|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。0 i+ p; Z# k$ k# E1 @# ]. U
! a# U. `3 Z' J一.准备工作# f% B7 W' b$ v* {0 }) ?, |# w
+ c7 J# u( T; J- A) B1 [. I. f
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
: h' r$ z4 N8 W/ @7 d, \( T* P* F6 ]: K! p
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz. I- W, ?" f5 p. h8 h
* z1 J$ I9 u% o
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
3 T8 v3 G- I5 F d# A( _, p6 j' ?- s0 r: \5 [" h" c/ e# n; X
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs& C* w9 s: W. h, Y
' ?! x9 W+ \+ d. e6 |
依赖关系:& c8 j6 M4 A2 j
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
, D1 E5 f) ]3 c# l- p3 q8 u( n$ }7 p7 i6 n5 w* \7 V
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
0 T5 f3 u- U6 K6 U5 k: R- I* Vmodsecurty依赖的包:pcre httpd-devel libxml2 apr
2 }& m5 g) U' W/ P+ ~+ W3 Z+ u4 N+ E: N8 s: N/ ^+ |
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel+ j: m) }' g. J2 n8 ]- T
二.启用standalone模块并编译
D# b: y2 p7 s" s! a" j: w( f! t
+ `$ Y. y0 K/ F& A& a下载modsecurity for nginx 解压,进入解压后目录执行:
8 f% O: g5 z3 E+ h7 s- w. j6 F. s: [- k5 R9 _
./autogen.sh: v% p7 M9 Z6 P5 [
./configure --enable-standalone-module --disable-mlogc/ J+ L8 E) C8 _& R- [! N7 |
make 5 \% J0 K) N' N3 y1 l; `/ t
三.nginx添加modsecurity模块
# g7 J( N* e f4 c& S h3 H7 n
: D2 f& Q9 J D7 I) F' `8 I2 Z. o7 U在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:# _* ]$ B+ o+ }/ Z% C* k1 a
$ G' ~& S: ]7 e% H9 z7 d1 M& B9 ^./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine) S# k X, c( s8 k1 f$ w2 l1 n
make && make install6 | s, |8 t7 {
四.添加规则
; \9 o( p. m3 a) p% V0 M' d" [" Z2 Y( e* [7 b' K2 n) t
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
0 K( q3 t# f$ e0 f" R1 L* c
: p. R4 F& F! u1.下载OWASP规则:/ i) w. Z, d3 \ D& g$ b9 N3 j; S
$ U4 G9 j+ r$ s+ s' e1 G8 X8 Ggit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
0 N$ V2 t- L* @5 R- x" Q1 d
" C2 d" P) Q" G# Qmv owasp-modsecurity-crs /opt/tengine/conf/4 T3 U8 ^, \; R! |2 e) s
, h+ A: l& `8 G9 z
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
7 Y6 H$ ]; k6 R9 h2.启用OWASP规则:- ~ E& W9 q% P# m- H F& x7 x
6 r" w1 X, R1 r- k2 d) M1 {& b
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。3 Z( K( M& z" U& O+ ?$ d* X& P
* p' \& ?3 s h5 S5 R
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
$ r, R4 {6 h% O# q! h. Z; V! V+ E2 z6 K1 U/ J# s+ |
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。) d7 w- j. m( M* j
- u5 A" Y$ y9 o* G5 r$ F
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
" m6 @, G& ]' l; R4 A4 mInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf; W; S0 X; l2 N' K+ A: ?4 d( ?- k
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
0 r# C# `2 B' \! K; yInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf$ W8 h0 k+ } H: d) W
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf Q- V1 k, [" c* n2 a
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
, U) ^1 N1 J" c" f& w& _) mInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
/ }4 D k( M3 }五.配置nginx; B# P+ T3 e K& t6 a9 v4 N
1 b3 B, r& p/ I在需要启用modsecurity的主机的location下面加入下面两行即可:+ p( ]) c) i4 Q! n' f, \2 W
: ]0 I* \5 u4 k) L2 b3 s) U: a: r
ModSecurityEnabled on; 4 a3 G# X3 b# w# J4 l
ModSecurityConfig modsecurity.conf;5 h# l' U1 Q, z. J
下面是两个示例配置,php虚拟主机:
! v# c: X9 E" B4 @ |; R
]; w$ B( J: [# Q0 nserver {1 e: k3 J( y& I. u: m0 B
listen 80;0 h; ?! g" w2 ^1 \: `3 }. N2 W1 a
server_name 52os.net www.52os.net;
9 S, F# E' L$ |- s) [% z" E ' Z" {2 [* p9 w% _- A$ K/ D& |
location ~ \.php$ {
( f2 s5 b K( ^* V ModSecurityEnabled on; 7 q0 Q. x+ X/ u3 m9 F4 t
ModSecurityConfig modsecurity.conf;7 v# E. v' w* K' F/ b
6 q' ^3 Y w4 d root /web/wordpress;
: i! [, V, e4 `9 [: x& r5 h index index.php index.html index.htm;/ d" e& o$ Y1 S- v5 v
0 K2 z& n5 u: n0 X p; Z" b
fastcgi_pass 127.0.0.1:9000;" q1 v, I t1 r* D) u
fastcgi_index index.php;
; h3 Z% _8 q: h fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;, j8 Z; f# |8 v- }4 E
include fastcgi_params;" `3 T7 l w$ W u& j5 j0 X- w
}
% u8 t9 d8 u! N }
$ K; R2 N) X9 G! z, S0 uupstream负载均衡:
# N7 @; m2 z# ]3 a& R$ N8 d
0 ^, D* l/ U* s5 \$ R! A$ d7 lupstream 52os.net {$ ]* f( }, w4 @- g0 c
server 192.168.1.100:8080;4 J( ^; {3 ]: v
server 192.168.1.101:8080 backup;! F! c' Q' y9 h- k- Z. ~+ H9 d% z
}
5 `' Z. W/ b! t9 P O7 \, A6 X$ ^1 c7 ?* b( r
server {* d, t0 p$ a) G$ q
listen 80;8 o4 V! ~) H8 q% S8 D, A* w
server_name 52os.net www.52os.net;
( d3 W4 N- l! C8 k7 }" S6 W: v# `# h" i% W0 |
location / {
2 c0 z* `- y8 n ModSecurityEnabled on;
+ E5 b( I/ m' x/ c/ i* A ModSecurityConfig modsecurity.conf;
5 H1 e9 Y/ t; E& H2 ]1 }1 `# ?1 g- B( m
proxy_pass http://online; Z/ j' B+ ]+ E" m
proxy_redirect off;
8 {, F$ y* i: v! b- O( e* s6 M proxy_set_header Host $host;! d+ E& o2 I$ T G, b) o
proxy_set_header X-Real-IP $remote_addr;
: a9 d2 s1 Q( m: Y7 w proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
, B' X) J% _+ r3 u }
" f- R, K, k2 Y) a5 O}
/ k& f* p# D) ~& `0 ?& X8 }7 Z六.测试
1 @5 w- F( X& r2 I$ b
^; T0 E' b3 W: \我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:' o5 K% G; Z2 I& {6 D) l( y) |
: H% c/ } d! |! o! {<?php* @7 e7 P9 p. y& F; V5 \) q
phpinfo(); ' ~6 c9 h6 m* I" q0 h
?>
$ h* ~: `4 L3 r在浏览器中访问:- ~: M7 o, q7 f& U! L; c
( {( n9 {# ]0 E
http://www.52os.net/phpinfo.php?id=1 正常显示。
: z& {/ h8 O- w3 ` uhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。; @0 q! y% R$ T u
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
. c* S! \( q( X- F& v说明sql注入和xss已经被过滤了
( ~0 p- c+ R, \0 W# t
4 b4 X* @& V; X* M7 P, R$ r七、安装过程中排错- V3 O8 B5 M$ C- y
& C) H. ^" y) a7 N1.缺少APXS会报错$ L& G0 A# V4 y% q9 h- X5 c
4 D5 e. x' }. h4 |configure: looking for Apache module support via DSO through APXS. c1 L$ a4 S2 s6 ~, p
configure: error: couldn't find APXS; s M8 I& O- g- B
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。 \: l* V) d, {
解决方法:7 {: | d5 ~+ [$ b
$ j4 k$ f+ C! \yum install httpd-devel5 e( n6 h# Y/ x8 q( `
2.没有pcre
, D# L* I! u w' q* J E
8 x; K2 ~0 H/ e" g. s5 S$ ~+ Lconfigure: *** pcre library not found.* Q: P# d9 l& q( r- i. ~7 }- n
configure: error: pcre library is required, V; Q) S) H6 g6 c. t" x$ @5 Q
解决方法:+ \9 y1 _& r/ m: A5 ^/ z
# S+ D- [5 d' Wyum install pcre pcre-devel8 w! g S! ?" L% `; ~" j
3.没有libxml2' u+ q) ]2 ^. }0 F, ~
' j( f; L4 B: c$ R( [3 F% {
: G0 V1 m) [1 E2 p* Econfigure: *** xml library not found.
8 e: O* }8 R" m& Hconfigure: error: libxml2 is required
- D. K9 _, {$ n) T, \4 E, q解决方法:
3 F Z% K$ p; |8 _
6 z) _5 u4 _7 P; Syum install libxml2 libxml2-devel: h4 ?1 D L3 k
4.执行 /opt/tengine/sbin/nginx -m 时有警告
1 J+ ?! f6 J2 m
- V( Q. H v" Q- \$ }5 R- [Tengine version: Tengine/2.1.0 (nginx/1.6.2)* @" j9 @0 K7 R7 _: m7 w q
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
: y; @" S3 ^/ z/ X" g8 {原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log8 u; X2 x* y! t9 l8 B
. T& {5 g4 q" K5 f+ x
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
7 r% S8 K) B1 Z& N2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
* ~7 {- C, Z0 K+ J: h: W z2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
' l+ {5 A7 n: K; l" q2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"5 A. Y" E. S. [7 `: z _/ U% z
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
, y2 l4 A6 O* N8 z# C' h2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
, U* @* c2 ?5 y$ }6 |2 ?解决方法,移除低版本的APR (1.3.9); {& I, g% q5 b) J$ s5 B
' ~4 D0 |' F! ], n1 T: g$ W
yum remove apr2 G d- S5 U& }% ?+ m) C
5.Error.log中有: Audit log: Failed to lock global mutex
9 J1 Y1 _ n, R* m4 [
6 u3 X, u) c- S+ b9 |* N2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
( o) e' n8 u; O( }2 K B+ Dglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]1 F! k; a: J) v
解决方法:2 V" d9 ]( d7 E% e- _1 P" G+ R
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:& P* L5 D. r4 H5 A! |- i
. m& U# {: d2 p7 }9 v8 jSecAuditLogDirMode 0777
* U9 G2 }' O) h- HSecAuditLogFileMode 0550
& H W* }9 Y/ F, a9 L5 I4 h, a PSecAuditLogStorageDir /var/log/modsecurity0 Y8 t3 y' Q3 O
SecAuditLogType Concurrent/ X8 K4 g( W* N1 G3 F2 d+ L2 L
参考文章:) D) v2 @9 r( j" G/ R
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
8 \, L* P- ~# r- ]http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡