|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
0 W/ a1 w W6 t5 o. f
) s' c+ W8 R2 ]) ~7 |& ^5 A4 s% Y; E一.准备工作
, j0 B5 ?- C# O, ?( t8 [$ D( X) W8 n3 p1 p
' K( |! e) z' \/ B9 O$ N系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0: c1 {" L, r% n C0 c5 O) {$ L
3 x/ e9 K: T: r3 ]3 jtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz* R) U$ ?6 ]( m, p( a
. K' J- v) Y4 u+ i- J, B+ p
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz; v$ W* F h5 A' d+ T
; I) S6 m/ d1 G0 X# n: {
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
; c$ ?" Z+ j! C# t* h( Z+ Y' u0 d0 q# Q; x
依赖关系:
/ a) Q; h: G' m4 Jtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:% s s! K# }+ P/ t
8 Y3 z6 l; r j [' Yyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel; I2 @% |5 Y; Y! w
modsecurty依赖的包:pcre httpd-devel libxml2 apr
% ^5 f6 n) f- B$ d/ j$ q- i2 @$ Y( E; P4 _8 a
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel& i4 D# n( m4 a, x1 z
二.启用standalone模块并编译
* W' g/ p/ T( w `! J4 |/ z& S% U+ N
下载modsecurity for nginx 解压,进入解压后目录执行:
/ |, X" s7 {4 b& S- z/ s
# F8 k9 b: N F5 }./autogen.sh1 G! ]) z( t- |8 s* e
./configure --enable-standalone-module --disable-mlogc, E5 c4 j. w+ h9 T4 W# v
make . r2 m# H9 i. \: M
三.nginx添加modsecurity模块/ L$ A/ J6 F- ~/ F' o
6 X( v, L2 I5 a$ z% ]在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
) r; U. h; v+ s
* C5 M Z+ p; R4 a, l; {: z./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine, y) E$ v' ^; ^6 j9 Y
make && make install
0 y' @3 c. e* L% y四.添加规则. w3 ~# T% b8 r3 z6 ]2 l
* [% \1 t' ?0 J3 d- H4 l+ _
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
# j; G& A9 U7 C$ i( J5 E4 [$ U5 \6 {6 T; V$ F
1.下载OWASP规则:4 h3 d& n4 T5 I( D
0 P) [; T; |+ Hgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs5 d$ L. D, V* j, V. P
4 j& J2 ?9 |2 z9 ?, a, w# mmv owasp-modsecurity-crs /opt/tengine/conf/5 |* K7 X7 J" X( s+ j
z/ }4 S @) z& K' T- d. P
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf( I0 [! e' z# r p# M- g% d
2.启用OWASP规则:* k$ D% [' m# e W
# X- l& y; n# W$ E a; q. X$ Q3 Q复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
n* s7 R4 v5 k+ b# @( W' [1 I/ e% L; x6 A, Z( J4 U% _
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
' |9 }7 d. Q- f* h0 }
3 J% O. G. X7 f( E. y7 t8 bowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。# X! I% O6 F5 V" v& r' \- Y( Y
$ x4 S6 }' G" F4 C+ Q" F
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf; ^2 H5 q# H5 D0 u: u; B$ z
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
( e% ^6 f! k6 E; EInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf$ x; V4 |: W6 g- [$ h O2 S1 A
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
6 f: U( f( n- Q6 AInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf2 ^/ k6 J% X1 H
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
6 n. j, H1 r4 d0 M+ O2 `/ @Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf2 {4 A& E3 ]$ x* c5 `
五.配置nginx, Z" @! `7 Y3 E6 T1 V
4 m1 ?! x+ l) i& x1 z/ m1 D
在需要启用modsecurity的主机的location下面加入下面两行即可:
4 U3 t8 J2 I$ h$ u: T1 G! e7 X$ M/ i# o4 _
ModSecurityEnabled on; , j) j J6 k( {1 N) J
ModSecurityConfig modsecurity.conf;$ D& W. t3 R6 s% y& w/ r2 i
下面是两个示例配置,php虚拟主机:" i t# t g0 \1 G2 V
8 y, f; \% t' j+ m3 d. S9 bserver {( f. C/ T ^1 y) p+ w/ ?% r) c8 [
listen 80;
+ U6 c1 g; Z4 j, Y server_name 52os.net www.52os.net;
4 }) ]. B5 G3 k6 u
* B; W& t9 n. V: I location ~ \.php$ {, b+ H( W7 s4 d) [+ O {: a
ModSecurityEnabled on; ; F" A1 E% k1 A
ModSecurityConfig modsecurity.conf;
# A, Y9 Z, |( L3 ^
+ i/ B& t6 j9 R4 p% | root /web/wordpress;$ [( T' C; v% b
index index.php index.html index.htm;% m9 K* ]/ x4 c/ n* |
$ ]! ^/ @( R! v4 } fastcgi_pass 127.0.0.1:9000;1 P8 H' Z+ G6 H2 `% z1 e6 @. p+ a1 l
fastcgi_index index.php;
6 M! }# I1 y8 z* }5 h. C fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
. [) R8 B" \! ` include fastcgi_params;" f& v9 B# q# ~% d" e0 }& q( b
}
& W' f8 H; g6 r) K }$ n3 o/ [: F8 [8 O* m0 a
upstream负载均衡:6 j* g$ B: h0 A, E( B2 t$ q" w
4 u. ]9 E) ?' M% a r3 o1 Lupstream 52os.net {
$ W R; G4 c. W) v server 192.168.1.100:8080;
! k5 x) a2 {7 I9 Y$ _/ F: b j server 192.168.1.101:8080 backup;; ?+ t. v, b+ @0 N- O: ?" K
}# e; k) q1 f, Z% d6 n' G" U- q
$ S+ H( o# _+ M H, ]$ }
server {# F4 D L! `* K4 E5 L v
listen 80;1 B$ P: o" |8 p p) A
server_name 52os.net www.52os.net;: w. V7 y# _. W1 Q
7 }& h7 c4 c5 dlocation / {" i+ p; M8 l' i3 d; \
ModSecurityEnabled on;
, ]( ~- m( L, U% [/ H- W" | ModSecurityConfig modsecurity.conf; 5 w0 r+ s2 z9 H
; w& F& {6 _0 p9 f+ z) z: J. ]
proxy_pass http://online;3 ~6 m5 e5 {0 h' O9 g- x
proxy_redirect off;
* Q' O! r( U* q0 ]) l) s- U proxy_set_header Host $host;& z) }% T) X/ p: S8 ~2 x
proxy_set_header X-Real-IP $remote_addr;
" M8 X3 {* Y: ]" T# ^+ i proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;+ S$ r% u: Z' u9 _! y! H
}- t& e8 i0 ^ t/ F0 [# P/ U
}+ |. U2 V. |' r
六.测试( M) P7 k; `+ ^! ?
3 i; t! \* P' V5 d5 Q8 p我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
& V2 K5 H9 s P
5 ^, B: `6 f7 H1 ?4 F4 |' j8 z4 Y4 q<?php
5 Y b# r7 v. m4 i" p; U phpinfo(); ' k' b: a5 \0 }1 ]& r9 s# r
?> |/ d/ x9 q7 U+ J
在浏览器中访问:
, Q3 x% \1 z8 N3 X' x6 @8 x4 G6 l0 n3 H& m* i3 ^3 W; l/ @
http://www.52os.net/phpinfo.php?id=1 正常显示。
) x* l& z {( lhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
8 k$ o. F9 ^; Q) B- nhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。& C! l. \: }; t6 I, W i+ y: K
说明sql注入和xss已经被过滤了9 Z N1 k$ o/ G7 e' g
6 N2 ~$ M$ y- V7 N7 ^: ]( v1 ^: B
七、安装过程中排错
- A& r8 O8 l8 f% g$ N+ O: X4 p0 ^; {) D- m! O( ^7 [5 i! m0 c/ g- O
1.缺少APXS会报错) `, n1 z5 f0 v; Z+ b
; F# _& L7 f+ i% a3 x# Pconfigure: looking for Apache module support via DSO through APXS* r+ P& v- U# v% h- _
configure: error: couldn't find APXS+ q0 _4 `) _! Q! ^# w( H
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
3 {4 O$ ?; x" w; I( m1 L解决方法:
Q' k" q& A% q8 H$ }1 ^# K6 S
+ C# [5 {5 q" \( w: h' z1 }yum install httpd-devel
- v. ^2 Q% }" M2 x v2.没有pcre
. \3 D; K. G* n; z& @# V$ O+ b( k1 ^; M8 T9 W# K( [
configure: *** pcre library not found.
$ L: e5 T$ L# a- P) |/ G/ L" |" Pconfigure: error: pcre library is required4 c) J& s* S1 h s9 K# z4 v; i
解决方法:3 _2 G' `/ J+ ?& v$ R
4 y' D _# C: K1 m) F2 ryum install pcre pcre-devel
, |5 v/ L @9 ^0 E/ F* d3.没有libxml2
8 {2 c @) k4 X( [4 Z
7 b4 }2 `8 H9 x8 ?# i# {3 Z, N: } z3 ^ @! O5 y5 ]; H
configure: *** xml library not found.
! U, R- c% Q- wconfigure: error: libxml2 is required
" @+ S6 o# k2 s$ T n3 `解决方法:/ q) e T1 {" @$ n% Z7 o* R
4 X0 }" ?% [) u W! n. G) T: ~
yum install libxml2 libxml2-devel/ o& P" D" t. O) y, b% i
4.执行 /opt/tengine/sbin/nginx -m 时有警告. w/ Q1 d- I2 ]# H( T: T4 g* U
( ]. O- F& j/ l
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
" X8 D8 n1 ?! _8 C( m7 ~ a7 @ Anginx: [warn] ModSecurity: Loaded APR do not match with compiled!
. ?, I; B2 R5 I. m: x原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log. m4 t, E7 I2 o! V+ @
( X4 s8 ?: L4 Q1 z2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.2 q2 ^7 p! b8 [
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
1 x' t4 P) Q8 y2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!5 }/ O! N3 {5 U# z. Q' s
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"1 h$ \$ g0 [" w/ j! V. {; b
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
& b( _5 c0 C% F' N2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
+ Q4 t) e& _7 f6 x0 J解决方法,移除低版本的APR (1.3.9). M7 S G8 g( R8 ]) ^
: q& B. M/ O! S8 {' C& Jyum remove apr# F0 J7 L6 G2 z" {5 S2 _! ~. {
5.Error.log中有: Audit log: Failed to lock global mutex
& K4 B/ d/ C) \% h2 T* I7 [1 `$ N; O7 a- j- h
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
6 t% P+ w+ D' P. Y) fglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]7 l2 O c) j4 _3 l& a
解决方法:/ P! i! {4 N* F7 N0 g" u( E
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:% y( i3 F* b; O7 G) M
( U; k# z6 n3 TSecAuditLogDirMode 07777 n( h$ N2 k# k0 @5 l O2 l
SecAuditLogFileMode 0550
& C7 f! y( C: d% ~) E3 J; u$ wSecAuditLogStorageDir /var/log/modsecurity6 W$ h* A! W" d, A3 u
SecAuditLogType Concurrent
( d- ~0 i' w: S, U参考文章:& E( n. O5 e% B4 r3 I
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
, ]: y( o/ d) _http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡