ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now supports nginx and IIS as well. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make
III. Add the ModSecurity module to nginx

Once the standalone build has finished, the module is added to nginx at configure time with "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install
IV. Add rules

ModSecurity's job is to filter and block dangerous web traffic, and its strength lies in its rules. The rule set provided by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course also write custom rules for whatever you need.

1. Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by pulling them in with Include (in modsecurity.conf, the file that ModSecurityConfig points at):

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
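As an added check (not part of the original post or of ModSecurity itself) for the modsecurity.conf assembled above: a small Python linter that confirms SecRuleEngine is On, that every Include target exists, and that the CRS setup file is Included before any rule file (the CRS rule files reference variables the setup file defines). It assumes relative Include paths resolve against the directory holding modsecurity.conf, as in the layout above; demo() builds a constructed copy of that layout in a temporary directory, with one rule file missing and the engine left at DetectionOnly, so the linter has something to report.

```python
"""Sanity-check a modsecurity.conf assembled as in the steps above (added example)."""
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^\s*Include\s+(\S+)\s*$")
ENGINE_RE = re.compile(r"^\s*SecRuleEngine\s+(\S+)\s*$", re.IGNORECASE)


def lint_modsecurity_lines(lines, base_dir=None):
    """Lint config lines; with base_dir set, Include targets are also checked on disk.
    Returns a list of human-readable findings (an empty list means the config passes)."""
    findings = []
    engine = None
    setup_seen = False
    for lineno, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives do nothing
        m = ENGINE_RE.match(line)
        if m:
            engine = m.group(1)
            continue
        m = INCLUDE_RE.match(line)
        if not m:
            continue
        path = m.group(1)
        name = os.path.basename(path)
        # CRS rule files depend on variables set in the 10_setup file, so it must come first
        if name == "modsecurity_crs_10_setup.conf":
            setup_seen = True
        elif name.startswith("modsecurity_crs_") and not setup_seen:
            findings.append(f"line {lineno}: {name} is Included before modsecurity_crs_10_setup.conf")
        if base_dir is not None:
            # assumption: relative Include paths resolve against the conf directory
            full = path if os.path.isabs(path) else os.path.join(base_dir, path)
            if not os.path.isfile(full):
                findings.append(f"line {lineno}: Include target does not exist: {path}")
    if engine is None:
        findings.insert(0, "SecRuleEngine is not set (the engine defaults to Off, so nothing is blocked)")
    elif engine.lower() != "on":
        findings.insert(0, f"SecRuleEngine is {engine}; requests are not blocked until it is On")
    return findings


def lint_modsecurity_conf(conf_path):
    """Lint a config file on disk, resolving Include paths next to it."""
    with open(conf_path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    return lint_modsecurity_lines(lines, os.path.dirname(os.path.abspath(conf_path)))


def demo():
    """Build a constructed copy of the layout above in a temp dir and lint it.
    The XSS rule file is deliberately left out and SecRuleEngine stays at
    DetectionOnly, so exactly those two findings are expected."""
    root = tempfile.mkdtemp()
    crs = os.path.join(root, "owasp-modsecurity-crs")
    os.makedirs(os.path.join(crs, "base_rules"))
    for rel in ("modsecurity_crs_10_setup.conf",
                "base_rules/modsecurity_crs_41_sql_injection_attacks.conf"):
        open(os.path.join(crs, rel), "w").close()
    conf = os.path.join(root, "modsecurity.conf")
    with open(conf, "w", encoding="utf-8") as fh:
        fh.write("SecRuleEngine DetectionOnly\n"
                 "#SecAuditLog /var/log/modsec_audit.log\n"
                 "Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf\n"
                 "Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf\n"
                 "Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf\n")
    return lint_modsecurity_conf(conf)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against /opt/tengine/conf/modsecurity.conf with lint_modsecurity_conf() before reloading nginx; a DetectionOnly engine or a missing rule file is silent at runtime (nginx -t only checks nginx syntax), which is exactly why the check is worth having.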
V. Configure nginx

Add the following two lines to the location block of any virtual host where ModSecurity should be active:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Two sample configurations follow. A PHP virtual host:

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # nginx variable names are case-sensitive: $document_root, not $Document_root
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

An upstream load-balancing setup:

    # the upstream name must match the proxy_pass target below
    upstream online {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            proxy_pass http://online;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered directly with 403. Using the PHP host as an example, create phpinfo.php with the content:

    <?php
    phpinfo();
    ?>

Then open the following in a browser:

    http://www.52os.net/phpinfo.php?id=1                                   displays normally.
    http://www.52os.net/phpinfo.php?id=1 and 1=1                           returns 403.
    http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that SQL injection and XSS are being filtered.
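The browser test above is worth scripting so it can be repeated after every rule change or nginx reload. The following is an added example, not from the original post: it sends the same three requests and compares the status codes with what the SQLi and XSS rules should return. The fetch function is injectable, and _fake_status is a constructed stand-in for the server so the script also runs offline; the host name is the post's own example host.

```python
"""Repeatable version of the manual WAF test above (added example)."""
import urllib.error
import urllib.parse
import urllib.request

# (query string, expected HTTP status): the same three requests as the manual test above
CHECKS = [
    ("id=1", 200),
    ("id=1 and 1=1", 403),
    ("search=<script>alert('xss');</script>", 403),
]


def http_status(url, timeout=5):
    """Return the HTTP status for a GET of url; 4xx/5xx are results, not errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def run_waf_checks(base_url, checks=CHECKS, fetch_status=http_status):
    """Return a list of (url, expected, actual, ok) tuples, one per check."""
    results = []
    for query, expected in checks:
        # percent-encode the query; ModSecurity URL-decodes arguments before the
        # rules inspect them, so the encoded request still exercises the same rules
        url = base_url + "?" + urllib.parse.quote(query, safe="=&")
        actual = fetch_status(url)
        results.append((url, expected, actual, actual == expected))
    return results


def waf_is_blocking(results):
    """True only when every check returned the status the rule set should produce."""
    return all(ok for _, _, _, ok in results)


def _fake_status(url):
    """Constructed stand-in for a WAF-fronted server: 403 whenever the decoded query
    carries one of the two payloads above, otherwise 200. Used for the offline run."""
    query = urllib.parse.unquote(urllib.parse.urlsplit(url).query)
    return 403 if (" and " in query or "<script>" in query.lower()) else 200


if __name__ == "__main__":
    # swap _fake_status for http_status (the default) to test a real host
    for url, expected, actual, ok in run_waf_checks("http://www.52os.net/phpinfo.php",
                                                    fetch_status=_fake_status):
        print("OK  " if ok else "FAIL", actual, "expected", expected, url)
```

A check that unexpectedly returns 200 usually means SecRuleEngine is still DetectionOnly or the relevant Include is missing; a 403 on the plain id=1 request means the rule set is blocking legitimate traffic and needs tuning before it goes in front of real users.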
VII. Troubleshooting the installation

1. Missing APXS

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

    yum install httpd-devel

2. pcre not found

    configure: *** pcre library not found.
    configure: error: pcre library is required

Fix:

    yum install pcre pcre-devel

3. libxml2 not found

    configure: *** xml library not found.
    configure: error: libxml2 is required

Fix:

    yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

    yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent
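An added helper, not from the original post, for triaging the error.log entries shown in items 4 and 5: it parses the nginx error-log line format, reports every library whose compiled and loaded versions differ (comparing only the leading version token, which is why the PCRE line is not a mismatch while the APR line is), and pulls client, uri and unique_id out of each audit-lock failure so they can be correlated with the audit log. SAMPLE_LOG is constructed from the lines quoted above.

```python
"""Triage ModSecurity entries in nginx's error.log (added example)."""
import re

# constructed sample: the error.log lines quoted in items 4 and 5 above
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

LINE_RE = re.compile(r"^(\S+ \S+) \[(\w+)\] (\d+)#\d+: (.*)$")
VERSION_RE = re.compile(r'ModSecurity: (\w+) compiled version="([^"]*)"; loaded version="([^"]*)"')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')       # [uri "/i.php"], [unique_id "..."]
CLIENT_RE = re.compile(r"\[client ([^\]]+)\]")      # [client 10.11.15.161] (unquoted)


def parse_error_line(line):
    """Split an nginx error.log line into time, level, pid and message; None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, level, pid, msg = m.groups()
    return {"time": ts, "level": level, "pid": int(pid), "message": msg}


def version_mismatches(lines):
    """Return (library, compiled, loaded) for each library whose runtime version differs.
    Only the leading version token is compared, so PCRE "7.8 " vs "7.8 2008-09-05" is fine."""
    out = []
    for line in lines:
        m = VERSION_RE.search(line)
        if not m:
            continue
        lib, compiled, loaded = m.groups()
        if compiled.split()[0] != loaded.split()[0]:
            out.append((lib, compiled.strip(), loaded.strip()))
    return out


def audit_lock_failures(lines):
    """Return one dict per 'Failed to lock global mutex' entry with client, uri and unique_id."""
    out = []
    for line in lines:
        rec = parse_error_line(line)
        if not rec or "Failed to lock global mutex" not in rec["message"]:
            continue
        fields = dict(FIELD_RE.findall(rec["message"]))
        client = CLIENT_RE.search(rec["message"])
        out.append({
            "time": rec["time"],
            "client": client.group(1) if client else None,
            "uri": fields.get("uri"),
            "unique_id": fields.get("unique_id"),
        })
    return out


def triage(log_text):
    """Summarise a log excerpt: library mismatches (item 4), audit-lock failures (item 5)
    and a count of lines per severity."""
    lines = log_text.splitlines()
    levels = {"error": 0, "warn": 0, "notice": 0}
    for line in lines:
        rec = parse_error_line(line)
        if rec and rec["level"] in levels:
            levels[rec["level"]] += 1
    return {
        "version_mismatches": version_mismatches(lines),
        "audit_lock_failures": audit_lock_failures(lines),
        "levels": levels,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("version mismatches:", summary["version_mismatches"])
    for failure in summary["audit_lock_failures"]:
        print("audit lock failure:", failure)
    print("lines per level:", summary["levels"])
```

Feed it the real file with triage(open("/opt/tengine/logs/error.log").read()) after a restart: an empty version_mismatches list confirms the APR fix took, and a non-empty audit_lock_failures list means requests are being processed but not audited, which is worth treating as a monitoring gap rather than a cosmetic error.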
References:

    https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
    http://drops.wooyun.org/tips/2614