Using nginx with ModSecurity to build a WAF

Posted 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web front end. It now also supports nginx and IIS, and combined with nginx's flexibility and performance it can be built into a production-grade WAF that both protects and audits web traffic.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0 (the versions this walkthrough was done with; for a new deployment take the current releases of both and adjust the paths below)

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl. All three are in the stock CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (its configure script needs Apache's apxs even when the result is only used with nginx), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build ModSecurity

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

With the standalone module built, nginx picks it up at configure time through "--add-module". Run this from the unpacked Tengine source tree; the path points at the nginx/modsecurity subdirectory of the ModSecurity source:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

/opt/tengine/sbin/nginx -m lists the compiled-in modules and is a quick way to confirm ModSecurity made it into the binary; /opt/tengine/sbin/nginx -t validates the configuration once the following sections are in place.
4. Add rules

ModSecurity is built to detect and block web attacks, and its power comes from its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and thorough, and you can also write your own rules to cover whatever it does not.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

The file names and directories used here (modsecurity_crs_10_setup.conf, base_rules, experimental_rules and so on) are those of CRS 2.2.x. The repository's master branch has since moved to CRS 3.x, which ships crs-setup.conf.example and a single rules/ directory instead, so check out a 2.2.x tag (for example v2.2.9) after cloning if you want to follow the paths below literally.
2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches but never blocks anything, so leaving it untouched gives you a WAF that only watches.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines for them to modsecurity.conf, for example:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

The setup file must come first, because the rules in the other files depend on the variables (anomaly-score thresholds and the like) that it defines. If nginx refuses to start because an included file cannot be found, switch to absolute paths (/opt/tengine/conf/owasp-modsecurity-crs/...).
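The custom rules mentioned above, next to the CRS Includes, in one worked modsecurity.conf tail. This is an added example and not the post's own configuration: the rule IDs 10001 to 10003, the 192.168.1.0/24 admin network, the 192.168.1.200 scanner address and the CRS rule 981243 being suppressed are assumptions chosen for illustration.

```apacheconf
# Added example, not the post's own modsecurity.conf. Everything above this
# point is assumed to be the unchanged body of modsecurity.conf-recommended.

# Block, do not just log (the recommended file ships with DetectionOnly).
SecRuleEngine On

# CRS: the setup file first, then the rule files you chose above.
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
# (remaining Include lines from the list above go here)

# Local rules. IDs below 100000 are reserved for local use, so they can never
# collide with CRS IDs. Every rule needs an id, or the config fails to load.

# 1) phpinfo.php is reachable only from the admin network (assumed 192.168.1.0/24).
#    A chain fires only when every rule in it matches; the disruptive action
#    (deny) sits on the first rule.
SecRule REQUEST_URI "@beginsWith /phpinfo.php" \
    "id:10001,phase:1,deny,status:403,log,msg:'phpinfo.php outside admin net',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24"

# 2) Suppress one CRS rule for one path where it produces false positives
#    (981243 and the WordPress editor path are assumptions; use whatever id
#    your error.log shows firing on legitimate traffic).
SecRule REQUEST_URI "@beginsWith /wp-admin/post.php" \
    "id:10002,phase:1,pass,nolog,ctl:ruleRemoveById=981243"

# 3) A trusted scanner (assumed 192.168.1.200) is logged but never blocked,
#    so its findings reflect the application rather than the WAF.
SecRule REMOTE_ADDR "@ipMatch 192.168.1.200" \
    "id:10003,phase:1,pass,nolog,ctl:ruleEngine=DetectionOnly"
```

Rule 10002 is the pattern to reach for when a legitimate request is blocked: narrow the exemption to the path and rule that actually clash rather than disabling the rule globally. After any change, /opt/tengine/sbin/nginx -t reports ModSecurity parse errors before a reload takes the site down.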
5. Configure nginx

In each location that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

The directives can also be placed at server level so that every location inherits them. When they sit in a single location, as in the examples below, requests handled by other locations bypass the WAF.
Two example configurations follow. First, a PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root  /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

nginx variable names are case-sensitive: $document_root must be all lower case, otherwise nginx -t fails with an unknown variable error.
Second, an upstream load-balancing front end:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass        http://online;
        proxy_redirect    off;
        proxy_set_header  Host $host;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

The name in proxy_pass must match the upstream block. Because ModSecurity runs in the proxy's location, the backends on 192.168.1.100 and .101 only see inspected traffic, provided nothing but this front end can reach port 8080 on them.
6. Testing

With the XSS and SQL-injection rules enabled, malicious requests are answered with 403 straight away. Using the PHP setup as an example, create phpinfo.php containing:

<?php
    phpinfo();
?>

Then open these in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. The same check from the command line, which makes the status code explicit:

curl -s -o /dev/null -w '%{http_code}\n' 'http://www.52os.net/phpinfo.php?id=1%20and%201=1'

Every blocked request also leaves a line in nginx's error.log naming the CRS rule ID that fired, which is where to look when a legitimate request is rejected. Remove phpinfo.php once you are done: it discloses the full PHP and server configuration to anyone who can reach it.
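What a 403 looks like from the server side. The script below is an added example, not part of the original post, ModSecurity or the CRS: it parses the ModSecurity 2.x alert lines that the nginx connector writes to error.log and summarises which rules fired, from which clients, against which URIs, so a blocked request can be traced to its rule ID. The log lines embedded in it are constructed to resemble the output of the tests above; the client addresses, rule IDs, messages and file line numbers are made up. Given a path on the command line it reads a real error.log instead.

```python
#!/usr/bin/env python3
"""Summarise ModSecurity 2.x alerts found in nginx's error.log.

Added example for this post, not part of ModSecurity or the CRS. The sample
lines below are constructed: clients, rule IDs, messages and line numbers are
made up to look like CRS 2.2.x output for the SQLi/XSS tests described above.
"""
import re
import sys
from collections import Counter

# ModSecurity appends its alert details as a run of [key "value"] pairs; a value
# may contain escaped quotes (\"), which the alternation below steps over.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The nginx connector prefixes every ModSecurity message with the client address.
CLIENT_RE = re.compile(r'\[client ([^\]]+)\] ModSecurity: (.*)')

# Constructed sample error.log (five lines: two blocks, one unrelated nginx
# error, one detection-only warning, one audit-log engine error).
SAMPLE_LOG = r"""
2017/10/19 17:02:10 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\band\b\s+\d+\s*=\s*\d+)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "1 and 1=1"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2017/10/19 17:02:31 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script[^>]*>" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "31"] [id "958051"] [msg "Cross-site Scripting (XSS) Attack"] [data "<script>alert('xss');</script>"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2017/10/19 17:03:05 [error] 29036#0: *15 open() "/web/wordpress/favicon.ico" failed (2: No such file or directory), client: 10.11.15.161, server: 52os.net, request: "GET /favicon.ico HTTP/1.1", host: "www.52os.net"
2017/10/19 17:04:12 [error] 29036#0: [client 192.168.1.50] ModSecurity: Warning. Pattern match "(?i:\band\b\s+\d+\s*=\s*\d+)" at ARGS:q. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "2 and 2=2"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/index.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2017/10/19 17:05:42 [error] 29036#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]
"""


def parse_alert(line):
    """Return a dict of the ModSecurity fields in one error.log line, or None
    for lines that did not come from ModSecurity."""
    m = CLIENT_RE.search(line)
    if m is None:
        return None
    client, rest = m.group(1), m.group(2)
    event = dict(FIELD_RE.findall(rest))
    event["client"] = client
    # "Access denied ..." is a real block; "Warning." is a match that was only
    # logged (SecRuleEngine DetectionOnly, or a non-disruptive rule).
    event["blocked"] = rest.startswith("Access denied")
    return event


def summarize(lines):
    """Aggregate parsed alerts: counts per rule ID, per client and per URI.
    Lines with no [id ...] field are engine errors rather than rule hits."""
    events = [e for e in (parse_alert(ln) for ln in lines) if e is not None]
    alerts = [e for e in events if "id" in e]
    return {
        "alerts": alerts,
        "engine_errors": [e for e in events if "id" not in e],
        "blocked": sum(1 for e in alerts if e["blocked"]),
        "by_rule": Counter(e["id"] for e in alerts),
        "rule_msg": {e["id"]: e.get("msg", "") for e in alerts},
        "by_client": Counter(e["client"] for e in events),
        "by_uri": Counter(e.get("uri", "") for e in alerts),
    }


def report(summary):
    """Render the summary as text, most frequent rule first."""
    out = ["%d alerts, %d blocked, %d engine errors" % (
        len(summary["alerts"]), summary["blocked"], len(summary["engine_errors"]))]
    for rule_id, n in summary["by_rule"].most_common():
        out.append("  rule %s x%d  %s" % (rule_id, n, summary["rule_msg"][rule_id]))
    for client, n in summary["by_client"].most_common():
        out.append("  client %s x%d" % (client, n))
    for uri, n in summary["by_uri"].most_common():
        out.append("  uri %s x%d" % (uri, n))
    for e in summary["engine_errors"]:
        out.append("  engine error from %s on %s" % (e["client"], e.get("uri", "?")))
    return "\n".join(out)


if __name__ == "__main__":
    # With a path argument read the real error.log; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.strip().splitlines()
    print(report(summarize(lines)))
```

Run it as python3 modsec_alerts.py /opt/tengine/logs/error.log on the WAF host. A rule that tops the list while hitting one URI from many unrelated clients is usually a false positive worth an exemption; the same rule hitting many URIs from one client is a scanner.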
) D% b3 h) b" [$ }' L: Z1 }. z3 u5 r, E9 P$ ?8 `! w/ _
7. Troubleshooting the installation

1) Missing APXS:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP Server, compiling one or more source or object files into a dynamic shared object. ModSecurity's configure script needs it even when the result will only be used with nginx.

Fix:

yum install httpd-devel

2) Missing pcre:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) Missing libxml2:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4) A warning when running /opt/tengine/sbin/nginx -m:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR that ModSecurity was compiled against is not the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Before confirming, read the list of packages yum wants to remove along with it (everything that depends on apr, httpd-devel and apr-util included), and afterwards check which libapr the binary actually resolves with ldd /opt/tengine/sbin/nginx | grep apr. The cleaner alternative is to rebuild ModSecurity against the apr-devel that matches the system libapr, so the compiled and loaded versions agree without removing packages.
5) error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent mode writes one file per transaction under SecAuditLogStorageDir instead of appending everything to one serial log file. The directory must exist and be writable by the user the nginx workers run as. Note that 0777 makes every directory ModSecurity creates there world-writable, so any local user can alter or delete audit evidence; a storage directory owned by the worker user with SecAuditLogDirMode 0750 and SecAuditLogFileMode 0640 gives the same result without that exposure.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614