|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。: H% n5 M/ n( W7 q* \! f, Y8 o
: L, I) L" S- L. y: ]' V5 H一.准备工作3 i# S: A. m" V5 a7 Y4 h! S9 B
% c: s; ^9 }+ _( `5 e! F$ R系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.01 V% G9 N' S; m7 z5 j" L5 ~+ o
9 }3 T9 T& K9 o! ?2 w+ K+ c0 S3 W- Rtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
8 Y* l, Q% l/ G$ T. O1 d2 W! s! j2 ?! w; S! u
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz* t$ N U) R3 k
+ v2 I0 N! j5 r% \OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
- K5 ^( B, a6 }' w! l$ n' b- \3 n6 s. N9 e
依赖关系:
: L' e6 G: M, d4 C# h e# R' Itengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
4 s2 D U# k6 b H5 i5 `9 I5 x0 M% u$ E
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
% `# e3 s% R! ~' y+ i7 ]% lmodsecurty依赖的包:pcre httpd-devel libxml2 apr
! W# S0 R. f, C
, j. j5 M q! T% H" B: Z( T) `- Wyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
* j- z3 [: ]$ r1 z1 B二.启用standalone模块并编译
' c, u1 q6 h; z q* O1 R% z0 `+ }: G# w4 b
下载modsecurity for nginx 解压,进入解压后目录执行:" ^& `, W$ ~, I( |& R. Z0 S
. M1 l, E+ {- ^6 }" R. ]6 t! \./autogen.sh
; u. Q8 _* j, {./configure --enable-standalone-module --disable-mlogc
6 K! T* i* w7 ?! |9 Pmake
: k& G1 ]# w3 i% h1 J三.nginx添加modsecurity模块% A2 o; q5 A, @8 u
' V5 |- m" i9 y在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
5 }9 V2 Y; a' |- d0 }3 O& k; ` o3 m. ^* ]9 q- w# Z. i; X; q
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine6 t K- T9 l7 L; K" S; h( e$ g
make && make install
3 g& o; ?/ C8 z3 I& y6 L四.添加规则
, ~; }- Q, S* [! |! H. E8 k) q. ?$ m! A G( S5 l. E
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。" c& ~( j( |. i# E$ R
% \$ [3 [* n u! Z4 N1.下载OWASP规则:
5 @9 o' {- a5 `. e
- Z5 |/ A9 b; {% lgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs* S2 e" a Z0 e
' }2 p# q9 k& g
mv owasp-modsecurity-crs /opt/tengine/conf/
" G( U, ?7 ?! v
& s" m @5 h$ \% V! C& Pcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf+ ]% t- I: N& L* K& G x8 \) D3 ~
2.启用OWASP规则:1 h+ ^8 {5 t+ q
0 B; |( Y0 f( o8 U复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。: W* `" d2 U v- l% X4 G
. G: A( Z0 e; R; T% }4 w) k) _编辑modsecurity.conf 文件,将SecRuleEngine设置为 on) W) G, }7 g% I- o9 U( e- Z% J Y
: b9 }. k _( Q ?% Q0 h. `
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
5 E/ v! U& R0 k' c! G5 ^: a4 ~! h
+ a% n! e; F8 W# l! vInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
) F4 J7 q1 i; {# D. iInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
7 V( K: `0 i& {1 a0 T4 D8 r3 ZInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
( w, ~9 G* p5 v8 rInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
' y @( I) U* e) `9 C7 MInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
F& s; _# I, ?4 k* yInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
4 c' L4 Z0 J6 D8 N xInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf' b$ h$ x9 n4 ]8 x; B; [$ u3 K! a
五.配置nginx
! h+ ?3 e0 b9 Z- p Y% T+ g: U1 s4 G4 D a* u2 ^% ]: B. Z( ]
在需要启用modsecurity的主机的location下面加入下面两行即可:. d* u6 A, O+ w( P
6 U3 ?, F0 i8 r) bModSecurityEnabled on;
) d6 s% d: ]/ x, qModSecurityConfig modsecurity.conf;
1 c v: i9 w: H# i下面是两个示例配置,php虚拟主机:4 Z; x( Q3 \3 ~$ f
7 [! Y2 W0 C) Z; ]
server {% ?( t; J* a. C' L; S- T" ?
listen 80;: u6 L% P" t; q9 I, l
server_name 52os.net www.52os.net;: s+ C" h6 o% }) O( q
{1 T/ l3 N$ u6 | location ~ \.php$ {! d4 i; W5 P# g6 Y
ModSecurityEnabled on; % ^' ?5 D% s! z. a5 u
ModSecurityConfig modsecurity.conf;1 o& q* l, p& ]8 |; X6 L5 I0 p
2 @% ]- C" T9 I. z a, y
root /web/wordpress;# ~! r& _ Z% s y5 T
index index.php index.html index.htm;: N( }5 S& c5 c/ m/ d4 N7 s$ y% g
9 P: T8 t' Z6 v; k+ Z- W$ d( Z
fastcgi_pass 127.0.0.1:9000;
# U0 E! o9 e/ P$ U9 K* ^ fastcgi_index index.php;3 E9 _* Q) r: ^$ @2 o' a5 N$ G: F
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
7 M; U6 x4 q: F include fastcgi_params;( A, X2 {; T& a1 E
}: G4 r- L/ Q6 ?* V
}3 [3 a/ W% t* U1 h- J8 @
upstream负载均衡:
. ]' m& [+ r( L) Z5 S( i9 E/ G, p1 b4 M1 W8 K; N
upstream 52os.net {
) h/ E# w5 O" W! e3 X- n server 192.168.1.100:8080;* S$ D/ |8 h3 H; M
server 192.168.1.101:8080 backup;
) c; j4 F" E x}
0 a3 y# G4 [( u) @- j/ A# s, J2 w) U8 I J
server {
. s: ^, f0 Q! N$ q' [5 }2 W* ^, ulisten 80; n: I, I, q, E" ^! x& d0 F
server_name 52os.net www.52os.net;
+ j+ b! P4 L0 G4 }4 d/ } N. K$ s( U& Q, I6 j
location / {( e Q7 c6 ?4 b/ `" g( C
ModSecurityEnabled on; " h# c" Q# T- y4 r5 R
ModSecurityConfig modsecurity.conf; & K1 K/ N$ P2 D. R! z M
+ L. A* _! r% w* H1 C# k* B
proxy_pass http://online;
7 O9 [( y1 k# h8 ?9 c) b* {' E9 v proxy_redirect off;9 _; A3 i) K+ q& k+ }! T
proxy_set_header Host $host;
& H8 V- D. N/ G( h proxy_set_header X-Real-IP $remote_addr;1 b+ m1 d; M/ k1 M E R
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;* f# ]" f, n2 ]8 [* u6 z' {! R
}
" \' e" g3 ^) g% {}' @9 X- c# h" t- i5 Z. k8 \
六.测试
3 c+ {+ v. D$ w3 ?5 i. @- |! [# c, E/ R5 w, W& ]2 G* h9 M' h6 O
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:, D" T& x) P6 |6 ]: l
. _7 U* T' H8 ?( y; h+ ?5 d<?php y& q+ {* v l+ e+ L
phpinfo(); ) @* M8 I3 l7 p; `! I% ?! c
?>. }8 _- W! k& j6 h! ?) {1 ~" R
在浏览器中访问:
1 Y0 b1 a/ ?8 o$ c- P+ m5 L' a, m; a* d4 b2 l
http://www.52os.net/phpinfo.php?id=1 正常显示。; w1 W! C8 F( D3 ]. P4 C
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
V* J& @5 L1 e8 d0 S: Y2 |9 p8 Ehttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。0 u6 ?! H/ ?3 G1 j- S
说明sql注入和xss已经被过滤了
$ ^' k7 y& k2 U% p
) Z, n' Y9 S& Z& I( o% e" K$ t$ \2 P5 l七、安装过程中排错 D% R( Q$ ]3 j- s( Y, @
- A2 y% X% g8 B# D8 d
1.缺少APXS会报错0 ?' W0 [. H( O
6 h; | X) g" G7 }configure: looking for Apache module support via DSO through APXS
- i5 x. W H1 s# k5 Nconfigure: error: couldn't find APXS D& `! _2 D7 B6 G7 [3 t
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
# y1 e* J! I+ s$ A" Q5 C0 c解决方法:# z. {1 x6 {" I% o
& W& ~6 _2 Z+ l1 s6 c+ `
yum install httpd-devel
9 V* W, P; C: _) n- S6 }6 t2.没有pcre
# F& i% k3 \6 |
; f2 g) a, ]7 L8 ]6 I8 rconfigure: *** pcre library not found.
$ I" K/ r8 J% T( a2 z. w. [configure: error: pcre library is required& f. V" j% j: \; l+ L6 @
解决方法:
/ j/ Z" x2 s6 @) L6 y8 ?) I8 a% X8 L" w
yum install pcre pcre-devel- }) J$ i4 T, r" q1 M
3.没有libxml2
' i- l0 U8 X1 n( Y, V! P" x1 u4 y: s- V
9 `6 S4 Q+ c4 @% W. X ^3 |configure: *** xml library not found.7 d$ H: t1 V2 o1 x; ]
configure: error: libxml2 is required
& ]0 Z& a- v! b2 [0 X# V; v% I解决方法:7 E; g- j- h" V7 W1 q
( h2 c6 b, [. C
yum install libxml2 libxml2-devel
7 o& E% }2 r% y% S. I' h4.执行 /opt/tengine/sbin/nginx -m 时有警告
6 A. w1 ?$ Y. {0 x1 R+ l
$ G7 x% }+ y5 |0 nTengine version: Tengine/2.1.0 (nginx/1.6.2)
8 Y/ X2 {. U7 v8 q5 k- s5 gnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
$ i6 Y. f _# O0 |' T原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
3 B8 N3 U5 o; @2 V# H/ p2 p
6 L* _) N- Z. s; C$ s* U6 D' }2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
6 ?9 W! o/ g7 r2 G" g6 Y" q( n% @2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
+ O. }) [/ k R2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!, E8 M7 O% V' W; W% I7 j: |
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
# T+ Y& ?/ A# h2 k2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"+ A7 U h9 p4 E0 U9 `& _* Y# d
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.) ~4 a: f) p4 y6 H
解决方法,移除低版本的APR (1.3.9)8 f7 l) x; l" w) p4 U
# [' w3 k0 G4 d# G& O) ~" {
yum remove apr
6 U8 x: [0 I+ q5 Q9 r5.Error.log中有: Audit log: Failed to lock global mutex8 V( b& r2 q V- B2 c
8 K9 K* J9 W' t
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock # T" g+ @$ E) N1 c
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]0 v' @$ Q+ s2 G3 T) o& l8 k. z
解决方法:
3 R! ]+ [6 t' o: O) v p1 h* v编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:$ H/ f9 m$ i) r( D/ A$ ?* h
; U6 ]: J6 [, o+ {$ C$ y NSecAuditLogDirMode 0777
. e' K, t7 L4 }6 h; O4 USecAuditLogFileMode 0550) `/ [. q6 ?7 t6 M3 ^, |( n
SecAuditLogStorageDir /var/log/modsecurity
7 P5 S6 {6 K% e B! hSecAuditLogType Concurrent
' N' ~, L- f& ~, i" j% l) w0 W参考文章:% f( ]9 J8 k, d6 H
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX3 O% I8 t8 G1 [
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡