|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。! m. Z3 l& N, v5 S
: [% S9 m' ^8 i( j. M一.准备工作' H! U5 Y4 ~8 |8 H0 s3 y
4 R0 g0 E2 m; A系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0: {# W% L1 f6 c9 z
5 P8 S4 ]: q" P% _5 T9 E' Otengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz( V0 T5 R( k( M O) }, {& T
6 F8 Q; c- @. A; l
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
9 _1 x3 E; Z- P/ x5 t& E8 G
/ ~/ s0 P; I4 v% r- WOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
9 f5 C d/ H3 H' s# b5 q4 k; P+ Y# w9 \) b( r. V
依赖关系:0 m* t- {3 \; u- W5 L. }
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:( D4 W; l! t2 u4 y
! w" d$ _ m% z! a" uyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel, U; i6 Z& d9 o
modsecurty依赖的包:pcre httpd-devel libxml2 apr$ I9 X0 q) |2 H
9 P) a8 V$ I/ N
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel$ E- q! m6 `$ j8 e& U
二.启用standalone模块并编译$ m( s# B) }* d
4 ]# f8 B9 n9 I$ w
下载modsecurity for nginx 解压,进入解压后目录执行:% H3 z: ~& M2 I; \ ^+ x
, h7 p- B1 i, N
./autogen.sh
+ k* H, w8 H( D+ c4 R./configure --enable-standalone-module --disable-mlogc* g) ?4 i# o: G R% Z, y; r( k8 E
make ( G0 T+ ` L% |! n/ ^5 K2 {" e
三.nginx添加modsecurity模块+ D' B b4 t* E( m
. @1 e; p0 G1 S' S, f, ]- N6 [在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:& x( G1 v+ m1 _3 Q4 Q! g
7 H5 }0 G& W+ H./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
+ m5 o/ n- t: y" S' imake && make install: E% h0 m" D. J4 z- b; H
四.添加规则7 @5 H0 J! U& F8 b
" d" O! `- M$ Y ]8 C: s C3 gmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
9 @1 O% J9 V2 e) O( O7 C3 ^6 L d% n% q6 A+ i
1.下载OWASP规则: \4 j/ Y! _; n/ [
+ `7 W z6 y: F
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
+ }4 l7 X. ]4 h3 M7 x
" h, \/ q$ W4 d" Y( N9 e# {2 {mv owasp-modsecurity-crs /opt/tengine/conf/$ u% Q/ C% C( j3 K
$ t" V1 u' x( z4 @9 p7 d' Y, ocd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
* |) V( E' l. H2.启用OWASP规则:
J: Q: H. Y* F# K6 L1 \/ N5 c) ~0 a+ u' s- @3 W* k( W; Z
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。1 G( `% t. W9 B) i: B1 T" A
' q+ {9 H& d9 A5 a4 n编辑modsecurity.conf 文件,将SecRuleEngine设置为 on$ t0 y0 ^2 Q- A2 [
# K% u" B" G1 ^* P
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
; L6 S8 e- u" v* P! H3 o2 ?6 {
0 i9 A) b& m* T$ N1 Y8 a5 uInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf3 i( D+ s# e; J# n" ~6 F) f. E
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
* g4 S2 X; q: A4 I% J" ]8 gInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
5 K. H2 T" H& d: F3 tInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
2 S6 U' ^, k3 |Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf- m; J$ w% z" F9 a( @1 f
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
6 i; f) A3 n) F# k4 E3 ~Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf' h% M( H1 |( t, T6 h
五.配置nginx
7 o/ X, X2 E+ [" m! M
2 I* ?" e1 K$ l在需要启用modsecurity的主机的location下面加入下面两行即可:
; Q4 O z6 |3 W0 b3 G! ~4 R6 O, O1 p" ]0 |
ModSecurityEnabled on; ) v1 @9 {7 w7 h( T' w0 ^
ModSecurityConfig modsecurity.conf;7 X1 o! N ~: i0 Y2 e" }
下面是两个示例配置,php虚拟主机:2 J- S$ A0 Q' I
1 K7 p1 ]1 j0 _server {
8 [5 |& N+ l0 A! E6 K+ f listen 80;
6 I' T O) A& h: i) U) v P server_name 52os.net www.52os.net;
8 C3 f8 s$ X- ` u8 Y
' }: d0 F: R& A( {6 s; K( [; [ location ~ \.php$ {
# w5 A. g; ~; k# G/ d3 A) w ModSecurityEnabled on; % S$ }# e/ b/ V U+ k/ f
ModSecurityConfig modsecurity.conf;9 d1 P" b. ]3 `# S
, b& O$ [/ S; q8 b5 [
root /web/wordpress;4 F5 E" C" b2 v; q: c2 T
index index.php index.html index.htm;
+ T- \/ x. r# p# X3 K ) u* t* @! _9 h/ G
fastcgi_pass 127.0.0.1:9000;, @4 n- q! g( {) ]* i/ y
fastcgi_index index.php;
) `. b; s- H2 `2 x8 a( P6 R( s fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
7 F6 G$ I/ W8 u% X4 d1 d/ y include fastcgi_params; }- H$ A S$ I
}$ R+ z/ O2 s* l2 p
}
4 m4 F! ^. C7 r F! x' m: Mupstream负载均衡:
0 J2 {: t& D) Y0 V% l0 [7 w9 R; V" c% b. T( P6 L
upstream 52os.net {7 q2 q; \- |; x" o8 o
server 192.168.1.100:8080;5 H; {* O; c6 ?
server 192.168.1.101:8080 backup;' a7 R0 `" t$ F2 ]# Y- w
}7 S, z' E( ], R& N# y
# ^ A% x; X4 @* i4 P
server {9 {. J# x+ y( P
listen 80;/ P6 g# J3 t! K7 U5 d
server_name 52os.net www.52os.net;
4 t' @$ ?$ i2 z4 f2 l$ F
/ M0 r0 i' w0 F+ i" [location / {. i; [6 k2 j, v+ H' ^
ModSecurityEnabled on;
3 u8 B, h4 C! _2 |3 j ModSecurityConfig modsecurity.conf; & ^; A- b" u+ e0 e
9 D; i3 U5 Y z/ b8 a" v proxy_pass http://online;
1 H; @8 s3 w, _ proxy_redirect off;0 G5 v3 j) s; m: n' a
proxy_set_header Host $host;
/ C- j$ l" R$ S$ G' \3 w, F9 g+ \ proxy_set_header X-Real-IP $remote_addr;
1 H; F' { l4 Q/ F) R, Q. r `+ M proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
3 P% G4 ~# ~) J: o# Q& ` }( k) U1 t [) l
}& @ b+ \/ [" n5 J, l+ s7 V" i# L5 w8 x
六.测试
4 {8 e8 \) f5 p0 m
[' C3 `! c: v6 J+ F- S" @我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
+ P5 W" l7 L* k9 t$ S& _* o0 q& B& p8 S G! E4 u D9 g0 \ M3 ^ g
<?php) F6 V2 b3 Q+ A) ? b# O
phpinfo();
& @4 V1 j6 T, ^5 l/ F?>
" u+ X3 Y3 q2 H* e G2 q( G6 u在浏览器中访问:$ E; a" a9 W+ l
5 x& a! S1 e! y, }' H! n$ _( Z$ Nhttp://www.52os.net/phpinfo.php?id=1 正常显示。
; z7 M* ?* L; J5 o) e7 Shttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
2 Z$ j5 W; [; q% z3 D& Ahttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。6 V+ v3 m8 d* h, I
说明sql注入和xss已经被过滤了( h2 p6 f8 L8 U; {4 P& O/ X
# c( o* x; v0 r, M) d0 s. i七、安装过程中排错
* [. y% Z. A- q2 t t6 g. J8 [; q1 E
1.缺少APXS会报错
2 ^$ C, l9 t( _# w$ Q$ y- R( c0 h
( ?4 [5 d c3 ], q3 K$ Cconfigure: looking for Apache module support via DSO through APXS8 z8 }7 X0 s4 C# p" K% i S3 m3 y1 h
configure: error: couldn't find APXS
4 b( U, d8 E5 R1 K+ fapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
- b7 [& a; q6 r3 E( S% O( }解决方法:7 f% b! a' U; [8 r
a7 Q: f" J! D e7 Vyum install httpd-devel
Z& u2 e9 G( f( l5 R& S+ p2.没有pcre
& W8 k) O; _7 P# j: \
, | N- p3 I1 N+ N5 T( J/ _configure: *** pcre library not found.
( Y. V) y o3 D/ P/ D, P* P; `configure: error: pcre library is required
6 x/ U% E" P# v2 A解决方法:
9 c- q S' m5 p n4 d+ \2 a. P m$ X6 f) D
yum install pcre pcre-devel
6 v( D1 p3 ~& B+ g; g3.没有libxml2
" t/ y# \9 R0 a! U; b* Z$ s2 \0 f. Y/ f2 Y
# J G+ i! `; L4 ^0 v
configure: *** xml library not found.
$ ^$ S. E2 a2 G* {configure: error: libxml2 is required
; F1 W3 t4 } z- l解决方法:! o" k ]" T5 J6 B
3 h6 k4 `, W* \- T" Y/ l& ?: Kyum install libxml2 libxml2-devel, R8 @8 I# d- u* l
4.执行 /opt/tengine/sbin/nginx -m 时有警告
2 x9 E6 W; j5 Y0 ^' D3 |3 \2 p8 ]5 Z; w) a
Tengine version: Tengine/2.1.0 (nginx/1.6.2)* ~$ o8 B! v- w) e1 M
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!, H0 Z5 S' P2 R4 ~
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log; G7 c9 a* v# r) I: ]" W( g3 S
' l" I/ F9 T& Z: N0 K, U2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
% b& _6 C9 C" F1 v2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
7 v/ Y* q9 Y& G N4 J; {+ e0 R3 I2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!4 p% ?7 _/ q6 a5 m
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"# G# _( ]) b5 M0 k
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
1 n% i0 A8 u$ J+ d: |& @2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
0 x4 ^) W U/ e% i/ o解决方法,移除低版本的APR (1.3.9)
8 V* V) @% D$ o; `$ p* k: }& e( M! n3 z |4 E" B
yum remove apr( f2 _# l. e3 ?4 W# r" l% ~! _
5.Error.log中有: Audit log: Failed to lock global mutex, k$ a$ ?. i# p& r/ y* R
) U8 |4 w) D; C
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
6 x( ^) _2 x6 f: Jglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
& {! Y( X2 a; U0 N解决方法:
4 Y, }. l2 f0 l6 R6 ]: [& M0 P ~编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:9 I5 Z9 [9 D# N/ `5 Z0 X& l O
( Y! r( H5 @! A) G# q) f8 j. w9 G
SecAuditLogDirMode 0777
2 C" v) p1 a% \SecAuditLogFileMode 0550
6 T5 J( K' S& b. A9 S* USecAuditLogStorageDir /var/log/modsecurity) I( C0 q' J0 P0 q& E% Y
SecAuditLogType Concurrent8 Y x' U# _: J4 {+ _2 L
参考文章:( I" V9 a4 ?- ]
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX' T( j: m. F# X+ D: x8 q( N* m
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡