ModSecurity started out as an open-source WAF for Apache and is an effective way to harden web applications. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF, and it is a powerful tool for both protecting and auditing web traffic.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available in the CentOS 6.5 repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make
3. Add the ModSecurity module to nginx

Once the standalone module has been built, add it to nginx at compile time with "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install
4. Add rules

ModSecurity is about filtering and blocking web attacks, and its strength comes from its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover your own needs.

(1) Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

(2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file to modsecurity.conf:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

In the location block of each virtual host where ModSecurity should be enabled, add these two lines:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host (nginx variable names are case-sensitive, so SCRIPT_FILENAME must use $document_root, not $Document_root, or nginx refuses to start with an "unknown variable" error):

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

Second, an upstream load-balancing configuration (the upstream group name must match the one used in proxy_pass):

    upstream online {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            proxy_pass http://online;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
6. Testing

We enabled the XSS and SQL injection rules, so malicious requests are answered directly with a 403. Taking the PHP environment as an example, create a phpinfo.php containing:

    <?php
    phpinfo();
    ?>

Then open the following URLs in a browser:

    http://www.52os.net/phpinfo.php?id=1 displays normally.
    http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
    http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
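The three browser checks above are worth scripting so they can be re-run after every rule change or CRS update. The smoke test below is an added example, not code from the original post; it assumes curl is installed and that the base URL and phpinfo.php path are the ones used above, and it sends the query strings through --data-urlencode so they arrive encoded the way a browser would send them.

```shell
#!/bin/sh
# WAF smoke test for the Tengine + ModSecurity setup above (added example).
# The benign request must pass (200) and the two attack strings from the
# test section must be blocked (403). Usage: ./waf_smoke.sh http://www.52os.net

# Print the HTTP status code of GET <url>?<param=value>.
# -G turns the data into a query string; --data-urlencode encodes it.
status_of() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        -G --data-urlencode "$2" "$1"
}

# expect_code <expected> <url> <param=value>: returns 0 on match, 1 otherwise.
expect_code() {
    got=$(status_of "$2" "$3")
    if [ "$got" = "$1" ]; then
        echo "PASS  $1  $2?$3"
        return 0
    fi
    echo "FAIL  expected $1, got $got  $2?$3"
    return 1
}

# Replay the three checks from the post against <base-url>. Prints a summary
# and returns the number of failed checks, so a deploy pipeline can gate on it.
run_suite() {
    base="$1"
    fails=0
    expect_code 200 "$base/phpinfo.php" "id=1" || fails=$((fails + 1))
    expect_code 403 "$base/phpinfo.php" "id=1 and 1=1" || fails=$((fails + 1))
    expect_code 403 "$base/phpinfo.php" "search=<script>alert('xss');</script>" \
        || fails=$((fails + 1))
    echo "$fails check(s) failed"
    return "$fails"
}

# Only run when a base URL is given on the command line.
if [ -n "$1" ]; then
    run_suite "$1"
fi
```

A non-zero exit status means at least one expectation failed, either because the WAF let an attack string through or because it blocked the benign request (a false positive worth checking in error.log).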
7. Troubleshooting the installation

(1) APXS is missing

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP Server; it builds one or more source or object files into a dynamic shared object (DSO).

Solution:

    yum install httpd-devel

(2) pcre is missing

    configure: *** pcre library not found.
    configure: error: pcre library is required

Solution:

    yum install pcre pcre-devel

(3) libxml2 is missing

    configure: *** xml library not found.
    configure: error: libxml2 is required

Solution:

    yum install libxml2 libxml2-devel

(4) A warning appears when running /opt/tengine/sbin/nginx -m

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log also shows the following:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

    yum remove apr

(5) error.log contains: Audit log: Failed to lock global mutex

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog directives, and add the following:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent