ModSecurity started out as an open-source WAF for Apache that noticeably hardens web applications; it now also supports Nginx and IIS. Combined with the flexibility and performance of nginx it can be built into a production-grade WAF, and it is a powerful tool for both protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add ModSecurity to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built for filtering and blocking dangerous web traffic, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write your own rules for whatever else you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
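The steps of this section as one script, added here and not part of the original post; it assumes the directory layout used above (/opt/tengine/conf and the ModSecurity source in /root/modsecurity-2.8.0) and that the CRS checkout has already been moved into the conf directory as in step 1.

```shell
#!/bin/sh
# Added example (not from the original post): prepare modsecurity.conf the way
# section IV describes. Paths default to this post's layout and can be overridden.
set -eu

CONF_DIR="${CONF_DIR:-/opt/tengine/conf}"
MODSEC_SRC="${MODSEC_SRC:-/root/modsecurity-2.8.0}"

# Copy the recommended config plus unicode.mapping, then turn the engine on:
# the shipped file has SecRuleEngine DetectionOnly, which logs but never blocks.
install_modsec_conf() {
    cp "$MODSEC_SRC/modsecurity.conf-recommended" "$CONF_DIR/modsecurity.conf"
    cp "$MODSEC_SRC/unicode.mapping" "$CONF_DIR/unicode.mapping"
    sed -i 's/^SecRuleEngine .*/SecRuleEngine On/' "$CONF_DIR/modsecurity.conf"
}

# Append one Include per rule file (paths relative to the conf directory).
# Every file is checked first: one bad Include makes ModSecurity reject the
# whole config when nginx starts. Re-running does not duplicate lines.
add_rule_includes() {
    conf="$1"; shift
    for rule in "$@"; do
        [ -f "$CONF_DIR/$rule" ] || { echo "missing rule file: $rule" >&2; return 1; }
    done
    for rule in "$@"; do
        grep -qxF "Include $rule" "$conf" || echo "Include $rule" >> "$conf"
    done
}

# Sanity check before nginx -t: engine is On and every Include resolves.
verify_modsec_conf() {
    grep -qx 'SecRuleEngine On' "$1" || { echo "SecRuleEngine is not On" >&2; return 1; }
    grep '^Include ' "$1" | while read -r kw path; do
        [ -f "$CONF_DIR/$path" ] || { echo "unresolvable Include: $path" >&2; exit 1; }
    done
}

if [ "${1:-}" = "--run" ]; then
    install_modsec_conf
    add_rule_includes "$CONF_DIR/modsecurity.conf" \
        owasp-modsecurity-crs/modsecurity_crs_10_setup.conf \
        owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf \
        owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf \
        owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    verify_modsec_conf "$CONF_DIR/modsecurity.conf" && echo "modsecurity.conf OK"
fi
```

Run it as `sh prepare_modsec.sh --run`, then `/opt/tengine/sbin/nginx -t` before reloading.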
V. Configure nginx

Add the following two lines to the location block of any host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

And an upstream load balancer:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # the name after http:// must be the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so malformed requests are answered with a 403 straight away. Taking the PHP setup as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
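The three browser checks above as a repeatable script, added here rather than taken from the original post; it assumes only that curl is installed and that the site is reachable at the base URL you pass in.

```shell
#!/bin/sh
# Added example (not from the original post): run the three requests from the
# test above as a repeatable WAF check. Only the base URL is assumed; the query
# names and payloads are the ones the post uses.

# HTTP status of one GET. The query goes through --data-urlencode because the
# payloads contain spaces and angle brackets that curl will not put in a URL raw.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --get --data-urlencode "$2" "$1"
}

# Compare the real status with the expected one; returns 1 on a mismatch.
waf_expect() {
    url="$1"; query="$2"; expected="$3"
    actual=$(http_status "$url" "$query")
    if [ "$actual" = "$expected" ]; then
        echo "PASS $expected  $url?$query"
    else
        echo "FAIL expected $expected got $actual  $url?$query" >&2
        return 1
    fi
}

# Benign request must pass; the SQLi and XSS probes must be answered with 403.
# A 200 on a probe usually means SecRuleEngine is still DetectionOnly or the
# matching CRS file is not Included. Remove phpinfo.php again after testing.
waf_smoke_test() {
    base="$1"; failed=0
    waf_expect "$base/phpinfo.php" "id=1" 200 || failed=1
    waf_expect "$base/phpinfo.php" "id=1 and 1=1" 403 || failed=1
    waf_expect "$base/phpinfo.php" "search=<script>alert('xss');</script>" 403 || failed=1
    return $failed
}

# Usage: WAF_BASE_URL=http://www.52os.net sh waf_check.sh
if [ -n "${WAF_BASE_URL:-}" ]; then
    waf_smoke_test "$WAF_BASE_URL"
fi
```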
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object. Fix:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
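The fix above as a script, added here and not from the original post; the error.log path, the conf path and the optional owner argument (the user the nginx workers run as) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): detect the mutex error in error.log
# and apply the audit-log change above to modsecurity.conf. The optional owner
# argument (assumed: the user nginx workers run as) is not part of the post.
set -eu

# Count "Failed to lock global mutex" entries; anything above 0 means audit
# logging is silently failing for those requests.
count_mutex_errors() {
    grep -c 'ModSecurity: Audit log: Failed to lock global mutex' "$1" || true
}

# Comment out the Serial audit-log lines from modsecurity.conf-recommended and
# append the Concurrent ones. Concurrent mode writes one file per transaction
# under SecAuditLogStorageDir, so the workers no longer need the global mutex.
# Safe to run twice: it stops if SecAuditLogStorageDir is already present.
switch_audit_log_to_concurrent() {
    conf="$1"; storage="$2"
    grep -q '^SecAuditLogStorageDir ' "$conf" && return 0
    sed -i -e 's/^\(SecAuditLogType Serial\)$/# \1/' \
           -e 's/^\(SecAuditLog .*\)$/# \1/' "$conf"
    cat >> "$conf" <<EOF
SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir $storage
SecAuditLogType Concurrent
EOF
}

# Create the storage directory. The mode matches SecAuditLogDirMode above; giving
# the directory to the worker user is what lets the per-request files be written,
# and once that is done the directory mode no longer has to be world-writable.
create_audit_dir() {
    dir="$1"; owner="${2:-}"
    mkdir -p "$dir"
    chmod 0777 "$dir"
    [ -n "$owner" ] && chown "$owner" "$dir"
    return 0
}

if [ "${1:-}" = "--run" ]; then
    switch_audit_log_to_concurrent /opt/tengine/conf/modsecurity.conf /var/log/modsecurity
    create_audit_dir /var/log/modsecurity "${2:-}"
    /opt/tengine/sbin/nginx -s reload
fi
```

Run `sh fix_audit_log.sh --run nobody` (or whatever user your workers run as) and check that `count_mutex_errors /opt/tengine/logs/error.log` stops growing.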
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614