ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module can be added when nginx is configured, via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is about filtering and blocking web threats, and its strength lies in the rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet any requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need; a rule file is enabled simply by pulling it in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
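As an added example (not code from this post), a small Python checker for the modsecurity.conf produced by the steps above: it confirms SecRuleEngine is On, that the CRS setup file is the first Include (the rule files rely on the variables it defines), and flags a world-writable SecAuditLogDirMode. The SAMPLE_CONF fragment is constructed for the example and also carries the audit-log settings from the troubleshooting section at the end of the post.

```python
import re

# Constructed modsecurity.conf fragment reflecting the steps above (not a file from the post):
# SecRuleEngine switched on, the audit-log settings from the troubleshooting section,
# the CRS setup file included first, then the rule files.
SAMPLE_CONF = """
SecRuleEngine On
SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
"""

DIRECTIVE = re.compile(r"^\s*(Sec\w+|Include)\s+(.+?)\s*$")

def parse_conf(text):
    """Return (directive, argument) pairs in file order, skipping blank and # comment lines."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def check_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    pairs = parse_conf(text)
    last = dict(pairs)  # for single-valued directives the last occurrence wins
    findings = []
    engine = last.get("SecRuleEngine", "")
    if engine.lower() != "on":
        findings.append("SecRuleEngine is %r: rules are not enforced, nothing is blocked" % engine)
    includes = [arg for d, arg in pairs if d == "Include"]
    setup_pos = [i for i, arg in enumerate(includes) if arg.endswith("modsecurity_crs_10_setup.conf")]
    if not setup_pos:
        findings.append("modsecurity_crs_10_setup.conf is not included; CRS rules depend on the variables it sets")
    elif setup_pos[0] != 0:
        findings.append("modsecurity_crs_10_setup.conf must be the first Include, before any rule file")
    mode = last.get("SecAuditLogDirMode")
    if mode and int(mode, 8) & 0o002:  # 0777 lets any local user write into the audit directories
        findings.append("SecAuditLogDirMode %s is world-writable; 0750 owned by the worker user suffices" % mode)
    return findings
```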
V. Configure nginx

Add the following two lines under the location of each virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are lowercase; $Document_root would be an unknown variable
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests get a 403 straight away. Taking a PHP environment as the example, create a phpinfo.php with the content:

<?php
phpinfo();
?>

Visit in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
6 u" l: J/ w: |0 S6 M0 _
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
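The error.log lines in items 4 and 5 are the signal an operator has that the WAF is mis-built or silently losing audit records, so they are worth parsing rather than eyeballing. As an added example (not code from this post), a Python parser for nginx error.log lines carrying ModSecurity messages: it splits off the nginx prefix and the [key "value"] context fields and classifies each record. SAMPLE_LOG is constructed; the first three lines mirror the troubleshooting section, while the "Access denied" line and its rule id 999999 are placeholders for a blocked request, not a real CRS rule.

```python
import re

# Constructed sample of nginx error.log lines with ModSecurity messages. The first three mirror
# the troubleshooting section above; the "Access denied" line is a made-up blocked request
# (the rule id 999999 is a placeholder, not a real CRS rule).
SAMPLE_LOG = r"""
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\b(and|or)\b)" at ARGS:id. [id "999999"] [msg "SQL Injection Attack"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED0001"]
"""

# nginx prefix, optional [client ip] tag, then the ModSecurity message
LINE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: '
                  r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<msg>.*)$')
# ModSecurity appends context as [key "value"] pairs; values may contain escaped quotes
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_line(line):
    """Split one error.log line into its nginx prefix, the bracketed fields and the bare message."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(FIELD.findall(rec["msg"]))
    rec["text"] = FIELD.sub("", rec["msg"]).strip()
    return rec

def classify(rec):
    """Map a parsed record to an event type worth alerting on."""
    text = rec["text"]
    if text.startswith("Access denied"):
        return "blocked"           # a rule fired and the request got the 403 seen in the test section
    if "do not match with compiled" in text:
        return "library-mismatch"  # the APR warning from item 4 above
    if "Failed to lock global mutex" in text:
        return "audit-log-broken"  # the mutex error from item 5: audit records are being lost
    return "info"

def summarize(log_text):
    """Count events per type over a whole log; lines without a ModSecurity message are ignored."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            kind = classify(rec)
            counts[kind] = counts.get(kind, 0) + 1
    return counts
```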
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614