|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。* c P2 L( T1 Y- s% {6 Q* w8 }* c
. M: z0 g- i9 U4 R" M& D+ P: H4 a% \
一.准备工作& r. x& I# q" \
5 M. a( f, t' S6 W系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0; r4 x+ |) Z. s1 S8 h- |* z& s0 n
- L1 \. @: e k6 o. O R
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
+ u' w: w9 z# J5 A6 M2 P
6 v1 @7 Q, ]0 J" g/ rmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
2 d% ]0 Y- x# L- T. R2 ^- X0 c7 t! U6 c: {4 n q$ e' @
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs( j; N; P9 A2 `- `5 a
+ @3 @. E# i* E3 S依赖关系:
8 [# i8 B' G7 G j. Q; L Wtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
3 F; `3 B) B% ]: f, |
: ], u/ u, e* n% ]2 `7 j$ pyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
3 G, J$ q' E& @( |modsecurty依赖的包:pcre httpd-devel libxml2 apr# Z, I* W- y" k) f
( S. x& G% ]3 b Y- ~' M
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel! ^ H H- f: G
二.启用standalone模块并编译
: q, K- Z; t* W# q
0 ^- g& C6 s: ]; Z4 o下载modsecurity for nginx 解压,进入解压后目录执行:
& F5 U' Y$ |7 O! @" `! }! h
" T$ K+ e v2 l8 h- C! p6 P6 U# s./autogen.sh$ K& k4 m1 e& I6 z9 e
./configure --enable-standalone-module --disable-mlogc
: G6 d% M9 ^8 k6 u T7 vmake 3 c# n* o; u* I" j; m1 ?. q* h
三.nginx添加modsecurity模块
( @3 ^, J0 h( U3 h! e9 O' |7 N7 q% H; q
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
, n3 U$ A7 u9 [6 ~# H4 G6 L$ j! [* O; ?0 X
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
( O* [" v; S0 c! ymake && make install
' N2 K- V& | g7 h四.添加规则
0 U' P% `% e% X! ]- n) ~' ^7 Q( ?. }9 A
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。( X: B4 `$ Y; W, m4 L8 S1 C
* P. k: e2 A! b" T& F1.下载OWASP规则:
2 w8 }# D- d3 @
B& K. ]1 _+ \% _/ ~git clone https://github.com/SpiderLabs/owasp-modsecurity-crs" s" h. [( b( {9 C3 p" B
& }/ \+ K& \* e2 U5 i, A1 M
mv owasp-modsecurity-crs /opt/tengine/conf/
0 W3 m3 K& r/ U$ I2 J5 G
) J/ W0 g( D# n; \; l9 W' D7 ^. Acd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
. S7 C* ~* s- G' p2 |2.启用OWASP规则:
& H0 z% I4 X& {$ h B; I3 @4 h- M0 L1 E. Z
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
& E1 r( R8 B0 G6 ^- G$ N# `8 `( W* n7 B4 e5 N7 p1 B: H
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on2 }, d4 [% ~$ a2 w$ l4 n) }& K
% U: @1 B$ i) F" U5 I; C9 {1 w( B+ powasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。! Y. N4 V, k- n) U5 ^
- t& {2 [5 Y3 f
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
4 k, r8 p0 Z, e, U8 X ^Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf6 w& X% P4 @" ^+ @9 V$ [/ ]8 H. h
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
5 D# h5 P* v' a7 y. s: A" ~Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
6 Z" H9 A) }! ^2 XInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
7 s% G; E8 o8 \6 r# K4 }Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
8 p) O }0 G5 q2 SInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
# c2 l% t2 t R5 [- k1 h五.配置nginx- P( k4 `# i. ~6 J6 R1 M
2 [& ?4 m' E. R: @$ Q8 O# W4 B4 U
在需要启用modsecurity的主机的location下面加入下面两行即可:
, u, A# w0 r# q9 T C! c
$ x. G' z& ^ GModSecurityEnabled on; 6 B) Z: Y' G# A$ c2 U5 L7 x
ModSecurityConfig modsecurity.conf;) t1 X* {. B* T2 ~1 W. h7 W2 p
下面是两个示例配置,php虚拟主机:2 W o7 x ?1 j
3 L0 G. f' Z- G* m& h) C
server {/ y% o0 v# }$ ]2 W! [. O1 F
listen 80;: F k# Z1 e3 k: Q7 M1 O4 V& @
server_name 52os.net www.52os.net;
, m+ [0 s+ Z A6 `
5 ^- ~3 J5 @4 q location ~ \.php$ {9 r- S8 I0 [4 b' Z
ModSecurityEnabled on; , {) v& e! R M4 V& k( t2 ~
ModSecurityConfig modsecurity.conf;
6 C4 a3 I/ q l* }0 X& ]; N" _# r3 r# D8 ^
root /web/wordpress;
; y/ A5 Z2 M& z, g+ N2 K index index.php index.html index.htm;* w2 z Y" G# r$ H
6 `: c: \6 `) ~
fastcgi_pass 127.0.0.1:9000;
- O6 C" q8 N3 o. @' c; A fastcgi_index index.php;
% N/ a1 K- }+ O fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;6 C$ g# V$ b6 A) k3 X
include fastcgi_params;" k' W4 b6 _/ q# G6 w
}
1 i% Y) |3 {" v2 Y# q }3 B2 P( H, H/ a4 Y7 f
upstream负载均衡:
0 a; S) A O/ w/ z% a
* T" _7 l' ^+ Y' k+ iupstream 52os.net {
9 T' }4 Q' V/ \& T server 192.168.1.100:8080;) D f, h+ l6 c5 D: |
server 192.168.1.101:8080 backup;
1 W9 e2 N2 j' _} Y- ?1 N; k4 q1 X# Y
# V) l7 Z6 d# B- N l( T5 Y' q4 k" g
server {+ A u: z! c W+ S5 \6 w1 q. W) m5 A
listen 80;2 v" D& P' F5 ^3 G T" @
server_name 52os.net www.52os.net;
' P# X0 @! P+ W# I
) s4 O& [( K4 v6 {9 y- x2 Olocation / {
) C# e1 P7 o2 v8 p/ @) j ModSecurityEnabled on; , _5 `0 c% `5 w9 Z* t
ModSecurityConfig modsecurity.conf; 0 F6 ]9 N2 v0 k; e: C" q
( n$ ], f4 I# w, \$ [ proxy_pass http://online;8 s9 h" M* E/ F4 u
proxy_redirect off;
; V) n9 K8 y/ O5 G% N$ A proxy_set_header Host $host;
, ^7 O4 J5 z. `; ? proxy_set_header X-Real-IP $remote_addr;- W/ A" u1 P- J/ @
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
3 ~" e4 B$ B+ g" H }! B0 D$ `; n3 \" P2 i8 _
}
' o' v8 d+ X$ t0 @4 Y7 E. i六.测试
7 p( e6 |6 F1 N/ N
3 e6 v, F F# T- U9 A5 i$ l我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
% ~- o& R; y j$ x& _0 A
$ w: h2 t% P, _6 `! I+ l<?php
) ?) @- @& V: o& s# L phpinfo();
5 X S5 A5 s% M?>
/ W" U; N1 o D% j. m) f8 d5 Z在浏览器中访问:8 y% d& X. @ S! Q* T! a( Q( c
; ~3 W( p! g1 _! J: }. e2 m% Ehttp://www.52os.net/phpinfo.php?id=1 正常显示。
' Z4 u. v& X9 Jhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
1 {. `( x ?7 m) D! mhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。4 y& e' }6 ^: _! I* f0 o4 b
说明sql注入和xss已经被过滤了) N9 [) b- k8 }2 W& F5 |& E
' I0 H5 L1 M2 Y2 ?/ b
七、安装过程中排错8 X& y# _1 T7 I8 ~
. J% x1 \4 @5 O$ _$ d1.缺少APXS会报错
7 c- ?6 z% `9 Y! h1 q, Z: o2 | K5 V% t; P# N: O, a
configure: looking for Apache module support via DSO through APXS$ V' [! t3 G. m) G
configure: error: couldn't find APXS% I$ P) @# i$ |
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
6 ^" }- p+ H1 ]* D8 [. L0 _解决方法:$ R' F: [% H- { `' Z
5 f& r, `8 Z4 Z6 K" A1 |3 N2 {, t
yum install httpd-devel- l4 _+ s- P' k" [) N
2.没有pcre
+ d! ~6 t) o7 x* A/ h, r" v `) m, F( Y5 f2 g) B% @3 p
configure: *** pcre library not found., L+ \0 Z( c3 M7 h% g9 \
configure: error: pcre library is required7 K: p2 O# }: ~9 I1 l
解决方法:% W9 c' X5 D+ w
' g9 I, R* S; X! }; D! d9 Kyum install pcre pcre-devel* C2 R9 c# [; I" R& f z
3.没有libxml2
' l+ i) A& Y* o& x6 M4 ^7 M. I& F4 {5 V G9 W# P1 q/ S. I# l
# B/ \! `) B2 d3 \
configure: *** xml library not found.
9 E4 w' L1 p5 Q5 {2 aconfigure: error: libxml2 is required5 u2 d1 P* o+ ~) p' A) }8 E3 j' o
解决方法:6 t# a9 f! l6 ^1 _
$ G6 ^3 L4 @% O8 w4 U
yum install libxml2 libxml2-devel
( d6 v7 a' q6 W' E# s# H" K! x4.执行 /opt/tengine/sbin/nginx -m 时有警告
& k/ ]. d' P' E8 X
6 c% b9 ^$ F) y2 c% ]Tengine version: Tengine/2.1.0 (nginx/1.6.2)
6 Z- X5 L. \( ^2 W1 I3 F7 Qnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
/ Q) A$ y7 I* X原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
: q9 b; x0 M( E$ B5 r
: G2 v8 P8 F3 ~9 T" O+ ]; [4 f2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
9 B. [9 h3 S1 v0 I2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"7 L( h, b3 G6 O& \, W3 m! I
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!8 Q0 h, z: k- J
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"; f' `7 i6 E4 D* {% t8 D8 U1 r
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
E9 h. w. b8 }! ~! p2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.7 H$ U0 h+ j+ a% v: B0 f' ]
解决方法,移除低版本的APR (1.3.9)
& `; H. U* \& y2 M5 y2 \3 x9 T$ u: U
yum remove apr
0 O# L4 x3 ^7 D3 B: i% a; t6 X5.Error.log中有: Audit log: Failed to lock global mutex
7 y0 a F* p7 X9 p& y
% }: L, D9 W+ ?# e# l4 O: H* R; {2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock * _% u, j5 W6 U& i8 x
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]1 f- a6 d2 S; N0 x6 [1 Y
解决方法:
% m% D3 n. c- L' F5 G7 t+ j# s编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:2 {0 O5 b7 e, q
X9 q; x, F' I! j
SecAuditLogDirMode 0777& c# D) R j! }* {5 R
SecAuditLogFileMode 0550
7 K, {$ K$ I1 s6 JSecAuditLogStorageDir /var/log/modsecurity! {) z- e7 H6 A* @6 [ M
SecAuditLogType Concurrent. L; Q0 t# i+ n ?+ Q) ?4 j
参考文章:9 ?6 U, y. y3 B! o! x9 C
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX! y6 Z$ @' Q* f. G1 O8 R
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡