|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。6 f7 X* p, y& q m/ Q
\% Q( k2 ~& |- M
一.准备工作
2 b7 A( D- B S# G) w" {# V- b
9 O3 m" r( ?- u3 a# Y i4 e2 Y系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
% t6 Q7 @3 V! W) m8 |* q- U2 p# E
3 ~( S M/ e2 J$ t+ Mtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
$ d1 H2 s3 J' s& ~2 S
% r6 w; b/ |7 |# b1 K# Y* Q1 M; umodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
& W0 E' S1 ~1 e7 d
9 b9 F; H, f9 w- b" p, ZOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs. w \8 S2 w( Q/ t$ V/ |- B
* e7 {1 J5 L' h9 c" _依赖关系:
S- P' O" X& Ytengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:4 Y! s1 O' V% g: z- j
# f! s. N( e" z5 X6 f& G+ s5 b
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
9 f2 r! N% \) n* z1 Y) `modsecurty依赖的包:pcre httpd-devel libxml2 apr( q1 V% E, \5 ?! N0 Z
+ o3 a% Z* V& W& q5 b9 g3 \yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel8 ^7 T0 j* [. t2 r' s
二.启用standalone模块并编译9 a% [/ a3 c; H
# f, W! [* H0 U- j& i
下载modsecurity for nginx 解压,进入解压后目录执行:2 {/ M% m2 ?3 N+ C* C9 g, ^' C
3 Q5 D) u$ K4 U: S4 t; J9 a
./autogen.sh
1 c1 [* @, \5 J* u$ z3 a./configure --enable-standalone-module --disable-mlogc+ y" X( t+ I4 C: ], J' `
make
+ J ]3 i, R5 F) P- }$ _' {三.nginx添加modsecurity模块
" V. X7 T, B6 s$ r+ z) V$ v% v, @! `0 F. L, y7 Q- o. C- ]
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:" R7 e1 e2 w1 f" Q/ Z% q3 V+ P
0 y: ?; r; O5 K; N& P- j/ F6 i./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
% j M! d' v. V' p9 p, }& Nmake && make install
3 u! ]- I% A7 `7 s% E四.添加规则
: \; ]7 \" D# k" K& A
3 G5 |% l$ d: c& K5 _; D- B: R$ Fmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。0 G& t- v" a" j0 k( O2 M- H% A
3 J3 v- p5 E( B8 y( s1.下载OWASP规则:
& s- f; h/ p7 a, C0 h y4 k; P- \- O$ T1 M3 x; }8 }
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
; U x* W/ `! }$ A) I/ b8 o8 l
6 j& g$ Q5 s- W* P5 gmv owasp-modsecurity-crs /opt/tengine/conf/9 t; r8 q# j; F
/ x4 L1 I( ?2 t- ^& B$ f/ s2 ]7 f1 K
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf( w3 h6 G0 f3 O+ I7 G; P
2.启用OWASP规则:# r( s/ Q7 I0 b0 O5 j3 i d6 F$ Y
( _ ?4 u" P9 y9 v. E/ `3 L: n复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。5 W. V; j* r2 [) c3 A. p
% T6 U/ z9 Q: S* a4 ~编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
. _/ t9 \" ^" i8 w, T+ \2 V0 R0 Q, @3 z- l
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。* R. f6 B$ p. |5 g
4 {; @0 Z- N3 p2 \& V/ I" l
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf- G2 e; \0 C$ i0 x2 G" @6 f
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf5 w( i" K9 B0 N) I( n
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf9 ~+ p& p1 i+ R: `
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf7 i8 v5 S3 \9 ~0 f! R' L
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf6 j6 B( S* q7 Z9 `0 D
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
; C$ U' |9 W& P3 W7 t/ ?1 j2 CInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
0 u8 a. L% s# z五.配置nginx
3 s2 \: b& T; D! e- P: b
3 ~) x. n- o+ }. D1 ^6 T3 L在需要启用modsecurity的主机的location下面加入下面两行即可:
0 ^/ k0 c! x2 b- c! @ U3 K/ _
" p; \4 s5 u3 Z( q7 t# RModSecurityEnabled on;
4 O1 y1 L2 L4 u8 A! FModSecurityConfig modsecurity.conf;
& b- r" I2 r. ~& _& F下面是两个示例配置,php虚拟主机:
6 i. Q- V1 B r1 u) p
( {' O1 d9 ]; w8 W4 gserver {" }! z+ G+ i; x, r3 e' Q( d
listen 80;
: s8 ?8 |& ?2 s server_name 52os.net www.52os.net;& F$ w" N6 k5 r9 |
6 C* _2 u0 \4 j6 r, y! W. H. ? location ~ \.php$ {
9 L! l7 W: \- P' O! O# z7 J ModSecurityEnabled on;
: W; I. \9 m. U. \ ModSecurityConfig modsecurity.conf;% ^( N9 P% w% ?6 _# n2 S$ e
, z+ z3 v) [7 m- [! h! B8 w/ ^ m
root /web/wordpress;8 V! r. P& [7 d) E1 V( d6 v& ^" e
index index.php index.html index.htm;9 o# e: T' B5 \: D$ C
, ~6 L! ^1 Z" O$ E1 v! I; i5 [8 m fastcgi_pass 127.0.0.1:9000;
% L' a/ G- i2 {$ X6 `2 m fastcgi_index index.php;
+ l* y* @8 w& x fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
1 ]+ W6 M& y( i; S include fastcgi_params;
) _, z9 k" I6 i& X( F }7 p& X0 z d& h# \9 l+ h
}
1 W7 k6 |) j1 u# Vupstream负载均衡:2 V& z, e9 Z5 t0 ]1 `6 }2 |; x j# x
( t; \' I3 |3 l: j/ S4 e
upstream 52os.net {
1 y; q0 D+ y- M server 192.168.1.100:8080;; B' p3 c5 T6 u+ w
server 192.168.1.101:8080 backup;4 k7 N! B, U: w, r, ^# }$ ]) N
} w6 l) j; A1 Q/ |) v) T6 K" e
7 j7 `$ c) s9 p& E' Rserver {
5 F5 O1 b) j* }6 w( N3 jlisten 80;
1 G4 [! ? h& I0 R7 E2 Iserver_name 52os.net www.52os.net;) E/ C- W, s) D1 }4 S
$ z; {% @ e% ilocation / {
$ |1 I0 J7 R0 o" @ ModSecurityEnabled on; 9 i7 A+ K' l8 u( D1 Z8 I
ModSecurityConfig modsecurity.conf; # x6 {! l8 U' a- n5 Y: o5 L
2 X; @4 x+ _4 h# n proxy_pass http://online; f5 H% t3 Y% c; t
proxy_redirect off;$ x( L m5 ]6 Q- l r
proxy_set_header Host $host;
/ S0 B& L3 M; p+ j, d proxy_set_header X-Real-IP $remote_addr;. f; `' [7 c' n( {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;+ k: S, c9 s$ n/ K" U% {. i
}8 I9 C( P; u/ [: X
}7 |* a$ n4 h; Q3 P+ @. ?2 q0 i* g' g
六.测试
: Z- A8 {3 K2 e: K; a1 s2 l8 v3 Z: E3 `0 u1 K0 _0 [0 m( O
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
! F7 u, H& R; ~/ f
3 d+ [4 L1 z" p* Q4 d. Y( I<?php5 W8 D# u# E" F9 d
phpinfo();
$ M2 u! U- e+ D! H8 {& |$ h?>9 T8 O" t+ C' V8 r8 L* [
在浏览器中访问:3 S m' N# k! M( c2 ?
2 u$ M' U7 O# E! U6 U' whttp://www.52os.net/phpinfo.php?id=1 正常显示。
% b! q9 {4 j# k5 x7 V: @, Q+ hhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
4 l4 p N; m$ v+ O2 M5 }) Q' ?6 s/ fhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。4 N( _( C3 Y# u+ W& O
说明sql注入和xss已经被过滤了
# O# w3 ~4 d# I, i6 q( _! w; o3 D' G$ p: {3 O. x) V8 R
七、安装过程中排错
" x2 `% V) k1 m+ Q, K7 E
* |( Q# u ]. n9 z9 ?; M0 Y1.缺少APXS会报错0 S, L. ]5 u% d" C& L' g
" r) h5 z1 p, Z9 G. h. i+ O* s2 Gconfigure: looking for Apache module support via DSO through APXS
' z2 S9 m7 t# v3 `configure: error: couldn't find APXS+ I$ F$ b% K! o# c) t, T2 [" o
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
( g7 c- P; K, k% K. ]) |; k解决方法:8 [ Z9 T7 ]" i( n
1 P8 w2 o1 ?* O4 iyum install httpd-devel
: C5 Z& i0 w: ~5 |, ^2.没有pcre
' l% U, L( A# l3 |( Y# R3 }; X2 T
4 X- A/ X9 J% c. L% U# Mconfigure: *** pcre library not found.+ W6 s6 C5 @- y
configure: error: pcre library is required
: G, m9 N. f8 g, l+ ]& n解决方法:5 r; P5 l: ^8 `& {7 u7 ]4 W
& ? {6 n6 O/ |# d8 {3 ]0 M5 k
yum install pcre pcre-devel" [: e E; b1 N& t) A5 I: K
3.没有libxml2! T8 q* i3 T3 u& m
( a: L/ N$ Y `7 \+ q8 M j: V) ~ e( C
configure: *** xml library not found.
1 g4 L/ p% c. l* M% ?5 i( pconfigure: error: libxml2 is required/ |$ N% A2 P& |, D% e! p
解决方法:# n: B9 \7 y" G4 H# _9 ?
6 \" A# t% T9 \# y) [ @+ E
yum install libxml2 libxml2-devel1 m5 w1 v( d6 R
4.执行 /opt/tengine/sbin/nginx -m 时有警告3 n6 v, l' @% T
! `, ?$ L+ l5 FTengine version: Tengine/2.1.0 (nginx/1.6.2)& C, I! i8 g! b! S
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
+ a$ h4 P* V/ i# R% _" v) N原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log2 e3 B) k9 S# P u, d
' [- U( E! D, F0 y; [
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
) l1 n: A6 U2 E' c1 O2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"4 B5 o4 K9 o8 ^9 ?7 H `5 I! `
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
) p8 v9 z) p+ ]; K. H7 ?2 t2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"' J6 A0 g6 k( ~
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
; q5 J+ f: m2 Q ?2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
8 w, i* u: Y# _. ~9 J9 S解决方法,移除低版本的APR (1.3.9)% c! J. {: ?$ \3 W4 K
; C- T3 h; ]; p; b' H% Jyum remove apr
# ?1 z4 \5 d- V% Z7 l5.Error.log中有: Audit log: Failed to lock global mutex
; V L3 ?/ G1 t) Z1 D
8 t9 N& N8 c+ }0 K& c2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
" I/ A2 o% X9 L- N8 w% Lglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]- {3 ]1 Y: K* O
解决方法:
% I( }1 E" l8 f" f' W5 j编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
" ], Q. r& e4 T( _$ X: `) a% j. [ p& X6 \! L4 _1 x
SecAuditLogDirMode 0777; k' `/ q% |4 n& |3 G- X
SecAuditLogFileMode 0550
$ {% g( u9 A1 i7 E; X0 ^# E2 mSecAuditLogStorageDir /var/log/modsecurity, w& F$ {1 o& q+ f1 `6 c
SecAuditLogType Concurrent
) q2 z2 N0 m8 S4 ?4 h参考文章:
" X1 D/ Y9 L( k0 @( ~4 Lhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX3 m! q: i: q s# N
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡