|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。2 n9 [. @0 n# y$ Y2 X' p; {) \
# Q: `- Z0 u2 V" p5 P
一.准备工作, c0 Z* W: B3 l+ u- h @8 c n
2 K5 j% T3 q! u+ \' |' Z系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
# x9 e9 u" ?' T) E+ F
; S! C9 H* t' M$ } K7 W; ltengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
( r; W4 z3 T9 G: p. e: I& b
; f l# y' M9 [. imodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz' |3 \$ a9 f3 Q) X. F
- n8 M2 D2 s8 s9 IOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
4 D) {$ G- X) p2 x. b! J
6 S H! r. U% a6 G# M5 U$ I依赖关系:
: A6 t4 q9 m; o. b9 q9 x+ itengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
9 F% r; V( a$ f
( g1 I7 C9 m+ B0 V! F! Tyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel" i& Z2 q' l* q: t# l3 V5 B: [
modsecurty依赖的包:pcre httpd-devel libxml2 apr7 D& m) R7 t# d- Y+ E6 |
$ E/ J4 l2 k' z. w
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel. @: ^; F0 H4 P! J4 R
二.启用standalone模块并编译1 s Z& i, m# t
: }) A R8 ? R. L, w( a下载modsecurity for nginx 解压,进入解压后目录执行: o ~$ C9 H1 T3 g0 X2 Z2 c
* x# y( E9 ^4 V) t& T./autogen.sh
4 h9 I- D. q5 W }( S7 T, k8 M./configure --enable-standalone-module --disable-mlogc0 Y- T: Z2 I0 ]# g9 e4 t
make / _: o+ t" \% B1 U. g, J
三.nginx添加modsecurity模块3 [* j/ }; r9 `$ j0 ?- {6 d
% t6 U0 }: l+ q$ N在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:% {. q" C4 ?0 r/ g. @
1 w6 [) t: n0 G M( w. A
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
9 X1 H5 \: r+ G' p8 kmake && make install
- H, E# J* j2 V2 s) l四.添加规则
]" A9 e8 M3 U7 h. |" n" W
! B; J& ?. K+ m% D0 P. U& Zmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
1 S8 r0 z, `" T2 w: W+ i6 N% Z, P1 \, N7 C, ?( I! O& M
1.下载OWASP规则:! g# l' S' V* j: o
" M3 l, n/ U, d6 ?, {% r$ l' c- i1 cgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs, j8 I7 s" _7 ~6 m2 r' L1 {3 l% e
+ I) G K4 R; J# t0 G- P% d
mv owasp-modsecurity-crs /opt/tengine/conf/
" N+ N ]. u/ K3 g. L# V/ j { C4 j" K6 @1 y/ X. b S
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
+ e; y5 m% \, [) z1 W# i: |2.启用OWASP规则:' H& ~, Q# }2 U: i/ w# h
& h3 V0 Q* m, \) B
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。; m2 c( J) F& F2 O; V, X7 @
; E4 [( c( J, ^编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
, l' x* y& z1 d3 X' ^
/ V& O, S& G4 O8 {owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
, j) _) ]1 [. L) X* h/ x. {1 F0 @8 p, [1 y
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf9 S) J" a3 V( j9 B2 J+ K0 Q
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
5 ?; M3 O$ e( b7 D( y' iInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf# r/ ~( D. n Y5 d6 |2 _
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf' @0 l2 |8 ]8 t2 h% d. x
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
7 i% ~; T2 f7 h0 h+ P4 B' BInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf; ?! r: q! \5 J' X/ ?
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
2 z( D# w* [7 G五.配置nginx
* s1 R3 K4 z9 ^9 d
5 ]& C V5 V) |1 u( @$ u在需要启用modsecurity的主机的location下面加入下面两行即可:& Q( H+ n( Y- O @/ t
; Z& l% H a( O& `
ModSecurityEnabled on; . w/ A1 ~" n$ @$ e
ModSecurityConfig modsecurity.conf;; F4 x! K5 y$ L; x& { m
下面是两个示例配置,php虚拟主机:# p( ?$ a9 W& A2 }5 l0 D0 k
7 a/ `% b: \, c* U" ^! a7 P+ p( gserver {0 j6 g- W8 Z: B1 Y
listen 80;
" Q3 _" H* ~6 u& N H server_name 52os.net www.52os.net;+ V8 \% E F: j' a; l U
" u/ P, x" ^( J+ A* r* ?
location ~ \.php$ {% [$ c+ K$ n- O& t: [
ModSecurityEnabled on;
9 d9 d' ~) o% y* i1 t. L ModSecurityConfig modsecurity.conf;
" q- a+ T5 q) D9 A+ h* ^$ i5 e4 f- t5 Y' t) P
root /web/wordpress;3 B$ T6 q; N" T* J8 l
index index.php index.html index.htm;
* ]# G% S% P+ G$ G0 O- H! { & G; k$ P9 O. s. \' I) ^
fastcgi_pass 127.0.0.1:9000;; C# X7 u1 P5 I
fastcgi_index index.php;) y7 }: }+ j& a1 {' S
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
& u, ^9 o% @1 c* t) a; t( E( w include fastcgi_params;+ |" V, ?/ `6 R
}5 @+ Z4 F8 T" r; M5 Q/ t9 [2 c
} b1 f5 o. T" f$ }% {9 T! k$ f
upstream负载均衡:3 ~# [+ ~) g r% M+ r
: A2 W: W/ V; D
upstream 52os.net {
2 R& X$ i7 L. j9 h; ]6 l server 192.168.1.100:8080;5 S& G; D# Q: X: ?8 L; X( S/ o H
server 192.168.1.101:8080 backup;6 t- a# w7 L h7 U/ C& x: i
}
, P* O9 c0 K( L4 S, G- |
; h2 Y! G* Y5 u" h$ }# ^server {4 e: b1 H5 o2 M) C6 A/ N
listen 80;
# ]* `3 O7 `' Y8 X5 o. z' h$ tserver_name 52os.net www.52os.net;4 x4 b6 T- q; ?0 R: w3 k! s- M
- }0 c; U, Q: o2 }% m7 Y
location / {
1 A8 |$ G- @. ]- V$ y ModSecurityEnabled on;
2 G6 |* B/ |, w. ]( | ModSecurityConfig modsecurity.conf; # h1 S% B6 L" s' Z _
. H( a8 c# E6 \1 Y. R4 l' Y
proxy_pass http://online;2 t2 O" _" g+ ^) ^8 O$ x
proxy_redirect off;" J! u2 m% D, c7 x. r
proxy_set_header Host $host;2 s* t0 n4 w7 D/ T" h
proxy_set_header X-Real-IP $remote_addr;/ ]. J& G! S; a( o) H
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;+ @' S2 a1 @& S, E% e. [
}
! I* B1 W. d) S5 X0 q}
5 O9 B$ s" F! ~8 |4 n+ C+ }3 [. n* z六.测试' U6 D) D) H6 E' I4 d
5 E( M8 ^" Y& N( z/ z
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
, N. o- o+ w5 k! a
% S: C6 ^% Y' D. f" O+ @<?php& m' O& y: D/ X: ~4 }+ X
phpinfo();
1 q; H8 c0 `8 q9 F7 [?>: ]; [- U+ ?! d6 o, B
在浏览器中访问:2 P M( v# K/ v* s
- W7 E" {2 M( T$ l. V
http://www.52os.net/phpinfo.php?id=1 正常显示。& c+ J, D3 c+ g4 E
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
L, N6 I% }/ j) U$ E0 O1 Dhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
6 g0 B% |( f! I' ^6 d! ~- y说明sql注入和xss已经被过滤了; ~- t7 ^. E7 B. r. z3 O, ~8 \
* V$ ]5 L. u/ a+ ^, U. R
七、安装过程中排错
+ n& }9 h2 f% r9 w+ M+ D' K: r; B" R8 b# y; J. w' u( V
1.缺少APXS会报错
d$ A5 e3 j* \. K K$ v. \- _: F0 n" a/ J5 A! s
configure: looking for Apache module support via DSO through APXS5 @1 k1 G/ v- X0 e/ E( l/ \
configure: error: couldn't find APXS
8 D7 d* L' j7 r+ }9 eapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
8 K, D) \' {' U2 c解决方法:& G1 q. X, N! O M
* J8 \$ B( }2 g+ b& e7 k$ cyum install httpd-devel1 t$ \! H" y+ m% T2 }
2.没有pcre! ~' P8 K4 r& w
! z! X6 p" ~1 p
configure: *** pcre library not found.
/ r! s5 @; \( ]configure: error: pcre library is required
J+ Z. O6 Y( n) G, F解决方法:+ u; x% x! I0 d/ p4 L$ O) l0 w% f
' y( u) Y: M2 s7 `: T
yum install pcre pcre-devel% v1 q8 J+ g: U, e' M' |
3.没有libxml2
' @ |6 x) |: q: h, Y, c, X0 K T% P( p- T! I D
# R' i, B. |; l9 P% H5 I# |
configure: *** xml library not found.! C) A( `/ s$ T2 i q
configure: error: libxml2 is required# L) j3 R: S. M) Z/ m2 T! R$ y
解决方法:# D! _! H# ]! K. R% t/ p9 ]7 T
$ n) W/ ?( R9 b% K1 Kyum install libxml2 libxml2-devel# r+ p5 p5 k: N( E7 }
4.执行 /opt/tengine/sbin/nginx -m 时有警告) v) b/ L; u, N+ |( p \# u( h {
" w) ~# u1 }8 p2 \( y* q: PTengine version: Tengine/2.1.0 (nginx/1.6.2)6 t- j+ p6 ^8 h/ H
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
( c. u/ {- n; X! @8 R3 ^4 Q原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log0 O/ H$ }, s8 \( ^! c+ X* b- Y3 e- [
1 W# F8 w# a! C+ Q" I. Z
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.9 K" z; R3 C% Z" U8 o4 v/ j
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
$ A+ ^4 U9 q( L; B' a: G% g! m$ Q2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!* ? H5 _' z& P0 L$ d; @) {# J
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"4 ~- }& H$ J+ m% H: }; t
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
1 \7 {' _* D( y2 g2 Q* n- \. F2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
9 O5 h% w: w+ z& b5 [解决方法,移除低版本的APR (1.3.9)4 _1 w4 ~4 d6 _/ c! c3 j5 x
: P- P# g7 ~# `' H
yum remove apr
$ B; d* f( P3 t8 N' d2 v1 Q5.Error.log中有: Audit log: Failed to lock global mutex. G' Y' E8 [8 m
. Z7 D+ b0 U& ~8 ?- c+ I1 I$ O1 I7 r
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock & h: A* l8 }( j: p" s% _% Q
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]. S0 Q3 z( y# _8 a$ B
解决方法:
! j5 z! N$ r4 s2 F0 T编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:# ^0 o* Y7 U, P# m, B, F+ n
4 ~5 ] j" e+ A' }: uSecAuditLogDirMode 07776 E- b% M3 B x1 a. Y2 N8 ^
SecAuditLogFileMode 0550
7 P% I0 _$ G! {SecAuditLogStorageDir /var/log/modsecurity3 D9 j4 M% l+ }0 @3 Z
SecAuditLogType Concurrent% Z/ V2 \' d' }0 d; P; y6 z6 t
参考文章:) `% G- O& h* }8 h
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
`* Y, S1 c" B7 Xhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡