|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
* z. q$ ^, F8 E; E
* b: U( y+ {! B, y( ]: D一.准备工作
, O7 f5 N4 a2 r( I2 T8 k5 O
( Z# _) i4 H7 M# O. { s2 C系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
# b- C4 H" T1 O& i( ^3 { j( [- V" ?% l7 {2 B
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
- S* X+ I' k" Z) U4 q9 e+ p7 c1 G1 A+ F" K( n; t. T6 |1 r
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz. z1 R* V) u7 {' ~6 u7 p
3 z* t; [& P2 ^0 ?OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
& x/ M, s6 I& [9 W' e
- Q- C+ R1 f$ D3 d- v0 {0 A依赖关系:8 ?1 X& S6 z7 _3 i. Y( [/ A
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:; M2 W- D2 x+ t5 @
7 Z# h1 Y( j' J8 Ryum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
$ O3 l, }+ o4 p( s' hmodsecurty依赖的包:pcre httpd-devel libxml2 apr
$ |( U5 d1 ^7 v/ k* G! p# y0 O9 y9 f/ \( {5 F# [ ]
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel$ l) x; h0 J) ]. F
二.启用standalone模块并编译: o! P. E, B# }3 y) U
' _7 r, H* i* H( u3 d! V! D, h下载modsecurity for nginx 解压,进入解压后目录执行:5 H" K. U, {# U
! v/ ^/ Q& H: z: u./autogen.sh8 @7 g* |" _1 B `" g, R
./configure --enable-standalone-module --disable-mlogc
+ n' `# s O9 H* g( k9 Mmake : Y' U1 R5 K" B' C* B( q" l
三.nginx添加modsecurity模块# ?6 n9 M+ W' Y0 G i
- a% D# N4 z5 W7 G- y在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
( ~3 x9 I, K! j+ p& M( v1 b
4 n; @, I- Q0 M" Y+ {1 V./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine9 u7 t6 I" E! N; E
make && make install# g6 w4 e# I7 E% C0 [" f
四.添加规则
5 P% Z$ z4 `+ R. \) d- a* {+ A: O! x
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。1 C [5 p. R% }/ \
1 C& A9 ?5 x0 i- d
1.下载OWASP规则:
3 W, I# W# K2 y% h# G
5 ]5 G' Q0 N# A+ D4 }. ^& Q3 zgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs( L! w' H8 J! F( G& t% b7 r- @
- z ?" C+ [+ K4 Zmv owasp-modsecurity-crs /opt/tengine/conf/
6 M) C% B$ l) B. g# s
3 F2 W" F. b+ }cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf: X( {9 _. Y! ?: M- d' O
2.启用OWASP规则:
, K. @" r1 \- v; t1 v8 h# E8 N% h) n4 u* e
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。! |( b7 c( h3 r7 J8 }
" P! C3 D4 [/ m1 C/ W0 ^编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
H! Q+ W. H- t& ]. p# \/ d I' f9 R5 H/ t$ Z
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。* g3 Q4 s2 f0 K) w- k
* @& J4 D& d3 T, f; j RInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf& z( Q0 w ^8 e& E; P% C5 P$ x
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
8 O7 U, |4 D. D" r8 n; u& |0 L5 bInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
2 D5 q9 m4 a% }0 _" }/ VInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf I3 N: [( F3 Q0 y) i* U) Q
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
1 j% ^; M+ W1 Z1 kInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf' ~& {6 f7 }' F9 B$ `7 q
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf- R& N5 C! `% |/ B: J
五.配置nginx
: ]; W3 A- ^0 F, r- o T& k6 ~5 w4 W$ _2 X0 e
在需要启用modsecurity的主机的location下面加入下面两行即可:2 O p: M* L! [2 w/ c
: ^; w2 |! i) J2 QModSecurityEnabled on; * ]# r8 a/ Y$ z
ModSecurityConfig modsecurity.conf;
, e5 m# O$ h2 g9 K" U2 t9 n下面是两个示例配置,php虚拟主机:5 _6 a8 }5 J9 w+ K
% J1 L% I, M# v. `7 k, bserver {5 h, j- W: E1 H+ x% x! ~
listen 80;
! o# d2 \$ }& u6 `7 U- \6 k server_name 52os.net www.52os.net;, s# F8 O* F" Q$ P& m; P" L
9 r0 e+ @9 u& m) Q9 a% m
location ~ \.php$ {, y F6 _ E8 }8 M
ModSecurityEnabled on;
8 G: l( j$ C+ n: F0 K4 W- s ModSecurityConfig modsecurity.conf;
# \1 S' a, N" ]( \6 K( s
; H% b) H( g m0 X root /web/wordpress;
* Q0 f3 N3 f! a ]. @* S index index.php index.html index.htm;6 Z$ n8 A' ~3 U
; B3 O$ z4 ^9 R. s
fastcgi_pass 127.0.0.1:9000;
2 |( j: G( C; i$ F, z5 m# y' U fastcgi_index index.php;
& z, M4 q; [' z0 n6 j5 _ fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;! s! a. X1 S1 o/ |9 ~( c3 d- I
include fastcgi_params;. H9 W0 X" R/ d; Z" {) j
}
' b* D D- W$ D1 p+ u/ M }0 T% N( |. z g5 C$ |
upstream负载均衡:
" G, S. T7 p5 C7 k) m/ R
* o! d% y' R+ W6 s" p) @9 `5 ~upstream 52os.net {, _! v4 h- g3 @. D& `
server 192.168.1.100:8080;* E2 [$ G$ b- G9 B( L* N
server 192.168.1.101:8080 backup;4 W+ }9 i$ Z! Y: V$ T2 a
}
- g. J1 [& P' q# W+ g0 Y
7 T- b: w5 _6 f! K+ oserver {
# C+ j' F1 }) g" e% n1 @- e" q5 Glisten 80; h! W% _ h+ N& F2 v$ f& i
server_name 52os.net www.52os.net;' S+ j) F6 O( j* ]% w+ o3 S
4 w. }& n: B9 X: g. Q9 L- q5 ~$ ~! |
location / {' H* H: j( |0 `1 l! l
ModSecurityEnabled on; % e5 m) v( z; y
ModSecurityConfig modsecurity.conf; & p# e1 ~/ p& l5 k4 p0 m
8 w, k- i& w" t4 v proxy_pass http://online;
. z% O2 D3 D- b& y proxy_redirect off;3 z/ Z' D3 @% |
proxy_set_header Host $host;
+ m, P5 T# d, n4 R2 q proxy_set_header X-Real-IP $remote_addr;$ @/ Q' C j( d5 ^/ D' W5 g% }
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;7 ?! F2 g6 \' V
}
9 w6 V S+ _ {6 F& x6 T/ u} m5 P( A# _2 F- P
六.测试/ x. e0 Y' I) ~1 L4 c9 W$ a
" {$ Z" L5 h9 S3 K8 x: q我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:. d+ i+ U3 W; u. K) d
8 m; r( q& |% t. R* _5 Y
<?php3 I1 W# s' q+ H) K- N' y0 p1 c
phpinfo();
5 a) C2 @1 `3 W" t3 m?>
5 \ w7 S, W0 j/ H在浏览器中访问:
$ w6 y% a- b7 ^$ d. [* p0 P" G
6 ]4 p& y$ G% dhttp://www.52os.net/phpinfo.php?id=1 正常显示。
0 A$ x7 }" S# n7 `# ~; Nhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。) L1 b/ i3 {1 Y+ B1 B$ I w7 F
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
% S6 S9 K1 J1 H" V& a; F- j说明sql注入和xss已经被过滤了! J- r: N, w6 |9 f3 b% j
( C; k, Q* e- k7 t2 r
七、安装过程中排错6 L) ?( R4 z% G+ @$ r1 T) P
- S) X5 g( U4 s0 n: a" k9 e1.缺少APXS会报错
( j% I* {7 o9 A @- r9 r% ~* F# e6 `) F8 ?3 }! r
configure: looking for Apache module support via DSO through APXS7 l* X; B& W# S
configure: error: couldn't find APXS
3 m! ?+ e- N% `9 C1 r' P Hapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
4 w; y* j' a* z0 p解决方法:
4 l8 q5 y+ `( a5 O8 J' ^. B$ Y8 m0 W8 ?: z/ p/ k; C, A
yum install httpd-devel% Z6 k) {7 B- R. E1 a
2.没有pcre% u6 }; r' v0 _' @. J0 \/ B
5 m/ `4 Y0 L; ]+ J* w+ A2 l+ Z+ E) uconfigure: *** pcre library not found.
" n! t |2 m f5 T6 ]configure: error: pcre library is required# D$ k6 }& }+ ^. g
解决方法:. j& Q8 F3 j8 Y( x
( `3 Z G+ V) w/ l
yum install pcre pcre-devel
9 m6 }4 U& v+ u- }9 I1 G+ b- a, J# K3.没有libxml22 l* z! M- u1 B% ?
9 G- C, n. ]5 \- M
8 v+ e3 K+ | _. Dconfigure: *** xml library not found.
% c, A ?5 {. A6 E" X- `3 h/ Bconfigure: error: libxml2 is required" o& v3 n! \! d% s8 x( d
解决方法:7 E7 x8 m) }, L: d% w
/ _( m/ \# ?8 _6 eyum install libxml2 libxml2-devel; O" a1 O# t* t+ ^
4.执行 /opt/tengine/sbin/nginx -m 时有警告; d" m7 Z0 g+ `7 S1 X7 s
* c0 c8 a s& H5 G: y
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
7 z- m0 n3 E, a0 `4 \) x# e: ]nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
6 t$ H( r2 |9 H原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
" N; i8 a% I8 z% R: U8 h$ w# f4 V5 @5 K+ i. P
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured., {9 i# c9 h" h
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"/ R; }% h* }/ J+ w; J* f
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
3 `$ d* p- z5 v5 k" g2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05". e5 Y" `$ I& N- P0 _# P, }0 h! ~
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6": m9 E* H; X0 w( }6 l) K7 o& U
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.3 K. Q4 _: t, d9 [1 x
解决方法,移除低版本的APR (1.3.9)
8 q" l0 o' }8 b' w) B
+ f( H% V% e. w! Syum remove apr( v* S# I/ `6 |! R8 @- r
5.Error.log中有: Audit log: Failed to lock global mutex
% \+ _2 M* U5 |/ z5 F* f& d
6 E" r' i" _' h/ Q3 [2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock ) e5 H0 u) k: {' z* s
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]/ i8 E: D3 [0 q+ I
解决方法:4 Q) A3 f; d Y- O2 ?
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:$ Z1 @/ c3 U: c* M+ x5 n X$ a
3 q$ p$ G# V, i
SecAuditLogDirMode 0777/ k7 G M" V+ f% Y. K
SecAuditLogFileMode 0550
8 E' f! u0 `/ a- sSecAuditLogStorageDir /var/log/modsecurity \6 J0 X# S* ?! q, b0 F
SecAuditLogType Concurrent& O# T h4 ?3 Z6 k, E
参考文章:
7 | V3 i. a9 v3 ?6 k4 ahttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
0 _6 R: |1 }4 z9 W0 W: A6 T1 X' c" Xhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡