ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web deployment. It now also supports nginx and IIS; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF and is a strong tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0
Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs
Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre httpd-devel libxml2 apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, add it when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules OWASP provides are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can of course also write custom rules to cover any need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.
Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling them in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
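Before reloading nginx it is worth checking that modsecurity.conf really enables the engine and that every Include resolves: a missing rule file stops nginx from starting, and SecRuleEngine Off leaves the module loaded but inert. The script below is an added check, not part of the original post. It builds a constructed conf directory that mirrors the layout above (assuming, as the post's relative Include lines do, that paths resolve against the nginx conf directory) and runs the check over it.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a ModSecurity
# configuration before reloading nginx. It verifies that SecRuleEngine is set
# to On or DetectionOnly and that every Include target exists relative to the
# nginx conf directory, which is where the post places owasp-modsecurity-crs.

# Usage: check_modsec_config CONF_DIR CONF_FILE
# Prints each finding; returns 0 when the config looks sane, 1 otherwise.
check_modsec_config() {
    conf_dir=$1
    conf_file=$2
    rc=0

    # The last SecRuleEngine directive wins. Off loads the module but inspects
    # nothing; DetectionOnly logs matches without blocking.
    engine=$(sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' \
        "$conf_dir/$conf_file" | tail -n 1)
    case "$engine" in
        On|DetectionOnly) echo "SecRuleEngine is $engine" ;;
        "") echo "FAIL: SecRuleEngine is not set in $conf_file"; rc=1 ;;
        *)  echo "FAIL: SecRuleEngine is '$engine'; no rule will run"; rc=1 ;;
    esac

    # Every Include must resolve. Relative paths are checked against the conf
    # directory (assumption matching the post's "Include owasp-modsecurity-crs/..." lines).
    missing=$(sed -n 's/^[[:space:]]*Include[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
        "$conf_dir/$conf_file" |
        while read -r inc; do
            case "$inc" in
                /*) path=$inc ;;
                *)  path="$conf_dir/$inc" ;;
            esac
            [ -f "$path" ] || echo "$inc"
        done)
    if [ -n "$missing" ]; then
        echo "FAIL: Include targets not found under $conf_dir:"
        echo "$missing" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# Build a constructed conf directory for demonstration (assumed layout that
# mirrors the post's /opt/tengine/conf). When DROP_FILE is given, that rule
# file is left out so the check fails. Prints the directory path.
make_demo_conf() {
    drop=$1
    dir=$(mktemp -d)
    mkdir -p "$dir/owasp-modsecurity-crs/base_rules"
    for f in modsecurity_crs_10_setup.conf \
             base_rules/modsecurity_crs_41_sql_injection_attacks.conf \
             base_rules/modsecurity_crs_41_xss_attacks.conf; do
        [ "$f" = "$drop" ] || : > "$dir/owasp-modsecurity-crs/$f"
    done
    cat > "$dir/modsecurity.conf" <<'EOF'
SecRuleEngine On
SecRequestBodyAccess On
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
EOF
    echo "$dir"
}

# Stand-alone demo on a constructed layout with one rule file missing.
demo=$(make_demo_conf base_rules/modsecurity_crs_41_xss_attacks.conf)
check_modsec_config "$demo" modsecurity.conf || echo "fix the configuration before reloading nginx"
rm -rf "$demo"
```

Against a real install the call is simply check_modsec_config /opt/tengine/conf modsecurity.conf. SecRuleEngine DetectionOnly is the usual first stage on a new deployment: the CRS logs what it would have blocked, false positives get tuned out against real traffic, and only then is the engine switched to On.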
V. Configure nginx

Add the following two lines inside the location of each virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Upstream load balancing:

# the upstream name must match the one used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so requests that match them are answered with 403. Taking the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.
This shows that SQL injection and XSS are being filtered.
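The three browser checks above are worth turning into a repeatable test that runs after every rule change, so that a tuning edit that silently disables a rule group is caught immediately. The script below is an added example, not from the original post: it sends the same requests with curl, percent-encoding the query the way the browser does, and compares each status code with the one the post reports. BASE_URL, the path and the expected codes are assumptions taken from the post's own test URLs.

```shell
#!/bin/sh
# Added example, not from the original post: a repeatable smoke test for the
# filters enabled above, replacing the manual browser checks. Each row pairs a
# query with the status the WAF should answer. BASE_URL, the path and the
# expected codes are assumptions taken from the post's test URLs.
BASE_URL=${BASE_URL:-http://www.52os.net}

# fetch_status PATH QUERY -> prints the HTTP status code for one request.
# curl -G with --data-urlencode percent-encodes the query value the way a
# browser does, so the payload reaches the WAF in the same form as the post's
# address-bar examples.
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode "$2" "$BASE_URL$1"
}

# Constructed test table: path|query|expected status. The first row is the
# control that proves the site still serves ordinary requests.
WAF_CASES="/phpinfo.php|id=1|200
/phpinfo.php|id=1 and 1=1|403
/phpinfo.php|search=<script>alert('xss');</script>|403"

# run_waf_checks -> prints PASS/FAIL per row and returns the number of
# failures, so a non-zero exit means the WAF is not behaving as expected.
run_waf_checks() {
    fails=0
    old_ifs=$IFS
    IFS='
'
    # The word list is split once, on newlines, before the first iteration,
    # so IFS can be restored inside the body without affecting the loop.
    for row in $WAF_CASES; do
        IFS=$old_ifs
        path=${row%%|*}
        rest=${row#*|}
        query=${rest%%|*}
        expect=${rest#*|}
        got=$(fetch_status "$path" "$query")
        if [ "$got" = "$expect" ]; then
            echo "PASS $got $path?$query"
        else
            echo "FAIL expected $expect, got $got: $path?$query"
            fails=$((fails + 1))
        fi
    done
    IFS=$old_ifs
    return $fails
}

# Only contact the live host when explicitly asked:  sh waf_smoke.sh run
if [ "${1:-}" = run ]; then
    run_waf_checks
fi
```

Because fetch_status is the only function that touches the network, it can be replaced by a stub to exercise the table logic offline, which is also how a CI job would test the script itself before pointing it at a staging host.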
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Solution:

yum install httpd-devel
2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required
Solution:

yum install pcre pcre-devel
3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required
Solution:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time; error.log also shows:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
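A small triage helper for the two error.log patterns covered in items 4 and 5, added here as an example and not part of the original post. It parses the compiled/loaded version banner for any library (the post shows APR, but PCRE prints the same banner and must not be flagged because its two strings differ only in a build date) and recognises the audit-log mutex failure. The sample lines are constructed from the log excerpts above, and the error.log path in the comment assumes the /opt/tengine prefix used throughout the post.

```shell
#!/bin/sh
# Added example, not from the original post: triage nginx error.log lines for
# the two ModSecurity problems described in items 4 and 5 above. Reads log
# lines on stdin, prints one diagnosis per problem found, and returns 1 when
# anything needs attention (0 when the log is clean).
triage_modsec_log() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            # Start-up banner: ModSecurity: <LIB> compiled version="X"; loaded version="Y"
            *"ModSecurity: "*" compiled version=\""*"; loaded version=\""*)
                lib=$(printf '%s\n' "$line" | sed 's/.*ModSecurity: \([A-Za-z0-9]*\) compiled version=.*/\1/')
                compiled=$(printf '%s\n' "$line" | sed 's/.*compiled version="\([^"]*\)".*/\1/')
                loaded=$(printf '%s\n' "$line" | sed 's/.*loaded version="\([^"]*\)".*/\1/')
                # Compare only the leading version token: PCRE reports "7.8 "
                # against "7.8 2008-09-05", which is the same library build.
                if [ "${compiled%% *}" != "${loaded%% *}" ]; then
                    echo "$lib mismatch: compiled against $compiled, runtime loaded $loaded; remove the stale library (the post: yum remove apr) and restart nginx"
                    found=1
                fi
                ;;
            *"ModSecurity: Audit log: Failed to lock global mutex"*)
                echo "audit log mutex: the worker cannot lock the serial audit log; use SecAuditLogType Concurrent with a SecAuditLogStorageDir the worker user can write"
                found=1
                ;;
        esac
    done
    return $found
}

# Constructed sample, assembled from the error.log lines quoted in the post
# (the mutex message is a single line in a real log).
LOG_SAMPLE='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]'

# Stand-alone run over the sample. Against a live install (assumed prefix
# /opt/tengine) use:  triage_modsec_log < /opt/tengine/logs/error.log
printf '%s\n' "$LOG_SAMPLE" | triage_modsec_log || echo "error.log needs attention"
```

One caveat on the fix in item 5: SecAuditLogDirMode 0777 works because it lets the worker process create the per-transaction audit files, but it also lets every local user write into the audit directory. Owning /var/log/modsecurity by the nginx worker user with a tighter directory mode resolves the same permission error without that exposure.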
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614