|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
* {9 J) N+ V$ x k
, Q. w( {. V( z$ F& l一.准备工作
6 j7 \, g% ^% F# u* J/ p" V
0 ]; C/ [& v5 u系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.01 E$ F( L1 x& J3 r9 W4 ^5 |
* w4 Q0 ?. c) }+ v$ a: V& _. qtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz/ }3 i) r4 F) w, ~; n" m$ j
+ k3 M# `7 A+ C h3 ~modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
, n; ?0 C6 b% \! D6 q6 _, K/ ]9 z: O& `- e
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs# ?' p# B6 G& W0 r- w2 U3 _
0 } K8 \+ t7 e) ?( E( v
依赖关系:0 X I/ \+ Y$ Z4 g& _+ w6 l
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:/ t4 I* ~" I1 h9 t$ |3 C$ ]0 e
# w0 K% L" B% Z- O3 o0 u( O
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
5 l( E/ m1 k' G: C. I) Emodsecurty依赖的包:pcre httpd-devel libxml2 apr |9 h6 t3 v/ E4 T
# B$ o7 [% U8 K3 B( g) A3 g
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
6 L$ Z. J8 Y" y4 I6 ]( e二.启用standalone模块并编译# d* ^9 Q2 d. H; V2 h
# r4 \! ~. L2 h; X& T; x. F下载modsecurity for nginx 解压,进入解压后目录执行:
, f* d& A0 Q* }. S; z+ E+ t3 k7 l9 S' I
./autogen.sh
: t7 b# R, P$ u. h2 T. u# h r./configure --enable-standalone-module --disable-mlogc
7 ^) \% \0 j' p) [' Umake
: _0 O9 V9 _- h* L6 Q三.nginx添加modsecurity模块
5 o/ M2 s) l) l5 u7 N H( F
9 F- r' a7 _/ h! d* o1 ?在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:1 Y5 x3 v# g; [$ P' b4 `
8 {* @: s7 V* \( Q& Z# x0 X
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine+ u4 E& ~+ ?' \% D
make && make install, C _7 Q) ]6 c. ?9 |$ }* n
四.添加规则5 F% o* k! ^8 O
! _& ~% J5 _3 C" K* kmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
3 [" v- w- W9 A5 W4 g
3 u; J4 A% c, e7 L9 R; K1.下载OWASP规则:. I8 K# j3 x3 j. k' f. p
6 D5 d" d" C/ c8 m) l6 `2 _
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
) |7 a( ]2 s2 Q/ d& y! T
( I0 O* J8 v' O! m8 [/ imv owasp-modsecurity-crs /opt/tengine/conf/& }+ I& g" h5 L' w M1 l
% a* h& l6 S$ T$ R& m" k7 Bcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf$ A, o- F8 Q; n" o, G5 u+ |
2.启用OWASP规则:* d s% i: E0 W; h4 W7 C5 Q( H V
* W% Y2 ?4 H6 i! y5 V4 Z
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。8 r5 a X: r/ z, X: E$ H
" W: v8 E) K; E' T
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
% ]2 v; @ m8 l2 e; m: Y7 f- V6 `1 T9 Q6 k* E0 N. k+ M) ^
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
& C ?/ |* _6 n2 C* g4 G$ G. N6 }% p* r) Y) x' f: G7 S$ O7 Q
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
! H& H* Y- \+ L; s* E- HInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf- k$ N) z4 A1 V* G
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf" B/ P# M4 |3 b5 @3 ]0 l M. C9 p
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
% J& p6 x# Q2 X& M* OInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf! s2 a& M+ Z% C/ i" N6 d f
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf! S& M2 U' w5 Q Q' P0 m5 P
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
( U+ L4 {4 J$ B( q' P五.配置nginx
5 L# k' `9 ^0 ?7 s9 Y
$ s; S' I3 e+ O' e4 s9 c, ]0 L在需要启用modsecurity的主机的location下面加入下面两行即可:; x+ V" S5 Z7 ~& J% H/ ~
4 j* `2 }* [4 N% Q$ I$ p7 J
ModSecurityEnabled on;
2 m$ E+ P9 {, w+ u0 ]+ ^, _ v" qModSecurityConfig modsecurity.conf;3 V0 Z( D& ?' J' b' h+ o) j, X
下面是两个示例配置,php虚拟主机:
& B: E4 C2 A9 @
' z7 J& ^. m0 P( w# M1 J" i1 |server {
/ @1 i9 D) N# T4 n* s/ F listen 80;
0 M J8 n; t* y! i ? server_name 52os.net www.52os.net;
9 L6 n! w+ A& T6 C. m 1 N+ Z; G) k8 j, l9 O' s+ [
location ~ \.php$ {
8 L B: W9 q: N9 L ModSecurityEnabled on;
% L( e7 X; [0 y8 P( f ModSecurityConfig modsecurity.conf;* H7 b' u, Q, C
$ O) V( L/ g) C+ v1 i
root /web/wordpress;/ a) E, t2 V$ Q5 p6 s9 F1 @
index index.php index.html index.htm;; @ `" S2 {& n8 Q: y
8 x5 d) R4 z- I! \- S2 X
fastcgi_pass 127.0.0.1:9000;
$ k& C# B5 c/ t- W6 f$ a8 ] fastcgi_index index.php;) q2 K" b& r) Y' l7 Y8 J) W( r g
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;$ n( e ^; s# g1 X, D N- d
include fastcgi_params;, u3 S1 Z ]$ q5 q% \. a
}
( C; Z2 ]7 p! U; E% o4 d2 H8 d: [ }; ^# O7 x1 w$ u; j* |% b
upstream负载均衡:3 t; j9 r* p; g6 k
' N) b$ k' T0 T8 W4 G
upstream 52os.net { u0 r, }% g5 l+ A$ Q3 h
server 192.168.1.100:8080;
7 p! H1 Q1 y, c6 l3 ? server 192.168.1.101:8080 backup;" }2 D+ c! {$ l# C% m9 ]% [
}8 @3 W& I# g3 f4 t, l5 O! b
0 B& A$ p( m* h7 Userver {
- U" o9 U# ^) F' P$ tlisten 80;. G; A+ y8 \2 u, o3 N6 O8 X- |
server_name 52os.net www.52os.net; l* g7 V4 F ^( S2 b+ \" |3 R
5 A& G- x/ C- J8 E$ o* Y0 j
location / {
9 {8 I5 g2 t: V2 | ModSecurityEnabled on; / G' y' \3 }" T, }; z% U$ D
ModSecurityConfig modsecurity.conf;
$ d, D# ~* M: `. n9 O
; g5 |4 D( K. o3 X" E9 o proxy_pass http://online;) `5 S0 c' v7 X, h1 Z! ^1 W; z
proxy_redirect off;/ s, l2 A, F) D1 T, Q
proxy_set_header Host $host;
3 D; E* q# W: L) C& M+ y; x proxy_set_header X-Real-IP $remote_addr;: S: L8 P1 g# g, j, i/ C) ?
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
% Z0 F5 ^& ?7 q" W5 e }. c$ K- H4 y+ H& J& N# Y X
}
- C( y! o$ | l! b六.测试
1 G. W4 O6 ]/ A* ~$ R' [* E
9 v4 q$ y1 A7 Q7 m我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
* M6 m( K0 g( z& E% n9 O$ \- B- W! Q3 k. l* i
<?php
9 O& `+ o5 S1 J4 ~; A- m9 ~/ @/ H phpinfo(); ) o$ q0 [' w, S# g) `% i- o% W) G* i1 }
?>
& s1 H f: o# _在浏览器中访问:
, G* h5 k! B: v# ?) I" h
4 Y0 O# T# ~1 |) P% Dhttp://www.52os.net/phpinfo.php?id=1 正常显示。
& a% f* {. b7 B' A9 b3 [1 [http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。2 S, s* w; u7 R( U
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
& l: ^$ x) i) t. X0 O说明sql注入和xss已经被过滤了
% w3 i9 @2 _5 ^3 [# F5 p# Y& z o4 B0 d- E1 a) \, t
七、安装过程中排错
. m- U- Q; O/ D( K/ J" ^* d% s M; p2 g& Q% [% P
1.缺少APXS会报错0 N+ O4 z1 E& p3 U0 _
' u4 ]; w% M. w, k" { |
configure: looking for Apache module support via DSO through APXS/ t _0 G8 E2 F" T
configure: error: couldn't find APXS. j1 O: f3 }7 G- S! b2 b! L
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
0 b+ r& @1 i( P6 L. `/ ~解决方法:
1 F5 x# x1 {1 [& H$ j$ E @- G: C. c3 t' f* |" \
yum install httpd-devel
0 _1 E' C$ A; Z2.没有pcre
$ {- T2 y q. ^
2 V8 ?; D, b) Q) F+ ~: |configure: *** pcre library not found.
6 E: D- h. \: n" Wconfigure: error: pcre library is required
; |1 m& [$ Z, [7 f1 @解决方法:( t9 b7 m. I& j9 B, U
( e- _1 R7 C- h3 ?9 z) Yyum install pcre pcre-devel2 [ f! i- r. G- L* o2 s% q
3.没有libxml27 q; ?; s: V& g! Z3 Z
$ c8 Q" f2 E5 Z* F# h' l/ G1 `) N8 a$ |. V; `
configure: *** xml library not found.4 t/ J, H1 h% n8 W
configure: error: libxml2 is required6 O" a. h t& w! _
解决方法:: u# i+ c2 W& ?9 a# F, v# }! m
, \$ \: R! ^. l; F3 j$ d, o3 n
yum install libxml2 libxml2-devel
& g0 H5 [" n; _2 \' v6 D# b4.执行 /opt/tengine/sbin/nginx -m 时有警告
% d1 q8 B3 B4 U8 ?" ^! R4 B5 T: ?9 U+ r; o9 r0 J9 a
Tengine version: Tengine/2.1.0 (nginx/1.6.2)/ A: \6 O4 O: A$ M
nginx: [warn] ModSecurity: Loaded APR do not match with compiled! E2 \. t- \0 ~4 N, w. x
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log, j* \9 x/ N/ L, K( K( Z$ L
! F2 W& m/ y: d: Q3 j! u* k2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
, g1 x: v) D: B9 b2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"! `7 I8 a2 v7 Y6 Z- T$ t2 V, N1 D
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled! ~( H, t: i9 c" r0 S. p$ q
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2 j! S/ a& R+ X) V3 A) y2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6" b0 {# I9 G# u b2 X5 X3 o
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.. F) C2 ~6 d+ u* @
解决方法,移除低版本的APR (1.3.9)
1 K A) T# a7 l# r( y5 l% B) Y' o2 ~+ q" _8 C1 w- G0 O2 G
yum remove apr
$ r) a( I/ K% q4 D5.Error.log中有: Audit log: Failed to lock global mutex
$ y; D! }/ Z6 K; V& ?- U! Z0 T# i6 W
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
P5 r& V& _& A+ g5 i1 Z% r3 Bglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
/ C ^6 U8 v% k! i1 W解决方法:
4 u: K. L( D2 c1 V& t2 I# j. K5 y3 {编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:( g- t7 `" Q" O% i7 [9 x3 R* P: K
- n! H* N( R U( a- \8 W
SecAuditLogDirMode 0777
0 C9 k1 H& n+ \% P+ [# ASecAuditLogFileMode 05504 _7 a3 |, k, Y
SecAuditLogStorageDir /var/log/modsecurity
5 o1 d" L4 T% V' fSecAuditLogType Concurrent
) v, K) \( M1 o1 r, t参考文章:
) ` ?+ i6 U( R& ]" P7 E& yhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
3 M& J4 R/ _% c& xhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡