|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
Z9 ^+ Q; B% c$ K% y& ]" [& j! u1 ?- Y
一.准备工作* g; u1 f& T* U) h! u. ^; z
; |1 }& H+ \8 w" o& N9 X; G
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.02 O) ~& P% p* t1 r! C, r+ v& w
/ s' t$ v; i7 U: Ztengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
2 E8 m8 y& x: y4 }$ z5 z+ O, z$ L- I1 S) Y( `4 e
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
( {" P$ Q' f4 o7 ]8 L! q% L9 _% R) I N1 s+ X# z& y8 _: G8 D
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
" K8 e6 @$ F& b* S- [* ~# X6 `1 E/ {2 c1 A: j" u6 V
依赖关系:
. ?; y; u" I' ?) rtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
$ \, p3 {6 M5 y0 h& t3 Z- A) g. ?/ Z7 C5 m S+ ]8 ~+ ]
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
, N3 \( K: l B1 [! O5 V% L2 j7 {modsecurty依赖的包:pcre httpd-devel libxml2 apr4 ^6 ]6 E1 {+ Z, p
! K& l% ?% _# ^+ o z8 Syum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel9 q) D5 q) Z/ n" h$ Z) b
二.启用standalone模块并编译3 F) P" S7 _9 [. P
4 w9 U o0 v4 G
下载modsecurity for nginx 解压,进入解压后目录执行:
- ^. r& u2 c- R8 I7 m. v- h
' y4 p% F4 t* f: t( O: T0 l; R3 `8 @8 b./autogen.sh3 B' |& N# `7 d I1 l4 R$ A- G1 k
./configure --enable-standalone-module --disable-mlogc
2 c7 R7 N% v/ w+ l5 Omake + M" l+ l W* ?- X9 U
三.nginx添加modsecurity模块
# N# w, O* k$ ?+ {; L8 S0 w
1 }, w# {3 J- l7 o _5 f% _1 t4 _& b在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:2 R: K. _# C! l0 `1 W8 N6 Q# g
# K) D- c0 D! C0 m9 D( w
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine, n& j$ `) b! D! n& @
make && make install
1 e) @$ U! p) L. ^% P$ p* f四.添加规则
2 W$ ~: _ O" K# S' Z5 J1 z
" o2 H2 W* \) e3 ?% Rmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
! P A. x: K! y
! v8 w8 a6 \5 C# z1.下载OWASP规则:; G+ ?! K5 @6 T
( s& B8 ^- l; U8 Y
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs8 w2 H/ T& A6 B+ ]2 Z' Y; \/ _! N( S
8 A, f. ?& _' D! c8 `
mv owasp-modsecurity-crs /opt/tengine/conf/
' k* I6 M6 p0 V$ a; z
5 \. {% P$ Q4 z$ \6 h* ycd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
/ [; m2 Z7 g1 R# l9 i6 E( W7 e8 l2.启用OWASP规则:
- U! s+ i; {+ G* m! j' ~. A3 _; v o' l. G+ y8 u
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。2 o# k4 E3 b/ b8 E8 B5 c8 `5 P
1 _& ? ?! L% Q7 d
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on8 s: D+ M/ U2 M# Z. c
5 n5 E0 U3 E9 z, ^& n
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。$ r4 W2 [' `* [' L
" h; Y2 B1 V6 r) Q; l( ~) B i7 ZInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf* G* W& e0 A) e5 b0 \ t2 ^9 D* Z
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf, N2 _# Q8 k8 {$ l1 Y: P( i) C' w
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf+ g% P$ L5 M: A: T
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf3 d5 C: J* F2 W0 T1 g. ^
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
9 M$ M6 M1 \/ e: E( q e, ZInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf8 P& @& q- F4 q4 D
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf* T; U6 m) D# _% }
五.配置nginx* I0 Y; k& W- N& |4 m# F$ I
u, o: s( {; G
在需要启用modsecurity的主机的location下面加入下面两行即可:
9 I% G: c" q( P) E* p7 K
$ V" M4 J# M- _9 i" O/ t# \ModSecurityEnabled on;
; ], c3 `& k/ X: e$ \1 RModSecurityConfig modsecurity.conf;
" u! B" j" h6 D- }4 H# r4 t8 F下面是两个示例配置,php虚拟主机:
: w4 ^' A9 R( b2 v4 V9 N$ a4 ?+ @/ h: Y' D1 A) Z: U& }( F
server {5 r: w; E/ v& X. p
listen 80;. X& o, {8 Z$ p% h9 A) I' D% e
server_name 52os.net www.52os.net;
0 ^8 w" @( Q0 t/ {
; O( o" G: _4 Y* e( z1 _4 v- r location ~ \.php$ {
9 o( n: w' x4 h' Z E; `, I: A, ^ ModSecurityEnabled on;
% F: u) z2 l: V+ }2 T ModSecurityConfig modsecurity.conf;
7 c1 C" Y7 d% |# y. ?8 z) \7 E8 i; o+ M) M- @0 Y
root /web/wordpress;
+ _% d5 t5 ?+ V2 N index index.php index.html index.htm;
" [, }' b# C# i7 g5 S; u2 v4 U
4 [& M( ^& Z6 | S; M fastcgi_pass 127.0.0.1:9000;
! } ?2 X& A; O, C2 P fastcgi_index index.php;& M& P, u* ^- U9 p6 Q W" t
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
# \+ U, u' Z6 a; z$ i2 ~ include fastcgi_params;
0 G" O8 d+ P; m$ {' h1 ~$ _ }* Q$ j# A1 {! u8 m
}
# J, C7 W+ b, g/ K5 a. ~upstream负载均衡:( H- B6 i# p* n
/ A- j* {4 S- Nupstream 52os.net {5 E0 h1 Z( Q6 l+ b
server 192.168.1.100:8080;
) M4 P' o; c; Q/ { server 192.168.1.101:8080 backup;
1 _6 ?. S3 ?2 q' [, u8 A}
+ {$ {9 g% s* ]( ^: V9 B' `" U6 p c% [% ?1 }4 O
server {
! Z( C9 K: g5 M4 L9 g6 Q/ dlisten 80;
# E8 i2 L8 c# @ O- T7 \$ X/ O1 ?server_name 52os.net www.52os.net;2 V* \$ {; _/ O5 [7 B Q$ s
% m! G; N7 Q. b) A4 d% H3 M
location / {4 x+ W" e' w) n$ H, S
ModSecurityEnabled on; 5 K3 d5 d7 j9 T9 b2 r
ModSecurityConfig modsecurity.conf;
/ h+ I8 f% K6 i7 j3 p1 q [( a( ~# ?! ?. ]; N) A9 i- H1 T
proxy_pass http://online;6 H6 W1 H% J9 D
proxy_redirect off;
$ J" G7 x, j7 m$ h8 Y8 V0 o6 @ proxy_set_header Host $host;
$ p: N5 w, H( S" X proxy_set_header X-Real-IP $remote_addr;
- N4 O5 b, _ q! m proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
4 N$ s g: ?8 ?, d+ e }7 A9 \) v, s$ Q1 ~4 f& I
}
5 K! ^* O( A. w, o# q5 M$ }六.测试
1 a, a+ r! x2 G0 x) d5 g# U2 x# s7 p" j7 `
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:0 P* J: e2 q. n- d8 z7 `
+ g7 a5 [2 S& v* `: W6 R, P, v+ }<?php
r, B V% F9 a: K( o phpinfo();
- X" a1 m; p! Y3 e% t?>
6 n" ?( J8 w& ]% a" N; ^' L在浏览器中访问:
* v# P2 {; @ c0 w# m* V* [8 l3 l' C" c: J$ f
http://www.52os.net/phpinfo.php?id=1 正常显示。* C. u1 Y% A8 p( ]/ R: B* E9 i
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
' ^' z. N0 i* k2 Hhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
+ Q9 Y% D6 h& E6 Y* O6 o说明sql注入和xss已经被过滤了. Q) c! \- y$ ~) a% o) g
( w* D" h Y6 i2 m# u7 @1 k3 p
七、安装过程中排错( F9 F; s0 ]4 R9 |7 U3 d8 [
9 u |: X+ P- D$ A
1.缺少APXS会报错9 U: y. e6 Z# s+ V; B
7 X- _1 @- N9 r f9 T) \configure: looking for Apache module support via DSO through APXS" ?- c- S9 ]+ i Z" t1 `
configure: error: couldn't find APXS
7 p/ J- N+ r' y1 L' C. @0 kapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
$ l& e4 X3 \- d( | W1 [解决方法:6 u0 j( ?4 ]( G
/ S5 j+ a" u& Q) n( _yum install httpd-devel
# U, H* I; M4 w8 f2.没有pcre4 h' x* |3 J, F. q. W
% Z( m, X+ _. l& f& _configure: *** pcre library not found.: A" p0 e' m) Z
configure: error: pcre library is required2 F0 W. W. r" k) X* }
解决方法:
# k- V4 g4 e y$ I2 z- m3 }, x; @% r
yum install pcre pcre-devel- c5 o0 e6 K& \
3.没有libxml2
5 N2 Z' }- s/ U* Y
, |6 V+ L" a+ _
7 k- t# j0 f1 Q& i. vconfigure: *** xml library not found.
* k, @ K& |' w( Econfigure: error: libxml2 is required/ b- T1 z5 {5 N N8 J
解决方法:
0 c# e2 M$ j6 ~; V# y7 b: ? {/ w; ^, z9 [
yum install libxml2 libxml2-devel
8 J7 s) h, j, n2 } P4.执行 /opt/tengine/sbin/nginx -m 时有警告5 c' U, g* @/ J' f, f
8 A: u6 O: v% S
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
6 Y0 S' \: ]+ s9 D2 D5 cnginx: [warn] ModSecurity: Loaded APR do not match with compiled!& ?; p# Q. |% A" d M" [! J
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
4 n4 z! x- ~% w8 D1 s/ v" a
; b0 T9 F& k2 Q/ E |% ]1 m1 m2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
- W& O9 M/ Y& u f D# k% n1 S$ O0 q! y2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
7 @, J& C: t L9 w( C2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!# l; k' W/ X( }8 z
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
( p- |8 ~8 o7 w) ^4 f) O7 D2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"$ R" m# F6 ^8 H8 d! n
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.2 c% f6 Q* c7 {+ [' h" f
解决方法,移除低版本的APR (1.3.9)
! C) F/ [5 K6 V% C( Z7 K
' X8 a! B4 Y# v% `. I: @yum remove apr8 \: S, M) x6 m1 C2 G; o
5.Error.log中有: Audit log: Failed to lock global mutex
0 \$ v% A6 F$ j! L- g ]& q8 }( s$ e/ n+ T8 p) W
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock * L$ E- S& F* J- N+ P& n9 j5 `
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
' ^! c( i, V" Z; t+ |; N解决方法:+ m% r) G! L7 A ~+ ?8 G1 A+ d0 }
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
& h! K/ }9 r" I! _9 q7 u1 P: |5 N" ~) g' I6 b" G7 C! C/ g
SecAuditLogDirMode 0777
- u/ m& `# U# e) mSecAuditLogFileMode 0550
- @% c3 x: _. A! [) z& k- i$ RSecAuditLogStorageDir /var/log/modsecurity
# }& X. o. L8 ASecAuditLogType Concurrent
2 ?& }1 L- F1 c- i5 Z参考文章:( d7 I6 Z U( n# |
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
- T+ E/ _% f$ B* D3 Khttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡