|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。5 s9 O I. S- w( k: K# C' d3 k7 m
) y C2 m8 T7 H' }; f2 X
一.准备工作/ e- O' b7 P+ h1 _' b3 z
2 A+ Y u) T _6 s' H+ H, ]系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0* E9 T, p1 l7 |1 T6 D* Q3 R
\! {5 ?5 G( A. J: Z
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
, c/ x+ ~( c9 I, p& O5 U( T2 n
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
' j O1 e/ i6 k2 D5 y
3 Y4 W/ _3 D: l' O, i6 uOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
' D9 n5 `$ o( h& ^3 l; v$ E
; w- v W* L& \, ~8 H5 n依赖关系:; q+ \: {2 }2 x
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:5 ^/ y8 B# C9 F0 W5 j
. w. {. _( o7 Pyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
# p2 G d/ ~6 x& mmodsecurty依赖的包:pcre httpd-devel libxml2 apr
& f' t+ p( U& m/ P0 A1 E* L# [* c0 h2 H8 p
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel' {, Y# F2 U0 h% s; X, J6 d
二.启用standalone模块并编译( g$ \- o$ @: Y j& e7 T: V: w S
5 R5 O1 Q) @& b2 o下载modsecurity for nginx 解压,进入解压后目录执行:) G, M) W7 A/ U$ K3 |
# }4 s5 w7 H) w. G- V) r" \! [./autogen.sh. u% H" S3 x2 D) r0 C9 ^& m& ]
./configure --enable-standalone-module --disable-mlogc6 b% n. q/ [& n. K% Y
make ; k1 E @% T$ I! M
三.nginx添加modsecurity模块* a% O3 R% l1 x1 k; Z8 u
4 ]5 P7 P& k- h& x
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
; v% v( r" z; z+ v: u0 G* {% s* V, A% J' |" A& F5 l9 @
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
# ]$ P2 L8 f3 w- d1 q) Ymake && make install4 o9 L2 R' g* Y8 O# r- c2 c* B
四.添加规则0 \1 J% c2 P! ]" b
# ]/ S7 s f: p$ m: q' `
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
8 a3 u) F/ @* W- h3 {7 {* |8 h$ k! T3 H1 D+ B) \# ^
1.下载OWASP规则:
" s7 c) ^. o5 E5 p
/ ~& u S3 L6 ]% G5 o' M: Z0 d# lgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs5 B- M, n3 H' ]$ H2 t
* w/ Q8 v( w: U5 pmv owasp-modsecurity-crs /opt/tengine/conf/
: c- s/ M7 q8 Q2 ~" k; f5 Q7 A/ k+ V2 {: W) d# ^, O
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf& C: U |2 q* B
2.启用OWASP规则:+ Q% U; i- u2 \7 A
5 B( ^; T. P0 }" I" }复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
6 ~& |* ~) B, f/ L
9 Z4 m1 ]- W1 u& e编辑modsecurity.conf 文件,将SecRuleEngine设置为 on/ b$ t* r" ~8 H( P& c
$ y! J- O: Z( I8 w/ `7 U
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
x. Q; }. k& E7 m, q& W2 b8 S2 x% Q+ O. v
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf: k5 |* s$ a: {+ }5 r# r% W
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf" z! w* I6 Q. t! ]; [: t% s h$ V
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf, w* Q5 K! I/ y7 E! T, T
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf& r& { R. s- C& j5 Y
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
+ n9 o- @4 K* x2 IInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
+ P! G) ~) ~/ R s9 V0 j4 nInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
, h9 l$ x! c& c# I- q5 j% j4 g五.配置nginx
# S& Y) t- Z% P; S7 \) w2 p( B; j0 U) @4 s
在需要启用modsecurity的主机的location下面加入下面两行即可:7 S4 u) K/ q0 G( D0 o" e
- C! P6 A- ?& \. H) ]$ x6 n( J
ModSecurityEnabled on; % N- F1 Q! a% q
ModSecurityConfig modsecurity.conf;1 L+ n: [' L3 b! `! h* Q
下面是两个示例配置,php虚拟主机:
% R; N+ p1 G7 r D: F; J- T% d9 B+ q. m& i3 x1 @: s
server {
) N6 H' Q% v! C [" y# D+ B listen 80;8 k9 N: m( ^/ ]
server_name 52os.net www.52os.net;
' O' ~$ j1 t7 C. {: Z3 ^0 \ k6 r4 N+ B+ K0 ^6 X, R$ z
location ~ \.php$ { w. z' L. [ O& s
ModSecurityEnabled on;
# J, n p' f" H ModSecurityConfig modsecurity.conf;: T% m' ]/ Q D# Q/ O8 c8 {
; Q& q; O" E: W/ O root /web/wordpress;
d* `/ U1 A: a K& U' B index index.php index.html index.htm;
7 ?+ q7 a6 V4 o5 G- z ?
" K. x: H r) G4 Z! Y' s fastcgi_pass 127.0.0.1:9000;) `$ K! K3 h' }
fastcgi_index index.php;
1 d% |# I, {* e, `1 t( e' F5 k fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
]4 X* L4 M- ~# ~: u" t include fastcgi_params;
" E5 x' g! Q2 l& j* S }7 G0 T2 ?2 M* \
}
% K* C+ a! t8 S) s0 k' }( X5 jupstream负载均衡:/ C* }4 d, W' Z6 n. v3 s7 H Z
6 _3 L+ \' M7 m* R- fupstream 52os.net {, \( O0 ]9 W% j8 U( v
server 192.168.1.100:8080;$ L! L* @4 p: N; D/ b7 k4 {
server 192.168.1.101:8080 backup;
C9 t+ X5 Y7 j% e}
) h0 P9 c5 E% S) U4 o1 V {7 T6 a: @8 \
server {( S2 a- _- j* y% {5 I7 y$ ^
listen 80;
1 y1 _+ v `# e8 u b3 N$ e6 lserver_name 52os.net www.52os.net;
, i3 a3 d" o4 j; w# L- ?/ f- q" F% k2 W& D, e8 r+ |: H
location / {% B* `' V7 }) R+ h. k
ModSecurityEnabled on; 0 R7 t8 L; C Q
ModSecurityConfig modsecurity.conf; $ ^6 d) Y5 N( u9 L) m3 d
% l: e3 E& E' b7 g: N- o proxy_pass http://online;2 d, `/ C! }; x
proxy_redirect off;$ H1 ?; x* V, W6 Y
proxy_set_header Host $host;9 B! w9 u4 J) O9 n( _- h
proxy_set_header X-Real-IP $remote_addr;1 H& v S+ M. s `) d! ?
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
( }" S! i# `( X. C* k, C4 p }
$ N0 W" h. Y. E1 p}
3 ?- E% t9 c6 o1 x六.测试
0 ]6 r9 e9 h( T2 i6 f, y
1 W& m4 ~5 u! G' ]/ x7 V# d我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:9 [) s+ M, y# i$ t7 ?& {# M
7 \9 ~; d" e0 U/ ^7 T: \; @/ k8 S<?php( }9 L l9 y4 U
phpinfo();
1 s0 \$ b! I, S! i! M. k6 x# h?>! H, q) J5 Z: P; x
在浏览器中访问:0 \) i& i( h5 I1 G& |( j( u7 u% {
, @3 y7 Y4 o# q; Xhttp://www.52os.net/phpinfo.php?id=1 正常显示。
) a( u# w5 A: B j0 Uhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
M0 n0 C1 T# `! H3 }. yhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
. x) i* o& S/ f* v4 ]9 P: O( O说明sql注入和xss已经被过滤了
/ B" n3 }9 t1 j( Y& T" R. s
9 _. t o' U$ g: H) [ r. r- N七、安装过程中排错
0 P% ^7 d5 ]0 G- @
/ {7 |) E( ?; {+ \) |' U6 h1.缺少APXS会报错
" p) |& q* t! Y w6 i, E
1 N) \& @! {( Vconfigure: looking for Apache module support via DSO through APXS
2 f' }6 z/ ^: K4 o2 x) k/ Sconfigure: error: couldn't find APXS
+ F& Y" L4 U0 q3 |9 Dapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
* n6 A& z& ^6 X1 N) H3 b% b解决方法:
' v+ |& j2 M1 G9 k3 T( P+ T$ ?5 Y- x v* q; L5 I) h5 W5 \
yum install httpd-devel
6 c* O; s3 @1 t: {$ B2.没有pcre# C K6 f+ s9 Q7 y2 M% b
7 g6 O% y% c' y
configure: *** pcre library not found.3 i8 d# m" q9 [
configure: error: pcre library is required
1 A% w2 a* ^ {+ f! z$ ]解决方法:
! p l# B7 @% M6 d0 W7 e. @ w* Y5 b; B& {$ `& D- b
yum install pcre pcre-devel( E e9 Z) k8 U1 X# L7 _ P0 V) V
3.没有libxml2
9 B# M& v1 K9 |; H3 F* ]8 c/ ?& l d C
+ R' i7 H, b" k ?
configure: *** xml library not found.- f C6 \; z. C6 Y
configure: error: libxml2 is required
( \' a9 b( h: j+ ]解决方法:
) }4 }8 g; ]) k3 ~# Z% H0 m" k- V- g
yum install libxml2 libxml2-devel
5 y+ n8 F) I; F% G% M4.执行 /opt/tengine/sbin/nginx -m 时有警告' T( ^) Z: N$ J* C' l0 L
1 Q. J( K, m4 `- y, }0 N+ C" J+ h4 `Tengine version: Tengine/2.1.0 (nginx/1.6.2)
! ]& |( |3 q1 f' e- H4 v E# o8 Gnginx: [warn] ModSecurity: Loaded APR do not match with compiled!9 F H; q' Y/ x8 P' t% K5 ]
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
1 Y1 E) x4 P6 ^2 V, H
% Y- d+ P7 }7 P. B" T# \ ^2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
$ d* q w5 Q* G. m4 E( P9 D2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
6 q8 S1 ]7 l& ]5 r8 `! r2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled! R7 D" d3 L6 H, p- _
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05" s2 u4 f1 j0 {1 K! Y( I
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6" @, ?* ~7 q# i0 Y8 h* L$ g- p
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.5 [& J4 e5 S4 i4 Q; X# k, n
解决方法,移除低版本的APR (1.3.9)
$ R$ @, Y6 ]2 X9 ?/ J, W% `" p+ f" A2 o8 f( d
yum remove apr
% N' n" Y& X6 V$ @1 {# U5.Error.log中有: Audit log: Failed to lock global mutex
; L1 \6 r6 s, H8 G. @' a
. Y2 Z! m( ~5 }% Y. I8 V& U& j9 k2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock ; ^* O0 T5 M& g% O4 B
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]; x! p* z- z9 g& e
解决方法:
c+ B/ o: R. S* w& T- Y编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
8 T1 Z% [: Z6 Z) `9 b4 K1 ?$ J& Q' L) h: @7 t9 u
SecAuditLogDirMode 0777$ W3 ?) i+ T/ ~ `2 f
SecAuditLogFileMode 0550
3 V! _. n: J& t" I0 n' Q' J6 f* ]3 hSecAuditLogStorageDir /var/log/modsecurity7 U6 d. o, T L) H" s, c C
SecAuditLogType Concurrent5 \# b- A5 b1 ~/ Z5 T# C5 U: j
参考文章:) z9 ^) z* T3 I" l4 j6 z
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
: D* ?. a4 R! C/ Y shttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡