ModSecurity started out as an open-source WAF for Apache and is an effective way to harden web applications. It now also supports nginx and IIS; combined with the flexibility and performance of nginx it can be built into a production-grade WAF, a powerful tool for protecting and auditing web security.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module can be added when nginx is compiled, using "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful. You can of course also write custom rules to cover any other requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling each rule file in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each host where ModSecurity should be enabled, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, an upstream load balancer:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # must name the upstream group defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered directly with 403. Taking the PHP setup as an example, create a phpinfo.php with this content:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
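The browser checks above can be scripted so the WAF is re-verified after every rule change. The following is an added example, not code from the original post: it percent-encodes the three query strings the way a browser would and compares each response status with the expected one. It assumes SecRuleEngine On with the SQL injection and XSS rule files included; the base URL and the injectable `fetch` argument are assumptions of this example.

```python
"""Smoke test for the WAF setup described above (added example, not from the
original post). Assumes SecRuleEngine On with the CRS SQL injection and XSS
rule files included, so blocked requests come back as 403."""
import urllib.error
import urllib.parse
import urllib.request

# The three requests from the test section, as (query parameters, expected
# status). The query strings are constructed here from the post's examples.
CASES = [
    ({"id": "1"}, 200),                                   # benign request
    ({"id": "1 and 1=1"}, 403),                           # SQL injection probe
    ({"search": "<script>alert('xss');</script>"}, 403),  # XSS probe
]


def http_status(url):
    """GET the URL and return its status code; a 4xx/5xx is a result, not an error."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(base_url, fetch=http_status):
    """Run every case through `fetch` and return [(url, expected, actual, ok), ...].

    `fetch` is injectable (an assumption of this example) so the checks can
    also be run against a fake server without network access."""
    results = []
    for params, expected in CASES:
        # Percent-encode the way a browser does, so the request is well-formed
        # and ModSecurity inspects the decoded argument values (ARGS).
        url = base_url + "?" + urllib.parse.urlencode(params)
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


if __name__ == "__main__":
    # The base URL is an assumption; point it at your own host.
    for url, expected, actual, ok in run_checks("http://www.52os.net/phpinfo.php"):
        print("OK  " if ok else "FAIL", url, "expected", expected, "got", actual)
```

A FAIL on the first case means legitimate traffic is being blocked (a false positive to tune), while a FAIL on the other two means the corresponding rule file is not loaded or the engine is not On.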

VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. The following also appears in error.log:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
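The same mismatch can hide in a busy error.log, and it is not limited to APR: PCRE and LIBXML report their versions in the same notices. Here is an added example (not from the original post) that parses those start-up lines, copied in as sample input, and reports every library whose loaded version differs from the one it was compiled against.

```python
"""Find compiled/loaded library mismatches in ModSecurity's nginx start-up
notices (added example, not from the original post). The sample log below is
copied from the post; in practice pass the contents of error.log."""
import re

SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
"""

# Matches e.g.  ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
# The "loaded" part is optional because LIBXML only reports a compiled version.
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)


def parse_versions(log_text):
    """Return {lib: (compiled, loaded_or_None)} from the start-up notices."""
    versions = {}
    for line in log_text.splitlines():
        match = VERSION_RE.search(line)
        if match:
            versions[match.group("lib")] = (match.group("compiled"), match.group("loaded"))
    return versions


def _numeric(version):
    """Leading dotted-numeric part of a version, e.g. '7.8 2008-09-05' -> (7, 8).

    PCRE appends a build date to the loaded version, so only the numbers count."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    return tuple(int(part) for part in match.group(1).split(".")) if match else ()


def find_mismatches(log_text):
    """Libraries whose loaded version differs numerically from the compiled one."""
    return {
        lib: pair
        for lib, pair in parse_versions(log_text).items()
        if pair[1] is not None and _numeric(pair[0]) != _numeric(pair[1])
    }


if __name__ == "__main__":
    for lib, (compiled, loaded) in find_mismatches(SAMPLE_LOG).items():
        print(f"{lib}: compiled against {compiled} but {loaded} is loaded")
```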
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent