|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。$ D# S" {) b% W, m$ H; Y3 ]* J& H4 f
6 t5 _8 m, B. G. j: _( F% W一.准备工作
; f4 a: K# l0 B3 e' {1 E' v w, P
4 F9 V- b7 D- a6 \ h系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0: h+ R& k" C5 e- C5 y8 m- k p q" O
, I/ q9 U, c& Y: U+ G, p1 K3 P" R
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz( A3 C+ N+ j7 W% K" f- K$ u; K: }( s
& Q+ @6 c0 p! y
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
; m6 e e" P: d: ?$ ]% Y8 [& s& `- j( \! E8 i4 h- T
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
$ H c% ~( t+ s! Z% x
8 R- k' L! s$ [8 J* z y4 r% ]依赖关系:. S' g/ J, ?7 R. w" V% s$ [1 M* V
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
- y6 p5 i4 ]2 p4 D6 C+ Z- D3 Q) {% R1 K2 D4 n! K9 [
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
! _5 z( Q7 G8 t% e. ymodsecurty依赖的包:pcre httpd-devel libxml2 apr
8 H: J- s: o7 Q1 d2 T; R4 x% R& I5 O
7 b4 P8 G( _+ ^9 ~# Xyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel% k! s0 R9 s5 {, T7 U: I# Q
二.启用standalone模块并编译( \" n, C p4 D; u8 k
) E+ ?4 ^; @! f7 H2 v下载modsecurity for nginx 解压,进入解压后目录执行:
' C! `, Q* x8 \/ a3 F0 g- t; ]& t, D+ f" o; m2 c
./autogen.sh$ q2 T7 M1 k; X7 F# e/ d) ^
./configure --enable-standalone-module --disable-mlogc
6 N, ?$ `& W' ~2 }make
; D( R, ?4 l* q- R三.nginx添加modsecurity模块
6 p- \5 u% ]& f% E+ _, Z
" o8 ^2 j( c4 j在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
% F V6 h) k$ o3 u( S5 J+ p+ o
* e L6 y. X, k) d% B./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine& k |: p B8 K% [/ \
make && make install
`& ^" L& Z6 G9 \: d- r! f8 h3 ^四.添加规则2 f, a- S" Q1 C/ u
5 s( {, g: Z! a. F- ^$ P
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
# A9 H/ x4 r* {+ D
# n' ?$ `1 a/ G* J0 H0 \$ d1.下载OWASP规则:0 b5 O0 j7 R B! _* R
- q# l7 U% l3 l
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs3 y# d/ O o y
! u. |7 C* O6 E3 h* ]2 x
mv owasp-modsecurity-crs /opt/tengine/conf/
# Y% ^$ E! D) N$ |, N4 j9 m+ ^+ q# K9 u
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
0 R3 p9 c2 C. n8 @" H6 P2.启用OWASP规则:
4 B% S! f* R9 G4 R1 I& X, _+ d2 ~8 w% S( t5 ~# a+ n( b
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
: v H+ ?9 N/ D z3 E& E" g& z7 T: Y
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on* N( n; X7 i3 f3 k
) J7 B- x! L" Q6 o* S5 f& X4 E
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。9 C$ C# V' c; {" x$ n
: W4 ?: ^5 i/ x6 ~Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf! c: H: V9 O2 f
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf: G, i( A! L- G6 P9 ?$ J
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
3 ]" h. g% L" c( h n# H( cInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
6 r* H2 R5 q: r6 ?% D. F4 s) BInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
( |: j5 F$ R3 vInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
2 P8 E& T3 y) Z0 }% ?2 P2 KInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf `$ a& H2 v( A& @# \& u% ~
五.配置nginx, [* Y5 o6 _* M6 G
* z- I ~6 x, D1 W在需要启用modsecurity的主机的location下面加入下面两行即可:' r* K n. N$ T- }) |6 \ c
! m0 v6 |: n" G. `9 b7 Y. d! f
ModSecurityEnabled on; : C5 C8 c8 O0 T
ModSecurityConfig modsecurity.conf;
* C5 |1 t( P- H下面是两个示例配置,php虚拟主机: K. m, X% s. H
& n& c) m& _6 ^. [' h9 _+ d1 m
server {2 V% u5 U1 h; N& D" [
listen 80;
4 n+ q& n/ D- ]( i' g server_name 52os.net www.52os.net;1 Y5 F/ O. B" v2 @" K( J
& ?' j5 v( I8 e! @
location ~ \.php$ {- I& T) _& M3 H( \% D" g& k
ModSecurityEnabled on; / O5 |: d6 E7 f4 M+ x! N
ModSecurityConfig modsecurity.conf;7 u" j3 r, D8 Y2 o2 D, X: V
1 w2 }: A- _0 d J. ~ root /web/wordpress;
& z# |5 a0 [% S( B index index.php index.html index.htm;8 I. Z1 M# o9 @' A I4 t$ X
0 \ I' A6 \5 ^/ A- t6 x fastcgi_pass 127.0.0.1:9000;
3 M# w9 o4 g. g2 v6 {$ | fastcgi_index index.php;
4 z2 u" }- N a, H3 _ fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
& ?3 r3 q+ k% ~: b7 o% ^' b1 u include fastcgi_params;+ i M8 p/ p* t' v# A1 [
}
, e* Z$ ^7 C- R( T- v, a }3 d7 K4 _8 i$ Z9 Z* d* X" m" i7 N
upstream负载均衡:
G& }0 a- J* y( E8 T6 p8 }) ]
O, R/ N( r# n. t5 N$ `upstream 52os.net {. h5 i- |4 U* Y* v6 ^' i% m
server 192.168.1.100:8080;
6 @) ]1 _7 W" n server 192.168.1.101:8080 backup;
8 E: |& D2 H) s4 w}$ u$ S1 H( S& m, W; W7 r$ x. @
3 _9 ~1 ~& i6 Pserver {
, {1 t7 \. _* |( o8 \listen 80;/ R2 `- t N$ Y# d+ X5 R
server_name 52os.net www.52os.net;0 K! @- F7 m" x0 }" ]7 r1 Y
4 \$ {* F& s1 X; [8 v; Q6 Vlocation / {. g- W; \* I0 u6 e. e0 Z
ModSecurityEnabled on; 4 [6 j0 g* @( Y
ModSecurityConfig modsecurity.conf; ; }, t1 K @2 F) G
- i) }$ m1 ~/ z* E8 ]& {3 [; C
proxy_pass http://online;
7 G j( S0 A# q2 K i& v proxy_redirect off;7 N+ U, j! n" F/ k
proxy_set_header Host $host;
2 W6 V2 p% { Z; r proxy_set_header X-Real-IP $remote_addr;. B6 [$ t2 o: A* ?
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
% \3 C) j, H6 t' p }
! S5 [* q8 `9 Q. e+ P0 ?( j}
0 t* H( O K- A* D% m5 |六.测试
, R& b4 X, S4 |, f; w6 C( t7 c
; a2 d& e# Q: w" Q/ P3 [我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:0 y7 L5 D. i# C: k
. v1 @1 X, l% d) s. {9 Y
<?php" Q3 f' R6 ?+ x q- Q& t
phpinfo(); " x$ x- _9 I$ b& T; O
?>6 u9 B s8 O- R* ~( G% u$ a
在浏览器中访问:
/ a% q, E8 Q7 Z- g( C
. I5 l ?! z" v1 `/ Whttp://www.52os.net/phpinfo.php?id=1 正常显示。9 }3 B" E( P) k# S- P' H
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
! M* b# B Z& N8 Z% e9 ehttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。0 v, n2 J w: J1 y! C5 ~3 o8 j% t
说明sql注入和xss已经被过滤了 T/ i; }1 T4 F0 Y& N
# {6 T+ X$ |5 }( ^1 }5 S( A七、安装过程中排错
+ ^0 W1 @; y9 \; d4 e. T f
! ?& L* g" P% }+ b1.缺少APXS会报错/ p" m# ^' m1 _/ Z( [# a! p8 W
& P4 v+ ^3 W- Y# e7 G. Yconfigure: looking for Apache module support via DSO through APXS
: ^* {- s/ L8 Jconfigure: error: couldn't find APXS0 F; X+ C/ Q6 n& b
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。: Y0 z* U% z; C1 y! G7 b
解决方法:
, y& C/ O9 |, t8 |: c& D+ N8 ^; B
yum install httpd-devel
9 c6 `6 ~, t7 h; u/ B2.没有pcre# n$ a2 D" u$ p- d3 ~+ I8 y
6 ~" N3 J+ z% `0 `configure: *** pcre library not found.5 n5 M/ z' y; s9 K4 }7 j
configure: error: pcre library is required
8 P% t, \" u7 W) R解决方法:
$ }8 M# D' ~$ ]" [8 r, Q! q5 x% J8 z) h" F* d. g+ g6 q6 x
yum install pcre pcre-devel
" Y1 G( p6 t d/ I( R( G5 R3.没有libxml2
( h U( y% U- Z( S6 F
' j3 I4 L8 T' H# n7 \: a. d( G" r
configure: *** xml library not found.
- Q$ _' G( \) I" O0 d0 z4 yconfigure: error: libxml2 is required& g' |+ M: p1 J! f
解决方法:
+ v( U% j" c! J
- [$ ^ e. r! F' myum install libxml2 libxml2-devel
5 u. h! O Z$ V& s! j+ v7 h4.执行 /opt/tengine/sbin/nginx -m 时有警告
* |6 d! Q& L& S( G: Q. L' E% w( K) \' @/ v
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
1 T" u! n4 K( o* K2 n Unginx: [warn] ModSecurity: Loaded APR do not match with compiled!6 K) D% r- k5 y, P6 }
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log4 w0 d3 b2 A8 r$ h* Q, D, Y
) X" |3 x2 Z7 P5 `& g9 I2 ^
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
% g4 z+ W) @- ~ i* ]9 u( t/ |2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
6 z& H4 h; q3 z% x/ m* q2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
& X- H9 H. o* q/ _ Q. o2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"9 u' c8 R/ o7 ]( N
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"4 D* a- i* n- U" e4 w2 x: G
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.5 P. \; T+ _2 Z/ _: S
解决方法,移除低版本的APR (1.3.9)0 }. T: T3 h7 C* Y& j1 k, B( U
: y$ B2 N9 e6 K- G
yum remove apr6 q1 I9 D y) R/ R9 G* F( W
5.Error.log中有: Audit log: Failed to lock global mutex
! D" i6 X4 m5 `9 j3 a2 [" K% K3 |' }! I; G6 P
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock . }! V6 b2 e1 G7 C" ~* e4 U
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
, k/ D9 o; i8 ?1 n解决方法:
; c" O0 c4 C1 t# V X编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:0 [) r# w' n# [, L' [
- W: X8 ^! v& w ]. F
SecAuditLogDirMode 0777( Z: W. u3 T! p: w
SecAuditLogFileMode 0550
/ @5 _2 P6 x/ U9 O NSecAuditLogStorageDir /var/log/modsecurity
8 G2 w$ N/ ]' H. ZSecAuditLogType Concurrent
8 f5 w2 c4 K0 v+ J0 x参考文章:& Y/ i4 r( ^2 j% W% i. d
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX4 U4 d* F+ j$ T/ P" C8 m3 l* e
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡