|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
) |7 Z8 l+ r0 z) R: p3 K7 S% Q' ?3 p3 w Q
一.准备工作5 n/ O U6 k/ c8 C5 [$ F- m
' F7 [7 _" ?% P- C8 |3 p4 K( r
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
0 q& V( T+ n3 n, d6 H6 m
; ]4 ~8 y# e$ m, R2 utengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
; m- B& X% I" Y) d x- m: N" l- a; j; v, A
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz* Y! ?( b8 k+ M3 n" X
' ?# U; c. i8 N+ x1 t. fOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
& D0 S5 ^% `$ j5 L( ?3 `+ j; X G1 ]! A& Q" p F- l
依赖关系:1 `7 r& N @5 i
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
y" _! g+ Q, h8 o! X, }3 v" i3 `& o- R/ [8 e/ r3 s
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
, r2 ^/ O: R2 ?2 A$ Lmodsecurty依赖的包:pcre httpd-devel libxml2 apr
4 S2 P; D' F6 n# S1 `) _( Q6 d# _' M; _% q
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel j6 q1 m4 p1 D9 e
二.启用standalone模块并编译
) G# h' r8 B q4 d6 Y# l Z1 ^; u# a- s6 H
下载modsecurity for nginx 解压,进入解压后目录执行:' d/ ~; I: w0 s4 H( ~& L& n
/ A# [( g' `3 c" t: s2 T
./autogen.sh' \$ B' g/ |! l. w5 U$ k& s! I5 x1 q
./configure --enable-standalone-module --disable-mlogc
' y5 K' c0 g. \. m. tmake 2 S7 @& u7 a# \
三.nginx添加modsecurity模块1 n8 z% n, \- u2 [0 V( P: i
2 G6 i. {- M/ o. ^在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:) L2 z) T. k& q8 c; Y, c
( u" J+ O6 T P0 l./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
' |6 F# E* r w( o: {make && make install
/ g6 \5 r; i+ [四.添加规则
$ E; @1 B2 I! V9 E
4 B* a/ b9 [) Umodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
; ]$ x0 Y) W0 h" _0 `- s8 R" b* r' T2 O# c3 z8 r+ j" C
1.下载OWASP规则:# i9 R3 w7 g. P5 |( S$ F3 _
0 {0 M4 F: i& |+ O/ k6 Y
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
7 N4 |: X; V- o
' B. D+ U p- r! P, W7 Qmv owasp-modsecurity-crs /opt/tengine/conf/3 }7 T: Y& O3 I
0 y5 @) a0 q! f" a
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
: x0 ?5 [+ E v4 m2.启用OWASP规则:# c1 R, y% |# ^9 A7 y1 e+ C
* |( O' b K* c/ l' k7 x/ I复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。% i4 L1 o9 I5 l& V0 d4 h" E
1 S* ^; I0 @+ [( X! l& l编辑modsecurity.conf 文件,将SecRuleEngine设置为 on0 {( }% l: @0 X
4 u* m. Z4 _% Y+ Q- _
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。" L4 \6 @+ ^( R
; Z( g9 g1 J1 I1 Y" w+ q
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf* e2 N, Q5 b* Q; H" K
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
3 ]1 S9 m$ ?- B. PInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf5 b' \4 E3 o' o, N% R
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
$ Y6 D. F& e" j5 D3 f5 e7 CInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
* I J% J' V( j" P3 KInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf5 j; X2 t6 E+ |# E l6 G1 z
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf8 t! _" X/ w+ e1 \9 j' g
五.配置nginx
3 Z! p" B2 k/ s+ x& }0 }: K" F2 ?* [! e, k* ]3 X- f6 o" f6 x
在需要启用modsecurity的主机的location下面加入下面两行即可:" w u3 P; ~. Y$ d7 O+ f
* N& T9 i1 S2 {, S: j! sModSecurityEnabled on;
5 t/ {! l% l& H) x% f2 VModSecurityConfig modsecurity.conf;* K* t: j5 k6 d8 Y8 X6 Q0 ?/ U
下面是两个示例配置,php虚拟主机:
, C' e2 W$ A. M$ w0 o* M, Y Q
6 ^* Y' C9 `9 `server {0 Y$ S2 z3 _* T1 J8 I
listen 80;4 O+ {: T6 ~0 z
server_name 52os.net www.52os.net;* O( R5 O% ^5 [
! J/ o/ z# l# Y: }5 S: Y location ~ \.php$ {: w4 o. x6 S* L8 a6 N
ModSecurityEnabled on; , V- ~0 j, j! v1 o {2 l7 `& B4 n
ModSecurityConfig modsecurity.conf;" x8 e3 u6 Q" I9 w; t, i6 X/ `
1 `3 a5 F" D" \- `4 ?& F! z0 j
root /web/wordpress;
8 T. K* S7 p" {: q) u# a" F index index.php index.html index.htm;1 o5 f, H4 ] U/ r
6 b8 P; I4 T7 X# R3 A
fastcgi_pass 127.0.0.1:9000;$ E/ C+ c# f! E1 i& C; a
fastcgi_index index.php;% D' }2 g0 T+ H! A0 q% v3 i7 e
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;7 t% k( N" \; D; L
include fastcgi_params;% V& g6 D% N U. {2 T% c! _$ p: i
}
' B0 C1 d0 K, g" t% } }6 m$ j# `+ ?9 i! j. k. \
upstream负载均衡:
3 t5 Y- c9 Q5 J1 d: O0 r4 z8 c2 ?! `0 O8 Y$ a4 X0 @) @
upstream 52os.net {
5 n0 |& a1 o* y& v& E/ b4 M( K" R server 192.168.1.100:8080;4 _1 {3 Q! Z. a+ G! Y( E0 T5 y
server 192.168.1.101:8080 backup;
# v7 C0 O" x9 ~/ U}" I* u8 r: {3 w- h* ?- ^: C
) ~8 y) W8 O @. |( d' G0 ^$ y( `& t
server {
9 P+ Q0 g. t" ~$ Vlisten 80;
6 e: M7 j) a( k" o) V0 t! ]3 g- sserver_name 52os.net www.52os.net;
) Q, C9 a2 Q8 w$ o0 o! b* M4 N: K+ A7 j* L
location / {
) s& l( b' o8 ?! `% h* Y! V& z ModSecurityEnabled on; 9 R) n. { e5 P5 k9 I0 O
ModSecurityConfig modsecurity.conf; ) R! Y, \& D( T. _: Z
) K; e3 y/ |& H7 } proxy_pass http://online;* O! ]9 C3 X' V7 p" y, ]" ~! E* d
proxy_redirect off;
" E* {5 G Z/ V8 |: c proxy_set_header Host $host;
( M8 R/ R+ F( q8 v proxy_set_header X-Real-IP $remote_addr;6 O% l. o2 r+ X6 v% ], z3 _
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
2 Y8 d( ?; V+ L% J: j. W* J6 u }
5 Z& S" `8 O" \" b$ V4 F9 m}
# B( U9 F) c' F) ^3 d六.测试
( A! T5 B, b6 `: L7 U& k
8 u8 ~& @5 e6 S/ j6 g# | q我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
; m2 q8 S4 t( [! X
+ X. }9 W7 {$ M5 J<?php u J( v, O b# R# \8 P3 R0 u, s
phpinfo();
/ ^+ e( s6 q$ ]?>
N1 Y9 R) R/ Y) S. C/ |5 [在浏览器中访问:
- r4 i+ P& @. j. `/ ~! Q( T. v, c5 \+ |; m/ Y
http://www.52os.net/phpinfo.php?id=1 正常显示。
! x0 J5 C }; X/ g! j+ ^! Khttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
3 t, `# ], E2 `http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
# ?- ^, j- L' y- A) i说明sql注入和xss已经被过滤了
; R" h: w% {1 d$ B( e" u; G0 u$ E" Q: E2 X$ h
七、安装过程中排错
' i b) U/ @# N5 _. X2 ]& x$ j2 A0 n
1.缺少APXS会报错8 @3 x6 x$ I u) f% e/ X
0 W9 l: Z; ]% Nconfigure: looking for Apache module support via DSO through APXS3 p' R9 m, I7 C
configure: error: couldn't find APXS
$ }& p# |3 G3 I5 N2 N' E3 Gapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
. y" }: N! x. \. o0 D& s解决方法:3 {# C/ i$ g$ E0 H; P" ?
; Y( p1 K% q$ y# e
yum install httpd-devel5 C1 Z: b1 X7 y4 Z. z2 @5 V" ]
2.没有pcre* ^$ x$ Y h- q+ P% A: C
! e# g) ~$ L; V4 c
configure: *** pcre library not found.0 K$ l2 D$ k2 ^' V7 ~: ?
configure: error: pcre library is required
0 H+ s; {' N6 n解决方法:# t5 w: i# |: M
) |& Z/ o& w+ a$ q) i7 a
yum install pcre pcre-devel
6 L1 C/ |" I$ O$ B3.没有libxml2
& M7 b2 m+ R. |" z8 ^* O- V4 k9 E% D. R$ P5 ~% M$ b1 o
3 q v: N8 C9 {9 ^8 @" j
configure: *** xml library not found.
3 p: w* O* U9 v2 v7 yconfigure: error: libxml2 is required0 H, C0 b/ t) l' H& g$ A
解决方法:9 T( o0 [. J+ r
* \4 s! p ^+ Syum install libxml2 libxml2-devel) J6 R, `; ?* T* G% }1 i b2 h. g
4.执行 /opt/tengine/sbin/nginx -m 时有警告( v) `! a& x2 C6 \
( M8 X6 T# E* ?4 _! MTengine version: Tengine/2.1.0 (nginx/1.6.2)* T2 X' k5 i" U; e
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
2 x. `: z. N8 t8 b原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
, r' `+ s& ^) I
3 U: l8 Y1 l: o" A8 A7 e) i+ k2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
6 ?. O9 y* y* [( O5 ]2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"3 t8 ]+ l+ E# b
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
0 Q2 l0 E9 [5 q, _) \. Q/ L) I& F' P2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"7 \% f0 P( N% |* d4 [- }" P
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"2 z. Z3 }, J$ U( C. P+ a E
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.; R7 g3 V J# @
解决方法,移除低版本的APR (1.3.9), x ^9 U2 @8 x0 v
: F& {8 c" x, d
yum remove apr7 O% [: p6 @/ E W- g1 s- c
5.Error.log中有: Audit log: Failed to lock global mutex9 @+ R; B% x$ {, G7 o% N
$ [( ^* E# W: _* N, j- |. {
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
4 p8 _: r. W$ j; p- S1 oglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]" B: S3 f3 U1 t1 Q) Q
解决方法:
% l" |; y, E$ v) u* Z' \: g编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
) S2 j3 _$ c( s ]( @) k* T+ i1 K2 |+ r/ I! j9 x, q
SecAuditLogDirMode 0777
$ g+ }; s: r' n! y) [SecAuditLogFileMode 0550$ [& K/ v" O( f1 I3 b
SecAuditLogStorageDir /var/log/modsecurity
) O! j4 K' Z3 mSecAuditLogType Concurrent5 k, D) u N0 ^' \& g, a' x
参考文章:- M' f- M; z- ^* {) V# I# P. ]
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX7 p5 b% p7 C" e. a' v/ _
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡