ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS; combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build has finished, the module is added to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is about filtering and blocking web attacks, and its strength lies in its rules. The OWASP rule set is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course write your own rules for any further needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs and does not block).

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by Include-ing the rule files in modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of every virtual host that should have ModSecurity enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First a PHP virtual host (note that nginx variable names are lowercase, so it is $document_root, not $Document_root):

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing (the upstream name must match the proxy_pass target):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;
    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered directly with 403. Taking the PHP setup as the example, create a phpinfo.php with the content:

<?php
    phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
4 X# @2 v: D5 _6 M) ^1 A七、安装过程中排错5 M4 b0 Z/ r8 P1 Q! t* J, J( ]% |5 ^6 U
" o8 w! k `8 i
1.缺少APXS会报错
! X. W0 T7 K( Q+ g0 E+ j; x, V0 C- b x
configure: looking for Apache module support via DSO through APXS8 h1 X. z3 {5 o
configure: error: couldn't find APXS6 l, n! q, L3 ^, j, g
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。7 Z+ R [- {7 v' z7 O
解决方法:
/ q: G2 G' A b) U$ O4 p) q
8 X- f- @) d/ d: F( X4 p( U+ zyum install httpd-devel7 ~4 _( {; z/ L1 {
2.没有pcre. j$ ^5 v+ M6 }. L
0 h+ h* s1 l+ |! b# V1 l# Xconfigure: *** pcre library not found.
?: w" T: a# U8 m, Yconfigure: error: pcre library is required
4 [+ X. x9 w9 D+ S) U. U解决方法:
v* L) I4 E ~0 i* ~ ~% _* G ^ T2 Q! q9 W$ b; H
yum install pcre pcre-devel
( E R/ E C+ u, D$ d4 i3.没有libxml24 _4 [$ e1 `; v. \4 }8 |
% _9 R' {; R- F& f( q/ @: F
5 g- [; v2 r; w! dconfigure: *** xml library not found.
D' r9 U! W* q- A+ q6 c( Y8 y Tconfigure: error: libxml2 is required, @- D( x" ?9 z. R0 R& C+ E" g* f
解决方法:
/ C8 S. q( X% m. w& t, x( R
9 u* t. h; p: i1 i7 m3 Vyum install libxml2 libxml2-devel
: k2 R1 \6 ]6 [/ y H4.执行 /opt/tengine/sbin/nginx -m 时有警告 k; Z$ S, r" i7 G* w& |/ V3 U
! N! n' ~5 ^ tTengine version: Tengine/2.1.0 (nginx/1.6.2)
! d# o' |) c& x1 `" g7 Onginx: [warn] ModSecurity: Loaded APR do not match with compiled!! \0 s4 ?( h/ T# M& z" L; V+ W9 d
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
$ K8 F+ P7 P0 q, h! ~; N5 _" p/ |( }# _5 \7 C7 i* I1 W
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
0 ?4 `- n2 f3 t+ D/ ^7 _# K2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
, b8 L' W* s$ l- w n* H2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
) r/ u- X% g- w. b# i2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
X$ ~, w7 ~ b( t( ? g7 H5 ?) d2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
3 R' ^; _& K: y8 ?1 n2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
. h8 A, R6 x$ }! P/ S$ T$ w8 t解决方法,移除低版本的APR (1.3.9)4 M$ b# E4 R# j" `
* t) a) [. ]7 ^# v L8 q
yum remove apr
6 k- f6 |5 Q4 a @$ M, c/ W1 L5.Error.log中有: Audit log: Failed to lock global mutex2 x. |8 p; }7 h" y
; Z) P, z7 `( B
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
! S1 [" p) b; `! _+ v5 g- }global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
3 k; D* \9 K ^( w' J' k3 l解决方法:4 l) u: H& z3 {
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
9 |4 H( S2 {2 L! T. Y1 [
% D$ N6 D2 q& K% F$ Q/ b( a, U0 h+ Q7 WSecAuditLogDirMode 0777+ `: `) g8 X' E0 @5 i
SecAuditLogFileMode 0550
1 k! k2 ^1 J. cSecAuditLogStorageDir /var/log/modsecurity2 Q* w! Y4 `' Q$ Z7 n
SecAuditLogType Concurrent( x% B' `1 z$ I/ X- ~& g" {
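The startup notices, the mutex error and every rule hit all land in the nginx error.log, so that file is the first thing to watch after enabling the engine. As an added example (not code from the post or from ModSecurity), this Python script parses the ModSecurity entries out of an error.log, reports library version mismatches such as the APR one above, and extracts the fields of blocked requests. The sample log is constructed: its first four lines are the post's own excerpts, and the rule-hit line is made up with placeholder id/msg/unique_id values.

```python
import re
from collections import namedtuple

# nginx error.log line: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
_PREFIX = re.compile(r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) '
                     r'\[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?P<msg>.*)$')
# ModSecurity appends context as [key "value"], or [client 1.2.3.4] without quotes
_FIELD = re.compile(r'\[(\w+) (?:"([^"]*)"|([^\]\s]+))\]')
_VERSION = re.compile(r'ModSecurity: (APR|PCRE|LIBXML) compiled version="([^"]*)"'
                      r'(?:; loaded version="([^"]*)")?')
Entry = namedtuple('Entry', 'ts level pid text fields')

def parse_log(text):
    """Return the ModSecurity entries of an error.log; other nginx lines are dropped."""
    entries = []
    for line in text.splitlines():
        m = _PREFIX.match(line.strip())
        if m and 'ModSecurity' in m.group('msg'):
            fields = {k: q or bare for k, q, bare in _FIELD.findall(m.group('msg'))}
            entries.append(Entry(m.group('ts'), m.group('level'), int(m.group('pid')),
                                 m.group('msg'), fields))
    return entries

def version_mismatches(entries):
    """{lib: (compiled, loaded)} where the loaded version differs: the condition behind
    'Loaded APR do not match with compiled!'. Only the leading version number counts,
    so PCRE "7.8 " vs "7.8 2008-09-05" is not reported."""
    out = {}
    for e in entries:
        m = _VERSION.search(e.text)
        if m and m.group(3) and m.group(2).split()[:1] != m.group(3).split()[:1]:
            out[m.group(1)] = (m.group(2).strip(), m.group(3).strip())
    return out

def blocked_requests(entries):
    """Rule hits ('Access denied with code NNN') with the fields worth alerting on."""
    hits = []
    for e in entries:
        m = re.search(r'Access denied with code (\d+)', e.text)
        if m:
            hits.append({'status': int(m.group(1)),
                         **{k: e.fields.get(k) for k in ('client', 'uri', 'id', 'msg')}})
    return hits

# Constructed sample; the rule-hit line uses placeholder id/msg/unique_id, not real CRS values
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "PLACEHOLDER" at ARGS:id. [id "000000"] [msg "CONSTRUCTED SQLi rule hit"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED0000000000000"]
"""
```

Run it against the real file with `parse_log(open('/opt/tengine/logs/error.log').read())`; a non-empty result from `version_mismatches` means the APR fix from item 4 still applies.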