|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
4 J2 {9 f C$ c7 p3 B2 ~
( B, `" }, c9 Z) u一.准备工作& D2 y! k) X5 w5 D' b" S& u5 x
) Y* } g8 @" y0 f# w
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
% l" R2 Z1 _; e
* Z" A/ f% ]; s! S# E6 d2 xtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
9 j7 ^1 p/ ^& C4 D
/ |0 n. D' _1 ?8 gmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
2 ~. R8 [/ P9 }9 t
. q6 E/ L. {# ~0 wOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
& J2 j/ w% ]% y; l
9 p1 O$ a7 s. l依赖关系:. a4 U" m* v9 i0 a! i4 f
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
3 b- G5 N4 J6 z- a3 \, Q
9 Z% x! q+ Y' j3 u) {$ s+ fyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
+ ~6 g+ q2 p& |% [! b; wmodsecurty依赖的包:pcre httpd-devel libxml2 apr
/ g7 C, X" R! @3 A
8 e( }8 y6 D# M( _4 Wyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel, [; D0 c' H6 I7 j- O
二.启用standalone模块并编译) C; B( g( b. C: s
" G. N. m/ }& q: Q$ X* U$ Q- y( T下载modsecurity for nginx 解压,进入解压后目录执行:( f5 s; |4 c( q& U
+ H4 J, L. L( z( G) B4 e
./autogen.sh
. J& y0 V+ h8 r% m6 C- s./configure --enable-standalone-module --disable-mlogc1 }# f5 L9 m7 [
make
6 m- H7 [9 i4 ]" e7 `0 ]三.nginx添加modsecurity模块
0 F8 L* \9 G& A0 h1 j. D4 y/ A+ p8 U6 n+ D+ B7 s
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:' V% P3 R2 H' q! f* M
+ J5 F( w, C5 ~7 j6 ]* R3 V( z# E( v
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
0 \9 d9 F+ w4 V: J& a( q% gmake && make install3 T& w2 D/ g. n. Q
四.添加规则
9 `7 K& ~; @+ |- ]
/ N) o/ `; u9 ?9 ^+ Q9 A6 L* Rmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
8 S! a* |! ]& S" i- c1 D( F5 d$ d+ X
5 J" l/ Q% k' K% T( a1.下载OWASP规则:
, Y6 [7 a; Z: u) c) ?7 e$ O* h$ T7 ~$ U9 N2 b
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs8 U7 g/ M( k' [3 t# M
8 _& C6 O0 x) r0 n, l
mv owasp-modsecurity-crs /opt/tengine/conf/3 }7 b* `, l$ M# w/ ]4 D9 _' A6 r
`+ Z% R# \9 D# ~( Z& U' z+ Rcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
. R. V( |, c- b4 Q3 \5 I2.启用OWASP规则:( ~ e+ x% A& V
/ \0 g4 Q* E* f# |* `# x- P1 Q8 t复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。* J2 O3 Y4 x3 o' `1 U$ t4 z
, r" c9 x/ Z) P; f1 f编辑modsecurity.conf 文件,将SecRuleEngine设置为 on; M. J& A5 ^5 A. u
/ g2 [( O! F% S0 c6 ]1 f
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
8 b' @$ i# l$ o9 s$ J
; s3 p+ P/ T. |Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
$ n" A5 m: L' Q2 L4 @/ gInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
3 |7 a$ p1 a. x8 mInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf5 b% G( O) ?9 J& j* q
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf7 F' Z% c+ U. f" D2 \! U
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
9 i0 S. e3 b; R9 ^Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
- t# } K3 }; l; e6 AInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
0 w' X+ F. j4 t; M* \五.配置nginx
3 R3 L9 ^/ [8 ]: g. X% ?+ ]% Y6 e- T
在需要启用modsecurity的主机的location下面加入下面两行即可:
! ^# s8 T; H# N; z( p% G& P8 P2 B% Q* x' f
ModSecurityEnabled on;
% S+ M, x! f8 ]ModSecurityConfig modsecurity.conf;
' c9 J+ E( f8 [' ^2 m3 i9 K4 G下面是两个示例配置,php虚拟主机:
! p* ], j1 G# p. j3 W1 @2 B/ V
4 r; R. `5 N3 K" s7 }server {
) U; E9 e0 h$ p6 t S+ P5 @8 G# N3 e listen 80;
$ i0 l$ s0 J8 i server_name 52os.net www.52os.net;
1 u! ^# a# J' n- O+ W/ u 7 b4 Y0 }4 Q# x, t& p4 S0 W
location ~ \.php$ {6 ]9 {$ f0 z' \! K0 u8 h
ModSecurityEnabled on; ' c6 [' A- v2 T
ModSecurityConfig modsecurity.conf;
4 Z, G9 U" z5 O# V3 E7 M9 W3 D) {- z7 d, v$ t3 M
root /web/wordpress;9 k5 f& d: w7 s% w( Y% i
index index.php index.html index.htm;
$ L. Q6 s5 b( W5 \3 e 7 L8 k8 z. C- c6 H$ r# j& _9 w
fastcgi_pass 127.0.0.1:9000;$ c: y) l: T; ]
fastcgi_index index.php;
9 ?: X6 T$ Y& `) ]+ w fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
: G; a s+ [+ y- m4 j8 W include fastcgi_params;. B$ n. S; p" q/ N/ x, Q5 M
}
8 y( q1 ]# G- L! ~+ P( ^ }: U1 m3 k( P; U) I3 c9 w# \
upstream负载均衡:+ X5 k% v2 D$ i# u- r2 p: |- Z
' C9 m; ]' H6 v3 h. L& ^upstream 52os.net {
% b" f% ]8 J0 O. }- z4 d6 ]9 P n; h server 192.168.1.100:8080;
( O0 C6 I a( d3 U! X1 T) `7 D2 } server 192.168.1.101:8080 backup;
* ~' [% T$ j/ U& z! @ z# {' ]}
) Q; \" g# Y A) Y" f
; Z1 z; u: _9 r7 u" Wserver {9 E2 @, w! v: ~1 i6 K1 a& K3 I
listen 80;$ V M" d+ f5 b1 |
server_name 52os.net www.52os.net;
% c. U- k Z) F+ n5 |
: v4 l8 h; n4 Q3 w3 nlocation / {
: a. [% E; L# Q ModSecurityEnabled on; 7 F3 j3 o1 R* y7 V' ^5 s6 S
ModSecurityConfig modsecurity.conf; " J# C9 y) g! s' t0 ]" z
+ P/ \) D. F) t proxy_pass http://online;1 _( D. ]: T, `+ W6 D
proxy_redirect off;
3 E: @" v) A# E9 Z+ j% w proxy_set_header Host $host;) ^& v" {- E% _; x6 G5 S* ]7 C
proxy_set_header X-Real-IP $remote_addr;
) ^' f3 d0 _5 P) h" f* [ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;4 U) P! ~+ W! V+ d* w8 A
}
. O( W3 g9 ~9 } T% b}
$ ]+ Q, Y5 f7 B; ] V) M) V: _, C六.测试
5 @+ V$ U9 l |# s, w7 l( k4 i, c& W- a- W
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:9 z; q' y5 W% n+ Z# _( R2 K
3 p2 j% w5 v+ J7 o
<?php
+ ^6 ^8 R6 I6 r1 W0 L+ [4 U phpinfo();
( q5 _+ p$ ^/ f1 n?>
$ W; U$ ?, ^; A, s! s在浏览器中访问:& ^+ s! P: V- [; u1 X9 C6 _7 O: S+ h
E% q# f8 q: V, ]' s, g& ihttp://www.52os.net/phpinfo.php?id=1 正常显示。' r; Y, H# \( G) g: i+ G
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
- \8 p' F* P# B, o7 G( v, X0 Chttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。7 j' h1 X' x- j2 P* |5 f0 h
说明sql注入和xss已经被过滤了
3 W; L8 J, I D2 ] D: Y: ?0 ]3 v* X' C) k3 Q$ U6 b- M
七、安装过程中排错
( l |/ m6 N! t3 R
( }. e7 U0 p C1.缺少APXS会报错
, K+ R: y9 ]3 p) N3 R& o- X. H
: d1 k7 G* X, r3 ]configure: looking for Apache module support via DSO through APXS
' w4 ]8 W: o3 t3 {- Q: ]+ Gconfigure: error: couldn't find APXS
9 k: H& U: f, q; N0 V* p$ p. ~apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。! z1 y1 W; m+ i* f
解决方法:# y ^# L9 p1 g% ^" W5 K
* _5 x1 I7 N+ _$ i9 k8 a
yum install httpd-devel: x; M! T. K& X% r
2.没有pcre
3 f% {* }" f h1 d2 A0 o; ?( H( v2 b# g+ Z+ Y, N
configure: *** pcre library not found.. A# |0 d. V' D. x- j$ g2 }
configure: error: pcre library is required
?% J7 V9 x& T" B解决方法:2 d" Z7 a9 q; r0 p" G
9 T3 @ n2 S2 B
yum install pcre pcre-devel9 J. u. A$ Y: X6 ?8 S O
3.没有libxml2. \ D0 }1 {8 H0 w: l- d
) p/ m" E3 s, o
* z4 Q6 I5 Z) c6 `- s+ w& ]0 {configure: *** xml library not found.
' P4 g9 w7 ]. C' l( `configure: error: libxml2 is required
7 N0 ]1 _) ^/ \+ B2 }5 x解决方法:* d9 a% U8 f# t3 e' f7 a' b
# Y% \( a$ h2 W5 L, b! N; ?$ F' r4 w
yum install libxml2 libxml2-devel
) v: ]5 V( J% K `! Y1 \( J/ i0 i4.执行 /opt/tengine/sbin/nginx -m 时有警告+ y' j, x0 j' D4 |
- q7 c4 ~5 F1 OTengine version: Tengine/2.1.0 (nginx/1.6.2)
) _: r D( R: F9 M8 ^7 U; ?6 j* knginx: [warn] ModSecurity: Loaded APR do not match with compiled!
. [: ^ C6 |& X7 P0 V2 {原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log& L) j8 j7 u, y# g. Y
( ]# w9 x0 O4 Y1 @/ g
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.' b, M, C, j9 o$ Y9 J6 M
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"/ c$ k5 \+ Q" c- u& N
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
. ^5 Q) o; c' ~4 J4 u2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"' Y9 {6 t% W$ b1 y `
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"$ {4 f' f% {3 K- `1 ~, J' S
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.) D7 ?9 b6 t( {6 D3 l6 H
解决方法,移除低版本的APR (1.3.9)
' F7 ~ o! ?5 k7 T2 W4 c6 g% m$ Q+ I/ E2 p, T( A" a
yum remove apr" T- v% r! Q2 @5 X$ ~3 {; B
5.Error.log中有: Audit log: Failed to lock global mutex. M9 a2 ^/ a, u/ K8 c
+ I% `1 ~* A; s( o9 J& Z( J8 x2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 6 \7 P( o& ]6 y) ~' b
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
/ [4 A! H$ ^4 L$ Y4 s8 D# p解决方法:
" w$ S4 `* \1 J( n编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
% g2 G0 s+ E6 H% H7 i4 p# o" n+ ]) ]+ Q. x9 ?. q
SecAuditLogDirMode 0777
1 I/ Q6 j# j+ _6 n( O$ [SecAuditLogFileMode 0550! u5 T, E$ n z% H& L
SecAuditLogStorageDir /var/log/modsecurity
0 I3 v Y% P7 p9 i* L& QSecAuditLogType Concurrent
) p: f( G8 |1 Z4 G1 l, L) T0 M% R参考文章:
; [) J( F; F: s: V7 {) N0 H9 khttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
, [' H; ]* P: [- X& J' t7 D- ?2 jhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡