ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is geared toward filtering and blocking web attacks, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding Include lines for them to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

With the XSS and SQL injection filters enabled, malicious requests are answered with a 403 directly. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS attempts are being filtered.

VII. Troubleshooting the installation

1. A missing APXS makes configure fail:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same mismatch:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9). Note that yum will also remove the packages that depend on apr, such as httpd; check the list it shows before confirming.

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Keep in mind that 0777 makes the audit directory world-writable; if the directory is instead owned by the user the nginx workers run as, a stricter mode is enough.
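To confirm which rule produced each 403 from the test section, and to catch the audit-log failure from item 5 before blocked requests go unrecorded, the ModSecurity entries in nginx's error.log can be parsed. The following script is an added example, not code from the original post or from ModSecurity; its sample log lines are constructed in the format shown above, and the client address, rule ids, line numbers and unique_id values in them are made up.

```python
import re
from collections import Counter

# Constructed nginx error.log sample in the shape ModSecurity 2.x writes it: the APR notice and
# the mutex error mirror the troubleshooting section above; the client address, rule ids,
# line numbers and unique_id values are made up for this example.
SAMPLE_ERROR_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 04:10:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "tautology" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-0001"]
2015/01/26 04:10:07 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "20"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-0002"]
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "constructed-0003"]
"""

# nginx envelope around every ModSecurity message. [client ...] is absent on startup
# notices (APR/PCRE version lines, mismatch warnings), so it is optional here.
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: '
                     r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<body>.*)$')
# Trailing metadata is a run of [key "value"] pairs; [client ...] has no quotes, so it is skipped.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
DENIED_RE = re.compile(r'Access denied with code (\d+)')


def parse_line(line):
    """Return a dict for a ModSecurity line, or None for any other error.log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry['fields'] = dict(FIELD_RE.findall(entry['body']))
    denied = DENIED_RE.search(entry['body'])
    entry['status'] = int(denied.group(1)) if denied else None
    # "Audit log:" errors mean requests are being blocked but not recorded in the audit log.
    entry['audit_failure'] = entry['body'].startswith('Audit log:')
    return entry


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def summarize(entries):
    """Blocks per (rule id, uri), plus the audit-log failures that need an admin's attention."""
    blocked = Counter()
    audit_failures = []
    for e in entries:
        if e['status'] is not None:
            blocked[(e['fields'].get('id', '?'), e['fields'].get('uri', '?'))] += 1
        if e['audit_failure']:
            audit_failures.append((e['ts'], e['fields'].get('uri', ''), e['body']))
    return {'blocked': blocked, 'audit_failures': audit_failures}
```

Point parse_log at the real error.log contents to get the same per-rule block counts and a list of audit-log problems for the live server.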
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614