Building a WAF with nginx and ModSecurity
Posted on 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security. It now also supports nginx and IIS; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is oriented toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and custom rules can of course be written to cover specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

Under owasp-modsecurity-crs there are several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable rules as needed; each rule file to be enabled is simply pulled in with an Include directive:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of the host on which ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        # inspect every PHP request with the rule set in conf/modsecurity.conf
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root  /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location / {
        # the WAF inspects the request before it is proxied to the backends
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass             http://online;
        proxy_redirect         off;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Test

We have enabled XSS and SQL injection filtering, so abnormal requests are answered with a 403 directly. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Visit the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.

VII. Troubleshooting during installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log also contains the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
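Added example, not part of the original post: a small Python parser for the nginx error.log lines ModSecurity 2.x writes, covering both the 403 denials you would expect to see after the tests in section VI and the compiled/loaded library version notices from troubleshooting item 4. The log lines it runs on are constructed samples in the format quoted above; rule ids, messages, timestamps and client addresses are made up.

```python
import re
from collections import Counter

# Constructed sample of nginx error.log lines in the layout ModSecurity 2.x uses
# (timestamps, client addresses, rule ids and messages are made up for this example).
SAMPLE_LOG = """\
2017/10/19 16:53:31 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2017/10/19 16:53:31 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2017/10/19 16:55:02 [error] 29040#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcA1"]
2017/10/19 16:55:09 [error] 29040#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [id "973300"] [msg "XSS Attack Detected"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcA2"]
2017/10/19 16:55:20 [error] 29040#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcA3"]
2017/10/19 16:55:42 [error] 29040#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2017/10/19 16:56:00 [error] 29040#0: *9 open() "/web/wordpress/favicon.ico" failed (2: No such file or directory), client: 10.11.15.161, server: 52os.net
"""

# Line header: timestamp, level, pid#tid, optional connection id and client, then the ModSecurity body.
HEAD_RE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: (?:\*\d+ )?'
                     r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<body>.*)$')
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # the trailing [key "value"] tags
VERSION_RE = re.compile(r'(?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"; '
                        r'loaded\s+version="(?P<loaded>[^"]*)"')

def parse_line(line):
    """Return {ts, level, client, body, fields} for a ModSecurity line, or None for other nginx lines."""
    m = HEAD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(FIELD_RE.findall(rec["body"]))
    return rec

def version_mismatches(lines):
    """Libraries whose loaded version differs from the compile-time one (the cause of 'Loaded APR do
    not match with compiled!'). Only the version token is compared, so PCRE's appended build date is fine."""
    out = {}
    for line in lines:
        rec = parse_line(line)
        v = VERSION_RE.search(rec["body"]) if rec else None
        if v and v["compiled"].split()[:1] != v["loaded"].split()[:1]:
            out[v["lib"]] = (v["compiled"].strip(), v["loaded"].strip())
    return out

def denied_summary(lines):
    """Count 403 denials per (rule id, msg) and per client address."""
    by_rule, by_client = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["body"].startswith("Access denied"):
            by_rule[(rec["fields"].get("id"), rec["fields"].get("msg"))] += 1
            by_client[rec["client"]] += 1
    return by_rule, by_client
```

Feed it the real error.log with `denied_summary(open("/opt/tengine/logs/error.log"))` to see which rules fire most and from where after switching SecRuleEngine to On.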
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614