ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports Nginx and IIS. Combined with the flexibility and efficiency of Nginx, it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for Nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is oriented toward filtering and blocking web threats, and its power lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet any other need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need; each rule file you want active is pulled in with an Include line:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of any host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, an upstream load-balancing setup:

# the upstream name must match the one used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
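A browser 403 only tells you that something blocked the request; the server-side record of which rule fired lands in nginx's error.log. The following parser, added here as an example and not part of the original article, turns ModSecurity-for-nginx error.log entries into structured records and also flags the APR compiled/loaded mismatch that section VII discusses. The log lines below are constructed samples, and the rule ids and messages in them are illustrative.

```python
import re
# nginx error.log prefix followed by the ModSecurity message body.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<body>.*)$')
# Bracketed key/value fields ModSecurity appends, e.g. [uri "/phpinfo.php"].
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Library version notices printed at startup (section VII, item 4).
VERSION_RE = re.compile(r'(?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"; '
                        r'loaded version="(?P<loaded>[^"]*)"')

def parse_event(line):
    """Parse one ModSecurity error.log line into a dict; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev.update(dict(FIELD_RE.findall(ev['body'])))
    # Free-form text before the first bracketed field, e.g. "Access denied ...".
    ev['message'] = FIELD_RE.split(ev['body'], maxsplit=1)[0].strip()
    return ev

def denied_requests(lines):
    """Return (client, uri, rule id, msg) for every request the engine blocked."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev['message'].startswith('Access denied'):
            out.append((ev['client'], ev.get('uri'), ev.get('id'), ev.get('msg')))
    return out

def apr_mismatch(lines):
    """Return (compiled, loaded) when the APR versions differ, else None."""
    for line in lines:
        m = VERSION_RE.search(line)
        if m and m.group('lib') == 'APR' and m.group('compiled') != m.group('loaded'):
            return m.group('compiled'), m.group('loaded')
    return None

# Constructed sample log: the APR notice from the article plus two "Access denied"
# entries of the kind the section VI test requests produce. Rule ids are illustrative.
SAMPLE_LOG = [
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; '
    'loaded version="1.3.9"',
    '2015/01/26 02:10:03 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "..." at ARGS:id. [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [uri "/phpinfo.php"] [unique_id "X1"]',
    '2015/01/26 02:10:09 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "..." at ARGS:search. [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [uri "/phpinfo.php"] [unique_id "X2"]',
]
```

Run `denied_requests` over your real error.log to confirm that each 403 from the test above was produced by the CRS rule you expect, and `apr_mismatch` to catch the version warning before it surfaces as odd engine behaviour.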
VII. Troubleshooting the installation

1. Missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel
2. pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel
3. libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log will also contain the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr
5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity/
SecAuditLogType Concurrent

Note that SecAuditLogDirMode 0777 makes the audit log directory world-writable; on a production host, have the directory owned by the nginx worker user and use a tighter directory mode instead.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614