ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF, and it is a strong tool for both protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build has finished, the ModSecurity module is added to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

After installation, /opt/tengine/sbin/nginx -V prints the configure arguments; the --add-module=.../nginx/modsecurity/ entry should appear there, which confirms the module was compiled in.
IV. Add rules

ModSecurity's job is to filter and block web threats, and its power comes from its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and thorough, and you can of course write your own rules to cover anything they miss.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs rule matches without blocking; on a production host it is worth running in that mode first and reviewing the log for false positives before switching to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each rule file to modsecurity.conf; the setup file must come first, because it defines the default action the rule files rely on. With modsecurity.conf and the owasp-modsecurity-crs directory both under /opt/tengine/conf, the Include lines can use these relative paths:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of every virtual host that should be protected by ModSecurity, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Note that with this layout only requests matching the \.php$ location are inspected; requests served by other locations (static files, other handlers) bypass ModSecurity unless those locations carry the same two directives. nginx variable names are case-sensitive, so the variable is $document_root in lower case.

Second, upstream load balancing. The upstream block is named 52os.net, and proxy_pass must refer to that same name:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered directly with 403. Using the PHP host as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then request the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS payloads are being filtered. For each blocked request nginx's error.log records the rule that matched, its id and the matched data, which is where to look when a legitimate request is unexpectedly refused. Remove phpinfo.php once the test is done; it discloses the server's configuration to anyone who can reach it.
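The three checks above are worth rerunning every time a rule file is added or tuned, since a rule change can just as easily start blocking legitimate traffic as it can stop catching attacks. The script below is an added example, not part of the original post: it sends the same three requests and reports both kinds of failure. BASE_URL, the optional Host override and the User-Agent string are assumptions made for the example; the PHP host from section V is expected to answer there and to still have phpinfo.php.

```python
"""Smoke test for the three WAF checks in the Testing section.

Added example, not part of the original post. BASE_URL, the Host override and
the User-Agent string are assumptions made for the example; the PHP host from
section V is expected to answer there and to still have phpinfo.php.
"""
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net"  # assumption: the server_name used in section V

# (path, query parameters, expected status) for the page's three requests.
# The first case is deliberately benign: a WAF that blocks it is mis-tuned,
# and a regression suite should catch that just as it catches missed attacks.
TEST_CASES = [
    ("/phpinfo.php", {"id": "1"}, 200),
    ("/phpinfo.php", {"id": "1 and 1=1"}, 403),
    ("/phpinfo.php", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base, path, params):
    """Percent-encode the query so the payload reaches nginx intact; ModSecurity
    decodes it again before the CRS rules inspect ARGS."""
    return base.rstrip("/") + path + "?" + urllib.parse.urlencode(params)


def fetch_status(url, host=None, timeout=5):
    """Return the HTTP status; a ModSecurity 403 surfaces as HTTPError."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test/1.0"})
    if host:
        # Point BASE_URL at an IP and still reach the right server_name block.
        req.add_header("Host", host)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verdict(results):
    """results: iterable of (url, expected, actual).
    Returns (all_ok, failures); each failure says whether it was a false
    positive (benign request blocked) or an attack that got through."""
    failures = []
    for url, expected, actual in results:
        if actual == expected:
            continue
        kind = "false positive" if expected == 200 else "attack not blocked"
        failures.append((kind, url, actual))
    return (not failures, failures)


def run(base=BASE_URL, host=None):
    """Send every test case and judge the outcome."""
    results = []
    for path, params, expected in TEST_CASES:
        url = build_url(base, path, params)
        results.append((url, expected, fetch_status(url, host)))
    return verdict(results)


if __name__ == "__main__":
    ok, failures = run()
    if ok:
        print("WAF OK: benign request allowed, both attacks blocked")
    else:
        for kind, url, actual in failures:
            print("%s: %s -> HTTP %d" % (kind, url, actual))
```

Run it as python3 waf_smoke.py against the live host, or call run("http://192.168.1.10", host="www.52os.net") from a shell to test a single backend behind the load balancer by IP. A connection error is left uncaught on purpose: an unreachable WAF should fail the run loudly rather than be reported as a blocked attack.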
VII. Troubleshooting during installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity 2.x's configure script looks for it even when building the standalone module, which is why httpd-devel is on the dependency list.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

yum lists the packages that depend on apr and will be removed with it; read that list before confirming. ldd /opt/tengine/sbin/nginx | grep apr shows which libapr the binary actually resolves to and is a quick way to confirm the fix.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent mode writes one file per transaction under SecAuditLogStorageDir instead of serialising all workers onto a single file, which is why the shared mutex is no longer needed. SecAuditLogDirMode 0777 makes every directory ModSecurity creates world-writable; if /var/log/modsecurity is owned by the user the nginx workers run as, 0750 is sufficient and keeps other local users from tampering with the audit trail. If you keep a SecAuditLog line, in Concurrent mode it names an index file that receives one line per logged transaction, which makes the per-transaction files easier to locate.
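Two kinds of error.log lines quoted on this page are what you read when tuning the WAF: the compiled-vs-loaded version notices in item 4, and rule-match entries in the [key "value"] format shown in item 5, which is also how the 403s from the Testing section are recorded. The script below, an added example that is not part of the original post or of ModSecurity, parses both and ranks the rules that blocked requests. SAMPLE_LOG is constructed for the example; the rule ids, messages, line numbers and file paths in it are illustrative rather than a transcript of a real run.

```python
"""Triage ModSecurity lines in nginx's error.log.

Added example, not code from the original post or from ModSecurity. It handles
the two kinds of lines quoted on this page: the compiled-vs-loaded version
notices from item 4, and rule-match entries in the [key "value"] format shown
in item 5, which is also how the 403s from the Testing section are recorded.
SAMPLE_LOG is constructed for the example; its rule ids, messages, line
numbers and file paths are illustrative.
"""
import re
import sys
from collections import Counter

# [key "value"] pairs; ModSecurity escapes quotes inside values as \"
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DENY_RE = re.compile(r'ModSecurity: Access denied with code (\d+) \(phase (\d+)\)\. (.*)$')
VERSION_RE = re.compile(r'ModSecurity: (\w+) compiled version="([^"]*)"; loaded version="([^"]*)"')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')


def parse_denial(line):
    """Return a dict for an 'Access denied' line, or None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    fields = {"code": int(m.group(1)), "phase": int(m.group(2)), "tags": []}
    client = CLIENT_RE.search(line)
    fields["client"] = client.group(1) if client else ""
    for key, value in KV_RE.findall(m.group(3)):
        value = value.replace('\\"', '"')
        if key == "tag":
            fields["tags"].append(value)  # tag may repeat; keep every one
        else:
            fields[key] = value
    return fields


def denials(lines):
    """All blocked transactions found in the given error.log lines."""
    return [d for d in (parse_denial(l) for l in lines) if d]


def top_rules(events):
    """Blocks per (rule id, msg), most frequent first: the starting point for
    deciding whether a rule is catching attacks or legitimate traffic."""
    return Counter((e.get("id", "?"), e.get("msg", "")) for e in events).most_common()


def version_mismatches(lines):
    """Libraries whose loaded version differs from the compiled one (item 4).
    PCRE appends a build date on the loaded side, so only the leading token
    is compared."""
    def lead(s):
        return (s.split() or [""])[0]
    out = []
    for line in lines:
        m = VERSION_RE.search(line)
        if m and lead(m.group(2)) != lead(m.group(3)):
            out.append((m.group(1), m.group(2).strip(), m.group(3).strip()))
    return out


# Constructed sample: startup notices from item 4 plus two 403s shaped like the
# Testing section's requests. Rule ids, messages, line numbers are illustrative.
SAMPLE_LOG = r'''2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:20:11 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\b(?:and|or)\\b\\s*?\\d+\\s*?=\\s*?\\d+)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:15 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "20"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "Matched Data: <script found within ARGS:search: <script>alert(\"xss\");</script>"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
'''


def report(lines):
    """Human-readable summary; returns the text rather than printing it."""
    out = []
    for lib, compiled, loaded in version_mismatches(lines):
        out.append("%s: compiled %s, loaded %s (rebuild, or fix the library path)" % (lib, compiled, loaded))
    events = denials(lines)
    for (rule_id, msg), n in top_rules(events):
        out.append("%5d  rule %s  %s" % (n, rule_id, msg))
    for e in events:
        out.append("  %s %s%s -> %d  %s" % (e["client"], e.get("hostname", ""),
                                            e.get("uri", ""), e["code"], e.get("data", "")))
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python3 modsec_triage.py /opt/tengine/logs/error.log  (no argument: SAMPLE_LOG)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print(report(lines))
```

Point it at the error.log of the Tengine instance (the path above is an assumption; use whatever error_log your nginx.conf sets). The per-rule counts are the first thing to check after switching SecRuleEngine from DetectionOnly to On: a rule that fires on many different URIs from many clients is usually a false positive worth a targeted exception rather than a reason to disable the whole rule file.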
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614