ModSecurity started out as an open-source WAF for Apache that effectively hardens web applications; it now also supports Nginx and IIS. Combined with Nginx's flexibility and performance, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web security.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs/

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for Nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

After building the standalone module, the ModSecurity module can be added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity focuses on filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for any specific need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need; each rule file you want active is pulled in with an Include directive:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host that should have ModSecurity enabled, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are lower-case: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are rejected with a 403 straight away. Using the PHP environment as an example, create a phpinfo.php with the following contents:

<?php
    phpinfo();
?>

Open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
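As an added example (not part of the original post), a small Python checker that replays the three test requests above against a host you control and verifies the expected status codes; the host name is a placeholder and the fetch function is injectable so the checker can also run offline against a fake.

```python
# Added example: replay the Testing section's requests and check that the
# benign one passes (200) while the two probes are rejected (403) by the WAF.
# The host is a placeholder; swap in your own ModSecurity-fronted site.
import urllib.error
import urllib.parse
import urllib.request

# (path, query parameters, expected status) -- the cases from the Testing section
TEST_CASES = [
    ("/phpinfo.php", {"id": "1"}, 200),
    ("/phpinfo.php", {"id": "1 and 1=1"}, 403),
    ("/phpinfo.php", {"search": "<script>alert('xss');</script>"}, 403),
]


def http_status(url, timeout=5.0):
    """Return the HTTP status of a GET request, including error statuses."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # a 403 from ModSecurity surfaces as an HTTPError


def check_waf(base_url, cases=TEST_CASES, fetch=http_status):
    """Run every case; return [(url, expected, actual, ok)] for reporting."""
    results = []
    for path, params, expected in cases:
        url = base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


def waf_effective(results):
    """True only if every case behaved the way the post expects."""
    return all(ok for _, _, _, ok in results)


if __name__ == "__main__":
    # Placeholder host; replace with your own server before running.
    for url, expected, actual, ok in check_waf("http://waf.example.test"):
        print("PASS" if ok else "FAIL", expected, actual, url)
```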
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log will also contain the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
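As an added example (not from the original post or the ModSecurity project), a Python parser for the ModSecurity lines nginx writes to error.log, as seen in items 4 and 5 above: it extracts the timestamp, level, pid, client and the bracketed [key "value"] tags, and flags compiled/loaded library version mismatches such as the APR warning; the sample log is constructed from the lines shown above.

```python
# Added example: parse the ModSecurity lines nginx writes to error.log and
# flag compiled/loaded library version mismatches. Sample lines are constructed.
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: "
    r"(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<msg>.*)$"
)
TAG_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')
VERSION_RE = re.compile(
    r'(?P<lib>\w+) compiled version="(?P<c>[^"]*)"; loaded version="(?P<l>[^"]*)"'
)

# Constructed sample in the format shown in the troubleshooting section.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""


def parse_line(line):
    """Return a dict for a ModSecurity line, or None for any other nginx line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # ModSecurity appends [key "value"] tags (hostname, uri, unique_id, id, msg, ...).
    rec["tags"] = {t.group("key"): t.group("val") for t in TAG_RE.finditer(rec["msg"])}
    return rec


def parse_log(text):
    """Parse a whole error.log, keeping only the ModSecurity entries."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def version_mismatches(records):
    """Map library -> (compiled, loaded) where major.minor differ. Only the leading
    version number is compared, so PCRE's build-date suffix is not reported."""
    bad = {}
    for rec in records:
        m = VERSION_RE.search(rec["msg"])
        if m:
            comp, load = m.group("c").split()[0], m.group("l").split()[0]
            if comp.split(".")[:2] != load.split(".")[:2]:
                bad[m.group("lib")] = (comp, load)
    return bad
```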
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614