|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
7 C; |5 u- j) w* A/ @7 T6 F8 G) q. P* a# ]( |( I1 u/ ^- _6 Q; C0 _
一.准备工作) Z7 d/ z$ E; x1 Y
3 p* G& c4 n. R; u' E6 @2 C+ c; s系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.02 b" ?( S% e# b
2 Z5 S- A1 S. `7 t# ftengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
2 e7 B- Q$ |. T; Z& Q3 w6 i
6 [% K- q( t: P. R0 L, z+ Bmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz+ \1 k$ z0 X8 |6 H8 l1 [
" ]5 ^) ?( ^& o X: v0 m3 y
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
3 V* u3 T; k1 L0 ~. q
* D# [( H- b7 R7 t- S9 W依赖关系:
% f0 {" X# v9 X$ n% ~/ Vtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:+ `4 Y" A) Z: Y8 E5 M+ ?& ^2 z, O
9 H+ N3 G4 B7 w2 }& i4 P! L* @! @yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
; j$ ]. X Q: N% P9 L& W. \, \' lmodsecurty依赖的包:pcre httpd-devel libxml2 apr
/ [: h! h8 g1 r B0 ]: ]8 }6 Z, u* e$ ?; E$ r( T; _4 d
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
% h4 ~$ u' R# c) a, h6 s二.启用standalone模块并编译
) E3 I- d v, z; i1 Y& K+ B% v) y& i& K, Q. Y( h
下载modsecurity for nginx 解压,进入解压后目录执行:6 b T# O7 f# s$ t, p* ~
' Z+ B4 b* @2 g& g./autogen.sh
! y. ~# [4 F& t& X./configure --enable-standalone-module --disable-mlogc5 \( m8 U, k. L' _3 d$ \% p [) N
make
, u. i# v2 A- p三.nginx添加modsecurity模块1 A2 A1 U7 X# v; d2 I% O3 y
' S' A. s3 E0 _: N6 P3 j& K% U在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:5 S* L, M+ G/ v( v/ J- J1 ^
) _' Y2 B( {) W& u$ F8 U
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine. J/ W) x; M/ O
make && make install
A% }9 [- c( v. a四.添加规则
+ r2 D* h8 e+ M' C% Y4 `7 D) ^
! `6 v" [5 t6 n6 Q2 N' J0 imodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
$ O5 A, X9 w6 M3 _( T8 w
3 ~% b! [8 B! L/ P& `. D$ u1.下载OWASP规则:6 L7 }% n1 w; {8 Z
- e; |& a7 o& K* V
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
8 I8 l5 B7 i* q0 v+ \
* ^; c, [' ]$ q- s6 Bmv owasp-modsecurity-crs /opt/tengine/conf// Y5 ?. M8 \, T4 L; x9 }
$ V9 r/ [& z. B/ z' G4 O& k$ b
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
! X% a& {: f* H; D3 g8 D, Q t$ u( n+ o2.启用OWASP规则:9 ?6 a; p! @: V, W r- |9 b
) f# }1 C% f/ F1 Y/ `# }5 `3 m
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。( d- a' b7 g9 ?2 Z( k& \, d
9 r; L5 a% }. Y1 b8 W {" l; F% G编辑modsecurity.conf 文件,将SecRuleEngine设置为 on) {0 p6 \2 P6 A- w9 L! c( _- y
$ ~' n k: l" C R: b5 \
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。; R! { s6 ~+ _. f2 G$ M
6 X* ~! X B/ i) S! ^% j" `# eInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
?( ^' A6 p4 c' xInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf7 L5 q; u; x' [ C
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
/ s/ M* Q t/ p: P8 |" SInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
7 E! G# j6 E0 q: @6 B; f+ RInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
* V6 r% p5 f2 ?2 O4 E( NInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf/ P, M9 ~. Q9 ]; z0 i
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf% f/ I" P# b0 T, T
五.配置nginx
; x2 F3 L" W/ Y# o# I" d7 ?9 J( o& H$ g. S9 B7 E2 T
在需要启用modsecurity的主机的location下面加入下面两行即可:
9 h& M2 U1 S' q9 Q- a4 a6 E7 d3 K+ F1 \# |6 _$ r8 E. Q
ModSecurityEnabled on;
$ y) Z: F3 d" b4 Y6 l6 pModSecurityConfig modsecurity.conf;0 b; g2 c/ [2 }8 |
下面是两个示例配置,php虚拟主机:
8 H. S J4 b6 A+ m. ]! T, J+ v
4 T. I9 \+ W( X+ C- [* Sserver {% @+ E5 Z F7 u# n6 B
listen 80;
2 {1 g" @! D2 O: R5 | server_name 52os.net www.52os.net;% v7 p' `6 J A; @' U
: o2 B8 I& Y2 I: o- d location ~ \.php$ {
; {8 C- `+ i# _ ModSecurityEnabled on;
+ g$ v6 t& N- `# k ModSecurityConfig modsecurity.conf;/ a1 W7 ^8 h* ~7 s- h8 d/ `
- o; P! b9 D/ F$ t' S
root /web/wordpress;7 e5 ]5 E, R0 o/ H. k( g; n
index index.php index.html index.htm;
. m- L9 s/ P u9 D6 f / w7 j7 H c% ~0 @" K' q
fastcgi_pass 127.0.0.1:9000;
! V" k8 x W! x: i+ b. M fastcgi_index index.php;
) b4 c4 M5 k5 q0 Z: K7 E) w fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;% @; t0 D: ~. q6 W J
include fastcgi_params;- h( A) J& R& T P- I; {0 o* [: n
}
: K9 {3 O K% O- E4 R: ` }
6 v3 f$ j/ Z" u9 c2 {- Qupstream负载均衡:
B# d; i# R3 B- a
( ^1 ~2 @7 A0 Y& \- D, jupstream 52os.net {, L {7 F& d. j/ F2 B+ ?
server 192.168.1.100:8080;
3 ~' }; h4 O1 Y, Z/ H server 192.168.1.101:8080 backup;# e( K9 w+ B* B$ I0 @
}6 `* y5 k T Q- c1 e% v2 e
' T* G/ s& Z" o [' ~+ z( Z8 z
server {6 ~" ]4 W+ U( l/ Y
listen 80;
$ h T9 B* Y. Y/ D' T; D5 G+ hserver_name 52os.net www.52os.net;
( s' S. z! C/ J' O* E$ {/ P0 a) |7 M" \3 ]3 e: |
location / {
0 F4 [- L& B& Z5 c- F5 ] ModSecurityEnabled on;
/ w3 j+ E) K ~/ m! \0 G! [: X ModSecurityConfig modsecurity.conf;
) n3 G4 }. m p2 _: J: R' {
* Z7 I# w' u$ Y ~ proxy_pass http://online;& z8 x7 }1 y* |" e( ~, W
proxy_redirect off;
5 v5 J$ Z% L# t4 g1 Y# S' S7 m0 p proxy_set_header Host $host;
! V- m! z( L8 e; d, y4 m proxy_set_header X-Real-IP $remote_addr;" k& J4 J4 `8 {. O- |% }
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
3 z5 v1 ]3 u; N p3 S* x' Z }
; `. u& Y. r- Q: Y6 Z. |: c+ A H}% ]- S C" [6 x( z, s1 x& k+ k
六.测试
5 W9 s! g$ y r5 x, C
: g' O) P4 b/ e$ D6 o3 f( B' p9 R我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:! A! ~6 Q6 s" \% M `2 v! N) C
0 W& F: q9 V$ j2 B9 I$ D# i
<?php6 G2 J: o4 T8 Z1 f5 X7 @
phpinfo();
* s+ u& v' L" ?2 @5 A" u?>7 A8 p1 j3 Z- N9 H0 |9 O
在浏览器中访问:
% z0 y5 `5 o5 z6 e0 ], @9 m8 Y ]( e! }- Q
http://www.52os.net/phpinfo.php?id=1 正常显示。
# }3 i: S# k' A2 g ^& l: r9 K# Bhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
0 Q# _ D# B' v& s/ @2 E. Dhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。5 L( ^( g9 F8 V; l# X
说明sql注入和xss已经被过滤了) M; `# n" n/ A. }" w [) ]3 q, I
; i; W$ S0 C! } G% _七、安装过程中排错9 U0 V1 p- _( V$ V. X: N- r6 M
7 O- ^5 {/ {2 @1.缺少APXS会报错- X$ m& k+ a& [0 c1 d" `
6 d4 Y m: ]& C, d
configure: looking for Apache module support via DSO through APXS
- h T) G1 }* Fconfigure: error: couldn't find APXS$ d# H- z! F% |8 z8 l
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
& ^" a: Q9 U( W1 }% Q; |解决方法:3 v+ p W$ {! E% ]) Z- U$ m
# v4 x. i' I" _. m/ ]
yum install httpd-devel
) ] v4 S! |6 A' R: A4 x0 T2.没有pcre
* W% n( u+ r4 A! h
# v" _' r4 `9 v, s4 Tconfigure: *** pcre library not found.7 f, u7 `% a7 F. q" \$ [8 ~
configure: error: pcre library is required8 y" f8 R- P. g
解决方法:' ^6 h. K0 o3 }( T L
5 H6 x# d8 ?3 w8 {- E* \
yum install pcre pcre-devel
; A& E! \: y% z' ]$ C* y3.没有libxml2: G, U9 u) X1 ~" H4 s
/ U4 c5 U! S0 [/ ]
# U) |; {: j& N4 Z3 U3 w5 Gconfigure: *** xml library not found.
0 C5 @" H# l* _$ f9 [ i3 ?- @configure: error: libxml2 is required
% Z+ i$ V: }" `: r$ f0 ]解决方法:
$ g& p! q- \$ _
. l) l5 Z& W" r5 P* [# B3 Byum install libxml2 libxml2-devel
+ u4 x! l4 T8 N" [% n& E3 c: k4.执行 /opt/tengine/sbin/nginx -m 时有警告2 N3 n2 ~4 T" s, r1 ~7 s
0 i; P' j% a; @- D0 tTengine version: Tengine/2.1.0 (nginx/1.6.2)
+ R6 z6 H" g+ S; K& [- unginx: [warn] ModSecurity: Loaded APR do not match with compiled!- o+ J! P6 D+ ?: I I
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log7 Z% U* V* \1 l" d
9 ]3 y6 v0 i7 k3 `' p: ~; z& P4 T$ U
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
+ X# D$ a1 ]" P3 b1 @& }( Y2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
3 q y0 n8 |& v+ E+ o2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!$ f5 x6 M( b$ ?! a
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
* w" z* R3 R0 e8 F+ P4 F$ s2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"; R% _) b' {2 T2 D4 d- f6 V5 z, Q
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.* s# y& H ~9 x4 ]
解决方法,移除低版本的APR (1.3.9)4 k6 b, M! r) H: _6 L! s2 e
! j# K! j* C: `. Y, myum remove apr
; {; I& B/ _& Y. J8 |5.Error.log中有: Audit log: Failed to lock global mutex) v- ^, z. F. V
7 g! U7 w. a! ^: d! v
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
1 D) c& J2 s$ D' d) a* qglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]% k: w, a% a8 ^( m9 X A
解决方法: {3 f) R) d6 r" ?6 W+ h
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
3 L/ k! s# A8 l* M# i4 j/ v& a j6 Z( U" e( z- _
SecAuditLogDirMode 0777
H" e8 s! V; M. [) f& {. j3 SSecAuditLogFileMode 0550
# E5 Q6 K" _: Y# R4 u; ySecAuditLogStorageDir /var/log/modsecurity* h$ m8 Y) W0 J E5 W$ h
SecAuditLogType Concurrent
0 D8 e# X9 ] N参考文章:
U7 N; z9 v! x6 h6 q* Rhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
' Y* f1 m0 H% [/ f9 e$ \http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡