|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。& j! C" e" v) [! V" _6 X M a1 @
! H7 q: n! L5 C, P" r Q# U一.准备工作! a7 g5 L3 P( P: f6 k6 Z
4 E" U. M9 R" I/ @
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
( I1 f e7 M( B
" V7 L4 \1 ?6 c6 Ftengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
' C' H3 S x+ E- a% K9 z2 r/ A4 [
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
4 W3 R; b: U" w5 D$ b
" z \: m' e. p, B2 V6 SOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs3 {5 ^! B5 O% `1 {3 `
3 V7 m; E2 y, G2 {& i# Y8 e依赖关系:
% u0 P9 |9 x- _4 r! Wtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:9 e, X; v3 v0 l
/ z: j( i6 {& g! o6 V" a' qyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel u( Y3 C# G4 R4 B+ Z( r5 V1 J i8 J
modsecurty依赖的包:pcre httpd-devel libxml2 apr
% [5 N/ C* r/ i$ f. T% c* j( f+ z& o7 G6 x. A2 a
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel7 F: b H% }8 Q2 ^9 X
二.启用standalone模块并编译+ }- e% H4 u5 c" Y9 Q
# i$ j5 }2 v# P1 X% J1 H下载modsecurity for nginx 解压,进入解压后目录执行:
% X2 b S. d7 V# Q' ?# ^# k* y3 I3 @, R9 ~; k
./autogen.sh- F6 ?1 m. J7 @& J1 H0 C% g
./configure --enable-standalone-module --disable-mlogc) X- n( P1 R8 b$ S
make # @: x" M! s4 q; H6 k
三.nginx添加modsecurity模块# k: D$ Z5 w' A$ Y2 C
3 k+ h# W% }: m3 j
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:/ e1 Z) F* p3 s/ k9 o* B
( o1 a c3 y3 E" B9 q7 y
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
" D! E. w8 d k% }! \) cmake && make install
s& F/ t( q! E. g: X: o四.添加规则# i- i! F/ ]/ A
3 k0 A ^" c0 R/ ~modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。+ t _) [& V2 m; o7 G: a$ p, x
* v0 J; u Q' x" j0 r, C6 h. H1.下载OWASP规则:# t/ ~4 f: t% t2 V1 N' b
6 J8 z7 }) j( a( M4 F& z3 c0 P5 Z, Pgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
7 T& [+ D! A3 \$ }9 i8 B" t+ J/ T9 O$ ^" O1 u* D$ l0 z
mv owasp-modsecurity-crs /opt/tengine/conf/
: u7 } G8 p3 \& T; m( ~) m8 j. b- {- Q
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf0 ?7 `& D# S' g: O3 h% G. X# _
2.启用OWASP规则:* j K5 x) ]) L$ ?5 p
6 }. |2 g- z: l! Y: x
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
/ M/ \. c& W" M+ B+ N
8 d+ W$ i5 _9 C编辑modsecurity.conf 文件,将SecRuleEngine设置为 on2 ?3 g# X; e) t! l. L( u
* p0 j5 d7 }" k
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
. Q& R2 n( S- ?. T; _# b4 I1 q T& ?0 {) F: }4 m
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf; g9 m" ^' l' L5 j/ L1 R
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
5 h+ w/ ^3 C# _! i9 y8 jInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf; R3 f) f. z4 S" m
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf7 Q0 V2 N, ^6 f& ?9 B
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
7 o0 ?' K. o0 k+ q4 MInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
! G# g' A, O5 L; ?3 T+ s* N1 z. RInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf. k" ^ u B% z) J
五.配置nginx7 @* n$ R5 C1 [8 y( m
5 p8 k% e, ?! y2 X6 W- X+ ^5 ?9 a2 p在需要启用modsecurity的主机的location下面加入下面两行即可:" Y- p8 u9 O% T4 @
9 S. z! r( @3 } E* [
ModSecurityEnabled on; ; N; P. @/ E9 o9 ]9 B" x: c
ModSecurityConfig modsecurity.conf;8 x+ M W8 F* s" d
下面是两个示例配置,php虚拟主机: |" d9 a6 C* D' c2 }
: j G% I- ?0 @) F
server {7 E: [6 x# S- y: p/ U
listen 80; L( c. q$ \1 O
server_name 52os.net www.52os.net;
; y( u0 q. b& B, u# `/ y- _
" C% Q$ ^- A, C$ u location ~ \.php$ {3 n( s* z% ~6 W& {
ModSecurityEnabled on;
" u {) \5 Z; M4 L$ H ModSecurityConfig modsecurity.conf;0 Z0 K# f& Y# a( A' q, }0 B
2 H1 d5 o& M: ?3 t ^- y. M
root /web/wordpress;5 K3 y- }- `" Y7 ]# ?" n# l
index index.php index.html index.htm;/ s( H. B6 ]0 n) H& G! G1 i$ B4 \
$ J7 b' L( B5 L fastcgi_pass 127.0.0.1:9000;
- J1 |9 Z3 m1 u fastcgi_index index.php;
+ ~# j" a/ T" q fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
7 Q; d( \7 _( y! k/ ~% e( p: q% g include fastcgi_params;
* s4 J e6 j! k1 F: ]; G }
. L7 E8 [+ m- v- \0 E5 T4 C$ ] }
( U' m$ U4 a+ qupstream负载均衡:/ l- D" m% }) t% W
; d# S) U# l5 j, p4 q* Q
upstream 52os.net {
% }" e( `/ E- V/ v. F1 X$ W server 192.168.1.100:8080;4 o+ @- \' Z4 R% D5 y5 Z8 r
server 192.168.1.101:8080 backup;* k' d9 r% l7 d, I
}
( K f6 S# P& t1 G7 I+ K
: l. ^" N5 V! R- A+ {2 Xserver {4 T$ R6 x" S, h7 X( k5 B
listen 80;
: I$ a( c' F% {' d& Sserver_name 52os.net www.52os.net;) v& K' p H9 x" ]4 G
- E; }7 g9 @7 Y& ]$ m6 }$ E' ylocation / {5 {. a9 k* _6 n, g8 Z
ModSecurityEnabled on;
( `. O' w, H& W5 l4 v- L- d* J; g3 u ModSecurityConfig modsecurity.conf;
* _) ]+ i, F2 f3 T D: H9 G. t9 Y' V! _( k) X
proxy_pass http://online;' \+ Y, S- Z* v/ ?+ Z
proxy_redirect off;
' M* w% E% I M% Y& U proxy_set_header Host $host;
% u8 h( d! y6 q proxy_set_header X-Real-IP $remote_addr;& B+ d3 d3 ?, D) W5 G) ]
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;3 ~" J J4 z. @
}
" K+ k3 E( s4 c+ l3 v8 k}
$ p+ I5 a* r" `7 X. ]: @9 i4 w六.测试
( V) P/ V3 S( Z: b$ U5 B0 i( P4 V0 N, w+ _
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:* h" \8 N, ?& H; ^
+ Y. b- N' g+ ]: s) V3 ?
<?php& r# O$ O, |& _& d0 w$ G# A
phpinfo(); 0 o8 K/ D3 K! {. f5 Q$ b0 R# U
?>3 p% z, D& l# N4 B6 t7 N
在浏览器中访问:
v) A# L Y6 Y* y7 ~7 D# n, C) G- E$ _
http://www.52os.net/phpinfo.php?id=1 正常显示。" P W. E) Y3 S) A+ v2 I
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
. O7 r$ }& z& Jhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。4 u9 |* L1 n9 J; R6 c F5 P! d8 I
说明sql注入和xss已经被过滤了
+ B) a# U+ b, m
5 |0 Z: p5 Y! B: J七、安装过程中排错
$ |3 B+ |- @( F2 N" s% ~. b0 @. x% Z5 L. @3 [: \, h
1.缺少APXS会报错
" Z: P! U% ~2 C' w, \
( I6 O7 f) D) q, l% M4 y# zconfigure: looking for Apache module support via DSO through APXS# [& S0 l1 X+ A- b" G
configure: error: couldn't find APXS2 c0 S! [2 v t: l; q
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。9 _6 V9 ?/ ^3 j. {) H4 k- d5 p
解决方法:
& W' Z7 v; o S/ }7 \
4 A# w+ K! ^: Y( \' z* Lyum install httpd-devel
! `4 x. v# B6 X1 u2.没有pcre
6 [$ W6 \. n, m, e) Q4 r) T/ v& q/ F: G
configure: *** pcre library not found.
8 b: e) P. A& Iconfigure: error: pcre library is required
* K. u- s- J& X: m' w6 R解决方法:
# O$ l3 f& F/ D# M5 z8 }7 l
# G. v2 w: B( Y+ I0 |8 Xyum install pcre pcre-devel- C, r2 J1 f( p4 V3 b# u# o
3.没有libxml2
# s# i8 L" q) f( q' W3 b: M+ }5 _# M4 r* W9 `* |* ~- c/ o9 X
8 d3 V$ t3 `" S2 k/ ^$ ?
configure: *** xml library not found.
5 }. |3 Z) d9 |; G1 ]8 r( _configure: error: libxml2 is required" r# c a" } ~2 [/ N8 q
解决方法:8 T6 M( f# A% `: j1 K( w0 g
4 c; _# x1 p `; R: E$ z( o Z* s( J
yum install libxml2 libxml2-devel: R0 E) s5 ^3 ?
4.执行 /opt/tengine/sbin/nginx -m 时有警告
9 \' c8 B# x' d9 t8 r: \ d
* W3 e( O& w+ @+ o1 pTengine version: Tengine/2.1.0 (nginx/1.6.2)
3 Q# o/ q @# k: L0 H- O9 L) B0 \nginx: [warn] ModSecurity: Loaded APR do not match with compiled!- k: f% G3 w/ C# {4 E! m8 \4 R
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
$ n8 b. S" L3 Z$ V" w D
: d4 _$ [3 j% o# K2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured., S$ X: y/ }9 t- X2 [
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"% E: G- o' `6 q+ s, F& X& w
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
, |( z& v1 j! x4 g# z0 k+ z2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"& k- _) u( O- \0 {; _$ y5 ^
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6": Q9 L, W, q A- d& ^
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.5 l3 k( q# T3 H2 d: G' p
解决方法,移除低版本的APR (1.3.9)
3 M# p. _: l+ g/ ?* c8 h8 w n$ Y+ P" G% I0 q W' u2 m4 D1 [
yum remove apr& m) Z( N" Z" d" ~* {
5.Error.log中有: Audit log: Failed to lock global mutex+ }9 _3 c0 k: w% m2 K9 r
6 T) j& K7 N/ n$ D: e
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
9 P1 {. Z# h4 P- A% @global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]/ h8 d* R k% |- c6 o% t8 y
解决方法:
9 t: f/ Y* ]% O+ J编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
& h) R$ T2 K* b! c3 G+ o& [( e
/ d0 a$ k% G0 @! l% _2 Y: ZSecAuditLogDirMode 0777
8 D* w) P- `7 eSecAuditLogFileMode 0550
; ]2 B) @3 H+ G9 \SecAuditLogStorageDir /var/log/modsecurity7 O$ v4 B9 f0 O6 x
SecAuditLogType Concurrent' T+ R7 S* ]0 ?/ ^; z6 c
参考文章:
, L6 t! ?& c& z7 @# U w: Phttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX+ F% @+ I% S1 @* H
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡