ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is about filtering and blocking web threats, and its strength lies in its rules. The rule set provided by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course add your own rules for any particular need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the ones you need: each rule file you want active is pulled in with an Include line (the paths below are relative to nginx's conf directory, where modsecurity.conf now lives):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

Add the following two lines inside the location block of every virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing (the upstream name and the proxy_pass target must match):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
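Before reloading Tengine it is worth checking that the modsecurity.conf assembled in sections IV and V is what you think it is. The following Python script is an added example, not code from the original post: it follows the Include lines the way they are written above (relative to nginx's conf directory) and reports a SecRuleEngine that is not On, Include targets that do not exist, and a missing unicode.mapping. demo() builds a constructed copy of that layout in a temporary directory; for the real check point check_modsecurity_conf() at /opt/tengine/conf.

```python
"""Pre-flight check for the modsecurity.conf Tengine loads (added example, not code from
the post): follows Include lines relative to the nginx conf directory and reports a
SecRuleEngine that is not On, missing Include targets and a missing unicode.mapping."""
import glob
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^\s*Include\s+(\S+)", re.IGNORECASE)
DIRECTIVE_RE = re.compile(r"^\s*(Sec\w+)\s+(.+?)\s*$")

def check_modsecurity_conf(conf_dir, conf_name="modsecurity.conf"):
    """Return a list of findings; an empty list means the config looks usable."""
    findings, directives = [], {}

    def walk(path):
        if not os.path.isfile(path):
            findings.append("missing Include target: " + path)
            return
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                inc = INCLUDE_RE.match(line)
                if inc:                       # join() keeps an absolute target unchanged
                    target = os.path.join(conf_dir, inc.group(1))
                    for hit in glob.glob(target) or [target]:   # wildcards are allowed
                        walk(hit)
                    continue
                d = DIRECTIVE_RE.match(line)
                if d:
                    directives[d.group(1)] = d.group(2)

    walk(os.path.join(conf_dir, conf_name))
    if directives.get("SecRuleEngine", "").lower() != "on":
        findings.append("SecRuleEngine is not On: rules would only log, never block")
    if not os.path.isfile(os.path.join(conf_dir, "unicode.mapping")):
        findings.append("unicode.mapping not found in " + conf_dir)
    return findings

def demo():
    """Check a constructed conf tree (temp dir) laid out like the post's /opt/tengine/conf."""
    root = tempfile.mkdtemp()
    crs = os.path.join(root, "owasp-modsecurity-crs", "base_rules")
    os.makedirs(crs)
    with open(os.path.join(crs, "modsecurity_crs_41_xss_attacks.conf"), "w") as fh:
        fh.write('SecRule ARGS "@rx <script" "id:900001,deny,status:403"\n')  # stand-in rule
    with open(os.path.join(root, "modsecurity.conf"), "w") as fh:
        fh.write("SecRuleEngine DetectionOnly\n"           # the recommended file's default
                 "Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf\n"
                 "Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf\n")
    return check_modsecurity_conf(root)
```

The constructed tree deliberately leaves SecRuleEngine at DetectionOnly, omits one of the included rule files and has no unicode.mapping, so demo() returns all three findings.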
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered with 403 directly. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS attempts are being filtered.
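The three browser checks above can be turned into a repeatable smoke test that is run after every rule or nginx change. This Python script is an added example, not code from the original post; the host 127.0.0.1 is a placeholder for the Tengine server, and fetch() is injectable so the pass/fail logic can be exercised without a live server.

```python
"""Smoke test for the SQL-injection and XSS filtering enabled in the post (added
example, not code from the post): request the post's three test URLs and check that
the benign one is answered 200 and the two malicious ones 403."""
import urllib.error
import urllib.parse
import urllib.request

# (path, query parameters, expected HTTP status): the three requests from the post
CASES = [
    ("/phpinfo.php", {"id": "1"}, 200),
    ("/phpinfo.php", {"id": "1 and 1=1"}, 403),
    ("/phpinfo.php", {"search": "<script>alert('xss');</script>"}, 403),
]

def http_status(url):
    """Return the HTTP status code; urllib raises HTTPError on 4xx, so a 403 must be caught."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_smoke_test(base_url, cases=CASES, fetch=http_status):
    """Return (all_passed, [(url, expected, got), ...]); fetch is injectable for offline runs."""
    results = []
    for path, params, expected in cases:
        url = base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)
        results.append((url, expected, fetch(url)))
    return all(exp == got for _, exp, got in results), results

if __name__ == "__main__":
    # placeholder: the Tengine host on which ModSecurityEnabled was switched on
    passed, rows = run_smoke_test("http://127.0.0.1")
    for url, expected, got in rows:
        print("PASS" if expected == got else "FAIL", expected, got, url)
```

A WAF that only logs (SecRuleEngine DetectionOnly) makes the last two cases come back 200, which this test reports as FAIL.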
VII. Troubleshooting the installation

1. Missing APXS makes configure fail:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
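Both of these conditions surface only in error.log, so it pays to scan that file automatically after a build or a reload. The following Python helper is an added example, not code from the original post: it parses nginx error-log lines ("2015/01/26 02:04:18 [warn] 29036#0: message") and flags the APR compiled/loaded version mismatch and the audit-log mutex failure, with the client and URI pulled out of the bracketed fields. The sample log is constructed from the lines shown above.

```python
"""Triage helper for ModSecurity messages in Tengine's error.log (added example,
not code from the original post). It parses nginx error-log lines and flags the
two conditions from the troubleshooting section: the APR compiled/loaded version
mismatch and the audit-log mutex permission failure."""
import re

LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
                     r"(?P<pid>\d+)#\d+: (?P<msg>.*)$")
FIELD_RE = re.compile(r'\[(\w+) "?([^"\]]*)"?\]')     # [client 1.2.3.4] and [uri "/x"] fields
APR_RE = re.compile(r'APR compiled version="([^"]+)"; loaded version="([^"]+)"')

# Constructed sample, assembled from the lines shown in the post
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

def parse_line(line):
    """Split one error-log line into ts/level/pid/msg plus a dict of bracketed fields."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(FIELD_RE.findall(rec["msg"]))
    return rec

def diagnose(log_text):
    """Return [(problem_id, detail), ...] for the ModSecurity problems found in log_text."""
    problems = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "ModSecurity" not in rec["msg"]:
            continue
        apr = APR_RE.search(rec["msg"])
        if apr and apr.group(1) != apr.group(2):
            problems.append(("apr_mismatch", "compiled %s but loaded %s: remove the older apr"
                             % apr.groups()))
        if "Failed to lock global mutex" in rec["msg"]:
            problems.append(("audit_lock", "client %s uri %s: check SecAuditLog* permissions"
                             % (rec["fields"].get("client", "?"), rec["fields"].get("uri", "?"))))
    return problems

if __name__ == "__main__":
    for problem, detail in diagnose(SAMPLE_LOG):
        print(problem, "-", detail)
```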
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614