|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。+ M4 ]4 ~5 ^( F3 N3 R- H
O& R0 t; [ [5 h' }, ~5 ^
一.准备工作
: f$ K* i% ^; [) m
4 P+ [( \1 y1 F. C& Z; _系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
* f( Y: j1 X% j$ P1 `0 c3 O
' S8 i; \$ T$ n* w* Vtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
$ B% m6 K/ }0 Q) I7 h" Y* ^& ?
" k$ H: c0 |0 E. g( Fmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
/ n' U3 D& O+ U9 A# @) t; g1 N, A' u. A9 P
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
0 j# r* r9 \7 c. y b' f. R! d# ]" c3 Z
依赖关系:
5 L# A" k/ m* |* p" _8 ltengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
$ o5 U" E: _3 Y j) u) g7 e2 p7 T0 z% _6 p- c7 H
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
5 r& g# N2 H7 A s9 T5 D5 Mmodsecurty依赖的包:pcre httpd-devel libxml2 apr
+ S! T4 Y" l [! [) E
4 m" Z% p' o% l. C2 {. I5 ]/ p0 wyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
$ U# D" w+ o% S9 m二.启用standalone模块并编译
$ s" j x4 a" f; [- X( K, F' ]6 w$ d' e- i( H: h4 ^
下载modsecurity for nginx 解压,进入解压后目录执行:
0 E6 S3 `3 Z ?- e; B* [* P
. O7 O0 }8 o. Z! D: ^& R n2 Z./autogen.sh% z+ I6 S8 C* ]% M- k2 E5 R
./configure --enable-standalone-module --disable-mlogc. W# d' |( |' X8 }; O6 g
make
, J5 D* r. x9 y; z1 M; v1 G! ^三.nginx添加modsecurity模块
; s$ m! N- o3 L( C! w& v
1 G0 [/ X" f* q1 O在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
6 e9 d( m: p; F2 i$ M# h) X2 c7 Z: t+ y) I: {: r% R
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
$ r" G: }. k3 l7 xmake && make install
- V4 o8 D+ Q3 [0 P" w$ {( @1 W四.添加规则$ W/ V) c: X2 L$ E/ b6 N# ^1 u
# \$ }9 ]% |+ G1 O4 q5 k: D; ?modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。" j0 M* K- h7 C- t2 y% ^+ _
4 j% K6 U! t% t+ q$ B, o; m; o
1.下载OWASP规则: y* p$ g+ N/ i- k2 W" r! f7 ?
j4 O7 q+ [8 D9 K. dgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs! v1 t5 j# Z# V/ W
! ?, L6 p4 F5 q A" B! A3 @2 s
mv owasp-modsecurity-crs /opt/tengine/conf/
+ d( d4 l6 Z5 [ L8 i
% X' ?4 i' z, H# v% y7 Ucd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2 Q! Z. ~2 b: }8 Z2.启用OWASP规则:
0 ]; V8 ^' O& `5 H0 B3 T+ h
- X. L; N# k0 ^# G" l+ j+ N复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
, C' y6 I; W+ ?! K" @5 Y
' C$ s. l1 i+ N* b: }编辑modsecurity.conf 文件,将SecRuleEngine设置为 on5 E; [3 ^8 p R4 t& c& O2 h
# d; h& _/ `; G+ s4 sowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。/ s6 u! A# ?; L7 i- K
7 i$ R) ?& {! n4 K. dInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
4 d* z P3 q; q3 \% l& i! RInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf: w4 w- W$ t3 _, x
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
3 G0 t" P( V* X- m9 z+ QInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf g0 ~* c) s8 g. j4 {
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf1 P) p! Y+ n# s9 m
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
- G: t. U& B8 q6 gInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
: Z/ {3 N( y9 H6 a) Z" n五.配置nginx
0 C& @; J& {1 f) f E g* T u8 Y0 I' R
在需要启用modsecurity的主机的location下面加入下面两行即可:
$ ]( O f# {( g% i0 l% L3 B# o* a0 k. m
ModSecurityEnabled on;
4 Y0 ~- t% h7 }9 n- b( J, ` gModSecurityConfig modsecurity.conf;
# z+ y! I% m1 }3 t* s下面是两个示例配置,php虚拟主机:: P! Z( q3 ]* m' s* C
8 l9 X/ e- K; Q3 i. ?server {* d6 f7 R( S; S- V& l
listen 80;: s f. l, X! A' |- s" ?4 ^
server_name 52os.net www.52os.net;5 u) Y, G1 D$ W: ~7 d& u" Q3 p" T
5 Y. R( r& i/ y8 z& [- S& h
location ~ \.php$ {
2 w, B/ n9 @7 T' e& w2 e ModSecurityEnabled on; H) Y" `* d) A' |. N7 t; }. Q
ModSecurityConfig modsecurity.conf;% ^5 c/ \ |+ E3 o A' V
# E {8 [8 G' @
root /web/wordpress;
1 I+ i$ D: g7 j8 | index index.php index.html index.htm;9 l" }# S* y" r5 v7 d9 |! Y C" M/ h
8 C; o0 }0 X' X: b: | fastcgi_pass 127.0.0.1:9000;6 i+ Z- J/ C3 v$ q5 U
fastcgi_index index.php;, ]# q- @- Y+ @* N0 @+ ~. j% \
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
. ^/ S: [& X& W include fastcgi_params;
4 V9 m. J @9 c' p; g }4 G8 q5 a5 ~7 s. k$ v
}
) \( f# `- l" @. ^9 Eupstream负载均衡:
7 t+ h) k) `7 K! J$ u: W4 t# j" T/ ]: ]$ Y$ O. j# T* k
upstream 52os.net {* `9 _! `3 |* U
server 192.168.1.100:8080;! [+ A) w+ H% \3 ]0 ^
server 192.168.1.101:8080 backup;
" d0 f' x9 H( s; S6 a}" e6 Z' E! N& a2 z* Y! ^$ k, O
8 k! ] i7 z% M5 L- }
server {
6 d' B: u4 [, a& n8 e% [listen 80;
% g! T! ?' F2 V6 I0 \: M7 iserver_name 52os.net www.52os.net;' {5 W' `3 G) w: j' a7 }$ I! I
' m8 ]; K! g, k4 q. `7 ?7 ~6 hlocation / {7 ]: W9 ]8 F7 l0 Y) a7 J
ModSecurityEnabled on; 6 c% z5 v. m. f; v
ModSecurityConfig modsecurity.conf;
" b) k$ O( ]! B I( _4 t+ t9 o+ b. }. c7 s& X
proxy_pass http://online;% L! ~. C: P1 Z' ~1 S
proxy_redirect off;
" a9 b; Z+ a) |# g; o. V proxy_set_header Host $host;$ D' n& m9 ?5 C% S& v. ~; K7 p
proxy_set_header X-Real-IP $remote_addr;/ q0 P+ G" K& v# l% E
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;# |# V1 C9 A& y- h$ v B! l |
}, G( H. |* [0 a0 g) m6 H2 F
}
5 c" P6 P8 o) B7 N7 w9 m六.测试
2 a8 Z# V. f2 q% z% d/ f8 {2 C- s. U+ M8 T" S, o! m3 V
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
1 ?7 l+ u" `8 A3 Z
1 V( z0 @. G( G# P( j( K, P' a<?php
4 I4 w, ?. B) Y% s7 X% l" ?- | phpinfo(); ' }: d: `0 |% x* r
?>
+ U6 D/ x9 s6 |2 O2 f/ D- ]在浏览器中访问:; {9 H6 S1 g/ b& U1 d& F9 E! g
( v+ \: i6 u3 J% o$ \http://www.52os.net/phpinfo.php?id=1 正常显示。% G8 d, E4 o4 T4 h& E. O4 n, P
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。7 C6 p- {: O& ]
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。$ l& Q4 R, u6 H" X6 w
说明sql注入和xss已经被过滤了
$ R! M1 V6 F1 W# \7 O
8 l4 ~6 j; e# i! n, k0 s七、安装过程中排错
+ g% l( E! Q; G0 b* w8 `
$ U. e3 C* Q+ r# N U* R, E1.缺少APXS会报错) B7 k" o% S. g0 ?( y1 x3 v" P; S
4 f3 Z& U0 q$ rconfigure: looking for Apache module support via DSO through APXS
2 b: }/ `1 T$ d+ n4 m, C9 I/ bconfigure: error: couldn't find APXS
* c0 d; U$ x' V. g. A C) d, X1 Aapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
9 S" ^/ n% K' q5 k! a" T2 T解决方法:+ e1 I6 Y8 I1 M
+ x$ I. ^+ ?2 M( a+ }
yum install httpd-devel; _) n" b+ l7 v. K0 m
2.没有pcre
+ t" S6 A* O R# B6 g G: E9 b4 m. u/ P0 k% {8 @
configure: *** pcre library not found.6 U$ _- g7 Z' V
configure: error: pcre library is required$ g5 Y3 h4 o5 |6 {; `2 A" @
解决方法:% T. M8 L3 N' O8 |
% R6 y4 B H5 p+ o) m& }yum install pcre pcre-devel1 M) C9 w% l) y2 _6 q
3.没有libxml2
# Q) H* E6 J1 u; _6 e2 `
- F7 t. `" h/ l- C8 w! S8 E# A0 _
9 p7 ^# z$ l' @2 e q( K. Cconfigure: *** xml library not found.
# r1 Y- i' j/ f3 B5 d# {: Xconfigure: error: libxml2 is required9 \1 g" u) O+ I' n5 c! n
解决方法:
2 i9 x* C$ M: P+ J: r5 }* v- q/ h! X# a) q8 n3 @3 \' U
yum install libxml2 libxml2-devel
6 z. Y7 J6 C ~* V1 c- _! E% e4.执行 /opt/tengine/sbin/nginx -m 时有警告9 r1 _. A# B9 Z5 t& m% }: L9 R
0 X! |; o+ w1 l& P$ v- a
Tengine version: Tengine/2.1.0 (nginx/1.6.2)! V# r6 x3 @- ]1 O# ~1 Y* H- k* M
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!: c y( u0 F0 O6 m* s- r5 V
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log9 S8 L1 W$ J1 u5 u& i& ` U# k
% i+ `3 V0 p0 ~
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
}' P7 c# J/ J' E2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"1 W* `/ H: s0 H9 P2 L" v! x# L
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!: p' Z( t) f( y$ `1 W1 l
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"5 ^) a; U/ {! C
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"3 h1 `3 V; i1 \
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.9 T' U2 J2 g8 T2 B
解决方法,移除低版本的APR (1.3.9)1 G5 o0 i* _5 W7 M
' d; f3 o0 ^# |. i- y! X* d1 ]; H
yum remove apr
5 @; p% [. r# h1 v5.Error.log中有: Audit log: Failed to lock global mutex$ Z8 r+ r) l# w. K
, W1 Y2 J5 ]( J4 i" }0 G/ z
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
( c# I& G F- ?6 v: A5 R( ]global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]+ x9 i$ V! l h$ N
解决方法:
, y# X5 s* H' @编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
, l( T/ H4 e& ^, {' T
/ B7 a6 \/ n9 R1 l: N% a/ M5 LSecAuditLogDirMode 0777
0 M; c7 H3 J: |# U3 n% B& PSecAuditLogFileMode 0550+ f9 r/ @$ b. p; x6 y
SecAuditLogStorageDir /var/log/modsecurity
5 ?! x8 O$ n7 ~- [* J ISecAuditLogType Concurrent! p0 T$ F& o& h. r. [6 e+ h
参考文章:$ s i! s" f* J+ m; W4 a* s
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX. y. V, Z: T1 r
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡