|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
; f* K, I$ R: e- l6 a/ ^" Z+ g) ?$ k0 a
一.准备工作
* R6 I) _( t" I* S, v' h
5 L) W8 J1 K1 X, ^9 T系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
) v. j. f b8 @( A b" v! O" v, u. j, v# ?
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
; `2 [ p3 }5 x( o# S
/ [( O! w+ G+ r/ c# fmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz) b' @0 k: R* x
0 \. b' c9 j1 I" ~
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
1 C2 G- x7 c' l' q' S/ q
. N4 E7 f+ g3 P9 T. |依赖关系:
/ c0 J4 ?" d9 x. w5 Ltengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:0 O5 ]1 b; R9 m4 |
7 b+ g' j9 O- `6 g8 m- Vyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
& ]4 r& d% m. ]) Omodsecurty依赖的包:pcre httpd-devel libxml2 apr
- F' `9 O8 {+ H
% t# i3 b0 g: i) kyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
1 x" z1 ~! M o5 t* N- i3 R4 ?二.启用standalone模块并编译
5 I+ ~$ W7 {7 ]! }3 n, U) {1 @" t M" C* q0 K
下载modsecurity for nginx 解压,进入解压后目录执行:4 G0 {( A7 I0 A8 \$ m9 o
3 D7 n2 X0 S+ S! J./autogen.sh
6 e) K5 ^5 l5 @" P./configure --enable-standalone-module --disable-mlogc, b8 }% v3 x4 f7 J
make
4 v0 }6 S j. r7 A _' o" M三.nginx添加modsecurity模块
. ]. M, m0 P. y. S1 h; H/ J2 w) r9 x T. f( g
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
' U" R+ f8 @5 c) a' |& I7 i7 S7 T/ O/ M
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
5 H: M+ _9 F8 o" J# W& N6 ymake && make install" Y" {: w: L" Y- z6 s) v
四.添加规则9 R' M+ _; y: q
, c6 s- |! ~8 j2 v' f* i
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
6 H9 B8 {, J8 u9 z f
- f8 j+ i6 ?" d" w1.下载OWASP规则:
- ^- v. _, {) a- u4 ~ Z( v- z6 C
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
+ t" V% o0 r1 h/ u1 A
& Q: e4 h9 r7 H/ xmv owasp-modsecurity-crs /opt/tengine/conf/7 l* }: u: X4 X3 G3 E: W& T! v6 a
* e) `! Y, ~+ V ocd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
3 k% B5 `7 |! T+ c, [$ \2.启用OWASP规则:
. R! w! W1 c# r# V. g7 B4 B# L8 W4 d. V
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。- f9 _: e' _! h; I
( t% ~1 r- H; X: d' f9 Y9 e" o编辑modsecurity.conf 文件,将SecRuleEngine设置为 on$ J! \6 i+ Z6 \( I! a
3 k9 |% e( |+ P$ T1 U qowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
/ Q1 w/ I, i+ e4 F6 w. |6 y. @0 S ?* o7 \) S
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf, w2 x5 }& j5 C
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf7 [# Y- q& _% O+ S
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf/ A1 i8 C+ E m) U& c# h
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf. D# N' _* C" S
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf. w+ A6 C( R' _# r5 F! T
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
* V0 p/ y/ l# z4 q& `& GInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf+ q$ x$ @7 b9 h" K
五.配置nginx
+ {3 m4 M2 g P" G0 q0 |% R5 Z; ]! A5 P4 F( l/ M. F
在需要启用modsecurity的主机的location下面加入下面两行即可:, |) x" E0 K% s0 y& g- \# V
* K, L! N1 z' U( e3 D' P5 h: ]
ModSecurityEnabled on;
% ~# \5 x+ H! u3 H' d2 MModSecurityConfig modsecurity.conf;1 j+ F2 H: N. U. T% ]; f2 Z
下面是两个示例配置,php虚拟主机:
9 y' m( K/ r" m6 _ L; F/ J' W. {: a
server {. U+ n4 {& n8 e5 C) ^( j
listen 80;" l M2 c" X9 _. w7 c
server_name 52os.net www.52os.net;1 Z. v( @; Q; m5 v& R9 U+ I6 C
- G! @, J9 E! f. Y; G
location ~ \.php$ {
" a X3 y! W0 q8 h& m T& M ModSecurityEnabled on; 4 P( |' W% T0 U& X& A# o
ModSecurityConfig modsecurity.conf;0 S/ M6 w" `/ C% f8 p- z
r! B! H1 |6 P root /web/wordpress;# C* r/ V# N" B
index index.php index.html index.htm;
# j. Q+ A: w$ T5 G, M# a& e3 P4 c 0 u0 a4 W; R4 E; v; K6 k
fastcgi_pass 127.0.0.1:9000;
. L7 x: K4 V9 f2 B7 v9 g fastcgi_index index.php;. C7 \2 L P$ C/ D9 i- O3 `( k: J p
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
4 n( x3 t) e* C6 D9 S include fastcgi_params;
" j5 _" E% w. v# O) f! ]: C9 e2 ~6 o }
, i- n: k: s; U+ ?. ]% d% [6 ? }
8 z6 p& `: R7 I8 u5 E8 k8 {3 Wupstream负载均衡:2 t6 m# P- L% H& V1 M
( Q0 j! W& G" P7 |& Z
upstream 52os.net {. V" R- e; s5 |1 ]
server 192.168.1.100:8080;
. O8 R% w* t0 o8 M2 W' v* V server 192.168.1.101:8080 backup; O* c5 L' |" A0 w. ~4 c
}
$ N: B- r, G0 Z" q, m# e H+ k* ^* L
server {4 J+ y/ @2 N. M* m8 F
listen 80;
' G& d5 s+ @; \0 g0 @0 p' Mserver_name 52os.net www.52os.net;+ J0 o8 R' T; Q5 T# k8 W' T
1 X5 N& W' S8 N, w: Q7 h
location / {
( V# U) A% }1 b5 }. m ModSecurityEnabled on; ! f! g& | l# ^
ModSecurityConfig modsecurity.conf; 9 l+ I* r9 e, Y. M/ L. I( i ]
9 D8 J0 R7 n" F; p7 L8 O8 I: ?
proxy_pass http://online;
/ a% W! p" d% v; ~) ^ proxy_redirect off;
' }; H k6 b0 w9 U! a1 \$ l proxy_set_header Host $host;
3 q% x5 g! m8 u proxy_set_header X-Real-IP $remote_addr;) d6 V! W- D# ^$ r8 |8 s6 Y$ q
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;6 d7 M& ], a6 Y" p
}( p3 K( K# j$ Y ~2 z: J
}5 E+ C" ]- @. L9 H; A7 ?
六.测试7 x& T2 {, p2 Y& }* F
. Z$ Y# [9 @0 y+ _' N* b我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
l1 |# l% z8 R! ?5 \. H J3 e
! `1 m* o" z @8 G( m- ^! @7 @<?php1 @# ]9 }, s. P- w" B
phpinfo();
1 N5 W7 T, d/ |- T0 }?>4 t9 w) n( Z, m7 k+ ]
在浏览器中访问:
5 D7 `. v) D; j n1 P6 s. `7 R% }5 k" n- j
http://www.52os.net/phpinfo.php?id=1 正常显示。7 m S4 R) `/ I) v
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。# t) J1 I9 ^: E
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。2 G8 Z* K3 j* p9 r! }0 Y( J
说明sql注入和xss已经被过滤了8 u3 Z/ C0 Y" H/ d! g
5 S0 y/ a# S- D9 F# q
七、安装过程中排错
' h/ m; p4 [0 N3 r$ b7 m' j3 d
5 ?; K* d1 Q) _/ b1.缺少APXS会报错
* S; g) \0 I+ J
- N, W3 i/ v0 M: L. v$ x3 P+ `, Hconfigure: looking for Apache module support via DSO through APXS
6 R7 d+ c+ k+ iconfigure: error: couldn't find APXS( r( ~( ~. ]; g
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
7 {# ?; d. N6 Y, v" }" j+ B; J2 o解决方法:- v) |6 r$ t' d" F$ R2 D
: _; d$ O& ~3 Q' E( R: ryum install httpd-devel
) P( U6 V) `( J8 c2.没有pcre7 ~5 g" W7 `( B4 K6 @ T( h
% D+ e G$ A4 t
configure: *** pcre library not found.
) T% a2 x. }6 [8 T( iconfigure: error: pcre library is required/ C8 _/ n/ X" ~2 ?6 I- ~9 s& q
解决方法:
0 u c$ Y1 ^- a: a9 O
5 z' d6 O+ F/ v- g- U: l# [yum install pcre pcre-devel
- O3 F5 E# M! ? c3.没有libxml2: q0 b }6 e+ Z: w# z
: c# N* ^& ]1 ~" R1 [
* j% E6 [" n- _* J! A
configure: *** xml library not found.
$ F6 d- V" R- ` G; i8 B6 Dconfigure: error: libxml2 is required- V8 o9 K1 k9 e6 F: I! T
解决方法:6 A6 N! q% ^1 w; h. L
" y$ d6 B' {# L# n
yum install libxml2 libxml2-devel6 q! D; h ~# o% p3 h# W8 A3 H4 ^0 h
4.执行 /opt/tengine/sbin/nginx -m 时有警告7 W% k8 |7 y& ^+ v* [4 E( t& {! i2 z
0 ^* E3 f% w0 s8 |Tengine version: Tengine/2.1.0 (nginx/1.6.2)$ Q! ~ @; p, i' c
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
, P' j u) [1 b$ E6 `4 Y原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
, J4 v, ^2 ^* E/ s# f! ]2 ~4 l' F$ W% d, Q/ v" G8 i
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
; L; W: r' g% }& W2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
: S: E8 o& p1 x7 E6 |2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled! C! M5 T2 `5 Z* ^
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
% [) T4 o1 B. X7 w2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6". f! W) h4 t8 Y4 F8 w% `& S% e
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
j& _1 A# |0 i3 Z q1 d解决方法,移除低版本的APR (1.3.9)/ i% {7 L, @* N3 d
; ~9 ^( Q# K$ K6 U% I2 b9 r! c* ?
yum remove apr3 b( {! b$ x+ t/ z4 c+ g2 J4 c
5.Error.log中有: Audit log: Failed to lock global mutex Q( l: c1 h3 J% u
$ `- t; L) h8 n2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
( ^' N5 j5 ?$ q$ e5 \! Hglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]8 D' m& j5 z4 z* E9 P3 h6 L; _
解决方法:
7 I) k- z2 W3 [7 H1 b编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:2 k$ ~0 s7 ]/ n3 C3 T( F% [
$ U2 F- {- I7 ~0 r% G( s
SecAuditLogDirMode 0777% v6 d* ~4 i+ k) U9 o4 P' F0 ?
SecAuditLogFileMode 0550# ]7 m4 `( o1 k, C7 F, o* F6 N& n
SecAuditLogStorageDir /var/log/modsecurity& B1 x, c+ x8 `. ^- [) @
SecAuditLogType Concurrent
. o' r; W: f2 n6 H5 N参考文章:
4 P! z$ i3 {$ l1 mhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
) e% L$ L) O+ G9 k# Dhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡