phpinfo.php afterwards; it exposes the PHP build, loaded modules and environment to anyone who can reach it.
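The browser checks above give no exit status and do not say which request failed, which matters once the rule set changes or the WAF is redeployed. The script below is an added example, not from the original post: it sends a benign control request and a set of attack payloads with curl and returns the number of rows whose HTTP status did not match the expectation. curl's --get --data-urlencode encodes the payload the way the browser did silently. It goes past the two payloads in the post with a path traversal and a command injection probe; the base URL, the parameter names and the expected codes for those extra rows are assumptions that hold only if the CRS files covering them are included.

```shell
#!/bin/sh
# Added example: command-line smoke test for the WAF. Assumes the PHP host
# from the post is reachable at BASE; the URL, the parameter names and the
# expected codes for the extra payloads are assumptions.
BASE="${BASE:-http://www.52os.net}"

# http_code URL PARAM VALUE
# GET URL?PARAM=VALUE with VALUE URL-encoded by curl; prints only the HTTP
# status. --max-time stops a hung backend from stalling the whole run.
http_code() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        --get --data-urlencode "$2=$3" "$1"
}

# run_waf_checks
# Sends every row of the matrix below and returns the number of rows whose
# status did not match. Row format: expected|path|parameter|payload
# The first row is the control: a benign request must still get 200,
# otherwise every 403 after it proves nothing.
run_waf_checks() {
    failures=0
    while IFS='|' read -r want path param payload; do
        case "$want" in ''|'#'*) continue ;; esac
        got=$(http_code "$BASE$path" "$param" "$payload")
        if [ "$got" = "$want" ]; then
            printf 'PASS %s %s=%s -> %s\n' "$path" "$param" "$payload" "$got"
        else
            printf 'FAIL %s %s=%s -> %s (expected %s)\n' \
                "$path" "$param" "$payload" "$got" "$want"
            failures=$((failures + 1))
        fi
    done <<'EOF'
200|/phpinfo.php|id|1
403|/phpinfo.php|id|1 and 1=1
403|/phpinfo.php|search|<script>alert('xss');</script>
403|/phpinfo.php|file|../../../../etc/passwd
403|/phpinfo.php|cmd|;cat /etc/passwd
EOF
    return "$failures"
}

# Run as:  sh waf_smoke.sh http://www.52os.net
# The exit status is the number of failed rows, so it drops straight into a
# deployment pipeline.
if [ $# -gt 0 ]; then
    BASE="$1"
    run_waf_checks
    exit $?
fi
```

Keep the matrix in step with the Include list: a row for an attack class whose rule file is not included documents a gap rather than a regression, so either include the file or move the row's expected code to 200 with a comment saying why.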
& X# T  \5 s3 W1 ?
7. Troubleshooting the installation

1. APXS missing

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server, compiling one or more source or object files into a dynamic shared object. ModSecurity's configure script needs it even for the nginx standalone build.
Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required
Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required
Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time, and error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

yum will also remove every package that depends on apr (apr-util, httpd-devel and whatever pulls those in), so read the transaction summary before confirming. ldd /opt/tengine/sbin/nginx | grep apr shows which libapr the binary actually loads; the cleaner fix is to build against the same APR that will be loaded at run time (ModSecurity's configure accepts --with-apr=PATH) instead of keeping two versions on the box.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The serial audit log is written through a global mutex that nginx's unprivileged worker processes cannot lock; concurrent mode writes one file per transaction under SecAuditLogStorageDir instead, and that directory must exist and be writable by the worker user. 0777 makes it world-writable, which lets any local user tamper with the audit trail; 0750 with the directory owned by the worker user is enough.
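The error.log lines in items 4 and 5 are engine notices, not rule matches. Once the WAF is blocking, every match lands in the same file as a line like the one in item 5 but carrying [id "..."] and [msg "..."], and in DetectionOnly mode the same line begins with "ModSecurity: Warning." instead of "Access denied". The helper below is an added example, not from the post: it separates rule hits from engine noise and counts them per rule and per client, which is the first thing to look at when deciding whether a block is a false positive that needs an exclusion. The SAMPLE lines are constructed for the example, their rule ids and messages are made up rather than real CRS values, and the log path assumes the /opt/tengine prefix.

```shell
#!/bin/sh
# Added example: pull ModSecurity rule hits out of nginx's error.log and
# summarize them. SAMPLE is constructed; ids and messages are illustrative.

# modsec_hits < error.log
# Keeps only rule matches ("Access denied" with SecRuleEngine On,
# "Warning." with DetectionOnly) and prints one tab-separated row per hit:
# action, client, rule id, message, uri. Engine notices such as the APR
# version warning or the audit-log mutex error carry no [id] and are
# dropped, so they never inflate the counts.
modsec_hits() {
    awk '
    /ModSecurity: (Access denied|Warning\.)/ {
        action = ($0 ~ /Access denied/) ? "blocked" : "detected"
        client = "-"; id = "-"; msg = "-"; uri = "-"
        if (match($0, /\[client [^]]*\]/)) client = substr($0, RSTART + 8, RLENGTH - 9)
        if (match($0, /\[id "[^"]*"\]/))   id     = substr($0, RSTART + 5, RLENGTH - 7)
        if (match($0, /\[msg "[^"]*"\]/))  msg    = substr($0, RSTART + 6, RLENGTH - 8)
        if (match($0, /\[uri "[^"]*"\]/))  uri    = substr($0, RSTART + 6, RLENGTH - 8)
        print action "\t" client "\t" id "\t" msg "\t" uri
    }'
}

# count_by COL [COL...] < hits
# Aggregates hit rows by the given column numbers (1 action, 2 client,
# 3 rule id, 4 message, 5 uri), most frequent first.
count_by() {
    awk -F'\t' -v cols="$*" '
        BEGIN { n = split(cols, c, " ") }
        { k = $(c[1]); for (i = 2; i <= n; i++) k = k "\t" $(c[i]); seen[k]++ }
        END { for (k in seen) print seen[k] "\t" k }' \
    | sort -t "$(printf '\t')" -k1,1nr -k2
}

# Constructed sample: one engine notice, three blocks, one detection-only
# warning, and the mutex error from item 5 (which must not be counted).
SAMPLE='2017/10/19 17:00:00 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2017/10/19 17:02:11 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "and 1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "700001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"], client: 10.11.15.161, server: 52os.net, request: "GET /phpinfo.php?id=1%20and%201=1 HTTP/1.1", host: "www.52os.net"
2017/10/19 17:02:13 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "31"] [id "700002"] [msg "Cross-site Scripting (XSS) Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"], client: 10.11.15.161, server: 52os.net, request: "GET /phpinfo.php?search=%3Cscript%3E HTTP/1.1", host: "www.52os.net"
2017/10/19 17:05:40 [error] 29037#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "and 1=1" at ARGS:q. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "700001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/index.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"], client: 10.11.15.162, server: 52os.net, request: "GET /index.php?q=1%20and%201=1 HTTP/1.1", host: "www.52os.net"
2017/10/19 17:07:02 [error] 29037#0: [client 10.11.15.163] ModSecurity: Warning. Pattern match "\.\./" at ARGS:file. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "12"] [id "700003"] [msg "Path Traversal Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/download.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"], client: 10.11.15.163, server: 52os.net, request: "GET /download.php?file=../../etc/passwd HTTP/1.1", host: "www.52os.net"
2017/10/19 17:09:55 [error] 29036#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAg"]'

# Real use on the host from the post (assumed log path):
#   modsec_hits < /opt/tengine/logs/error.log | count_by 3 4
printf '%s\n' "$SAMPLE" | modsec_hits | count_by 3 4   # hits per rule id + message
printf '%s\n' "$SAMPLE" | modsec_hits | count_by 2     # hits per client
```

A rule that tops the first table while its clients are spread across the whole user base is usually a false positive worth an exclusion; the same rule concentrated on one or two clients is usually a scanner, and the second table is what you hand to the firewall.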
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614