ModSecurity started out as an open-source WAF for Apache and noticeably strengthens web security. It now also supports nginx and IIS, and combined with the flexibility and performance of nginx it can be built into a production-grade WAF: a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (it needs apxs even for the standalone build), apr/apr-util and libxml2:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

Only make is needed here; nothing is installed, the built standalone module is picked up from the source tree in the next step.

III. Add the ModSecurity module to nginx

Once the standalone module has been built, ModSecurity is added to nginx at compile time with "--add-module". Run this inside the unpacked Tengine source directory (the path below assumes the ModSecurity source was unpacked in /root; add whatever other --with-/--without- options your build needs):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is about filtering and blocking web attacks, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and comprehensive, and you can of course also write custom rules to cover your own requirements.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

The directory layout described here (base_rules, experimental_rules, ...) is that of the CRS 2.2.x releases; if the repository you clone has a different layout, check out a 2.2.x release.

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which evaluates and logs every rule without blocking; leaving it there for a while and reviewing error.log before switching to On avoids blocking legitimate traffic on a false positive.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whatever you need: each rule file is simply pulled in with Include (paths are relative to nginx's conf directory). modsecurity_crs_10_setup.conf has to come first, because it defines the variables and default action the other files rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
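The remark above that custom rules can be written can be made concrete. The modsecurity.conf fragment below is an added example, not configuration from the original article or from the CRS: it stages the engine switch, adds two local rules written for the WordPress host used in the nginx example further down, and narrows one CRS rule to a single URI instead of disabling it site-wide. The local rule IDs 10001-10003, the /wp-content/uploads path and the choice of CRS rule 981242 as the rule being tuned are assumptions; use the ID your own error.log reports.

```apache
# Added example fragment for modsecurity.conf; not the article's own configuration.
# Assumptions: the WordPress layout of the nginx example (root /web/wordpress),
# local rule IDs 10001-10003, and CRS rule 981242 as the rule being tuned.

# 1. Stage the engine switch. DetectionOnly evaluates every rule and logs
#    matches to error.log but blocks nothing; flip it to On once the log is
#    clean of false positives.
SecRuleEngine DetectionOnly
#SecRuleEngine On

# 2. Core Rule Set: the setup file must be included before any rule file.
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf

# 3. Local rules. Every rule needs a unique id; 900000-999999 belongs to the
#    CRS, low numbers are free for local use.

# Only the methods this site needs; anything else is refused in phase 1,
# before the request body is read.
SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|POST)$" \
    "phase:1,id:10001,t:none,deny,status:405,log,msg:'Method not allowed'"

# Files in the uploads directory are data, never code: refuse to run PHP there
# (the nginx "location ~ \.php$" would otherwise hand them to php-fpm).
SecRule REQUEST_URI "@rx ^/wp-content/uploads/.+\.php" \
    "phase:1,id:10002,t:none,t:lowercase,deny,status:403,log,msg:'PHP in uploads'"

# 4. Tuning. When the log shows a CRS rule firing on legitimate traffic for one
#    URI, switch it off for that URI only; "SecRuleRemoveById 981242" here
#    would disable it for the whole site.
SecRule REQUEST_URI "@streq /wp-admin/post.php" \
    "phase:1,id:10003,t:none,nolog,pass,ctl:ruleRemoveById=981242"
```

The exclusion in step 4 runs in phase 1, so it takes effect before the phase 2 CRS rule it removes, regardless of file order; a plain SecRuleRemoveById, by contrast, must appear after the Include that defines the rule.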
V. Configure nginx

Add the following two lines to the location of the virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First a PHP virtual host. Note that ModSecurity is only enabled inside the \.php$ location here, so requests served by other locations are not inspected; put the two directives in the server block if everything should be inspected. nginx variable names are case-sensitive, so the fastcgi_param line must use $document_root:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing (the upstream name, online here, must match the host named in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so malicious requests are answered directly with a 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. Remove phpinfo.php again afterwards: it discloses the PHP configuration, file system paths and loaded modules to anyone who can reach it.
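A 403 in the browser only tells you that something blocked the request. Which rule fired, on which argument, and whether the same rule is also hitting legitimate traffic is recorded in nginx's error.log, where the module writes one "ModSecurity: ..." line per match with the rule details as [key "value"] fields (the same format as the mutex error shown in section VII). The script below is an added example, not part of the original article or of ModSecurity: it parses those lines and summarises denials per rule ID, URI and client, which is what a SecRuleRemoveById or ctl:ruleRemoveById tuning decision needs. The embedded log lines are constructed to match the format seen in this article; the rule IDs, messages, line numbers and file paths in them are illustrative CRS 2.2 values, not taken from a real log.

```python
"""Summarise ModSecurity denials from nginx's error.log.

Added example for this article, not code from the original page or from
the ModSecurity project. The ModSecurity nginx module writes one line per
rule match of the form

  <time> [error] <pid>#<tid>: [client <ip>] ModSecurity: <message> [key "value"] ...

Parsing those lines answers what a 403 in the browser does not: which rule
blocked which URI, how often, and from which clients.
"""
import re
import sys
from collections import Counter, defaultdict

# nginx log prefix; "[client ip]" is present on per-request lines only.
PREFIX_RE = re.compile(
    r'^(?P<time>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<msg>.*)$'
)
# trailing [key "value"] fields; ModSecurity escapes embedded quotes as \"
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')
DENIED_RE = re.compile(r'Access denied with code (?P<code>\d+) \(phase (?P<phase>\d)\)')

# Constructed sample, not a real log: the layout follows this article's own
# error.log excerpts; rule IDs, messages and paths are illustrative CRS 2.2 values.
SAMPLE_LOG = r"""
2015/01/26 04:20:01 [notice] 29036#0: ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:21:13 [error] 29037#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\band\b\s*\d+\s*=\s*\d+)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "Matched Data: and 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 04:21:40 [error] 29037#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "29"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:search: <script>alert(\"xss\");</script>"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2015/01/26 04:25:02 [error] 29038#0: [client 10.11.15.200] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\band\b\s*\d+\s*=\s*\d+)" at ARGS:q. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "Matched Data: and 1=1 found within ARGS:q: rooms and 1=1 baths"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/search.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]
2015/01/26 04:26:30 [error] 29038#0: [client 10.11.15.200] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.52os.net"] [uri "/search.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAg"]
"""


def parse_event(line):
    """Parse one error.log line; returns None for lines not written by ModSecurity."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    msg = m.group('msg')
    fields = {k: v.replace('\\"', '"') for k, v in FIELD_RE.findall(msg)}
    denied = DENIED_RE.search(msg)
    if denied:
        action = 'deny'
    elif msg.startswith('Warning.'):
        action = 'warn'          # rule matched but did not block (DetectionOnly, or a pass rule)
    else:
        action = 'other'         # startup notices and similar
    return {
        'time': m.group('time'),
        'client': m.group('client'),
        'action': action,
        'status': int(denied.group('code')) if denied else None,
        'phase': int(denied.group('phase')) if denied else None,
        'id': fields.get('id'),
        'msg': fields.get('msg'),
        'data': fields.get('data'),
        'uri': fields.get('uri'),
        'hostname': fields.get('hostname'),
    }


def summarize(lines):
    """Denials per rule ID, with the URIs and clients each rule hit.

    A rule whose hits land on ordinary URIs from many clients is a false-positive
    candidate; its ID is what SecRuleRemoveById, or a ctl:ruleRemoveById
    exclusion scoped to the URI, needs.
    """
    hits, uris, clients = Counter(), defaultdict(set), defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev['action'] != 'deny' or ev['id'] is None:
            continue
        hits[ev['id']] += 1
        uris[ev['id']].add(ev['uri'])
        if ev['client']:
            clients[ev['id']].add(ev['client'])
    return {rid: {'count': n, 'uris': sorted(uris[rid]), 'clients': sorted(clients[rid])}
            for rid, n in hits.items()}


def sample_events():
    """Parsed events for the constructed SAMPLE_LOG."""
    return [parse_event(l) for l in SAMPLE_LOG.strip().splitlines()]


def main(argv):
    # Usage: python modsec_triage.py /opt/tengine/logs/error.log   (no argument: SAMPLE_LOG)
    if len(argv) > 1:
        with open(argv[1]) as fh:
            summary = summarize(fh)
    else:
        summary = summarize(SAMPLE_LOG.strip().splitlines())
    for rid, info in sorted(summary.items(), key=lambda kv: -kv[1]['count']):
        print('%s denials=%d uris=%s clients=%s' % (
            rid, info['count'], ','.join(info['uris']), ','.join(info['clients'])))


if __name__ == '__main__':
    main(sys.argv)
```

Run it against the real error.log after a day in DetectionOnly mode and sort by count: rules that deny a handful of probes from one client are doing their job, while a rule that fires across normal URIs and many clients (the constructed 981242 hit on /search.php above, where "and 1=1" is ordinary search text) is the one to exclude for that URI.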
" J7 n. L1 I( H* \3 } `% U1 E5 }% [4 ~/ F+ {2 M2 f) }' ?
七、安装过程中排错
. U1 x% ~- _! T% h! @. u. x
1 n2 r" C7 @0 {' n( I1.缺少APXS会报错( S4 |3 M4 Y1 F8 ?; N6 L/ Z4 f
7 U4 w- O: \* n% h2 z
configure: looking for Apache module support via DSO through APXS
. s. W( `) t5 m* Pconfigure: error: couldn't find APXS
- c$ C% L* e' c Qapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
Q8 y( W" V, |解决方法:
# N& @4 @$ o$ C4 j0 }! Y$ H; ?+ t+ j9 G7 |. N( ]
yum install httpd-devel
( b4 J2 }% F! i8 y: L2.没有pcre6 x0 X# U( y- c+ A- S- w6 F
" |" \0 Y) V& g0 Pconfigure: *** pcre library not found.+ }6 |$ A, Q, r1 H. q4 y
configure: error: pcre library is required
3 \2 ?9 j- P8 d3 O解决方法:$ u+ u$ F" k% l$ Y
: o- n5 F: O9 q# W$ R" u9 wyum install pcre pcre-devel
) `& e9 B# H% F6 N3.没有libxml2* [& w* I1 c+ ]2 Q: ^
; c" W# C% V. a7 `
$ U7 l( M- a8 H5 X2 Jconfigure: *** xml library not found.
$ u# `! P- M* V( w" uconfigure: error: libxml2 is required
+ \* X3 [4 u0 U5 i$ s解决方法:9 r: I7 | L8 ]2 X) _; X
$ D1 z8 J g% W' g1 {3 e
yum install libxml2 libxml2-devel, t1 ~$ |' l9 T/ `2 P! F6 [& q
4.执行 /opt/tengine/sbin/nginx -m 时有警告
O$ _/ x, F9 h% l- `, Q1 a1 X/ G0 ~7 N0 b9 N
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
; a ^, R( K! G# d# R6 a: Onginx: [warn] ModSecurity: Loaded APR do not match with compiled!
H# ?/ e9 S2 w. p原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log4 ]( a% ?6 C& p3 t! O, s1 F
" [6 j! Y- t3 i1 ^3 M
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
) {4 M1 i9 h m5 S5 A$ \2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
0 E7 B2 v. v1 l* g2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!3 b8 v! B' ]" z+ i Q
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"$ w* e& [. r0 L/ }9 o
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
6 Z, q D' s* v; s6 a2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.) U! ^4 A. S) F: j( f
解决方法,移除低版本的APR (1.3.9)
+ F+ v% \2 d& r* x2 u. }+ N" v# x% M8 i [, ]" p/ m1 |
yum remove apr
- g6 I. K+ T- T* l" W7 Q5.Error.log中有: Audit log: Failed to lock global mutex5 r0 n) [' G7 ^% {6 r' j3 F3 Y
/ V. A2 C8 B) l5 ?2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
9 \4 f; k: w! g7 s a2 |, Yglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
8 u: F$ `5 X* b4 V* b解决方法:
+ X7 ], z7 {" X/ t C; G3 r2 B编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
& s% h- E( b) R) U( h K" I& l2 P0 c H: v" K& d6 N: t, D
SecAuditLogDirMode 07779 o& s0 L8 a3 c/ C ? Y
SecAuditLogFileMode 0550
: X5 w+ g! n5 b# }3 ~* XSecAuditLogStorageDir /var/log/modsecurity
2 L L* S% F5 c# eSecAuditLogType Concurrent! K3 `# a0 M& w; f
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614