ModSecurity began as an open-source WAF module for Apache and is an effective way to harden a web front end. It now also supports Nginx and IIS; combined with the flexibility and performance of Nginx (here Tengine, Taobao's Nginx fork), it can be built into a production-grade WAF for protecting and auditing web traffic.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Verify each download against the checksum or signature published by its project before building from it; the WAF sits in front of every request, so its source should be trusted as much as the application behind it.

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 base repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (for apxs and the APR headers), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build it

Download ModSecurity for Nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

Only "make" is needed here, not "make install": the standalone build produces the object files that the Nginx build in the next step links in through --add-module. --disable-mlogc leaves out the mlogc remote-logging client, which this setup does not use.

3. Add the ModSecurity module to Nginx

Once the standalone module has been built, pass its nginx connector directory to the Tengine/Nginx configure script with --add-module (the path below assumes the ModSecurity source was unpacked in /root):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

After installation, /opt/tengine/sbin/nginx -m (a Tengine option that lists the loaded modules) should show the ModSecurity module among them.
4. Add rules

ModSecurity is geared to filtering and blocking web attacks, and its strength comes from its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and comprehensive, and you can also write your own rules for whatever the default set does not cover.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into Nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. On a site that has not run behind a WAF before, it is safer to start with SecRuleEngine DetectionOnly, which logs rule matches without blocking anything, review the log for false positives, and only then switch to On.

The owasp-modsecurity-crs directory contains several rule folders, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever you need by adding Include lines for them to modsecurity.conf. modsecurity_crs_10_setup.conf must be included before the rule files, because they rely on the variables it sets up; the relative paths below work because the CRS directory was moved next to modsecurity.conf in /opt/tengine/conf in the previous step. Rules from experimental_rules are, as the name says, less tested than base_rules and more likely to produce false positives, so watch them closely in DetectionOnly first.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure Nginx

Add the following two lines to the location blocks of the virtual hosts that should be protected. The directives are per-location: only requests that reach a location carrying them are inspected, so any other location in the same server block is passed through uninspected.

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host. Because ModSecurity is enabled only in the "\.php$" location, requests for static files and any other path on this host bypass the WAF; add the two directives to those locations too if they should be covered. Note that Nginx variable names are case-sensitive, so it is $document_root, not $Document_root:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, an upstream load-balancing setup. The name in the upstream block must match the host used in proxy_pass:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, malicious requests are rejected with a 403 straight away. Taking the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then request the following in a browser (the browser percent-encodes the spaces and angle brackets before sending; the rules match against the decoded arguments):

http://www.52os.net/phpinfo.php?id=1 is served normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS payloads are being filtered. Each block also produces a ModSecurity entry in Nginx's error.log naming the rule that fired; check it before tuning or removing rules. Remove phpinfo.php once the test is done, since it exposes the full PHP configuration to anyone who requests it.
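The three manual requests above are worth turning into a repeatable check that can be rerun after every rule change. The script below is an added example, not part of the original article: it encodes each payload the way a browser would, sends it with urllib, and reports every case whose status differs from the expected one. BASE_URL reuses the article's hostname, PATH is the phpinfo.php test page, and the two extra payloads are assumptions added for illustration; the 403 expectations assume SecRuleEngine On with the CRS SQL injection and XSS rules included as shown in section 4 (in DetectionOnly mode everything returns 200 and the harness will flag the attack cases).

```python
"""WAF regression smoke test (added example; not from the original article).

Replays benign and attack requests against the protected host and reports
any case whose HTTP status is not the expected one. BASE_URL, PATH and the
extra payloads are illustrative assumptions; adjust them to your host."""
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net"   # hostname from the article; change to your host
PATH = "/phpinfo.php"              # the test page created in section 6

# (parameter, value, expected status).
# 200: benign traffic must keep working; 403: the CRS rules must block it.
CASES = [
    ("id", "1", 200),
    ("id", "1 and 1=1", 403),
    ("id", "1' or '1'='1", 403),            # assumed extra SQLi payload
    ("search", "<script>alert('xss');</script>", 403),
    ("search", "hello world", 200),         # assumed extra benign payload
]


def build_url(base, path, param, value):
    """Percent-encode the payload exactly as a browser would before sending."""
    return f"{base}{path}?{urllib.parse.urlencode({param: value})}"


def fetch_status(url):
    """Return the HTTP status for url; a 403 arrives as an HTTPError."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def run_cases(cases, status_fn=fetch_status, base=BASE_URL, path=PATH):
    """Return (url, expected, actual) for every case that did not get the
    expected status. An empty list means the WAF behaves as described."""
    failures = []
    for param, value, expected in cases:
        url = build_url(base, path, param, value)
        actual = status_fn(url)
        if actual != expected:
            failures.append((url, expected, actual))
    return failures


if __name__ == "__main__":
    mismatches = run_cases(CASES)
    for url, expected, actual in mismatches:
        print(f"MISMATCH {url}: expected {expected}, got {actual}")
    print("OK" if not mismatches else f"{len(mismatches)} case(s) failed")
```

status_fn is injectable so the same harness can be pointed at a staging host, run through a different HTTP client, or exercised offline with a stub; keep the benign cases in the list, because a rule set that blocks everything would otherwise pass.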
7. Troubleshooting the installation

1) Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server, compiling one or more source or object files into a dynamic shared object. ModSecurity's configure script uses it to locate the Apache/APR build environment even for the standalone build.

Fix:

yum install httpd-devel

2) Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4) Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that the 1.5.0 library is the one loaded:

yum remove apr

Before doing this, check which libapr the binary actually resolves with "ldd /opt/tengine/sbin/nginx | grep apr", and bear in mind that "yum remove apr" also removes every package that depends on it (httpd-devel among them). The cleaner fix is to make sure the same APR headers and shared library are used at build time and at runtime.

5) error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

This switches from the serial audit log (a single file shared by all worker processes and guarded by a mutex that the workers, running as an unprivileged user, were denied permission to lock) to concurrent logging, where each transaction is written to its own file under SecAuditLogStorageDir. The 0777 directory mode is broader than needed: creating /var/log/modsecurity in advance, owned by the user the Nginx workers run as, with SecAuditLogDirMode 0750 works just as well and does not let every local user write into the audit log tree.
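Once blocking is on, the ModSecurity lines in Nginx's error.log (the same layout as the mutex error above, and the entries produced by the blocked test requests in section 6) are the first place to look for noisy rules and for engine problems. The script below is an added example, not part of the original article or of ModSecurity: it parses those lines, separates blocked requests from detection-only matches, and counts hits per rule id. SAMPLE_LOG is constructed for illustration: its first line mirrors the mutex error shown above, and the other two follow the same layout with illustrative rule ids (1000001, 1000002), messages and client addresses rather than real CRS output.

```python
"""ModSecurity alert triage for the Nginx error.log (added example; not from
the original article or from ModSecurity). Parses the connector's log lines,
tells blocked requests (SecRuleEngine On) from detections only
(SecRuleEngine DetectionOnly) and counts hits per rule id, so that noisy
rules can be identified before they are tuned or removed."""
import re
from collections import Counter

# Constructed sample lines in the layout of this section's error.log entries;
# the rule ids, messages and the second client address are illustrative.
SAMPLE_LOG = """\
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: *7 [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "1000001"] [msg "SQL Injection Attack"] [data "Matched Data: 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 04:20:05 [error] 61610#0: *8 [client 10.11.15.162] ModSecurity: Warning. Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "1"] [id "1000002"] [msg "Cross-site Scripting (XSS) Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
"""

# Nginx error.log prefix, optional "*<connection>" and "[client ip]", then the
# ModSecurity message itself.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: "
    r"(?:\*\d+ )?(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<body>.*)$"
)
# Trailing [key "value"] fields; values may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_alert(line):
    """Return a dict for a ModSecurity line, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    body = m.group("body")
    if body.startswith("Access denied"):
        action = "blocked"      # SecRuleEngine On: the request was rejected
    elif body.startswith("Warning"):
        action = "detected"     # DetectionOnly, or a rule with no disruptive action
    else:
        action = "engine"       # operational message such as the mutex error
    return {
        "ts": m.group("ts"),
        "client": m.group("client"),
        "action": action,
        "message": body.split(" [", 1)[0],
        "fields": dict(FIELD_RE.findall(body)),
    }


def summarize(log_text):
    """Count hits per (rule id, action), collect the clients behind each key,
    and list engine errors separately so they are not mistaken for attacks."""
    hits = Counter()
    clients = {}
    engine_errors = []
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        if alert["action"] == "engine":
            engine_errors.append(alert["message"])
            continue
        key = (alert["fields"].get("id", "?"), alert["action"])
        hits[key] += 1
        clients.setdefault(key, set()).add(alert["client"])
    return hits, clients, engine_errors


if __name__ == "__main__":
    hits, clients, engine_errors = summarize(SAMPLE_LOG)
    for (rule_id, action), n in hits.most_common():
        print(f"rule {rule_id}: {n} {action}, clients={sorted(clients[(rule_id, action)])}")
    for err in engine_errors:
        print(f"engine error: {err}")
```

Run it over the real error.log (for example summarize(open("/opt/tengine/logs/error.log").read())) after a day in DetectionOnly: a rule that fires on many distinct clients against an ordinary URI is usually a false positive to tune, while a single client hitting many rules is the opposite.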
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614