|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。; L" Z# a2 F: N# Q' Y, ]
& d" U! Q4 s2 D( h+ J8 _" a5 T
一.准备工作% H5 V* T) E# V. a8 i8 U0 ^- k
$ e$ z% t! \' y2 k7 }; ?系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
! d) M! d' ]3 g* z& |* I
+ D' p+ l! D, W3 Otengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
6 X' k, V7 v' M: T( r! Z* @, b8 |, W# I
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz! l# c8 |& c$ ^2 e
. q: s+ S. g$ w8 i: ~7 h& u
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs0 ]9 M6 O' p) [
* y2 Y- m# N1 w% I. j- l/ Y) ]
依赖关系:
% Q! `3 d- r `2 \1 ?" d6 Dtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:3 \# Q8 D$ M7 o6 x! h1 K) Q& [/ I
$ u. f# @+ k( u# M) s h# d
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
' h4 b7 i- K6 M& V) ]1 |modsecurty依赖的包:pcre httpd-devel libxml2 apr
Z1 X6 e; V3 O+ @
: ]5 j+ s7 r3 R# o1 E7 qyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
9 ~. Q+ Z' W! E二.启用standalone模块并编译7 ~$ i' s9 y4 P5 M! j4 T! c
/ K0 l+ ^; q% C- H0 f$ D下载modsecurity for nginx 解压,进入解压后目录执行:+ d& M7 R7 ]4 t
& M; M5 e6 B6 ?./autogen.sh
: a% {! C$ r! r, d) {./configure --enable-standalone-module --disable-mlogc
. y! d% a* u( [9 V Q, Ymake 7 I! I- b, _; I) o
三.nginx添加modsecurity模块$ X$ O, k5 f' f9 x
- L4 |, E$ S w( m
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
/ T2 X5 Y C* w/ M6 n. o+ Q4 T& E6 ?: E5 ?5 w0 L+ {, f
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine- Z; j9 C9 F/ K" a
make && make install8 |% d' d- m; O5 X" ~! Z: n
四.添加规则
J/ i) E( G9 j3 U
1 X: ?) E- C; t. s$ L+ Gmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
$ Y* z4 W+ ?- f8 ~* O* ]; M
! Q8 J7 o/ V5 R- ~1.下载OWASP规则:
5 s7 p% C: r6 K l; k. B
- L* s, G; O6 R$ y agit clone https://github.com/SpiderLabs/owasp-modsecurity-crs. F9 B5 S7 @3 k/ w& a) `+ A% h
3 n& e# H9 ^1 y0 y& h' l/ K8 j0 d6 G
mv owasp-modsecurity-crs /opt/tengine/conf/
' L; _2 U4 O$ U: s# h& Z; a
# V+ I& h2 I0 B5 M8 G, zcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf z9 H7 [( e: V( z& r$ x
2.启用OWASP规则:3 ^+ \1 d- M/ g6 G2 ]
% W) a+ u+ f' z- G1 D复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
' j$ N9 X. p" P) n6 Q7 X. S
0 V' B1 n: x1 c8 j+ x2 M编辑modsecurity.conf 文件,将SecRuleEngine设置为 on. ?3 H: J1 p' I; M% b' p
& R- e; I2 p! h4 g
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。. J9 g3 G0 b1 K& R+ K
- `' Z) r* t. X! qInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf& X* i: Z7 t% J) G
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf+ p3 ^4 M- o1 B7 F2 j- W$ ^) y" x
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
0 z8 s3 B3 Z. C# e; i- rInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
6 a# ^1 W1 A* EInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf" p. N$ z: O# F$ K
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
d) q% r) c8 Z" o0 j/ ~ e/ C# V: c& lInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf2 A$ J# ?2 a# [6 c
五.配置nginx
6 \+ h! E" s" Z) n0 E/ |# @! L; u" [8 @/ t! A5 l
在需要启用modsecurity的主机的location下面加入下面两行即可:
4 P7 p* M+ o7 O: _, d, [- `4 |$ J4 t
% U* ^4 [7 d+ r6 V: FModSecurityEnabled on; 9 R4 Z9 |+ V A0 b2 H& {
ModSecurityConfig modsecurity.conf;
% _5 u: N, m1 j5 d/ A下面是两个示例配置,php虚拟主机: V" P D2 V, P! P; x, S; N
4 B) ^7 {: z- W7 S1 @0 I- |2 Kserver {
5 o, S* V1 Q# r% U listen 80;3 E# `- P' k8 d
server_name 52os.net www.52os.net;3 L! V( A1 e$ E2 C3 m
8 S ]# s# M0 Z1 n- S location ~ \.php$ {% n3 O1 W" r% @; `( y& _6 @
ModSecurityEnabled on;
# U3 d7 y( O9 H+ H9 j- d+ Q ModSecurityConfig modsecurity.conf;
( t0 h/ P. s4 }2 ~( q; x
" k' H9 N' s) U) N root /web/wordpress;. W9 H2 H. `9 E
index index.php index.html index.htm;$ `) R0 ?: ^9 M; F5 P8 o
2 Z8 H; \: F% @9 d fastcgi_pass 127.0.0.1:9000;) ]) `" G9 K6 h% k) b: r/ _4 u
fastcgi_index index.php;' f6 @2 @1 p( g" T L% t
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
5 K+ j5 u# ]3 S# R$ l3 I ]4 f include fastcgi_params;
0 m7 B6 y/ k- l, o' t% e }& u- Q3 b/ `3 b
}
( R, d# j7 R; R6 supstream负载均衡:
5 k) ]1 R, v3 J2 O, }- r; `/ L* b$ Q7 ~& U/ @; K
upstream 52os.net {
1 M* D, K2 I$ Y1 k3 d, h2 k server 192.168.1.100:8080;
9 k8 e B* a9 B server 192.168.1.101:8080 backup;
6 C4 G9 f; L! _9 q}
3 m5 @# F( ]# m v; a% @2 w9 u, C8 Z+ S5 j6 Y
server {
4 _' Z& x6 _+ ]listen 80;
% |7 ~3 u) j3 O5 K4 B5 x/ E/ r( Jserver_name 52os.net www.52os.net;& M# c% {+ w4 L R. R. g( F! Q
% q. T7 |4 L; p, v% X1 [location / {. h% \* V$ y0 m: f; V# e$ P s
ModSecurityEnabled on;
' B5 {( g1 k% ~2 S9 k4 Z$ f# s$ U ModSecurityConfig modsecurity.conf;
; D* i& P0 J5 \ c1 ?4 s$ W( C3 K6 G: k2 b. J! Y! X/ l, A
proxy_pass http://online;, X: q* P4 s5 W& S& G& [
proxy_redirect off;0 }- B( N% @) I2 M6 Z& @# g4 q
proxy_set_header Host $host;
: I( G$ F1 I$ f9 U proxy_set_header X-Real-IP $remote_addr;
& k( {1 g; }/ Q/ r proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
6 W% ~' V4 D9 C2 {2 r- P }
: Z3 z: E" H% u6 O' W0 W3 b3 I- m) y}5 m; p9 d8 s' v4 n/ S! p; ~: O# Y
六.测试
6 x9 R% u/ V$ O9 J- Z% _
4 l# D7 v4 m# x# R) S% a# [我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:3 }, X2 |: Z: _+ y" H+ N3 b, e
% u" W6 U1 j1 [: ]
<?php
- @& G& z% k! ]# T$ q. O. q phpinfo();
2 k- F" [% X+ X( a- o; X% L, ~?>. J% G- z) J4 W
在浏览器中访问: u9 w3 ~: c" L. @- }) b5 v
" A1 E' | I# x$ W, R; h
http://www.52os.net/phpinfo.php?id=1 正常显示。
- X3 f5 n- `- b$ Lhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
' |! J/ h+ h9 y2 `6 w2 mhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。, b6 A0 @; d1 @5 b& N
说明sql注入和xss已经被过滤了& o3 j! M% ], B" ?1 O
' {% @: C% j, J& O, ~5 t6 t+ i
七、安装过程中排错
1 }5 V- K( j0 m+ A$ c5 r8 e; l5 X7 s- q: F7 ?
1.缺少APXS会报错7 M7 O6 P% A8 X( B! |$ E
, E+ V4 v8 O x) a! L/ X% P, B
configure: looking for Apache module support via DSO through APXS
% n0 _, p$ |+ ?& o& O+ P$ y- uconfigure: error: couldn't find APXS1 [8 E) v/ r3 S, _ ^) i* @
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
9 f- o6 g( ?1 ~# m, V# G1 k解决方法:
$ m! X4 `: E/ }' C4 s( T9 n4 _' z+ m2 k5 `8 s& X0 D+ o2 y% A
yum install httpd-devel5 u, [/ A3 l- Q, N# o
2.没有pcre& }7 U4 M" j: }) S
) Y$ J$ p; z* m& Sconfigure: *** pcre library not found.! g( D% w5 K" `
configure: error: pcre library is required+ }1 L) U8 `; O2 G- P( p
解决方法:
+ E9 s. B6 N6 ^4 N; ^6 u* S4 e$ J
yum install pcre pcre-devel2 r- D: _/ z* L4 [( D- K) o
3.没有libxml2
* `) H0 A8 \9 L5 y/ Z# N% g; T7 e- M: |
( m1 U0 W8 V. Z1 M4 V: ]configure: *** xml library not found.% g+ {' L/ g. k9 C
configure: error: libxml2 is required
) L, W6 D5 c- M& | N: P解决方法:
8 u) _- M; k4 l: }0 }
' ]; v2 w+ T- k/ O' c1 V4 ]yum install libxml2 libxml2-devel4 R# k. \, v& ~ x/ j
4.执行 /opt/tengine/sbin/nginx -m 时有警告
& R: \: x9 A) V$ \; ]# m) ]
1 N" T; [# N0 u8 L5 @& cTengine version: Tengine/2.1.0 (nginx/1.6.2)
. q% x( F6 g( P9 o0 Snginx: [warn] ModSecurity: Loaded APR do not match with compiled!, u7 ^1 K/ C N* B. A; i. T5 b
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
1 C' v) B& b1 C( W& H7 `
4 M8 U' l# D5 w$ H! j4 s2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.4 c/ j, p9 s' H7 f
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"# \7 `8 e: T9 k9 ~6 T" z+ j
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!! x. a6 |3 Y* x) l/ I
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"9 v/ a- }2 l. L k2 x4 \# e# o, k( o
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"% ?( p+ Z1 Z* E: n3 B6 ^
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.3 m) ], y6 H# m) ~$ a; ]! A; P4 j
解决方法,移除低版本的APR (1.3.9)
5 B; j- E, {. F$ w7 U8 F' b; M- J( w; Q; U
yum remove apr3 R. _1 c( G; V. v1 _
5.Error.log中有: Audit log: Failed to lock global mutex- Y8 F7 ~% H7 M; F. D
( l0 |% C3 t+ {1 _9 {* }2 |7 ]2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
0 e1 w! u9 U- B' O" K, I$ Tglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
% u6 `! T4 o0 ]/ K3 Q解决方法:
! b0 s O5 D, j; K: _% d' m" ^' A- X编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:5 L8 A" ]) u+ d% H8 C$ q+ J4 _
' `: r% R0 X+ L0 j4 B3 tSecAuditLogDirMode 0777
/ l$ f. E2 c! n6 P# X7 G! F; \SecAuditLogFileMode 05502 [! K% l2 d6 A z4 G
SecAuditLogStorageDir /var/log/modsecurity
7 f( }* p; G- Z+ L wSecAuditLogType Concurrent4 Z# w5 ]: t8 I5 H/ L
参考文章:
5 H/ C! l, J# M9 U, E& ~" m% R" \https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
; \8 s! {2 Y7 _# S* C8 K* a* Dhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡