|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。; d n9 v; S @4 t1 z5 ^3 l5 j
1 z& M6 U" ^$ u3 o9 K; a3 X
一.准备工作
3 I2 N4 ?% V+ ?6 q" l
' ^# ^- F& @( y- k2 A0 r1 h+ p系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.04 B# }) E& a6 n8 L
) E) B. x4 O0 a* U k( d; l
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz" L! ?3 Z- v+ L# F3 p
- N- V, k0 _; f# Bmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
. R; e- `& m& q9 k! @
2 H8 J5 E; [# L' X3 _* HOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs1 N G2 {) P: H" Z0 H4 E
( w M9 j4 q& E' ]
依赖关系:
- M) u7 l z e7 Q& Y, |8 vtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:5 _4 D9 `6 d; U" o3 q2 W, R
9 s& H# N- u2 s$ s2 ^/ u* f
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel6 b# S; {, P$ }1 ?
modsecurty依赖的包:pcre httpd-devel libxml2 apr
( H) t8 l" w, A. e ]6 ~5 O& J P
, m. q A1 V' z6 C( O6 C2 f8 ~yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel- M2 T7 U1 |6 t+ p* }* f+ y
二.启用standalone模块并编译7 ? k, w* f/ p& ^
; E7 X/ A/ S6 G/ @ D
下载modsecurity for nginx 解压,进入解压后目录执行:
! ^ o; q# Z- ?* c& o% s% v% y$ J+ d; x0 S
./autogen.sh
4 V; r7 x( ^8 @8 r6 G./configure --enable-standalone-module --disable-mlogc" w, R( s8 X& ?# _, z
make % J- _2 h2 V& m t: g+ {5 I
三.nginx添加modsecurity模块9 n1 a" E" s& y i- e
7 V- L: J' d" S, m4 a1 Y9 F
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:' q7 ~# z. {, k" {7 O
$ `3 Y! a0 l: K./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
3 \0 r# r% J( ?" w4 a! h7 Mmake && make install ?3 Q1 t! k( n) t+ A+ m1 J
四.添加规则* o) m0 r" `3 \1 s x) j
9 [' q# e+ i* D* @modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
$ A4 b9 ]/ G0 n5 X, Q; Z6 C) ^! {' [* \
1.下载OWASP规则:5 h# Y* C" J7 `/ {" y `& i
/ g! m+ Z. c& P: H! D" \3 ]0 i
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
7 n9 T0 {* a$ ]4 T* P: h# }6 @# h7 F: R) L I0 V, I
mv owasp-modsecurity-crs /opt/tengine/conf/3 J; Q' e- i) t( ^6 N7 v g( F1 Q
: R& N- S, Q* v! `+ zcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf0 Q% V! ?- M T" e" h# ~
2.启用OWASP规则:0 r& z( }# ^; @
: ~- @+ s6 b6 C$ x F
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
: q; }% G3 n. M4 Q3 H) U8 d7 R/ L9 h9 e) Z0 e) c9 }" T7 ]7 X
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on# f! F* J/ I1 l- c. X7 K
6 J- w: |+ O" D2 V
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
2 w, u$ r" e! {4 f4 U, `" L9 t* e6 C( Z* |! {0 d3 @8 Z
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf. H& ]0 @6 H+ y% V
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
- y# \ E; c0 `% u" N; \Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
' h# }3 l: b6 @. sInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf# _$ A% w7 C1 H
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
, ~5 a l9 f0 pInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
/ M' i8 N; B/ jInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf# M+ e- A7 N" T
五.配置nginx- _7 w( [2 b" ~6 N4 T
/ O, K% x3 d8 g& B
在需要启用modsecurity的主机的location下面加入下面两行即可:9 v# F( ~' F/ [/ Z% T
* I# _+ ?( D$ \: vModSecurityEnabled on; + G) p* x1 |1 t+ B6 ? `4 d
ModSecurityConfig modsecurity.conf;/ T0 Y w5 w) k5 i/ @
下面是两个示例配置,php虚拟主机:& E! I: I' Z# }% P
2 s8 R, v- ^+ _0 r Z
server {
$ K* Y3 N- X0 J: F! p listen 80;
2 \7 a# d) G: X7 V9 e' Y server_name 52os.net www.52os.net;
* q, _! Q* ?, R# S: K
6 Z( _; K; X0 C5 I5 P location ~ \.php$ {
+ {) Y: `8 z2 ]9 n8 U ModSecurityEnabled on; 9 `4 J. f* I+ u A2 v+ {/ o1 v
ModSecurityConfig modsecurity.conf;
, {, _0 f* ~2 s! q/ h# ]
( d- l2 V" U$ y9 f, t$ c root /web/wordpress;
& `- f) l# ]* Y% k3 l2 V) h$ F K index index.php index.html index.htm;
. m& g0 t/ y( {9 O; t& X ^4 t! h! ~! A% }" l
fastcgi_pass 127.0.0.1:9000;
) h5 P/ x& k# q0 ^$ ~ fastcgi_index index.php;6 N/ s: a# y1 c: H3 L+ V
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;. J2 [: X: k0 J( m$ \
include fastcgi_params;
' v* D0 P! v- w2 ?3 p1 @/ D }% y; Y' f2 P) _
}
; y/ |1 ^8 j4 x# o# h+ fupstream负载均衡:" W3 ]: k( W6 O# ~: r8 ?, p( k
. y R2 K5 r6 f( ~- v# y
upstream 52os.net {
- T, F7 @* y& T. m1 ?! d server 192.168.1.100:8080;
7 r9 H$ p: o6 F# S, l0 J* V9 J server 192.168.1.101:8080 backup;1 b, A; _" c3 z
}& M4 H$ ^* ~4 Z
4 C; S8 q% {& K! t: L
server {0 [/ [% a) q5 ]( O5 _
listen 80;' x% \. p1 c* g
server_name 52os.net www.52os.net;
4 S( c- A' S! o8 A7 S$ u& \( ~+ y* W
location / {
6 [* P) L$ _, {* R4 d4 ? ModSecurityEnabled on; ; _) c; [4 b9 m1 h
ModSecurityConfig modsecurity.conf; 8 W3 s/ r7 g! K; F4 Q
& C- {& ^' a+ z% v: }4 N( E
proxy_pass http://online;
, {6 H P7 E- u/ X( G& p proxy_redirect off;
( |8 c( E7 b5 O9 v proxy_set_header Host $host;
: U# E* i$ w5 C" u5 d( x proxy_set_header X-Real-IP $remote_addr;
% \* D: j/ x# D proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- G& f' B4 j2 I$ R# K }6 f5 x( P% A: A% G8 z3 [
}
! P& c8 x3 E6 M9 P0 X6 ~六.测试- t( u' a' }( E' r9 d
7 f u1 L u6 |& F# f' C
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:/ ?! x# G7 r* R3 B+ X H
* \# F) c1 u& d4 X, q) T) a: f<?php
) _6 P0 v4 I5 H' |4 l* N+ s2 u6 e phpinfo();
( ^. \7 Z3 B& \$ g3 i?>
. _* {6 X- @8 [4 k- \# `1 r% c在浏览器中访问:+ O5 r1 m& G/ Q. w, c
* d: J) n& x! @- k' m
http://www.52os.net/phpinfo.php?id=1 正常显示。& g! T1 P2 W6 j8 Z: X* x9 a+ X3 t
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
; R$ D4 e5 b! O+ ihttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
# d( h0 P% P/ X9 b' i' Z9 V说明sql注入和xss已经被过滤了
0 X: z. b' e9 Q5 r9 x D, }+ H8 b- b) |3 c+ @7 w
七、安装过程中排错4 v0 c* X# A+ m5 j1 ~, p9 ~' T% w
) y- v- w/ l3 j1 t" [
1.缺少APXS会报错7 v0 [& Q4 ^) l; z y- B5 T2 K
3 n+ B! l. x5 |4 Z' g
configure: looking for Apache module support via DSO through APXS
: T& ?5 k( y7 Y9 r1 M8 Gconfigure: error: couldn't find APXS9 _/ I& g1 r; r% M. k9 @
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。( A/ Z7 `8 F/ t
解决方法:
$ Q2 g- L5 v: b, K+ `! S$ c& R
# b/ l7 h$ X6 |. d. Oyum install httpd-devel& G% ~3 x/ S3 H8 y1 n' a
2.没有pcre, `- M# p( ]* J
! ^( D, b+ Z( }. s; @
configure: *** pcre library not found.
5 |' v- y' ? Q% }; jconfigure: error: pcre library is required
& D z% u9 l5 e; z! N解决方法:
6 [' A) y0 O+ ^4 C
1 c0 b7 T4 B6 w' h+ Y6 b8 ^: ]yum install pcre pcre-devel# b% g. G0 j+ R0 M
3.没有libxml2+ b1 a! u5 B- e$ O" N
. @; ^2 |( E; j! E* b
6 w s# `4 A7 Bconfigure: *** xml library not found.
! k1 \" A, }- w# y# K8 mconfigure: error: libxml2 is required
! e. U- @: {" ^) k3 ]4 k解决方法:
L! _5 l8 J8 R8 x3 V+ l% a9 I y% m$ M6 R4 E5 X5 w
yum install libxml2 libxml2-devel
9 q# J3 x8 a* T/ ~4.执行 /opt/tengine/sbin/nginx -m 时有警告' r& \' H; e5 M6 u" u
5 I! k1 K* F2 T& e1 J4 LTengine version: Tengine/2.1.0 (nginx/1.6.2)8 g( ^& |( m' ?- ^6 A2 y
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
$ P7 M1 c3 R3 o+ p, ]原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
( ~' |$ M( u( Z+ Y' K, s/ c: R3 I7 {
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
) d2 ?/ F0 S0 \; v0 L9 ~( L: O2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"3 F! L( c& v2 ~- F9 b" `. g
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
! M! P6 Q+ m1 t# _2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
- a' V; `, I6 ^2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
1 d. S! R# ~/ f2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.1 u* M1 z- [: V/ J2 c
解决方法,移除低版本的APR (1.3.9)- } s/ J; u8 R9 R% L- y+ m @
, J6 i, | k- m/ z- _! K6 W
yum remove apr1 P( D( G9 \$ R1 ~6 M
5.Error.log中有: Audit log: Failed to lock global mutex
% y8 S# r w+ G" U1 C0 d* {. O u2 F( j) r- A: t N/ |7 ?+ b% A
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock ; h/ ~5 B2 w+ C9 G3 q
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
; C( D0 h% p" q l5 E解决方法:* U; e+ o- `1 X; E. [2 X
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:1 f8 F) n. O j% ~9 i! B
7 ]' m6 [# a* z: i
SecAuditLogDirMode 0777
1 n2 I$ ]4 ]" @7 A' i1 c# m- WSecAuditLogFileMode 0550
9 p% q# m: [& A1 n- \/ BSecAuditLogStorageDir /var/log/modsecurity
! |, W# y9 D* c- nSecAuditLogType Concurrent4 I/ A; D' S' Y, R" [: d8 A9 G
参考文章:* [, m s; D# }$ {1 v+ x9 Q
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
5 C( W2 O, T4 R) x9 ^+ E1 P2 Ohttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡