ModSecurity began life as an open-source WAF for Apache and adds a solid layer of protection to web applications. It now supports nginx and IIS as well; combined with the flexibility and efficiency of nginx it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module is added to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
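The build steps of sections 1 to 3 collected into one script with a check after each step, added here as an example; it is not part of the original post. It assumes CentOS 6.5 with yum, that it runs as root, the tarball URLs and versions from the post, a working directory of /root (WORK) and the install prefix /opt/tengine. The final check relies on nginx -V, which prints the configure arguments the binary was built with.

```shell
#!/bin/sh
# Added example, not part of the original post: sections 1-3 as one script
# with a check after each step. Assumptions: CentOS 6.5 with yum, run as root,
# the tarballs named in the post, and the install prefix /opt/tengine.
set -eu

MODSEC_VERSION=2.8.0
TENGINE_VERSION=2.1.0
PREFIX=/opt/tengine
WORK=${WORK:-/root}            # where the source trees are unpacked

# Read "nginx -V" output on stdin; succeed only if a ModSecurity module
# directory was passed with --add-module when the binary was configured.
has_modsecurity() {
    grep -q -- '--add-module=[^ ]*modsecurity'
}

install_deps() {
    yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel \
        httpd-devel apr apr-util-devel apr-devel libxml2 libxml2-devel
}

build_modsecurity() {
    cd "$WORK"
    [ -f "modsecurity-$MODSEC_VERSION.tar.gz" ] ||
        curl -LO "https://www.modsecurity.org/tarball/$MODSEC_VERSION/modsecurity-$MODSEC_VERSION.tar.gz"
    tar xzf "modsecurity-$MODSEC_VERSION.tar.gz"
    cd "modsecurity-$MODSEC_VERSION"
    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make
    # The nginx module source that the next step adds must now exist.
    [ -f nginx/modsecurity/config ] || {
        echo "standalone module was not built; check the configure output" >&2
        exit 1
    }
}

build_tengine() {
    cd "$WORK"
    [ -f "tengine-$TENGINE_VERSION.tar.gz" ] ||
        curl -LO "http://tengine.taobao.org/download/tengine-$TENGINE_VERSION.tar.gz"
    tar xzf "tengine-$TENGINE_VERSION.tar.gz"
    cd "tengine-$TENGINE_VERSION"
    ./configure --add-module="$WORK/modsecurity-$MODSEC_VERSION/nginx/modsecurity/" \
                --prefix="$PREFIX"
    make && make install
}

# Confirm the installed binary really carries the module before configuring it.
verify_install() {
    "$PREFIX/sbin/nginx" -V 2>&1 | has_modsecurity || {
        echo "ModSecurity is not compiled into $PREFIX/sbin/nginx" >&2
        exit 1
    }
    echo "ModSecurity module is compiled into $PREFIX/sbin/nginx"
}

# Only build when invoked as "sh build_waf.sh build"; otherwise just define the functions.
if [ "${1:-}" = "build" ]; then
    install_deps
    build_modsecurity
    build_tengine
    verify_install
fi
```

Run it as `sh build_waf.sh build`; it stops at the first failing step, so a missing dependency surfaces as a configure error rather than as a silently module-less nginx binary.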
4. Add rules

ModSecurity is all about filtering and blocking web attacks, and its power lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and thorough, and you can of course also write custom rules for any requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need by pulling the corresponding files in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
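As an added example that is not part of the original post or of the CRS, here is a small local rule file that can be pulled in from modsecurity.conf after the CRS Include lines above; it shows the two things the paragraph mentions, a custom rule and tuning of the shipped rules. The file name local_rules.conf, the rule id 10001, the numeric check on phpinfo.php's id parameter and the "comment" parameter are assumptions for illustration; 950901 is the id of the SQL tautology rule in CRS 2.x's modsecurity_crs_41_sql_injection_attacks.conf and stands in for whichever rule your audit log reports as a false positive.

```apache
# local_rules.conf (assumed name), pulled in from modsecurity.conf with
#   Include owasp-modsecurity-crs/local_rules.conf
# placed AFTER the CRS Include lines: SecRuleRemoveById and
# SecRuleUpdateTargetById can only alter rules that are already loaded.

# Constructed allow-list rule: phpinfo.php (the test page used later in the
# post) only accepts a purely numeric id, so the "1 and 1=1" probe is refused
# here independently of the CRS signatures. Requests without an id parameter
# are not affected. Ids 1-99999 are reserved for local rules.
SecRule REQUEST_FILENAME "@endsWith /phpinfo.php" \
    "id:10001,phase:2,t:none,chain,deny,status:403,log,msg:'phpinfo.php: id must be numeric',tag:'local/input-validation'"
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" "t:none"

# Tuning a false positive: keep the CRS rule but stop it inspecting one
# parameter (a free-text "comment" field, assumed for illustration) ...
SecRuleUpdateTargetById 950901 !ARGS:comment

# ... or, as the blunt alternative, drop the rule for the whole site:
# SecRuleRemoveById 950901

# While tuning, set SecRuleEngine DetectionOnly in modsecurity.conf so new
# rules only log to the audit log; switch back to On once the log is quiet.
```

After editing, run /opt/tengine/sbin/nginx -t so that a syntax error in a rule is caught before the reload rather than by the first request.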
5. Configure nginx

To enable ModSecurity for a host, add the following two lines inside the relevant location block:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host (ModSecurity only inspects requests that reach the location it is enabled in, so here only PHP requests are filtered):

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Upstream load balancing (the upstream name must match the one used in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php with this content:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
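The three browser tests above as a repeatable curl check, added as an example that is not part of the original post. It assumes curl is installed and that the site is reachable at WAF_BASE_URL, defaulting to the host used in the post; the probes are exactly the post's three requests, so the benign one must come back 200 and the other two 403.

```shell
#!/bin/sh
# Added example, not part of the original post: repeat the three browser tests
# above with curl and compare the status codes. Assumptions: curl is installed
# and the site is reachable at WAF_BASE_URL (defaults to the host in the post).
BASE_URL=${WAF_BASE_URL:-http://www.52os.net}

# GET $1 with the single query parameter $2 (curl percent-encodes it, so the
# probe arrives exactly as typed). Prints the HTTP status, 000 if the
# connection failed.
http_status() {
    curl -sS -o /dev/null -w '%{http_code}' --max-time 10 \
         --get --data-urlencode "$2" "$BASE_URL$1"
}

# judge GOT WANT LABEL: print a one-line verdict, return 0 on match, 1 otherwise.
judge() {
    if [ "$1" = "$2" ]; then
        printf 'PASS %s %s\n' "$1" "$3"
        return 0
    fi
    printf 'FAIL got %s, want %s: %s\n' "$1" "$2" "$3"
    return 1
}

# Test table (expected|path|parameter), taken from the post's browser tests:
# the benign request must pass, the two probes must be blocked with 403.
run_checks() {
    fails=0
    while IFS='|' read -r want path param; do
        got=$(http_status "$path" "$param")
        judge "$got" "$want" "$path?$param" || fails=$((fails + 1))
    done <<'EOF'
200|/phpinfo.php|id=1
403|/phpinfo.php|id=1 and 1=1
403|/phpinfo.php|search=<script>alert('xss');</script>
EOF
    return "$fails"
}

# Run only when invoked as "sh waf_smoke.sh run". A non-zero exit code means
# one of the checks failed: a probe got through, the benign request was
# blocked (false positive), or the site is unreachable.
if [ "${1:-}" = "run" ]; then
    run_checks && echo "WAF smoke test passed"
fi
```

Because the exit code reflects the result, the script can run after every rule change or deployment; a FAIL on the first line means the WAF is blocking legitimate traffic, which is worth catching as early as a missed probe.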
7. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
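A small script that reads nginx's error.log and flags the two start-up problems from items 4 and 5 (APR compiled/loaded mismatch and audit-log mutex failures), added as an example and not part of the original post. Its sample log is built from the lines quoted above plus one constructed clean line; the advice it prints summarises the fixes in this section and is an assumption of the example, not ModSecurity output.

```shell
#!/bin/sh
# Added example, not part of the original post: scan nginx's error.log for the
# ModSecurity start-up notices quoted in items 4 and 5 and flag both problems
# (APR compiled/loaded mismatch, audit-log mutex failures). The sample lines
# below are copied from the post; the "clean" log is constructed for comparison.

# version_pair LIB: read a log on stdin and print "compiled loaded" for LIB
# (APR or PCRE) from the most recent ModSecurity start-up notice.
version_pair() {
    sed -n "s/.*ModSecurity: $1 compiled version=\"\([^\"]*\)\"; loaded version=\"\([^\"]*\)\".*/\1 \2/p" |
        tail -n 1
}

# Return 0 when the APR ModSecurity was built against is the one loaded at run
# time; otherwise print what differs and return 1. Reads the log on stdin.
check_apr() {
    pair=$(version_pair APR)
    if [ -z "$pair" ]; then
        echo "no ModSecurity APR notice found: module not loaded or log rotated"
        return 1
    fi
    compiled=${pair%% *}
    loaded=${pair#* }
    if [ "$compiled" != "$loaded" ]; then
        echo "APR mismatch: built against $compiled, loaded $loaded (remove the stale apr package or rebuild)"
        return 1
    fi
    echo "APR ok: $compiled"
}

# Number of audit-log mutex failures in log file $1 (0 when there are none).
mutex_failures() {
    grep -c 'Audit log: Failed to lock global mutex' "$1" || true
}

# check_log FILE: run both checks; exit status 0 only if the log is clean.
check_log() {
    rc=0
    check_apr < "$1" || rc=1
    n=$(mutex_failures "$1")
    if [ "$n" -gt 0 ]; then
        echo "$n audit-log mutex failures: switch to SecAuditLogType Concurrent with a writable SecAuditLogStorageDir"
        rc=1
    fi
    return $rc
}

SAMPLE_LOG=$(mktemp)   # lines copied from the post's error.log excerpts
cat > "$SAMPLE_LOG" <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
EOF

CLEAN_LOG=$(mktemp)    # constructed: what a healthy start-up looks like
cat > "$CLEAN_LOG" <<'EOF'
2015/01/26 02:30:00 [notice] 29200#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.5.0"
EOF
trap 'rm -f "$SAMPLE_LOG" "$CLEAN_LOG"' EXIT

# Check the file given as the first argument, or the sample when run without one.
if check_log "${1:-$SAMPLE_LOG}"; then
    echo "ModSecurity start-up looks clean"
fi
```

Run it as `sh check_modsec_log.sh /opt/tengine/logs/error.log` after every reload; the mutex check in particular only shows up once real traffic hits the audit log, so a clean `nginx -t` alone does not prove the fix from item 5 has taken.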
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614