ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now supports nginx and IIS as well, and combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following from the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web attacks, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to cover other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each rule file (for example at the end of modsecurity.conf):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In each location of the virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, an upstream load-balancing setup:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # must name the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, abnormal requests are answered with 403. Using the PHP environment as an example, create phpinfo.php with the following content:

<?php
phpinfo();
?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
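The same three checks as a repeatable curl script, added here as an example and not part of the original post. It assumes the post's host and test file (www.52os.net, phpinfo.php); FETCH is a hypothetical hook so the suite can run against any status-fetching command.

```shell
#!/bin/sh
# Added example, not from the original post: re-run the three test requests
# from section VI and check the status codes the WAF returns.
# Assumes the post's host and test script (www.52os.net, phpinfo.php).
BASE="${BASE:-http://www.52os.net/phpinfo.php}"

# Fetch only the HTTP status code for one query string. --get with
# --data-urlencode encodes the spaces and angle brackets, so the payload
# reaches ModSecurity the way a browser would send it.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --get "$BASE" --data-urlencode "$1"
}
# The fetcher is a variable so the suite can be exercised without a server.
FETCH="${FETCH:-http_status}"

# Compare one query string with the status the WAF should return.
# Prints PASS/FAIL and returns 0/1 so results can be counted.
waf_case() {
    query="$1"; expected="$2"
    actual="$("$FETCH" "$query")"
    if [ "$actual" = "$expected" ]; then
        echo "PASS [$expected] $query"
        return 0
    fi
    echo "FAIL [want $expected, got $actual] $query"
    return 1
}

# The post's cases: a clean request passes, SQLi and XSS are blocked.
# Returns the number of failed cases.
waf_suite() {
    fails=0
    waf_case "id=1" 200 || fails=$((fails + 1))
    waf_case "id=1 and 1=1" 403 || fails=$((fails + 1))
    waf_case "search=<script>alert('xss');</script>" 403 || fails=$((fails + 1))
    return "$fails"
}

# Usage: sh waf_check.sh run
case "${1:-}" in run) waf_suite ;; esac
```

A non-zero exit status means at least one request did not get the status the rules should produce, which is the first thing to re-check after editing the Include list.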
VII. Troubleshooting the installation

1. Missing APXS produces an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9). yum will list any packages that depend on it; review that list before confirming.

yum remove apr
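An added example, not from the original post, that scans error.log for these startup notices and flags any library whose loaded version differs from the compiled one; it goes beyond the post's APR case by checking every library line, and the sample lines are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: scan error.log for the
# "compiled version" / "loaded version" notices ModSecurity writes at startup
# and flag any library whose runtime version differs from the build one.
# SAMPLE_LOG holds the three version lines from the post's error.log.
SAMPLE_LOG='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"'

# Reads a log on stdin and prints "<LIB> <compiled> <loaded> OK|MISMATCH".
# Only the leading numeric version is compared, because PCRE appends a build
# date to its loaded version. LIBXML reports no loaded version, shown as "-".
version_report() {
    awk '/ModSecurity: [A-Z0-9]+ compiled version=/ {
        lib = $0; sub(/.*ModSecurity: /, "", lib); sub(/ compiled.*/, "", lib)
        c = $0; sub(/.*compiled version="/, "", c); sub(/[^0-9.].*/, "", c)
        l = "-"
        if ($0 ~ /loaded version="/) {
            l = $0; sub(/.*loaded version="/, "", l); sub(/[^0-9.].*/, "", l)
        }
        status = (l == "-" || l == c) ? "OK" : "MISMATCH"
        print lib, c, l, status
    }'
}

# Returns 0 when every library matches, 1 when any line is MISMATCH.
# Usage: check_log "$(cat /opt/tengine/logs/error.log)"
check_log() {
    if printf '%s\n' "$1" | version_report | grep -q MISMATCH; then
        return 1
    fi
    return 0
}
```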
5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614