|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。, Q- x7 d7 d2 R0 C6 ]' Z
; p; ^( I. X% b+ m& k0 H
一.准备工作+ u4 L# j u: Q0 d! e$ y
; n% x# M: u& \) w5 W$ Y1 \
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
. E+ p/ |0 U9 [7 ]2 V
$ n2 u( ~, I* A4 A/ S: X6 itengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz$ f: C8 i! x, i# n/ K, K
( u( g( |/ d4 \1 F
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz- T8 k h* a% v, I' h. e' e- Q
8 F: S8 ^/ R5 kOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs( y9 }- ~& u$ `! J) y) ~6 ~% {
?% x" i& [* {* C! K" w
依赖关系:8 h& J+ H6 L9 b5 O8 O- B8 o
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:# M3 Z" L& T T- ~0 B( G) K
" h r+ |* ~; A4 \; D6 j4 H' F3 m1 Fyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
* t4 M) ] c _+ Cmodsecurty依赖的包:pcre httpd-devel libxml2 apr. Y, Y N r; p; ]9 p
0 h" Q; \; @& I" l$ {& D6 X* T6 @
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
$ Z9 K6 f3 }! }1 ?二.启用standalone模块并编译
6 L4 q& J! I; E6 l5 _- C
- l$ g) t, w$ w# q. B下载modsecurity for nginx 解压,进入解压后目录执行:, o- S3 p: } p2 z
+ q2 W6 X8 h. B* ~& M7 m+ \./autogen.sh4 r5 v7 w# B- t8 S9 W1 U
./configure --enable-standalone-module --disable-mlogc
/ V' x/ |5 j4 w3 a, k) q. Ymake + G; |3 N R- a8 x
三.nginx添加modsecurity模块
" i% j# c& X# Y# Z# T3 s
& w( H* I! R4 V! I5 [! m' @% v/ [; x" w6 ~在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
! I9 T# A" T4 c6 K$ a! K# T' V Z* w( g7 Z& O2 H# @
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine' R7 G7 R- v6 ]/ i0 v
make && make install) n5 M" h, n' J. D$ B
四.添加规则. l {! O* a4 z/ R/ Y
$ ]7 x) a* E* L& V% j$ Imodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
; N9 S. ]( W, }, ~ `( p
A5 L( K4 \% \- s4 i1.下载OWASP规则:
3 F+ T0 \7 B" M# J3 t- e1 @; M. A) ?3 I' r) o
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
. P0 q, T1 r# ?9 h8 l& w0 d5 \- q
mv owasp-modsecurity-crs /opt/tengine/conf/
1 P$ E$ y( I$ H: @: \3 E! d% J, R+ r6 z6 o
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf8 `0 ~- e" w; M7 a
2.启用OWASP规则:( w! Y9 g7 Y( K/ Q. {. O0 N
. x4 A. V0 Q3 U0 r3 ]
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。/ p" S Y$ F9 o, e- U5 y1 R
; i; ^9 \1 q$ A$ D5 i
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
- Q, b: }0 Y' _- r: T( Z( s5 S! F9 R! w7 M/ V' z e
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
: v1 s# G A1 L, J: O" h; A# V3 Q5 q v, k V
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
7 |6 [% @4 m4 [" X( z4 fInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
U, F% V9 t( ~( t% P# G2 Z- LInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
1 h/ d$ T3 B: b% r ^: aInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
0 \ G) k& Z! H$ I/ TInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
) J! Z7 z$ X0 E$ P- I$ A8 ^Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf. h; ]& \4 D, @, [
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf: ]5 A# P8 ~1 K
五.配置nginx
+ _, G# Y. O, ?; X4 l; J2 U+ {" N* m, D- ?& r, V& W
在需要启用modsecurity的主机的location下面加入下面两行即可:
; K- r" w- }. [
5 B+ c6 E" y A0 b" T* `ModSecurityEnabled on;
$ \) g# E" s# }! L+ b/ |ModSecurityConfig modsecurity.conf;) y6 p5 D1 M% o7 m
下面是两个示例配置,php虚拟主机:. ~+ m: Z) Q: G0 q9 H& A
1 `, Y: y X. O& j) ?3 C sserver {
% V4 s2 ^ w7 Q) i listen 80;) k7 D3 s' f9 W
server_name 52os.net www.52os.net;
G% R$ y9 V' H( H ' L6 c) f6 M. \, @
location ~ \.php$ {3 i$ S9 R$ l5 n# u( a4 w1 C) _1 E
ModSecurityEnabled on; 1 d* c) @, y# T* `1 u
ModSecurityConfig modsecurity.conf;
. F: T' w" h* \% T" i1 h ?/ ?6 e$ a+ G$ P y5 @+ m8 d
root /web/wordpress;
/ H$ T+ m" Q/ n( J+ Y# Z a6 } index index.php index.html index.htm;
% \! V8 q8 M+ _; P- A+ P
* F8 K) J* q4 r. p fastcgi_pass 127.0.0.1:9000;9 t3 @7 T# u# I* v8 C0 Y
fastcgi_index index.php;
, c7 [; J4 {8 ]: x" s4 a fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
4 `- x3 P A- u/ P2 M; R8 A* e include fastcgi_params;
7 F" K q, \6 K4 U }
8 p' s+ U$ x& g }) \+ V$ K* c& w0 t3 m/ ~
upstream负载均衡:
, i% R6 ?8 [+ H( p& W1 Z
1 {2 Z; \8 d6 X1 M# Kupstream 52os.net {0 z, u! ~: o. c* w% I
server 192.168.1.100:8080; X" B9 `) _& J/ B7 y3 O' i
server 192.168.1.101:8080 backup;$ W) f/ v) I0 W
}" N: s6 |, Q; Z% g& P: {
; r/ `0 z* _+ kserver {/ f h6 c7 A( S3 `
listen 80;
6 w4 | ]; H9 k S0 [5 u( ]" fserver_name 52os.net www.52os.net;
9 {0 ?- _4 q9 d0 h
* x1 g; E3 v1 y- g4 r4 qlocation / {1 Y! `; g: N9 H- b
ModSecurityEnabled on; * ?' j& M7 w( J9 }9 w
ModSecurityConfig modsecurity.conf;
& K7 G% ~ p D" Q( J6 J# B, v5 Y4 W+ J2 k0 s3 u; \- v% n
proxy_pass http://online;
+ B4 j( y( Y# u. B+ V* M* F proxy_redirect off;
$ C$ ? i2 u$ V6 W+ W/ r proxy_set_header Host $host;9 D" P2 r+ ^8 p+ n$ T4 Z
proxy_set_header X-Real-IP $remote_addr;& G& Q- e' a& i- d! H
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;4 t7 X$ f" o8 g- u
}9 Z# u5 n! @; Y- o) H0 y
}6 j8 U2 p9 j$ k2 ^7 l* n
六.测试. D# R* k3 }. f) ^7 g. ~) X+ r
) a- X# S1 u- V* z: z. d' C我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
# a" j+ O9 ~6 f. |8 r% |8 U5 X9 \3 {: s! D2 T
<?php
8 o& H& i2 q" i9 G" r7 _8 e phpinfo();
; [2 A) c9 g. g?>: |2 X3 S2 W) j! D! r6 d$ ^, e, ^2 Q
在浏览器中访问:
# l9 K: O: l3 b- H( v: A( Q6 S$ `/ j5 q% W5 g
http://www.52os.net/phpinfo.php?id=1 正常显示。
) }( @) W0 P+ c# z. bhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
: w l& J( } }2 v7 U6 rhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。. V# m) W9 A0 H0 z* G
说明sql注入和xss已经被过滤了
2 t5 v( T( a$ |$ O# a- t* V3 n; M2 J; W: D" v
七、安装过程中排错* w" M" ?! ~! `2 s- M9 K1 `
6 X0 y3 C0 T3 |, q
1.缺少APXS会报错
: x, [. W; B4 v
9 G' z& t; \/ w9 h' ^3 qconfigure: looking for Apache module support via DSO through APXS
' c, T, m2 F' w6 j) k% @/ z: Bconfigure: error: couldn't find APXS( Q, X* t. G+ U
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
$ a5 ^" \4 m9 u$ ^0 p1 r- j解决方法:6 X; P( d; a/ ^* E; d5 R
7 C+ Z3 n( i! A7 Dyum install httpd-devel
; `# [# Q, q8 \5 U+ T6 `2.没有pcre2 p# U/ K5 u: T5 \3 X3 g( @
, N+ x6 [8 V; t* i, y$ B; [
configure: *** pcre library not found.
" }( |) ^# c0 e& I* Qconfigure: error: pcre library is required
# I; l1 K3 ]& {) _: ^4 \解决方法:
2 \/ Z: H, ]* R9 O+ H
# Q& V [5 X1 G. X) T0 J. U* Iyum install pcre pcre-devel: |' ` l7 j. P1 `8 S5 W
3.没有libxml2
+ R; I# ]* G6 H5 F) P: o
) r( {# X- K, l/ V# J4 V4 H6 M' }$ t" N1 P9 M+ w1 r- j4 h
configure: *** xml library not found.% s9 C( Q3 Q6 o/ j" W
configure: error: libxml2 is required- U( \7 O8 v: x4 f
解决方法:
2 P9 Y" K; U# q. d# L1 B' W& k. }+ Q' j
yum install libxml2 libxml2-devel5 A* h1 V1 {7 A. V# C+ |" D
4.执行 /opt/tengine/sbin/nginx -m 时有警告
. f, @! l9 r( ~ ^9 n% u0 t) i6 Z6 f% X8 c' A9 @, T
Tengine version: Tengine/2.1.0 (nginx/1.6.2): W' c" |5 ?1 J+ A
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
! j! X- s% y ?原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log! I7 h6 ?, D, V5 ^; ]. v/ u6 N
0 b% v. o% f6 I$ i$ O- A+ y
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
, ] h# W& ]* H( `2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
9 V# N$ a8 m. c2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
9 ?9 |+ H Q- f: u+ T7 O( ~7 R2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
Y: z: A( |: `% f. c. E2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
. {0 b. s3 W/ y3 g3 P- }3 [6 N9 K0 m2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.) |( k# K% Z& }" e$ f, S. s# S
解决方法,移除低版本的APR (1.3.9)1 [7 z0 m7 Y: _! N
" m S( O9 I- o) Dyum remove apr3 Q6 c! B# U5 e" V r& d
5.Error.log中有: Audit log: Failed to lock global mutex
6 Q& h5 m$ ?& ]( q, J9 {, A: m! K
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
8 V! |0 t% q4 Oglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]4 v' V3 K9 f' B+ J* l
解决方法:) X) z/ E# B# C2 p2 H3 C
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容: H: { M) p9 A/ U4 G- q+ g, {
$ G: ?2 M( y! m2 [SecAuditLogDirMode 0777
8 S* a4 i( C- kSecAuditLogFileMode 0550
) J" n7 L, V8 o u" J/ W9 M, mSecAuditLogStorageDir /var/log/modsecurity% \6 U$ F) u8 Q
SecAuditLogType Concurrent
- r& v- @6 _- I0 G9 {参考文章:
1 L: X# M; B, x$ B6 a- I, Xhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
4 \4 _% H* m. Ghttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡