ModSecurity began as an open-source WAF for Apache and is an effective way to harden a web server. It now also supports Nginx and IIS, and combined with the flexibility and performance of Nginx it can be built into a production-grade WAF, a strong tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (Nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for Nginx, unpack it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to Nginx

Once the standalone module is built, pass it to the Nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is about filtering and blocking dangerous web traffic, and its power comes from its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can of course also write custom rules for whatever else you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the Nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.
Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure Nginx

In the location block of each virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two sample configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream group is named "online" so that proxy_pass below resolves to it
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL-injection filters enabled, malformed requests are answered with a 403 straight away. Using the PHP environment as an example, create phpinfo.php with the content:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
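The three browser checks above, turned into a repeatable smoke test you can rerun after every rule change. This is an added example, not part of the original post: it assumes the post's http://www.52os.net host and phpinfo.php path, and the fetch hook is injectable so the pass/fail logic can be exercised without a live server.

```python
import urllib.error
import urllib.parse
import urllib.request

# (label, query parameters exactly as typed in the post, expected HTTP status).
# "<scritp>" keeps the post's typo; CRS still matches "alert(" and "</script>".
CHECKS = [
    ("benign", {"id": "1"}, 200),
    ("sqli", {"id": "1 and 1=1"}, 403),
    ("xss", {"search": "<scritp>alert('xss');</script>"}, 403),
]

def http_status(url):
    """GET url and return its status code; a 403 is a result here, not an error."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except urllib.error.URLError:
        return None  # host unreachable: counts as a failed check

def run_checks(base_url, fetch=http_status, path="/phpinfo.php"):
    """Send every check through fetch; return (label, url, expected, got, passed) tuples."""
    results = []
    for label, params, expected in CHECKS:
        url = base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)
        got = fetch(url)
        results.append((label, url, expected, got, got == expected))
    return results

def waf_enforcing(results):
    """True only when benign traffic passed and every test string was blocked."""
    return bool(results) and all(r[4] for r in results)

if __name__ == "__main__":
    # Assumed host: the www.52os.net virtual host from the post's configuration.
    results = run_checks("http://www.52os.net")
    for label, url, expected, got, ok in results:
        print("%-7s expected %d got %s %s  %s" % (label, expected, got, "OK" if ok else "FAIL", url))
    raise SystemExit(0 if waf_enforcing(results) else 1)
```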
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Solution:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
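An added example (not from the post) that scans an nginx error.log for the two problems in items 4 and 5: a library whose loaded build differs from the one ModSecurity was compiled against, and audit-log mutex failures. The sample log is constructed from the lines quoted above; the log path given on the command line is an assumption.

```python
import re
import sys
from collections import Counter
# Matches "ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"" (loaded part optional)
VERSION_RE = re.compile(r'ModSecurity: (?P<lib>[A-Z]+) compiled version="(?P<compiled>[^"]*)"'
                        r'(?:; loaded version="(?P<loaded>[^"]*)")?')
# Matches "Audit log: Failed to lock global mutex: Permission denied [hostname ..."
MUTEX_RE = re.compile(r"Audit log: Failed to lock\s+global mutex: (?P<reason>[^\[]+)")

# Constructed sample: the error.log lines quoted in items 4 and 5 above.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

def version_mismatches(log_text):
    """Return {lib: (compiled, loaded)} for each library whose loaded build differs."""
    found = {}
    for line in log_text.splitlines():
        m = VERSION_RE.search(line)
        if not m or m.group("loaded") is None:
            continue  # e.g. the LIBXML line reports no loaded version
        # Compare only the leading version token: PCRE "7.8 " vs "7.8 2008-09-05"
        # is fine (ModSecurity does not warn on it), APR 1.5.0 vs 1.3.9 is not.
        compiled = (m.group("compiled").split() or [""])[0]
        loaded = (m.group("loaded").split() or [""])[0]
        if compiled != loaded:
            found[m.group("lib")] = (compiled, loaded)
    return found

def mutex_failures(log_text):
    """Count 'Failed to lock global mutex' audit-log errors, keyed by the OS reason."""
    counts = Counter()
    for line in log_text.splitlines():
        m = MUTEX_RE.search(line)
        if m:
            counts[m.group("reason").strip()] += 1
    return counts

if __name__ == "__main__":
    # Usage: python check_modsec_log.py /path/to/error.log (no argument: run on the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for lib, (compiled, loaded) in version_mismatches(text).items():
        print("%s: compiled %s, loaded %s -> rebuild ModSecurity or remove the stray library" % (lib, compiled, loaded))
    for reason, n in mutex_failures(text).items():
        print("audit log mutex failed %d time(s): %s -> check SecAuditLog* directives/permissions" % (n, reason))
```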
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614