Using nginx with ModSecurity as a WAF
Posted 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache and noticeably improves web security; it now also supports nginx and IIS. Paired with nginx's flexibility and efficiency, it can be built into a production-grade WAF and is a strong tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add it when configuring nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is designed to filter and block web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules for any other requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable what you need; each rule file you want active is pulled in with an Include directive:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
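A mistake in this step fails quietly: a rule file whose Include path is wrong, or a SecRuleEngine left at DetectionOnly, leaves the WAF logging but never blocking. The following is an added example, not code from the post or from the ModSecurity project. It is a pre-reload sanity check that assumes the post's layout, where the Include lines sit in modsecurity.conf and relative paths resolve against the directory holding that file; file names are assumptions, and paths containing whitespace are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check modsecurity.conf
# before reloading nginx. Verifies that SecRuleEngine is On and that every
# Include target exists, resolved relative to the directory of the conf file
# (an assumption matching the post's layout under /opt/tengine/conf).

# modsec_conf_check CONF_FILE -> prints one line per problem; 0 if clean, 1 otherwise
modsec_conf_check() {
    conf="$1"
    dir=$(dirname "$conf")
    rc=0

    # DetectionOnly or Off logs matches but never blocks, which silently defeats the WAF.
    if ! grep -Eiq '^[[:space:]]*SecRuleEngine[[:space:]]+On[[:space:]]*$' "$conf"; then
        echo "SecRuleEngine is not On in $conf"
        rc=1
    fi

    # Resolve each Include path (absolute, or relative to the conf directory).
    for inc in $(grep -Ei '^[[:space:]]*Include[[:space:]]+' "$conf" | awk '{print $2}'); do
        case "$inc" in
            /*) path="$inc" ;;
            *)  path="$dir/$inc" ;;
        esac
        if [ ! -e "$path" ]; then
            echo "missing Include target: $inc"
            rc=1
        fi
    done
    return "$rc"
}

if [ $# -gt 0 ]; then
    modsec_conf_check "$1"    # e.g. ./modsec_conf_check.sh /opt/tengine/conf/modsecurity.conf
fi
```

Run it before every `nginx -s reload` that follows a rule change; a non-zero exit means the engine would start in a state that does not block.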
V. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Upstream load balancing:

upstream online {    # name referenced by proxy_pass below
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered with 403 straight away. Taking the PHP setup as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Open these in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that SQL injection and XSS are being filtered.
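The three browser checks above are worth keeping as a repeatable smoke test, so the WAF is re-verified after every rule or upstream change rather than only once at install time. The script below is an added example, not part of the original post; it assumes curl is available and that the test page is the phpinfo.php created above, and the base URL is passed in as an argument. The probe parameters are exactly the post's own.

```shell
#!/bin/sh
# Added example (not from the original post): smoke test for a ModSecurity-
# protected vhost. A benign request must pass (200) and the two probe requests
# from the post must be blocked (403). BASE_URL is supplied by the caller.

# http_status BASE_URL PARAM -> prints the HTTP status code for GET BASE_URL?PARAM
# --data-urlencode encodes the quotes and angle brackets, so the request reaches
# ModSecurity as a browser would send it.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode "$2" "$1"
}

# waf_expect EXPECTED BASE_URL PARAM -> 0 if the status matches, 1 otherwise
waf_expect() {
    got=$(http_status "$2" "$3" || echo 000)   # 000 when the server is unreachable
    if [ "$got" = "$1" ]; then
        echo "ok   $1  $3"
        return 0
    fi
    echo "FAIL expected $1, got $got  $3"
    return 1
}

# waf_smoke_test BASE_URL -> 0 only if every expectation holds
waf_smoke_test() {
    base="$1/phpinfo.php"
    fail=0
    waf_expect 200 "$base" "id=1" || fail=1                                   # benign request passes
    waf_expect 403 "$base" "id=1 and 1=1" || fail=1                           # SQLi signature is blocked
    waf_expect 403 "$base" "search=<script>alert('xss');</script>" || fail=1  # XSS signature is blocked
    return $fail
}

if [ $# -gt 0 ]; then
    waf_smoke_test "$1"    # e.g. ./waf_smoke.sh http://www.52os.net
fi
```

Keeping the transport in its own function (http_status) makes the expectations testable without a server, and lets the same checks be pointed at the PHP vhost or the upstream-proxied vhost by changing only the base URL.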

VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log also shows:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
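Both of the runtime problems above (items 4 and 5) announce themselves only in nginx's error.log, and ModSecurity prints its "do not match" warning for APR alone even though it logs compiled and loaded versions for PCRE too. The script below is an added example, not code from the post or from the ModSecurity project: it triages error.log for version mismatches across every library that reports one, counts audit-log mutex failures (which mean blocked requests leave no audit record), and tallies blocked requests per rule id. The sample log is constructed from the post's own excerpts; the two "Access denied" lines and the rule id 999001 are invented for illustration, following the bracketed key/value layout ModSecurity uses in error.log.

```shell
#!/bin/sh
# Added example (not from the original post): triage nginx error.log for
# ModSecurity startup and runtime problems. Exit status is 1 when a library
# version mismatch or an audit-log lock failure is present, 0 otherwise.

# modsec_log_triage [LOGFILE] -> report on stdout; reads stdin when no file is given
modsec_log_triage() {
    awk '
        # Startup notices such as: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
        /ModSecurity: [A-Z]+ compiled version=/ && /loaded *version=/ {
            lib = $0; sub(/.*ModSecurity: /, "", lib); sub(/ .*/, "", lib)
            c = $0; sub(/.*compiled version="/, "", c); sub(/".*/, "", c); sub(/ .*/, "", c)
            l = $0; sub(/.*loaded *version="/, "", l); sub(/".*/, "", l); sub(/ .*/, "", l)
            # PCRE appends a build date after its version; the trailing sub() drops it
            if (c != l) { printf "mismatch %s compiled=%s loaded=%s\n", lib, c, l; bad = 1 }
            next
        }
        # Item 5: the audit log cannot be written, so blocks are not recorded
        /ModSecurity: Audit log: Failed to lock global mutex/ { mutex++; next }
        # Blocked requests: count per rule id so a noisy rule stands out after a deployment
        /ModSecurity: Access denied with code/ {
            id = $0; sub(/.*\[id "/, "", id); sub(/".*/, "", id)
            blocked[id]++
        }
        END {
            if (mutex) printf "audit-log lock failures: %d\n", mutex
            for (id in blocked) printf "blocked id=%s count=%d\n", id, blocked[id]
            status = (bad || mutex) ? 1 : 0
            exit status
        }
    ' "$@"
}

# Constructed sample error.log (not a real capture): the notice/warn/error lines
# follow the excerpts in the post; the two "Access denied" lines are invented.
sample_error_log() {
    cat <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:16:00 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). [id "999001"] [msg "constructed sample"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "x"]
2015/01/26 04:16:05 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). [id "999001"] [msg "constructed sample"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "y"]
EOF
}

if [ $# -gt 0 ]; then
    modsec_log_triage "$1"    # e.g. ./modsec_log_triage.sh /opt/tengine/logs/error.log
else
    sample_error_log | modsec_log_triage
    echo "triage exit status: $?"
fi
```

On the sample, the APR line is reported and the PCRE line is not, because the comparison is made on the version token alone and ignores the build date that PCRE appends to its loaded version.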
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614