ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity's job is to filter and block dangerous web traffic, and its strength lies in its rules. The rule set published by OWASP and maintained by community volunteers is known as the Core Rule Set (CRS); it is reliable and comprehensive, and you can also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever you need by adding an Include line for each rule file (in modsecurity.conf; the setup file must come first):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are lowercase: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection filters enabled, abnormal requests get a 403 straight away. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then request the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
7. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 makes the audit-log directory writable by every local user; on a production host, prefer giving the directory to the user the nginx workers run as and using a tighter mode.
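To see what the WAF actually does once SecRuleEngine is On, the ModSecurity messages in nginx's error.log can be parsed into fields. The following Python script is an added example and not part of the original article: it pulls the bracketed fields out of each line, lists the requests that were denied with 403 (the behaviour tested in section 6), and flags compiled/loaded library mismatches such as the APR warning above. The sample lines are constructed for the example (three are copied from the error.log excerpts above; the denial line uses a constructed rule id and unique_id).

```python
import re

# ModSecurity 2.x writes "[key value]" / "[key "quoted value"]" pairs into nginx's
# error.log (see the "Failed to lock global mutex" line in item 5 above).
_PAIR_RE = re.compile(r'\[(\w+) (?:"((?:[^"\\]|\\.)*)"|([^\]]*))\]')
_VERSION_RE = re.compile(r'ModSecurity: (\w+) compiled version="([^"]*)"; loaded version="([^"]*)"')

# Constructed sample input: lines 1-3 are copied from the article's error.log excerpts,
# line 4 is a CRS denial in the same format with a constructed rule id and unique_id.
SAMPLE_LOG = [
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"',
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock '
    'global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
    '2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 '
    '(phase 2). Pattern match "(?i:and 1=1)" at ARGS:id. [file "modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[id "999999"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] '
    '[uri "/phpinfo.php"] [unique_id "CONSTRUCTED00000000000000"]',
]

def parse_modsec_line(line):
    """Return the bracketed fields plus the free-text message; None for non-ModSecurity lines."""
    if "ModSecurity: " not in line:
        return None
    fields = {}
    for m in _PAIR_RE.finditer(line):
        # group(2) is the quoted form, group(3) the bare form such as [client 1.2.3.4]
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3).strip()
    body = line.split("ModSecurity: ", 1)[1]
    fields["message"] = _PAIR_RE.split(body)[0].strip()
    fields["denied"] = body.startswith("Access denied with code")
    return fields

def blocked_requests(lines):
    """Return (client, uri, rule id, msg) for each request the engine denied (the 403s in section 6)."""
    hits = [parse_modsec_line(ln) for ln in lines]
    return [(f.get("client"), f.get("uri"), f.get("id"), f.get("msg")) for f in hits if f and f["denied"]]

def library_mismatches(lines):
    """Return {library: (compiled, loaded)} where the loaded version differs (the APR warning in item 4).

    Assumption: only the version number is compared, so PCRE's "7.8" vs "7.8 2008-09-05"
    is not a mismatch, which matches the article's log (APR warned, PCRE did not)."""
    found = {}
    for line in lines:
        m = _VERSION_RE.search(line)
        if m and m.group(2).split()[0] != m.group(3).split()[0]:
            found[m.group(1)] = (m.group(2), m.group(3))
    return found
```

Point the functions at the real error.log (one line per list element) to get a quick view of which clients and URIs the CRS rules are blocking, and to confirm no library mismatch warnings remain after the APR fix.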
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614