ModSecurity started life as an open-source WAF for Apache and noticeably strengthens web security; it now supports nginx and IIS as well. Combined with nginx's flexibility and efficiency it can be turned into a production-grade WAF, a strong tool for both protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl, all of which are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel, libxml2 and apr. httpd-devel is only there to provide apxs and the Apache headers that ModSecurity's configure script insists on even for the standalone build; Apache itself never has to run:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

make install is not needed here, and the source tree must stay in place: the nginx connector in the next step is built against the objects left in it.
III. Add the ModSecurity module to nginx

With the standalone module built, pass its nginx connector to Tengine's configure with "--add-module" (adjust the path to wherever you unpacked ModSecurity):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Afterwards /opt/tengine/sbin/nginx -V should list that --add-module argument among its configure options; if it does not, the ModSecurity directives used below will be rejected as unknown.
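The whole procedure in sections I to III, as an added example script that is not part of the original post. It assumes the two tarballs are already in $SRC (default /root), a CentOS 6.x box with yum, and root privileges; the package list and paths mirror the text, and the closing nginx -V check is the quickest way to confirm the connector really went into the binary:

```shell
#!/bin/sh
# Added example, not from the original page. Builds ModSecurity 2.8.0 standalone
# and Tengine 2.1.0 with the nginx connector, then verifies the result.
# Assumptions: tarballs already in $SRC, CentOS 6.x with yum, run as root.
set -eu

SRC=${SRC:-/root}
PREFIX=${PREFIX:-/opt/tengine}
MODSEC=${MODSEC:-modsecurity-2.8.0}
TENGINE=${TENGINE:-tengine-2.1.0}

# Build dependencies from section I (httpd-devel only supplies apxs/headers).
DEPS="zlib zlib-devel openssl openssl-devel pcre pcre-devel
      httpd-devel apr apr-util-devel apr-devel libxml2 libxml2-devel"

# Print the packages from $1 that rpm does not know about, one per line.
missing_packages() {
    for p in $1; do
        rpm -q "$p" >/dev/null 2>&1 || echo "$p"
    done
}

# Configure arguments that wire the standalone module into Tengine (section III).
tengine_configure_args() {
    printf '%s\n' "--add-module=$1/nginx/modsecurity/ --prefix=$2"
}

# Read `nginx -V` output on stdin; succeed only if the connector was compiled in.
has_modsecurity_module() {
    grep -q -e '--add-module=[^ ]*nginx/modsecurity'
}

build_all() {
    need=$(missing_packages "$DEPS")
    [ -z "$need" ] || yum install -y $need

    cd "$SRC"
    [ -d "$MODSEC" ]  || tar xzf "$MODSEC.tar.gz"
    [ -d "$TENGINE" ] || tar xzf "$TENGINE.tar.gz"

    # Section II: standalone module. No make install; Tengine links against
    # the objects left in this tree, so it must not be removed afterwards.
    (cd "$MODSEC" && ./autogen.sh \
        && ./configure --enable-standalone-module --disable-mlogc && make)

    # Section III: Tengine with the connector.
    (cd "$TENGINE" && ./configure $(tengine_configure_args "$SRC/$MODSEC" "$PREFIX") \
        && make && make install)

    # nginx -V prints its configure line on stderr; check the module is there
    # before touching nginx.conf, otherwise ModSecurityEnabled is "unknown directive".
    "$PREFIX/sbin/nginx" -V 2>&1 | has_modsecurity_module \
        || { echo "ModSecurity connector missing from $PREFIX/sbin/nginx" >&2; return 1; }
    echo "built $PREFIX/sbin/nginx with ModSecurity"
}

# Only build when explicitly asked, so sourcing the file has no side effects.
if [ "${1:-}" = build ]; then
    build_all
fi
```

Run it as `sh build.sh build`; the functions can also be sourced and used on their own, for instance `/opt/tengine/sbin/nginx -V 2>&1 | has_modsecurity_module && echo ok` on an existing install.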
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength is entirely in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and thorough, and you can also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

The directory layout used below (base_rules, experimental_rules, optional_rules, slr_rules and the modsecurity_crs_10_setup.conf file) is that of CRS 2.2.x; CRS 3.x moved everything into a single rules/ directory with crs-setup.conf.example, so if the clone gives you a newer version, check out a 2.2.x tag to follow this post.
2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches but never blocks, so until you change it the 403s in the test section will not appear.

owasp-modsecurity-crs contains several rule directories, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable only what you need by adding an Include for each rule file to modsecurity.conf; the setup file has to come first because it defines the variables the other files rely on. The paths below are relative; absolute paths such as /opt/tengine/conf/owasp-modsecurity-crs/... remove any doubt about what they are resolved against.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

The experimental DoS-protection and brute-force rules read their thresholds (burst window, request counter, block timeout, protected URLs) from sections of modsecurity_crs_10_setup.conf that are commented out by default; uncomment and tune those sections, or the two rule files are included but never act.
V. Configure nginx

Add these two lines to each location of the virtual hosts that should be protected; only requests that hit a location carrying them are inspected:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

The relative name works because modsecurity.conf was copied into nginx's conf directory; use an absolute path if it lives elsewhere.
Two example configurations follow. A PHP virtual host (note the variable is $document_root, as nginx variable names are case-sensitive and the capitalised spelling fails the config test):

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Upstream load balancing (the upstream block must carry the same name that proxy_pass refers to, so it is called online here):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with a 403 straight away. Using the PHP host as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

So SQL injection and XSS are being filtered. For every block, error.log (and the audit log, if enabled) records the id of the rule that matched, which is what you need when tuning false positives; and delete phpinfo.php when you are done, since it discloses the server's configuration to anyone who can reach it.
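The manual browser checks above, as an added smoke test that is not part of the original post. It assumes curl is installed and that BASE names the protected host (for example BASE=http://www.52os.net); the fourth, benign request is an addition that guards against a rule set that also blocks ordinary traffic, which is the usual way a WAF rollout goes wrong:

```shell
#!/bin/sh
# Added example, not from the original page: repeatable version of the
# section VI checks. Assumes curl and BASE=http://host (a constructed default
# is not provided so the script never probes a host you did not name).
set -eu

# HTTP status code of a GET for $1 and nothing else (curl prints 000 if the
# connection itself fails, which the probes treat as a mismatch).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# One probe: $1=label $2=URL $3=expected status. Returns 1 on mismatch.
probe() {
    local label=$1 url=$2 want=$3 got
    got=$(http_status "$url")
    if [ "$got" = "$want" ]; then
        echo "ok   $label -> $got"
    else
        echo "FAIL $label -> $got (expected $want)" >&2
        return 1
    fi
}

# The three requests from the text plus a benign query that must pass.
# Returns 1 if any probe disagrees, so it can gate a deployment step.
run_smoke_tests() {
    local base=$1 rc=0
    probe "plain request"  "$base/phpinfo.php?id=1" 200 || rc=1
    probe "sqli tautology" "$base/phpinfo.php?id=1%20and%201=1" 403 || rc=1
    probe "reflected xss"  "$base/phpinfo.php?search=%3Cscript%3Ealert('xss')%3C/script%3E" 403 || rc=1
    probe "benign search"  "$base/phpinfo.php?search=modsecurity%20nginx%20tutorial" 200 || rc=1
    return $rc
}

# Only talk to the network when a target was given explicitly.
if [ -n "${BASE:-}" ]; then
    run_smoke_tests "$BASE"
fi
```

Run it as `BASE=http://www.52os.net sh waf-smoke.sh`; a non-zero exit means either a rule is missing (attack got 200) or a rule is overreaching (benign request got 403), and the label tells you which.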
# ~& y) b2 ^3 m
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server, turning one or more source or object files into a dynamic shared object. Fix:

yum install httpd-devel
2. No pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. No libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the old APR (1.3.9):

yum remove apr

Check what that takes with it before confirming: yum removes every package that depends on apr, including apr-util, httpd and httpd-devel, so do this only after the build has finished, and verify with ldd /opt/tengine/sbin/nginx that the binary then resolves the newer libapr it was compiled against (1.5.0 here) from wherever that copy is installed. If it cannot, nginx will not start at all.
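An added helper, not part of the original post, that turns the notices above into a check you can rerun after changing packages: it parses the compiled/loaded version pairs ModSecurity logs at startup and lists the shared objects the binary actually resolves, which tells you which copy of libapr needs to go or be added. NGINX_BIN and ERROR_LOG are assumed paths; the embedded sample is the log excerpt from this section:

```shell
#!/bin/sh
# Added example, not from the original page. Compares the library versions
# ModSecurity was compiled against with the ones loaded at runtime, using the
# "compiled version=...; loaded version=..." notices in nginx's error.log.
# NGINX_BIN and ERROR_LOG are assumptions; override them for your install.
set -eu

NGINX_BIN=${NGINX_BIN:-/opt/tengine/sbin/nginx}
ERROR_LOG=${ERROR_LOG:-/opt/tengine/logs/error.log}

# The notices quoted in section VII.4, embedded so the parser can be run
# without a live nginx (`sh apr-check.sh demo`).
SAMPLE_LOG='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"'

# Read error.log lines on stdin; print "LIB compiled loaded" for each library
# whose versions differ and exit 0 only if none do. Versions are compared on
# their first token because ModSecurity appends a build date to the PCRE
# loaded version ("7.8 2008-09-05"), which is not a mismatch.
find_version_mismatches() {
    awk '
        /ModSecurity: [A-Z]+ compiled version=/ {
            lib = $0; sub(/.*ModSecurity: /, "", lib); sub(/ compiled.*/, "", lib)
            c = $0; sub(/.*compiled version="/, "", c); sub(/".*/, "", c); split(c, cv, " ")
            if ($0 !~ /loaded version=/) next
            l = $0; sub(/.*loaded version="/, "", l); sub(/".*/, "", l); split(l, lv, " ")
            if (cv[1] != lv[1]) { print lib, cv[1], lv[1]; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Runtime side of the comparison: which libapr/libpcre the loader picks for
# the binary. This is the file that "yum remove apr" will or will not affect.
loaded_libraries() {
    ldd "$1" | grep -E 'libapr|libpcre' || true
}

main() {
    if out=$(find_version_mismatches < "$ERROR_LOG"); then
        echo "compiled and loaded library versions agree"
    else
        echo "version mismatch (library compiled loaded):" >&2
        echo "$out" >&2
        echo "runtime resolves:" >&2
        loaded_libraries "$NGINX_BIN" >&2
        exit 1
    fi
}

case "${1:-}" in
    check) main ;;
    demo)  printf '%s\n' "$SAMPLE_LOG" | find_version_mismatches ;;
esac
```

On the log excerpt from this section the check reports `APR 1.5.0 1.3.9` and exits 1, while the PCRE line is accepted despite the build date in its loaded version; after the APR fix a clean error.log makes it exit 0.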
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent mode writes one file per transaction under SecAuditLogStorageDir instead of serialising every worker on a shared mutex, which is what fails here. Create that directory yourself and make it owned by the user the nginx workers run as; with the ownership right, 0777 is far broader than needed (any local user could write to or plant files in the audit trail), and modes such as 0750 for the directories and 0640 for the files are sufficient.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614