|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
! r6 {& i a3 E# m* D" Q6 r& b5 G" Y' z( c
一.准备工作
' |: R* _. o; @& z/ f1 Y% b. M% d. _1 _
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
) Q: p2 T- p" m0 i) I/ \+ Q( {
# Y' U0 }- N* n" etengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz o0 G7 F1 D0 ~$ N
7 V" [& D4 _% h5 D, b4 L2 p1 ?2 d/ V
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz3 ]7 q T* W1 ^8 t# z
$ H- d* \: Z1 G! d# \# v+ e
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
; Y! Y1 F: G! ]% H' [
5 ?/ W: k0 Q+ V9 X8 ^5 q) }依赖关系:7 M; R5 a% q. n, }
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
" v o# w1 B( b1 U( m, f+ y& {: a4 K R, Q
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
/ ?; Z$ w& d! R" j/ Z$ _7 U- U" nmodsecurty依赖的包:pcre httpd-devel libxml2 apr( J! R% o6 o5 Z4 K0 O
, e3 F* ? g) |% O+ `
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
6 o6 U( b7 F0 h' R% p二.启用standalone模块并编译
2 S" _$ C/ {. w1 u7 J6 A& [5 q6 K
0 X ]. N$ M b( X7 w下载modsecurity for nginx 解压,进入解压后目录执行:* i" V1 y4 O2 J6 ]) W
5 E3 ]4 ]7 V" H./autogen.sh u7 `, }9 B' u" C2 \; U
./configure --enable-standalone-module --disable-mlogc6 u v# m" t( t d3 F: @
make 9 O+ C% s9 X6 y/ `5 w5 n2 H
三.nginx添加modsecurity模块
' A4 _& g: s0 Q; n% T; V( ]
1 v7 ^1 t$ ~1 ?) {, ^在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
2 t, Q; \& W- a+ f. j; n/ |
! i! v. |; [' M- ~9 }; Y./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine% w: u) M' ~/ \5 X; b
make && make install$ R! C4 R8 z" t9 i5 _
四.添加规则
3 L/ Y, |( O' V' p3 `9 K8 F
! ?" ]- e) U. @' F' I0 Xmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
D5 s ^8 y% ^! k" O, ]0 _7 G9 L2 ]
1.下载OWASP规则:
5 H! l _8 R0 R/ y' @# x. ^; \+ U9 t1 r% F, d! u
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
) R& O2 x; \# [9 R. C; ~- {' E% ~* g# |! \1 r8 W7 d
mv owasp-modsecurity-crs /opt/tengine/conf/& C; q; Y& t. a0 w8 Q" Y
! c1 G+ j& P. w8 U1 D7 g6 b) @6 f
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2 B' a2 Q Z0 D) M2.启用OWASP规则:, p* t: \7 p; \, I# y
; o/ b) n( ]$ W' F/ V复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。/ [8 g1 w6 s7 d0 S: Z* _
6 d) A1 _3 V( V& m: E# ]5 k; I! `编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
" f( N# T9 @- Q
# N, G; R& S, Y) V3 A8 g1 z6 Iowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。' v0 L: c* W7 j& }' j! V
( Q( X' K$ ?9 l) JInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
6 a. T: R7 T+ ]- F, U! {Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
7 ~7 I9 R- D# U" e/ Z$ f# LInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
0 Z% i, [% T, P6 e! UInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf# A" V; {4 j9 ]. j
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
7 w( T1 s* e6 ]0 ~9 zInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
6 _7 S2 R q" K, \' t" zInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
" i: S3 B0 l @% D( D五.配置nginx
I/ O! b3 |& n7 x: \" ]' K# ?- B; f! r1 w# j9 w
在需要启用modsecurity的主机的location下面加入下面两行即可:
; ]3 O Y% p, |# I' O0 {7 t: n5 a. [/ Q
ModSecurityEnabled on;
2 M; B9 w& p& b8 _; G$ A0 VModSecurityConfig modsecurity.conf;
+ P( W, O7 ]3 p下面是两个示例配置,php虚拟主机:( r5 n5 U; i7 r7 o. V; d7 c
8 ?) B% p T" K8 O& Xserver {
& q3 d% J. [+ L, m listen 80;
: T; W) p# K+ J! x8 w$ Q7 ~3 D7 C& D server_name 52os.net www.52os.net;2 a+ X- J% t& W2 I
& w/ d3 F; P0 C. y2 b5 F# Z _
location ~ \.php$ {
0 H/ J0 Q* ~8 x6 Q. M( f+ p$ K ModSecurityEnabled on; ) ^: X! C. j1 a& r
ModSecurityConfig modsecurity.conf;! c6 a/ W" [2 t, f! P* f+ o2 @
+ l% e9 j7 c ? root /web/wordpress;2 a3 }+ S& K0 ~* n# E( q+ `2 o4 g" V
index index.php index.html index.htm;
2 }" i" G. J$ S; B/ M. A( R 5 |" a. a5 X g& H+ l" K
fastcgi_pass 127.0.0.1:9000;7 D% `4 X! h; _/ c6 b" Q& U' W
fastcgi_index index.php;
. ~* s7 |" ~: L fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;9 E! @: W3 b6 O- v
include fastcgi_params;& d R# m; t- @ j
}- @7 f4 M l% A
}6 I% q M. c0 B0 e5 z0 l/ g
upstream负载均衡:7 B! L& ^ K4 q4 O) W- v
- g+ |& _4 p, }1 Y5 Hupstream 52os.net {
8 h& ?1 O7 G- n' ?+ T: Z+ [7 x server 192.168.1.100:8080;
- J- m! A; ?$ d- B b% Q+ \& M3 d; l server 192.168.1.101:8080 backup;
* u2 [. ~, E C) Q6 I/ t4 D}
4 @; U3 K) b( X. U' j- b& x! h) u
server {# Q: e6 d. w1 |4 Z
listen 80;+ f- H8 C: J) a! ]( i
server_name 52os.net www.52os.net;
6 j% c- w1 b( ]' V6 c/ ]6 ]6 Q5 I3 T2 r I6 R
location / {% x3 f, e- W; ?2 j6 d$ n
ModSecurityEnabled on; ! x3 k3 Q1 i( |5 J0 H
ModSecurityConfig modsecurity.conf; 7 T" ^$ C0 P4 z; V
9 N/ C, h% @+ x( [! ?& Q3 O) b3 M
proxy_pass http://online;
C; {- n# k- e proxy_redirect off;( z- H, c" @+ ~0 E9 W: O/ M
proxy_set_header Host $host;
$ c3 F6 m0 {0 R/ H U. }6 q3 X proxy_set_header X-Real-IP $remote_addr;' n5 Z5 B# w2 U" `4 q7 G) |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
8 v0 \8 f: K4 s9 g$ { }2 \$ ^ E( E+ F- F# @1 ?# `# U
}
& s0 [" C5 n) t# L. S9 `$ _& l六.测试9 Z: r) I$ S1 b% j: ?
@ G: {% ?" Y, x( _# T- w$ B$ _
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:5 q/ c) T0 g, j
8 z5 R5 W( K5 I: g+ `. P7 `
<?php: V. X6 A( d& x& Y: A2 y- f
phpinfo();
3 `& `1 T6 B* D?>6 f0 f0 ]( d+ M, I) I
在浏览器中访问:
( `" b: y- @& ~2 W5 P' i# q4 B% Z& r: _2 s( U2 `, B
http://www.52os.net/phpinfo.php?id=1 正常显示。
& B' J7 c0 h7 K1 ]! Q- a# K Z7 j( Ohttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。# D$ G& H% M4 h2 Z
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。2 X7 D, A8 Y, I& y( F- v
说明sql注入和xss已经被过滤了5 {+ N" A% K% P4 m* Z- S
- V0 R, F5 K x# l9 ^
七、安装过程中排错
; H0 \ w3 t% C7 I& o. W: X' v4 ~+ G8 z: S
1.缺少APXS会报错
O# {) X" P3 ` L
" l' g4 Y) l: q6 p4 uconfigure: looking for Apache module support via DSO through APXS- b) t4 v! P% O \$ t$ P, j, i
configure: error: couldn't find APXS, `' Z% C! G o2 C8 ~3 [
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
$ `3 E' V+ M, `, ^& i, e解决方法:1 Y3 y7 E! j+ z0 _4 L6 S4 a2 c
8 m' {# {$ |% o7 t8 n& [
yum install httpd-devel
0 w6 H0 V4 Y2 e2.没有pcre4 I9 N' _$ ~' y( i, t: m0 N
# ^* w) T% m4 h# v1 x% M
configure: *** pcre library not found.
. e9 h, {4 d) Yconfigure: error: pcre library is required% K! p, U2 w. V5 L
解决方法:
* g1 W( O& \5 D/ H0 P/ a
4 \. U' G$ l. iyum install pcre pcre-devel
0 E) p& \9 a+ n. T2 l" B* L3.没有libxml2, }5 ?/ _* `1 A$ ?" m
3 [: j! H3 l! I; B; w9 j+ L3 U
. F9 V4 d" G! `9 E& o4 t6 D! a9 Tconfigure: *** xml library not found.
1 d+ L4 j' U/ E6 Pconfigure: error: libxml2 is required9 S8 G6 w, t+ y# U" |# |$ o) d
解决方法:3 y& k6 H6 ?$ Z ?
/ ^; G0 l/ }4 f& y7 E9 h
yum install libxml2 libxml2-devel
. C& j# Z, b/ }! O/ U4.执行 /opt/tengine/sbin/nginx -m 时有警告
; x$ [ t' N# @ I% X& c+ V- m2 t' @, }
Tengine version: Tengine/2.1.0 (nginx/1.6.2)' V: e$ v. _- f
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!* P0 L0 }7 k) }& |7 o' D& H
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log# n9 F7 I% ^ d8 ?# Y3 i
J1 N: L9 c. L: `; u8 H
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.4 f3 [( p3 \9 B
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"" B5 z: d* K' _4 U0 ^; X8 y- o m
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
$ r! I) ~1 C p% [2 P2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
1 `/ w& I4 }1 o- d2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
# \+ j+ `- d) o' X0 {+ v5 Y6 d9 y) t3 @2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On., d& k- t' J1 Q
解决方法,移除低版本的APR (1.3.9)5 R: ]* A' o) G2 ^4 T
! q3 ?3 K1 D4 G
yum remove apr' W; v. y: Q/ d8 z: b! x( b5 v0 P0 O
5.Error.log中有: Audit log: Failed to lock global mutex
X% U9 M6 n! w5 Z: w7 v* \% J0 C9 X! P- I: M
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock . Z3 J8 t6 s- r2 H: B! G+ \! a
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]* Q" Y" {% ~9 v( J; K" D3 T h
解决方法:6 I- |- n& H% U: S& ?
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:4 }1 i& Y9 ?: ^3 }+ L4 }: s% l7 m$ g- {
' `8 X+ k0 w. f/ Y' i" D
SecAuditLogDirMode 07776 ` Q8 M1 b1 v' v" S
SecAuditLogFileMode 0550
% j, X: _9 L6 l. _: }$ Y1 K, KSecAuditLogStorageDir /var/log/modsecurity
2 W1 p+ }' N& k' ~4 Q, q( LSecAuditLogType Concurrent
3 F+ _7 Z) S& H# d参考文章:
' o6 ]( l" P) _& `# m9 a' f1 uhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
3 K3 ~( o$ s2 u; Z9 L4 hhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡