ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module can be added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory to the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules in them as needed; a rule file is enabled by pulling it in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location of each virtual host that should have ModSecurity enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.
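As an added example (not part of the original post), the three browser requests above as a repeatable smoke test for the WAF: the benign request must get 200 and the two probes must get 403. It assumes curl is installed and takes the site under test from BASE_URL; the probe strings are percent-encoded because curl sends the URL as given.

```shell
#!/bin/sh
# Smoke test for the ModSecurity + CRS setup described above: the benign
# request must pass (200) and the two probes must be blocked (403).
# Set BASE_URL to the site under test, e.g. BASE_URL=http://www.52os.net
# (assumption: the host from the article; use your own).

# http_status URL -> prints the HTTP status code of a GET request to URL
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# check EXPECTED PATH -> PASS/FAIL line on stdout; returns 0 only on a match
check() {
    expected="$1"
    path="$2"
    actual="$(http_status "$BASE_URL$path")"
    if [ "$actual" = "$expected" ]; then
        echo "PASS $expected $path"
        return 0
    fi
    echo "FAIL expected $expected got $actual $path"
    return 1
}

# run_smoke_test -> returns the number of failed checks (0 = the WAF behaves
# as described). Spaces and angle brackets are percent-encoded so that curl
# sends a well-formed request line; ModSecurity decodes ARGS before matching.
run_smoke_test() {
    fails=0
    check 200 '/phpinfo.php?id=1' || fails=$((fails + 1))
    check 403 '/phpinfo.php?id=1%20and%201=1' || fails=$((fails + 1))
    check 403 "/phpinfo.php?search=%3Cscript%3Ealert('xss')%3B%3C/script%3E" || fails=$((fails + 1))
    return "$fails"
}

# Only touch the network when a target was given.
if [ -n "${BASE_URL:-}" ]; then
    run_smoke_test
fi
```

Run it as BASE_URL=http://www.52os.net sh smoke_test.sh; a non-zero exit status means at least one request was not handled the way the article describes.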
This shows that SQL injection and XSS are being filtered.

VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log will also contain the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr
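As an added check (not from the original post), a script that finds the compiled/loaded version mismatch in error.log itself rather than relying on the -m warning. It assumes the log format shown above and, when run without an argument, uses the article's own log lines as a constructed sample.

```shell
#!/bin/sh
# Scan an nginx error.log for ModSecurity's "X compiled version=...; loaded
# version=..." notices and report every library whose loaded version differs
# from the compiled one (the situation described in VII.4).
# Usage: sh modsec_version_check.sh /opt/tengine/logs/error.log

# report_mismatches LOGFILE -> prints "LIB COMPILED LOADED" for each mismatch;
# exit status 1 if any mismatch was found, 0 otherwise.
# Only the leading version number is compared: the PCRE notice carries a
# trailing space in the compiled string and a build date in the loaded one,
# which is not a real mismatch.
report_mismatches() {
    sed -n 's/.*ModSecurity: \([A-Z]*\) compiled version="\([^" ]*\) *"; loaded version="\([^" ]*\).*/\1 \2 \3/p' "$1" |
    awk '($2 "") != ($3 "") { print; bad = 1 } END { exit bad ? 1 : 0 }'
}

# write_sample_log PATH -> writes the notices quoted in the article (constructed sample)
write_sample_log() {
    cat > "$1" <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
EOF
}

if [ -n "${1:-}" ]; then
    report_mismatches "$1"
else
    # No log given: demonstrate on the sample lines (expected: "APR 1.5.0 1.3.9")
    tmp="$(mktemp)"
    write_sample_log "$tmp"
    report_mismatches "$tmp" || echo "mismatch found: rebuild ModSecurity against the loaded library or remove the stray package"
    rm -f "$tmp"
fi
```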
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614