Using nginx with ModSecurity to implement a WAF
Posted on 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache and noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx, it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module can be added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; a rule file is enabled simply by pulling it in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
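
As an added example (not code from the original post or from the ModSecurity project), here is a small checker for the modsecurity.conf assembled in this section: it catches the engine being left off, the CRS setup file missing or loaded after the rule files, Include targets that do not exist, and audit-log settings that will not work. It assumes the /opt/tengine/conf directory used above, and exists() is injectable so it can run on constructed text.

```python
import os
import re

DIRECTIVE = re.compile(r"^\s*(Sec\w+|Include)\s+(.*?)\s*$")  # "SecRuleEngine On", "Include path"


def parse_directives(text):
    """Return [(directive, value), ...] from modsecurity.conf text, ignoring comments."""
    found = []
    for line in text.splitlines():
        m = DIRECTIVE.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def check_modsecurity_conf(text, conf_dir="/opt/tengine/conf", exists=os.path.exists):
    """Return a list of problems; an empty list means the file looks usable."""
    values = {}
    for name, value in parse_directives(text):
        values.setdefault(name, []).append(value)
    last = lambda name: values.get(name, [""])[-1]  # the last occurrence of a directive wins
    problems = []
    if last("SecRuleEngine").lower() != "on":
        problems.append("SecRuleEngine is %r, not On: nothing will be blocked" % last("SecRuleEngine"))
    includes = values.get("Include", [])
    setup_at = next((i for i, inc in enumerate(includes)
                     if inc.endswith("modsecurity_crs_10_setup.conf")), None)
    if setup_at is None:
        problems.append("modsecurity_crs_10_setup.conf is not Included; the CRS rule files depend on it")
    elif any("_rules/" in inc for inc in includes[:setup_at]):
        problems.append("CRS rule files are Included before modsecurity_crs_10_setup.conf; load the setup file first")
    for inc in includes:  # Include paths are relative to nginx's conf directory
        path = inc if os.path.isabs(inc) else os.path.join(conf_dir, inc)
        if not exists(path):
            problems.append("Include target does not exist: %s" % path)
    if last("SecAuditLogType").lower() == "concurrent" and not last("SecAuditLogStorageDir"):
        problems.append("SecAuditLogType Concurrent needs SecAuditLogStorageDir")
    if last("SecAuditLogDirMode").endswith("777"):
        problems.append("SecAuditLogDirMode %s is world-writable; 0750 is enough when the nginx worker user owns SecAuditLogStorageDir" % last("SecAuditLogDirMode"))
    return problems


if __name__ == "__main__":
    # Constructed sample: engine left in DetectionOnly and the XSS rule file path mistyped.
    SAMPLE = ("SecRuleEngine DetectionOnly\n"
              "Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf\n"
              "Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attack.conf\n"
              "SecAuditLogType Concurrent\n")
    for problem in check_modsecurity_conf(SAMPLE, exists=lambda p: p.endswith("setup.conf")):
        print("-", problem)
```

Run it against the real file with check_modsecurity_conf(open("/opt/tengine/conf/modsecurity.conf").read()) before reloading nginx.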

V. Configure nginx

Add the following two lines inside the location block of any virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root  /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # the proxy_pass host must match the upstream name defined above
        proxy_pass http://52os.net;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that SQL injection and XSS are being filtered.

VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
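
The two problems this section debugs by hand, a compiled-versus-loaded library mismatch and an audit-log lock failure, are easy to miss in a busy error.log. Here is an added triage script (not from the original post or the ModSecurity project) that pulls them out of nginx error.log lines; the sample lines are constructed from the output quoted above.

```python
import re

LOG_LINE = re.compile(r"^(\S+ \S+) \[(\w+)\] (\d+)#\d+: (.*)$")  # "2015/01/26 02:04:18 [notice] 29036#0: msg"
VERSIONS = re.compile(r'ModSecurity: (\w+) compiled version="([^"]*)"(?:; loaded\s+version="([^"]*)")?')
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')   # [uri "/i.php"], [unique_id "..."]
CLIENT = re.compile(r"\[client ([^\]]+)\]")  # [client 10.11.15.161]
first = lambda s: (s.split() or [""])[0]     # "7.8 2008-09-05" -> "7.8"

# Constructed sample: the startup notices and the audit-log error quoted in this section.
SAMPLE_LINES = [
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"',
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock '
    'global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
]


def parse_line(line):
    """Split one error.log line into time, level, pid, message and any ModSecurity [key "value"] fields."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, level, pid, msg = m.groups()
    fields = dict(FIELD.findall(msg)) if "ModSecurity:" in msg else {}
    return {"time": ts, "level": level, "pid": int(pid), "msg": msg, "fields": fields}


def library_mismatches(lines):
    """{lib: (compiled, loaded)} where versions differ; only the first token counts, so PCRE's date suffix is ignored."""
    out = {}
    for line in lines:
        m = VERSIONS.search(line)
        if m and m.group(3) is not None and first(m.group(2)) != first(m.group(3)):
            out[m.group(1)] = (m.group(2).strip(), m.group(3).strip())
    return out


def triage(lines):
    """Summarise library mismatches and audit-log failures found in error.log lines."""
    report = {"mismatch": library_mismatches(lines), "audit_failures": []}
    for line in lines:
        e = parse_line(line)
        if e and e["level"] == "error" and "Audit log:" in e["msg"]:
            client = CLIENT.search(e["msg"])
            failure = {"time": e["time"], "client": client.group(1) if client else None,
                       "reason": e["msg"].split("Audit log: ", 1)[1].split(" [", 1)[0]}
            failure.update(e["fields"])  # hostname, uri, unique_id
            report["audit_failures"].append(failure)
    return report
```

Feed it the real file with triage(open("/opt/tengine/logs/error.log").readlines()); a non-empty "mismatch" entry is the condition behind the warning in item 4, and each "audit_failures" entry is one occurrence of item 5.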

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614