|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
2 w) R3 z& k. u/ t6 q& Q" }# L( p6 }+ }& s O F$ Z
一.准备工作/ [" \5 q+ B& E+ Y3 H' V$ h1 Q% i
' K+ Q; [6 ?5 [ S+ B: e系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0- ^# @4 k' i+ N% |7 Z+ y
0 ^: ?( n3 U) f2 I
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
6 T1 @9 c- M. L0 x! {( [
" {# e0 f* N( H# Z' D) A/ zmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
$ D8 ~0 d' \( O+ o" v
0 t) F4 b* g5 a+ _OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs1 `0 a% G, q* a0 f- l; C
) @# j3 }7 X4 T+ P3 I* _9 ^- G$ E) }
依赖关系:
6 m9 W; P( i2 F3 z9 F. G$ _- B$ c# T' Htengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:; @& l0 |" S+ e' E) T8 r. S! |9 L5 m
, {( }$ S* R' X/ l" t( jyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel- ?# J. ^' N1 q. c
modsecurty依赖的包:pcre httpd-devel libxml2 apr. G- N) T8 Y6 n0 M
! ~6 o) g6 D2 s4 H' ]
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel" `. h* y7 m4 a; C
二.启用standalone模块并编译' f9 @4 O& f2 f3 ^+ T+ A! m+ z
8 Q) b+ J2 t. M" [. q下载modsecurity for nginx 解压,进入解压后目录执行:
0 w( W7 q0 E& y7 x+ m5 W! Q& |* y u9 N! a) F' j- T
./autogen.sh4 @ k2 H# U4 S4 c( q$ q
./configure --enable-standalone-module --disable-mlogc
/ U5 W0 ~, w! n% Y1 ~8 ^8 }make
7 o% U* ]8 F9 d2 k6 T! Q: |( c三.nginx添加modsecurity模块5 {/ r% e$ L9 k' _ e3 z
y1 r2 j3 m0 ?3 Y* C% x/ ^/ `9 b在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:$ K, f6 X8 W/ Y8 b! B0 H1 e
# N2 O% U& n. m# r7 y8 n( U./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
) q3 _% k( [7 e) imake && make install
0 e, o) M6 c6 ]3 {. q四.添加规则
) z8 N% N& i+ Q# I: c% C5 `3 _! R" {4 U4 N v" \9 }
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
) {) q U3 z/ O6 \* u/ ?! Q: Y
/ f& \3 a$ l, P k8 T0 ^1.下载OWASP规则:. D7 y G- B& x1 s0 _& t. a2 t
. [: b: v/ @9 I6 s
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs! `- c. ]! [% k
5 V! i3 U. ^# v( Y0 A
mv owasp-modsecurity-crs /opt/tengine/conf/3 E6 |) A4 L6 v" ^
, o# s' h8 _- k8 `% S: B; W
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf n/ h/ O! r0 q8 X, Z
2.启用OWASP规则:- g: X0 |) F. F+ Y; p
% \" _& W8 F7 N. s: f( I
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。. ^# m$ ]1 \/ Q8 C- _3 X$ Q: l
$ }- b+ d9 n, l i! H/ N0 T编辑modsecurity.conf 文件,将SecRuleEngine设置为 on% I1 U4 w- L5 s. r9 V
- r$ f: w: O: K8 w1 E9 X
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
' a r# G7 u' d3 D' Y
+ l& x# P" y- P4 x% z& K+ |. ~Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf) k, b: h& K1 b9 [2 X
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
8 Y8 S) _9 _. ]8 G: X/ Z9 xInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf5 b$ D; `( v2 F) o
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
: i0 i' h9 N+ V$ ]( MInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf$ h, o) K0 T3 p
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf* v" U7 l% D9 c, }
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
/ |- K. c: V, {; Z$ K3 n" F五.配置nginx& y6 a% Q; g7 b! B: Z
8 b6 s" }1 G9 o6 E在需要启用modsecurity的主机的location下面加入下面两行即可:
1 U: o# m, k& y7 M& d& [3 N5 m
3 f3 q* N: y/ R8 l" W3 I2 HModSecurityEnabled on; 0 t2 r% z+ F; y+ m7 L) c
ModSecurityConfig modsecurity.conf;3 E" i4 o$ B* S4 ~5 R. x
下面是两个示例配置,php虚拟主机:
a0 b3 {$ Z$ w1 G
2 V' Y. e% _2 {/ E) i/ N& z5 ^server {7 D" [ L8 Q3 u
listen 80;3 l. d$ H) ?- n. z* Q
server_name 52os.net www.52os.net;* y6 e' d) t9 Q* ], @. E' T
, _1 V8 x" ]0 i4 Z. v location ~ \.php$ {+ b j( _; N$ [) w1 [' O& }% |5 e
ModSecurityEnabled on;
& L v: b7 _/ K* c ModSecurityConfig modsecurity.conf;
3 U |/ O4 S; b) \5 A
2 F8 Z" R& }: f, a root /web/wordpress;
) k7 y. R% e4 \0 O$ d( m6 P5 \ index index.php index.html index.htm;$ }0 ~: A, u% `9 e' P5 T
; w. F5 {) \5 ]- N& Z) R k; O G! s fastcgi_pass 127.0.0.1:9000;7 t! h, o- |3 t0 N3 a
fastcgi_index index.php;" {9 f" |7 ?/ P1 M X
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;" ]/ ~* ~6 K+ e' B! j$ L9 F: Y
include fastcgi_params;$ F7 r- n1 A/ [- n
}
+ l8 ?" `! H* F6 k Q1 i7 \9 p# F7 i }
" D/ r6 L3 n2 j7 T. s$ g h2 Zupstream负载均衡:0 t5 A) j* K. H" D
! }+ `- q$ Z) D) t/ B/ E% e
upstream 52os.net {+ s T+ X. d1 U z4 E& O: q
server 192.168.1.100:8080;
0 { y* z' i! k- M. ^/ E n server 192.168.1.101:8080 backup;$ f) }: q' s0 Y7 y9 c4 U" }
}
8 d4 K( B# d& s/ n; F$ `) ?1 S( C6 R5 `* i- Z
server {
" U9 O" M3 {1 y5 Clisten 80;
7 j/ `/ v7 W |. gserver_name 52os.net www.52os.net;
i; J( S* h; \, G4 J& ?# L; [* D
! P& s8 \$ r! f9 o# b0 {' t% |, ]- ulocation / {5 |6 y8 l. u6 [/ D, _
ModSecurityEnabled on; - g0 c- w* L8 ?) d) _+ V- y o
ModSecurityConfig modsecurity.conf; . |# c7 u9 y& E4 i4 M
7 G' Y8 `1 G& ^/ {! s
proxy_pass http://online;
0 T' Y/ C" e/ P* [- J1 _ proxy_redirect off;
) `3 o5 k0 L4 M0 `" J proxy_set_header Host $host;+ |* h% v/ x5 T* v9 M/ e
proxy_set_header X-Real-IP $remote_addr;
/ t u& I5 c5 F! p- l6 u proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;$ o8 _# U- G1 @) ]) @) ~+ S: U0 z
}5 `* ^1 h9 P T6 s7 _
}
& W' g+ d/ M. Y六.测试
5 t+ T6 ]: | E$ X' O( r1 s) }5 T* f: F: ^+ w
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
9 |" x+ w- S, r& ^- `( z. U2 N, b( Y# T- E% ?
<?php
7 C2 ^: }! C, _ phpinfo(); ! W, I7 f1 ?8 n' Y( @
?>
9 x( T3 p: t+ @3 L& M( z在浏览器中访问:+ H+ S$ s T! H) E' V& w
, Z5 f9 O% t) _: ~% Y
http://www.52os.net/phpinfo.php?id=1 正常显示。
' Y* O, S: h; {% v0 g' Hhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。! w5 z! T' z5 B! r3 m+ i7 v
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
% X( R9 W1 T& j说明sql注入和xss已经被过滤了
# q+ l# t8 r2 T& R9 C! L
' H$ G* u4 u) V5 r; m. X$ @' W' W七、安装过程中排错
6 X2 @! ?. M6 l- n: U' G3 U$ k, q8 b, J! c8 |0 p) L# ^9 ?8 R0 E
1.缺少APXS会报错
; h6 q* z# b, G3 ^3 F+ U9 ?/ \3 o( e) _7 I
configure: looking for Apache module support via DSO through APXS
8 y4 C/ r! I% T; ]: M2 mconfigure: error: couldn't find APXS7 l; q R0 d( b! ^$ K" A
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
& H2 X7 Z6 m5 r解决方法:- W7 E* F8 G! s; R) r! N
9 r9 S y0 |) Z, v% r4 i; J, H$ D: Cyum install httpd-devel0 v$ ]- X* m. C+ m- O! F8 B
2.没有pcre# E, e' n# f1 y8 S6 n! a/ z7 U/ o
* N( R O$ R# F7 f) u# @) I2 _configure: *** pcre library not found.
' }5 p* }' @8 e/ P9 K5 O8 Z! s, o; Oconfigure: error: pcre library is required
, N: F( n/ L* Y, H( g" F9 [4 p解决方法:
" l/ u h, ^# g& G4 s8 ~4 Z
9 m2 Y' [% ^" Qyum install pcre pcre-devel
5 G) f8 u7 D0 ~3 h0 ]3.没有libxml2) i3 W; Q8 d+ L) m# m
8 }$ O4 Q7 R- \7 K: Y( ]/ w$ |1 n' K$ v" y6 }9 |' X" } U1 {
configure: *** xml library not found.
+ M" J* H7 t8 Zconfigure: error: libxml2 is required& f1 o7 v. m3 E
解决方法:
9 q9 j k# t" m3 N* G1 S& b7 |& B2 i5 E( F6 K
yum install libxml2 libxml2-devel
4 P1 H; t- S, _& m8 Y+ i5 U4.执行 /opt/tengine/sbin/nginx -m 时有警告& x0 n. y( ?! y l
% G2 e( ^/ [$ D- LTengine version: Tengine/2.1.0 (nginx/1.6.2)' Z0 k% u: j u! e' `
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
" k' `, |+ S; f" d" ]# M4 L4 Q$ z b5 X原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log0 Y; }5 Q" D3 f$ |/ X7 w
" X( @+ F2 x/ I) e+ Y' P
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.- T0 c, H' X8 X; @' f9 ^5 \7 U
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"% l: e* {) A: r% Y
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!2 u3 {* j, J' I
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"3 U) C; R9 F; n6 M7 T; n7 }8 g8 L6 w
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"* Q% L! E& q5 N% l7 d6 R
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
' g0 ?$ Y- y! s) w# |解决方法,移除低版本的APR (1.3.9)
3 s( r. {/ Z z( u# c3 L9 Q; w# ~: q7 Q, R7 q, e1 k
yum remove apr" q2 A3 F3 L1 S0 Y+ n5 Q6 k
5.Error.log中有: Audit log: Failed to lock global mutex
; D: A( c# Q1 u7 A& G
6 N& r" C; S% R3 T" ]2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
/ S* s/ T h7 E1 v- }9 \3 kglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]' a9 B( d* [4 v& i
解决方法:
4 a6 y& b. P% B+ j! l( L/ o编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容: l. U. ^0 F2 ~$ O* I6 h
1 w* g# _( G/ _0 A" lSecAuditLogDirMode 07778 [4 ?- c! `4 E& J
SecAuditLogFileMode 0550
1 n) w6 |& g$ h# F# X- p! PSecAuditLogStorageDir /var/log/modsecurity6 L" L5 `! b; X" T2 S& t. x
SecAuditLogType Concurrent/ K0 Q! w& ?0 @. v0 s$ Y3 q
参考文章:& y: Y* X( j7 n
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
9 X0 w. _& Q; [* }7 v: Ghttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡