Building a WAF with nginx and ModSecurity

Posted 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF module for Apache and noticeably raises the security of the web applications behind it. It now also supports nginx and IIS; combined with the flexibility and performance of nginx it can be built into a production-grade WAF and is a strong tool for protecting and auditing web applications. (The ModSecurity 2.x standalone module for nginx used in this walkthrough is no longer developed; the project now points new nginx deployments at libmodsecurity v3 with the ModSecurity-nginx connector. The build and rule-set steps below are still the reference for the 2.x setup.)

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel (for apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Build the standalone module

Download ModSecurity for nginx, unpack it, cd into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

--disable-mlogc leaves out the mlogc remote audit-log client, which is not needed here. There is no make install at this point: the next step links the module straight out of this source tree.
3. Add the ModSecurity module to nginx

Once the standalone module is built, it is added to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Check that the module went in with /opt/tengine/sbin/nginx -V: the --add-module argument should appear in the "configure arguments" line.

4. Add rules

ModSecurity is about filtering and blocking web attacks, and its strength lies in its rules. The rules published by OWASP and maintained by community volunteers are called the Core Rule Set (CRS); they are reliable and powerful, and you can write your own rules for anything they do not cover.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

(The file and directory names used here are those of CRS 2.2.x. The repository's master branch has since moved on to CRS 3, which ships crs-setup.conf.example and a single rules/ directory instead. To follow this walkthrough as written, check out the 2.2 branch of the repository, v2.2/master, after cloning.)

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which logs every match but blocks nothing, so a WAF left in that state looks busy in the logs while stopping no attack.

owasp-modsecurity-crs contains several rule directories, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the rule files you need by adding an Include for each to modsecurity.conf; the setup file has to come first, because it defines the settings the other rule files rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

In each location block of the host that should be protected by ModSecurity, add these two lines (the config path is relative to the nginx conf directory, /opt/tengine/conf here, where modsecurity.conf was placed in step 4):

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First a PHP virtual host. Note that the WAF is enabled only inside the .php location, so requests for static files under the same host are not inspected; nginx variable names are case-sensitive, so SCRIPT_FILENAME must use $document_root:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Second, an upstream load balancer. The upstream name must match the one used in proxy_pass:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
2 L* x: a, n2 y2 w六.测试0 {3 S) j' @* q: l0 L% _

3 F) E. N0 n8 q" D$ B2 k( }我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
2 U6 k7 V( R; p: ^& K8 p$ b0 D+ Q
<?php
- `8 H  B2 I  T& V    phpinfo();    ) {8 _" b' r/ U1 e, h
?>
( V+ B0 B4 r4 \在浏览器中访问:( F# N0 I$ |& y* F/ s' A5 u0 i9 l

- Z; p; C0 |& T: @( M  i3 Shttp://www.52os.net/phpinfo.php?id=1 正常显示。$ N, @: t) p$ {0 Z4 L7 h: Z
http://www.52os.net/phpinfo.php?id=1 and 1=1  返回403。  d, T0 C& e% F! |/ i
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script>  返回403。
( }3 ]" B; z) d2 p/ d说明sql注入和xss已经被过滤了6 V- ]5 p7 x: c7 o) O0 U/ s

7. Troubleshooting the installation

1) configure fails because APXS is missing

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when building the standalone module.
Fix:

yum install httpd-devel

2) pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4) A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Before doing so, confirm which libapr the binary actually resolves at run time with ldd /opt/tengine/sbin/nginx | grep apr, and keep in mind that yum remove apr also removes every package that depends on it, such as httpd, so make sure nothing else on the host needs them.
5) error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The serial audit log appends every transaction to one file under a global mutex, and the nginx worker processes, which run as an unprivileged user, are refused that lock. Concurrent logging writes one file per transaction under SecAuditLogStorageDir and needs no shared lock. Create that directory and make sure the worker user can write to it; 0777 works but leaves the directory world-writable, so on a production host prefer chown to the worker user with a mode such as 0750.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614