ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now supports nginx and IIS as well. Combined with nginx's flexibility and efficiency it can be turned into a production-grade WAF, a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module is built, add ModSecurity when configuring nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity focuses on filtering and blocking web threats, and its strength comes from its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can also write custom rules for any further needs.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by Including the corresponding files in modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines to the location block of each virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php with the following contents:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
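To repeat this check without a browser, here is an added Python smoke test (not from the original post) that sends the same three requests from the test above and verifies that the benign one is served while the two filtered ones get 403. BASE_URL is a placeholder for your own WAF-fronted host, and the fetch function is injectable so the comparison logic can be exercised without a live server.

```python
import urllib.error
import urllib.parse
import urllib.request

# Placeholder: point this at the vhost where ModSecurityEnabled is on.
BASE_URL = "http://www.52os.net/phpinfo.php"

# The three requests from the test section and the status each should
# return once the CRS SQL-injection and XSS rules are Included.
PROBES = [
    ("benign", {"id": "1"}, 200),
    ("sqli", {"id": "1 and 1=1"}, 403),
    ("xss", {"search": "<script>alert('xss');</script>"}, 403),
]


def http_status(url):
    """Fetch url and return its HTTP status code, 4xx/5xx included."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        # urllib raises on 403; the status code is exactly what we want
        return e.code


def run_probes(base_url=BASE_URL, fetch=http_status):
    """Return [(name, expected, actual, ok)] for every probe.

    `fetch` maps a URL to a status code; pass a fake for offline tests."""
    results = []
    for name, params, expected in PROBES:
        url = base_url + "?" + urllib.parse.urlencode(params)
        actual = fetch(url)
        results.append((name, expected, actual, actual == expected))
    return results


def waf_ok(results):
    """True only if every probe got the status the rule set should produce."""
    return all(ok for *_, ok in results)


if __name__ == "__main__":
    for name, expected, actual, ok in run_probes():
        print(f"{name:7s} expected {expected} got {actual} {'OK' if ok else 'FAIL'}")
```

A benign request that unexpectedly returns 403 points at a false positive in one of the Included rule files; a filtered probe that returns 200 usually means SecRuleEngine is still DetectionOnly or the Include list was not loaded.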
7. Troubleshooting the installation

1) Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2) pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3) libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4) Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr

5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 on the audit log directory lets every local user write into it; where possible, own the directory by the user the nginx workers run as and use a tighter mode instead.