|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。" f) X' d" P# P) A4 B
: n4 `2 ~9 B4 [6 |一.准备工作
{! s. X0 B0 x8 d; {$ D' u2 M( Y I9 U" p- ]" N
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0- c( B. \) _7 q+ K- y
. P6 I3 {9 Q2 N6 z
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz2 S8 B2 R/ U9 y/ [, M, H7 z
! p Z9 E d! I$ y5 n1 G4 R
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
: `7 ]7 U/ {! o0 q' L% X7 x% S9 ?" I) Q; i( [% A! c) z1 D4 j
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
; E' |3 ?* X6 l/ y' T! ]9 t$ j6 L% A H: ^0 I& Q/ z
依赖关系:
1 x- J: \5 T( |2 {4 @) Ftengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:4 {2 X/ p3 y# g( S, F$ z
0 ?4 `" Y0 v; k$ E4 K+ X. Qyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel* x, R' W5 ?+ \3 g; o
modsecurty依赖的包:pcre httpd-devel libxml2 apr3 j/ c8 b* c2 f: a8 `
6 m! f6 H" U9 p/ o9 j' A
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel! f T( b5 z3 P1 D4 e6 \
二.启用standalone模块并编译
7 a4 k# M/ p0 w% j/ V; ?( b3 G1 p9 [% x% w, Z
下载modsecurity for nginx 解压,进入解压后目录执行:9 ]' Y6 i! x6 e L
9 r7 u* G! j4 s./autogen.sh# }. f! _+ p& z/ R% [" I
./configure --enable-standalone-module --disable-mlogc& [3 p) X& f# D
make . o, g7 O, p7 `( ]5 R5 }3 k
三.nginx添加modsecurity模块
* t& m+ ]! _$ Q
# R5 I/ W! D' z1 n2 B在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:* Q) f* g4 B2 v
- `: C: o) _7 D# ]! o* i) b
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
0 K* u- T) C+ g, Xmake && make install' _. S( |1 W5 \" ~
四.添加规则) w4 |0 b1 a8 H+ K
0 p5 y0 j3 H0 Xmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
% r `; N! D" z, g$ p' x1 {4 N+ G
+ |( l. k* V2 y( O1.下载OWASP规则:
" g" I) u5 V B- {9 l; E# s* j
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs! H0 y9 D9 b/ [$ T7 s8 X9 R; s
- ^4 K6 o! B/ ~; Y3 imv owasp-modsecurity-crs /opt/tengine/conf/
+ A9 p! w7 {9 e+ D9 Q# w% H+ S( o' ~8 g
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
+ X% p8 w/ M4 W% q) T# T2.启用OWASP规则:9 o, P0 j: `- C0 i( ?
, s; L; n# E6 t) r: q7 Q; E复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。( k( B8 i+ x: o& K! |$ G$ _
& W0 L) {8 m' M3 d) b0 ~8 h+ I0 _6 s编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
& \3 r0 c( _9 B* u; d9 m" J% T" j [3 b- ^) `5 B
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。' K }; t- U2 `) n1 Q+ ~
0 _( s; k) F- A7 q7 l' zInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
; z x' E0 E* |" b" S. Q& T2 R& MInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf4 d8 c! |6 p5 K( Y; U: @
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf, U. ^/ {9 Z! j' q- z6 G
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
. @6 B7 L; `$ K& e9 J9 f7 N0 ` z: NInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf6 K# a: Y" u# N; v" e D
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
7 J3 T- \/ p% h7 h! N; K6 TInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
9 X0 v5 Z9 D2 }( f9 y) i! Z2 o五.配置nginx( r; s% Y- J7 Y$ j
' c$ G- ^# D! ? ^0 p3 R0 z$ [在需要启用modsecurity的主机的location下面加入下面两行即可:
9 A/ k# K/ T/ H1 [' Q( G
1 S% P6 P4 a8 Z, L/ c' }8 J* i! }ModSecurityEnabled on;
3 X0 \1 z& |" q- c4 I. zModSecurityConfig modsecurity.conf;
9 T+ R: j" `0 g# Z# Y- `9 Y. G+ n下面是两个示例配置,php虚拟主机:
3 K! k" i5 ?2 O8 i; ~% j* N3 z" z. j" H- _9 J) w& w& Y
server {
1 s# M+ G/ P6 a; i* n% M Y8 R listen 80;7 `& h# R, V3 Q! ]$ P" Q, @
server_name 52os.net www.52os.net;
2 Q) D) w$ _5 K7 U$ [ z" |
( C/ v% N7 ^; {; o) H location ~ \.php$ {
" e* p0 L5 _2 o3 C' [& D! N ModSecurityEnabled on; / n" x& ?" s( N9 t/ B
ModSecurityConfig modsecurity.conf;( ]+ z- W9 ^8 r( o! ^/ y3 x, F! e3 `
2 f! ~% f3 H) z* u6 a9 t
root /web/wordpress;- S9 @3 h0 I% J; G4 E; j- ?& m
index index.php index.html index.htm;
' a' b% f* K6 V. Z, |$ b* C
k- Z0 d; P) I7 M, i fastcgi_pass 127.0.0.1:9000;0 `. r0 X8 l: F- d" ]4 p; ?% v
fastcgi_index index.php;6 ]# a1 y$ X+ ?$ G+ ~# @9 L
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;% q( r8 L7 e9 `) _+ m) I
include fastcgi_params;
7 \- q' l8 I( y9 ?: b* t% | }
2 U6 z& k) b8 g4 M2 z: x }
) X1 L2 [; v* c9 l8 C H& eupstream负载均衡:$ S+ \3 g# l: D7 p
) Q: w! z" }7 [0 `5 i
upstream 52os.net {+ {% i8 Y) o k" Y) t- K
server 192.168.1.100:8080;
6 {( x% o* u, b9 v. [ server 192.168.1.101:8080 backup;
$ H ]' f8 [( G4 J2 q) y3 S}
3 c% E+ U- \2 Z2 D- y) f4 O3 q6 Z7 D }! b: U' h
server {
! A/ D7 d4 d& d. L& i$ Ylisten 80;
/ m5 B- {' m2 h; ~) p# q% t; Nserver_name 52os.net www.52os.net;) H/ ^# D( |' S7 k. f
B- }, [7 m% ?9 s3 d. _location / {+ v7 n+ k: M- H$ s; V
ModSecurityEnabled on;
. w' X* U6 h( `6 | ModSecurityConfig modsecurity.conf; 6 T+ w' i+ ^0 f, }5 ?- ?
+ P/ A9 Q6 E$ O4 }% s" Q; X% q
proxy_pass http://online;
* w5 \! I6 Q/ L6 V+ O- \6 c2 ~ proxy_redirect off;
0 J2 X. z; X( k: r* G1 a proxy_set_header Host $host;. h& Q/ k. \( h. I Z& _
proxy_set_header X-Real-IP $remote_addr;
; [2 N6 v" j" [5 b) a: B6 h proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;- q- J9 W: e% I$ |9 z6 {) K
}
: s% N2 \# o7 \* u- a}4 B- n0 a7 C- x- o& p& T1 o/ p4 ?0 \
六.测试; d' s* i* ?# q$ u; y x
' ]# C9 _/ E9 k& z
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:/ s5 W4 s! K" s/ \ Y
{3 e1 X; l, v) }2 x<?php# \. n# X% y% r
phpinfo(); " M5 @# Q. A: V5 W& \
?>
/ {- W' n( i6 V J在浏览器中访问:5 i4 w8 X! f x
/ O3 s4 O6 `# _# n: @! I# {http://www.52os.net/phpinfo.php?id=1 正常显示。
, e* L) M, t$ q1 X" c4 u4 ghttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
p6 i" ?) J. U% i4 W' |, Nhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
, N2 @+ |% ^ G, n# j" `% Z- Y. B说明sql注入和xss已经被过滤了
/ g, Y0 [9 \2 s% K
( i& F7 H" q7 c& |( ?" B. F七、安装过程中排错) u4 k* v+ X6 w- i# }) Z
1 ]# @" y8 Z4 n+ U% B1.缺少APXS会报错
: C( t+ Z* t5 [4 R# b- z
7 K6 x* A6 P% ^* r* Dconfigure: looking for Apache module support via DSO through APXS0 ` |) _1 @) r: Y1 S
configure: error: couldn't find APXS
" J: M5 F# r% u3 B% D8 e' A4 T( Hapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。( J4 z- ~- T: l
解决方法:; K6 J* i2 y. w( a) B1 ~
, m8 g+ M6 S. d/ L0 o1 w" H
yum install httpd-devel2 x/ O7 K% ]/ f3 M
2.没有pcre; { J5 [+ E, S9 @! y: ?* b
4 r6 H* ~: t/ [5 Qconfigure: *** pcre library not found.! u, m6 W* s) X2 _$ x( g. A" u
configure: error: pcre library is required7 J8 _3 H: {. {
解决方法:& i# {7 _" N3 ^0 x! }
! A/ z9 k1 o! M$ G% |% myum install pcre pcre-devel1 `. s7 Y* d: e
3.没有libxml2
% r% X5 R4 c) }7 _* c2 e6 T" R- J& M
* t: ?: x4 D: e6 Y6 c( a" s5 ]* a
/ N2 c* O. g7 z$ b9 x% kconfigure: *** xml library not found.
2 N, d& A2 q/ ~! _& |6 `" O% o3 oconfigure: error: libxml2 is required% ^6 I$ A6 p, ?# F
解决方法:
# {4 W% |) i6 |5 D% S4 S* l* E/ z; ]0 Q9 q/ C% N3 ]# N6 U% G$ E6 Q
yum install libxml2 libxml2-devel# J+ i. ?1 G& w- H" ?1 C
4.执行 /opt/tengine/sbin/nginx -m 时有警告$ v. G+ q+ J" G
7 k. A$ g$ v9 n; S8 M
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
+ z8 s; l7 }) ~nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
- Z& Y7 s. r' o原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
( s& [9 {4 }8 t! ?
7 [0 Y, ^( [& X7 c2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
% ~! R0 x8 E& X$ v' ?: N2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
/ g; F7 I' E7 @% _& W5 n2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!5 v9 Z9 h0 @; i( f! x: w: G- i) `
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05" x! N! x8 q* W/ x2 d
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
}+ d" ]; M0 ]; H, O2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.+ \& u0 K. y1 l# U( _
解决方法,移除低版本的APR (1.3.9)
$ r4 d8 W5 ^$ t& o& {6 q6 O8 Z8 m' h; ^7 b% W% {8 T
yum remove apr: s3 L5 \- q0 N
5.Error.log中有: Audit log: Failed to lock global mutex! w( b) ^$ P+ @0 [) s* Q
" T% U0 `1 X7 E2 x$ T) C( z
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock $ s, ?, V& [- }7 `. Z) Y
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
' o1 G3 u" O7 z3 O2 t解决方法:
8 b$ a+ g% [* M4 {* \编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
! b0 d- u3 ?. x ]& K/ e6 X; L; w9 E$ @( i+ {
SecAuditLogDirMode 0777
" i& h) K* K. I. `1 W& BSecAuditLogFileMode 05505 {4 w; y0 m& w9 M9 M4 H/ Z
SecAuditLogStorageDir /var/log/modsecurity: d1 k @$ {) W, a
SecAuditLogType Concurrent$ v7 P3 ~* }+ D9 d- N) H5 D! I
参考文章:
2 ~- W: f$ y& ?/ _5 F+ K. Bhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
?9 y5 P; z. s! u t& W0 Phttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡