|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。6 E* t' m( b. {* v% R. v) H
& j) K# m5 ? \$ x3 z/ F( v
一.准备工作
7 E: P8 D1 y( y$ B( V( n+ ^
5 O# s' b, D6 p% I3 a/ P* ~系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
! _; `8 R7 m. c& q" B( f" F, _/ W
% a; _/ ]. G$ r& ^9 ?1 Utengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz7 }) ]+ ]. c2 F. m0 A1 s) B
# v: F7 O2 ?( n
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
( G6 D9 H' ] m) ~! m D4 l7 [+ n' z" R5 m# ^' @
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs3 {) y/ _9 O/ N C; J7 O
) j$ L* e1 q7 U* Y& x7 i依赖关系:3 N4 M! F; d B2 X& S' K. M/ k
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
8 O! q7 T7 I( d: P
+ E6 g# S! L4 O$ Y1 P/ Oyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
3 [/ M4 l8 B3 f! E: \modsecurty依赖的包:pcre httpd-devel libxml2 apr4 c* \9 P1 n8 Z/ F
7 G3 V+ {, p5 c, s+ `% ]- z; u! }yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel$ D; u9 F9 }( }" a1 s
二.启用standalone模块并编译+ v5 u4 l( l7 q2 `/ W: b5 w) q% A
1 W0 W0 I5 P1 g4 t) \0 m9 {+ Y下载modsecurity for nginx 解压,进入解压后目录执行:
3 z1 m" r5 ~6 T" N* E. t" p& C, [( d% a( {$ [9 {
./autogen.sh6 g7 t+ M. ~% v3 d5 W1 p2 f
./configure --enable-standalone-module --disable-mlogc
7 w z2 F: l6 Q) q$ Kmake
% S8 N& b/ [; _' T6 h8 {" }0 ?三.nginx添加modsecurity模块
% d, G: [1 P' X. v" Z- u8 Y# N1 k* i" C" |/ F
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:8 U; w$ [! [' [
) G- h! y9 w+ S- D( s
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine; A! K8 _) V& H+ y
make && make install
& V3 l6 d2 K- ^7 A3 `四.添加规则
" M( l5 m, s$ l: |
6 S1 p- w! o7 P `4 Z6 lmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。+ J; M p) @4 N( G3 F) ~/ `* w# P
+ v( z' V" Z2 E5 D. [$ t
1.下载OWASP规则:
: Q% C1 G" F% h7 @, b& p2 d2 H( V% v- |6 k2 B% d& q
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
$ x6 w7 n+ Y+ @/ h5 g: \6 W8 J: g4 a) e$ s/ ^/ p
mv owasp-modsecurity-crs /opt/tengine/conf/
i$ C7 p5 R$ x( v, x% I j5 `! v. O& j, L, h' |# I
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2 ^7 \+ G' D- ], c% ~2.启用OWASP规则:/ y- [* n! W2 I) B1 V: l
) @% y- m& W! K2 a) J! [- h5 T& H3 I复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
4 E3 P; G; b( f7 s4 V [% `" T4 K* e2 v! \1 x
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on6 ]! b& {$ r1 t: S. h+ d
4 A& P1 v- ]0 m/ a5 w5 nowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
4 H2 |7 o( j# D5 y4 r: w7 c
$ j1 D( C+ f2 j3 DInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
l& Z' b3 [% Z! nInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf- [3 |/ k8 M' n; J8 \
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
3 p8 F8 e7 s, T! s, E- X9 _Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
% p( v% R- Z. S2 WInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
$ X4 S6 F/ s3 u6 O9 g* ]* CInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf+ N; G: l6 x* I
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf4 S2 R* R9 F; o* ~5 }6 b7 i8 J
五.配置nginx5 m. x( S) v1 A/ ]( c: z
- n/ d& _2 O6 Z8 P/ e& h在需要启用modsecurity的主机的location下面加入下面两行即可:1 W! m6 k+ I7 s" e! D* ]$ \
6 F$ `' B5 \0 C1 v5 C
ModSecurityEnabled on; j* |$ F2 K4 t% t: K. D% G
ModSecurityConfig modsecurity.conf;
7 Y7 C6 E1 Y1 ?2 P下面是两个示例配置,php虚拟主机:
3 t( _0 t$ L, Q$ ^8 P) i+ ~* L
f% N K1 Q- m' b, i- j0 E hserver {
2 J8 K9 d' ^# o8 U( j listen 80;- l4 s( w! ~- V7 g! z% f) k! I
server_name 52os.net www.52os.net;
) f; y1 N2 m3 T: k% O
1 R3 X I2 F9 E5 N location ~ \.php$ {( P8 m* [& e7 Y: n! F- y
ModSecurityEnabled on;
( J6 m; Q8 J+ `0 I; H j# @ ModSecurityConfig modsecurity.conf;
4 E* b" A) D& f. ]' j* w- p0 y" E7 W, f! v; A
root /web/wordpress;
4 s8 m6 e! F1 E F index index.php index.html index.htm;
# j7 a& z& @5 e+ F3 j3 l
+ p& X" k0 Z- _# O9 J fastcgi_pass 127.0.0.1:9000;' R& q. A$ e5 L% y6 L: ~' T
fastcgi_index index.php;$ O( N- |9 v( W0 f
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
7 a- H' Y! n" r; W) s include fastcgi_params;4 D2 {# L' M6 a9 x$ \8 J1 u o# a, l( x
}
% v3 i4 R1 i& V6 A: d' t# Y# t }* y0 F% P b; j1 F( g
upstream负载均衡:
7 q1 C, Q9 M9 O4 _& d9 d
# }1 G4 }4 C y2 L. r" I- @upstream 52os.net {, A2 W2 X% s* \* `- A- J$ G
server 192.168.1.100:8080;
& J& }8 U F O. _+ i server 192.168.1.101:8080 backup;
+ s! x1 A$ t! |6 x( Z) [+ I8 `' d}% f: U- \* A, T, E/ c, A% v; u& u
, @3 j$ x3 w1 P8 V" s* m" F2 B! G7 [
server {
/ v# V- v4 A B' I Glisten 80;- ^( ~) a* D% ^; J( R
server_name 52os.net www.52os.net;
/ q: P- ?" k9 d5 r0 W) J% ~0 @5 C6 Y8 L& J0 ^
location / {$ O# D1 I4 _ B% ]$ e# T
ModSecurityEnabled on;
3 Q9 z6 _* b: q5 n$ x ModSecurityConfig modsecurity.conf; # C+ L! l$ R9 V8 u& d
/ Y) G3 P- U% y9 B# W, ?( A proxy_pass http://online;
9 G/ Q$ U) N+ A( g- s, _ proxy_redirect off;
% X$ S9 t' r8 m proxy_set_header Host $host;' ^& h$ h c2 K6 a4 U
proxy_set_header X-Real-IP $remote_addr;
" i3 n; |" U3 b/ b3 `; G proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
: e$ Z/ N0 }1 V/ _ }( r# p- d% z+ {* [0 J8 S, m: B T
}- H; G- N/ S( J; d: e& b. a. c
六.测试
: s9 S& B2 `! V: V0 b* ]. d/ H9 \; [; W& w3 Y: s L
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
) @" W( W+ s" |) E! v( R4 F2 G* ?
$ y e! p3 W: m- a) M4 {<?php2 m/ {) R+ f2 p' Y. l9 m$ V4 h
phpinfo();
- s6 F. m t: n' o% }* A% ]?>8 h, F: f' \5 T4 M8 z2 v0 I/ S
在浏览器中访问:2 r5 s9 D9 {- d, M
9 ^; J. A3 q- f3 k, u* ehttp://www.52os.net/phpinfo.php?id=1 正常显示。
J5 ~% z# P6 L0 Z9 \; J0 X( @http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
9 N# {; z5 I. b. T$ W% _. Yhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
6 R2 q1 Q) N. D/ ?2 e说明sql注入和xss已经被过滤了
/ _9 E+ G; C) Z
% e% S- Y/ V- S+ y) _* R1 D7 @& `七、安装过程中排错
: ?8 T0 u$ q$ ~( L4 x( `
, u7 A( g, g2 g$ b- a1.缺少APXS会报错( R; ~- A3 g0 ^& Y1 Q: z
1 u( m6 g H+ f9 V4 D
configure: looking for Apache module support via DSO through APXS; Q+ u3 ^7 n" I1 E
configure: error: couldn't find APXS
2 i! M8 [( N# napxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
/ l5 `" W8 D( k9 z2 }5 @( a解决方法:" Z7 y, [$ T5 E- N
- m3 K' P( f. S$ m3 dyum install httpd-devel/ e% r+ L# I: ~$ R
2.没有pcre
0 T ]. W8 ]7 r- c# p1 K3 c3 n* [" D( l' \
configure: *** pcre library not found." C3 K s m4 ]+ A3 L! {
configure: error: pcre library is required
! N E3 V% ?3 \+ u* B$ e解决方法:
4 p! ]' F& Z/ |4 z7 T7 k+ W( _6 @+ f0 q) |1 Y; ^/ R& R
yum install pcre pcre-devel8 ?( z' c! z, r3 R2 T7 Z8 j
3.没有libxml2
/ j' ~( \7 x* Q+ N
5 ^, y: o& e' K, h6 e, p8 `
! U1 `+ _/ e3 C8 lconfigure: *** xml library not found.
+ X, r' E3 n" d* g$ w( ?, J' _configure: error: libxml2 is required8 G$ ]. u6 m- _
解决方法:- O3 v6 k$ Y' J0 u
" a* r5 x) f: ^, eyum install libxml2 libxml2-devel
0 H: |: O9 o6 a9 t4.执行 /opt/tengine/sbin/nginx -m 时有警告$ J2 r2 _3 P. ?' q8 Y
( h( i7 Z# P0 S1 g7 p1 @4 q* }7 rTengine version: Tengine/2.1.0 (nginx/1.6.2)$ t5 O% Q' Y6 I+ Y2 K& E
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!2 O; w/ S0 u: Q7 H* f( u: \' F
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
2 m4 L0 V* ~! [) K
& u* x) U& u4 T$ \' n& v2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
`9 ^8 _7 _2 L( }+ t5 A2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
" I: E7 H& H+ e R' H% i: n2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!, D3 j( _, V5 ~
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
+ @" U. h: e* ^; O2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2 g, @) R4 W: b ~; `( X) V2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
( i9 t! |0 c1 S解决方法,移除低版本的APR (1.3.9)
1 X' f9 m c' \9 H: W+ M F
7 F3 Y8 ?0 a1 k5 tyum remove apr& K. T3 G; s8 u& |
5.Error.log中有: Audit log: Failed to lock global mutex
9 F( q$ j, S' M- k% |, ]
+ Z% E5 E7 h2 g2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock . t& E0 K1 x2 f
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]$ m& @7 c; K! D" c" n
解决方法:3 f0 i: S! o) D- Q! o% z9 I7 F2 @
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:9 K4 H/ K% H4 T% {4 S( u6 H
: K/ ], D. }# ?SecAuditLogDirMode 0777
l6 ?' v. k( J" q- pSecAuditLogFileMode 05505 }+ q4 l) A8 ^. p' b# B) |" n: ^
SecAuditLogStorageDir /var/log/modsecurity
) U. T! A! ]# H& C! q7 @SecAuditLogType Concurrent. T; q I- U ]) R
参考文章:
2 Y+ @! f8 y# n4 G" Phttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX9 E" X1 |1 x) x7 F M0 ^: s
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡