Using nginx with ModSecurity to build a WAF

Posted on 2017-10-19 16:53:31

ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency, it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module can be added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which logs but does not block).

Under owasp-modsecurity-crs there are several folders holding rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules inside them as needed; to enable a rule file, simply Include it in modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines inside the location block of the virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

upstream load balancing:

# the upstream group name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled XSS and SQL injection filtering, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php with the following content:

<?php
    phpinfo();
?>

Then visit in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
0 f" D: M! M- L7 w+ z2 @0 M6 V3 G3 l* N7 [# Z
VII. Troubleshooting during installation

1. A missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Solution:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the apr version ModSecurity was compiled against differs from the one loaded at run time. error.log will also contain the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
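As an added troubleshooting helper (not part of the original post), the script below scans nginx error.log text for the two ModSecurity conditions described in items 4 and 5 above: a compiled-versus-loaded library version mismatch, and the audit-log mutex failure with the client and URI it was reported for. The sample log excerpt is constructed from the lines quoted in this post.

```python
import re

# Constructed sample error.log excerpt, modelled on the lines quoted in items 4 and 5 above.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# nginx error.log line layout: "<date> <time> [<level>] <pid>#<tid>: <message>"
LINE_RE = re.compile(r'^(\S+ \S+) \[(\w+)\] (\d+)#\d+: (.*)$')
VERSION_RE = re.compile(r'ModSecurity: (\w+) compiled version="([^"]*)"; loaded\s+version="([^"]*)"')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')   # quoted fields such as [uri "/i.php"]
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')  # [client 10.11.15.161] carries no quotes

def parse_line(line):
    """Split one error.log line into timestamp, level, pid, message and its quoted fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, level, pid, msg = m.groups()
    return {"ts": ts, "level": level, "pid": int(pid), "msg": msg,
            "fields": dict(FIELD_RE.findall(msg))}

def version_key(v):
    # ModSecurity reports PCRE as compiled "7.8 " vs loaded "7.8 2008-09-05" without
    # warning, so only the leading version token is compared.
    parts = v.split()
    return parts[0] if parts else ""

def find_issues(log_text):
    """Return (kind, detail) pairs for library version mismatches and audit-log mutex failures."""
    issues = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        vm = VERSION_RE.search(rec["msg"])
        if vm:
            lib, compiled, loaded = vm.groups()
            if version_key(compiled) != version_key(loaded):
                issues.append((lib.lower() + "_mismatch", f"compiled {compiled!r} loaded {loaded!r}"))
            continue
        if "Failed to lock global mutex" in rec["msg"]:
            cm = CLIENT_RE.search(rec["msg"])
            issues.append(("audit_mutex", f"client={cm.group(1) if cm else '?'} uri={rec['fields'].get('uri', '?')}"))
    return issues
```

Run it over a real error.log with find_issues(open("/opt/tengine/logs/error.log").read()) to confirm both problems are gone after applying the fixes above.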
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614