ModSecurity started out as an open-source WAF for Apache and is an effective way to harden web applications. It now also supports nginx and IIS; combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web security.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module has been built, pass it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is about filtering and blocking dangerous web requests, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.
Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs and never blocks).

owasp-modsecurity-crs contains several folders of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Second, upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so malformed requests get a 403 straight away. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.

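To see which rule produced each 403 above, the ModSecurity messages in nginx's error.log can be parsed; they share the [key "value"] format of the mutex error shown in the troubleshooting section. The parser below is an added example, not code from the post or from ModSecurity: the APR notice and the mutex line are quoted from the post, while the two "Access denied" lines are constructed, with placeholder rule ids (900101, 900102) and unique_ids.

```python
import re
from collections import Counter

# nginx error.log prefix: "date time [level] pid#tid: [client IP] ModSecurity: ..."
PREFIX_RE = re.compile(
    r'^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: '
    r'(?:\*\d+ )?(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<body>.*)$')
# ModSecurity appends its details as [key "value"] pairs; a quote inside a value is escaped as \"
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Lines 1-2 are quoted from the post; the two "Access denied" lines are constructed (placeholder ids).
SAMPLE_LOG = [
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"',
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock '
    'global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
    '2015/01/26 04:20:07 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "..." at ARGS:id. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [id "900101"] '
    '[msg "SQL Injection Attack"] [data "1 and 1=1"] [tag "WEB_ATTACK/SQL_INJECTION"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED01"]',
    '2015/01/26 04:20:09 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "..." at ARGS:search. [file "modsecurity_crs_41_xss_attacks.conf"] [id "900102"] [msg "XSS Attack"] '
    '[data "<script>alert(\'xss\');</script>"] [tag "WEB_ATTACK/XSS"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED02"]',
]

def parse_line(line):
    """Return a dict of fields for one ModSecurity line, or None for lines ModSecurity did not write."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    body = rec.pop('body')
    for key, val in FIELD_RE.findall(body):
        if key == 'tag':                                   # [tag ...] may repeat; keep them all
            rec.setdefault('tags', []).append(val)
        else:
            rec[key] = val.replace('\\"', '"')
    denied = re.search(r'Access denied with code (\d{3})', body)
    rec['denied_code'] = int(denied.group(1)) if denied else None
    rec['event'] = 'blocked' if denied else ('audit_error' if body.startswith('Audit log:') else 'notice')
    rec['message'] = FIELD_RE.sub('', body).strip()      # free text with the [key "value"] pairs removed
    return rec

def summarize(lines):
    """Count blocked requests per (uri, rule id) and collect audit-log failures that need fixing."""
    blocked, errors = Counter(), []
    for rec in filter(None, map(parse_line, lines)):
        if rec['event'] == 'blocked':
            blocked[(rec.get('uri'), rec.get('id'))] += 1
        elif rec['event'] == 'audit_error':
            errors.append(rec['message'])
    return blocked, errors
```

Feeding the real error.log to summarize() gives a quick per-URI count of which CRS rule ids fire, which is how false positives on legitimate requests get spotted before a rule is tuned or excluded.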
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log also shows:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 makes the audit directory world-writable; a directory owned by the user the nginx workers run as, with a tighter mode, lets them write there just as well.

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614