ModSecurity began as an open-source WAF for Apache and noticeably hardens web applications. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web security.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0.

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build has finished, the ModSecurity module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity's job is to filter and block web threats, and its strength lies in its rules. The rule set provided by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); its rules are reliable and powerful, and you can of course write your own rules to cover other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In each virtual host that should be protected, add the following two lines inside the location block:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # the name after http:// must match the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered directly with 403. Taking a PHP environment as the example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
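The browser check above can be turned into a repeatable smoke test that runs after every rule change. The script below is an added example written for this page, not part of the original post; it sends the three test requests from the section and checks that the benign one is served and the two probes are blocked with 403. The base URL is a placeholder you pass on the command line, and the `fetch` argument is injectable so the logic can be exercised without a live server.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

# Expected outcomes taken from the three test URLs on the page
# (a table constructed for this example): query string -> expected HTTP status.
EXPECTED = {
    "id=1": 200,                                    # benign request, must be served
    "id=1 and 1=1": 403,                            # SQLi probe, blocked by the 41_sql_injection rules
    "search=<script>alert('xss');</script>": 403,   # XSS probe, blocked by the 41_xss rules
}


def http_status(url, timeout=5):
    """Fetch url and return the HTTP status code; 4xx/5xx is a result, not an error."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def build_url(base, query):
    """URL-encode the query the way a browser would: a raw space in the request
    line is rejected by nginx with 400 before ModSecurity ever sees it."""
    key, _, value = query.partition("=")
    return base + "?" + urllib.parse.urlencode({key: value})


def run_smoke_test(base_url, expected=EXPECTED, fetch=http_status):
    """Return {query: (expected_status, actual_status, ok)} for each probe."""
    results = {}
    for query, want in expected.items():
        got = fetch(build_url(base_url, query))
        results[query] = (want, got, want == got)
    return results


def all_passed(results):
    """True only if every probe produced the status the WAF should return."""
    return all(ok for _, _, ok in results.values())


if __name__ == "__main__":
    # placeholder target; replace with the host that fronts your ModSecurity setup
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net/phpinfo.php"
    res = run_smoke_test(base)
    for q, (want, got, ok) in res.items():
        print(f"{'PASS' if ok else 'FAIL'} {q!r}: expected {want}, got {got}")
    sys.exit(0 if all_passed(res) else 1)
```

A non-zero exit status makes the script usable as a gate in a deployment pipeline: if a rule file is dropped from the Include list or SecRuleEngine is left in DetectionOnly, the two probe requests come back 200 and the test fails.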
VII. Troubleshooting the installation

1. Missing APXS causes this error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614