|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。- y. F6 K5 q+ t% g
6 C' H0 A5 x c: Z" U, b* d: Q
一.准备工作3 h. }5 z8 Z/ Z6 R0 A! Q
1 P1 U& a- V1 F; `系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.08 r. y0 u0 k# ~, {1 a& i
2 D+ K; T; s1 h* V0 c: c! [tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz X2 h [+ S A8 u) n5 @
+ V0 l9 J, S% W' G0 q* X
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
4 V* T Y# {! I4 D+ C+ s8 j# L Q9 m% a& K" \* G
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
0 q8 N6 c- L. X9 @, Y
9 p( i# @: ~9 g依赖关系:+ d9 {4 b2 x; S1 q) ~
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
: q; I1 _( h: C! v# c' t# H* X% _! R7 n' k( E% `3 A
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel5 E! u1 q) h0 Y( j7 E1 Z
modsecurty依赖的包:pcre httpd-devel libxml2 apr8 ^% \- V1 g, m% x3 Q
; {5 ]* Q6 o- T e$ Oyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
6 R P- z& l+ v7 B/ c. A! w二.启用standalone模块并编译' Y; p2 D. k4 D' \5 a
& z0 Y( Z3 ]& S( }# I3 I7 U# x0 x
下载modsecurity for nginx 解压,进入解压后目录执行:
& `& {/ n* r: L8 z, X! Z9 K9 q: [* G- y$ P1 Y
./autogen.sh
5 c4 o: \7 t- b: a; i& B3 G./configure --enable-standalone-module --disable-mlogc$ l5 }$ Y) k( V0 ]+ H
make * M0 |$ k2 u# `- `$ f2 P: A
三.nginx添加modsecurity模块
$ }# y5 i* J. Z% x! c$ j/ ~( e2 o/ e w
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:" y2 C9 ~( z) @3 z4 f1 T
( G1 m @' L4 L- E+ J) Y* v! C./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
; e( z7 j0 n. E; v1 @make && make install
) R5 J9 Z" l) P, D' m$ q四.添加规则5 G9 X1 G1 e6 o6 i
0 Z) y/ y1 A3 R3 fmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。1 c+ V& n1 b; b2 A& {1 O, l
. [! R& g. S% a* y
1.下载OWASP规则:1 a5 r7 j" t% G$ J$ s1 v
' {7 l! d: Q+ S- E7 Q
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs5 u" X2 J' }2 v# X, T
8 o6 x1 v3 {, P* Y8 P
mv owasp-modsecurity-crs /opt/tengine/conf/+ k" {& }) W* ]
! e% g# |1 i- o$ H. Y: q. s% W) e3 m
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf/ M+ h2 ?* w( g
2.启用OWASP规则:
/ K. k' m9 _: W I: J* |5 h3 @7 R: w* u. c! g* b
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。( ~3 ~& }, `5 k& P# L
/ _# \" s7 C- X+ P, Z: p; X
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on2 I' _. ~1 \! G9 H
4 y% @2 Q4 m1 x; G6 h) l5 k
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
* D6 C9 K; @; {8 K" P0 c1 t0 {3 L
" k( T0 U: Y* O5 j+ L; e F0 K2 ^* bInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
& x/ H" d$ L y1 }( l' h: z' ]Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf6 L8 P1 V" w- L& V" P
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
% l6 f3 g- @. uInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf% Q& g! n; X( Y# B( M) n* y
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf4 K3 ^0 ~' \' c3 j$ {( x* h
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf4 j' d* Z9 m5 l0 b
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf0 _! B( ^0 X# W' V/ G# n% v
五.配置nginx
/ }0 _. Z( {8 }" ?/ R/ X8 h( Z- c n- w- H- A
在需要启用modsecurity的主机的location下面加入下面两行即可:
: T1 H' i: p0 d: i9 R8 T1 Z$ G, A4 S' ]4 t
ModSecurityEnabled on;
9 \1 s) M% i9 A$ d I4 LModSecurityConfig modsecurity.conf;9 E% F9 G n, b3 ^4 F5 i
下面是两个示例配置,php虚拟主机:4 i" H6 z- K2 c) Q6 x
' g7 `% g* C5 B& e3 j
server {: P* F1 p* o: q# \: N( W6 F
listen 80;4 m( B# l. i! v! O+ d0 q* W
server_name 52os.net www.52os.net;
: \& n) a9 l6 O; U8 t4 b: o+ G
* D( v. }0 i. f. D% O' j8 K; J location ~ \.php$ {
, ~1 [% S4 W: l7 S" U3 \6 V! d ModSecurityEnabled on; 9 N$ t8 ~. \, ]; j: t) B
ModSecurityConfig modsecurity.conf;; z, F# A: K( {
1 H( D S2 g( ?/ L
root /web/wordpress;
" ^! i( ]2 [+ w1 J% Z5 {" C index index.php index.html index.htm;) H0 W3 I2 {# ]% V0 @3 D
# [! X. c9 q( h
fastcgi_pass 127.0.0.1:9000;! J: Z7 ?$ J2 I- ?! U" q1 k
fastcgi_index index.php;
5 c, x, k2 v) j9 @ fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;6 q1 M% P7 j" f- ~* M- V
include fastcgi_params;
2 J1 P& S7 r! O4 z" }2 }4 n; G }
: N. ?0 A! x7 i X# h, U. ` }
+ J" }. Q1 i @ V0 g' l$ \+ e& tupstream负载均衡:: Z! E! K: L6 M, K3 q0 x- x( w% I: g8 A
/ |6 l. O D7 \ p% M3 B4 Uupstream 52os.net {% i" Z9 K% s7 U
server 192.168.1.100:8080;: f6 g5 a+ O: R- L1 u' S6 E* A
server 192.168.1.101:8080 backup;
" P; ^; k# F V" C, d3 n3 k}
* S: M. _* q( f" o( Z% W
! }6 R- [; |2 A( m+ d( ?server {
G' V" j5 U# a6 |! [listen 80;9 |8 W( B: P( v* i8 o
server_name 52os.net www.52os.net;0 b4 @( F% B. c% H2 z$ {3 J: l7 s
1 w. d4 g4 y! }7 E% G+ Z1 d3 B, r
location / {" Z1 h" K3 t* r
ModSecurityEnabled on;
" O& D z1 ^% X! y3 O# C ModSecurityConfig modsecurity.conf;
1 x* [, u6 `8 q; D
4 x/ p0 ] |2 J( ? proxy_pass http://online;
) e8 ?! I. p' @7 F' p, K( Q proxy_redirect off;
: [5 x% P- B- d/ X7 H, M proxy_set_header Host $host;% \3 q8 g$ L: W- z
proxy_set_header X-Real-IP $remote_addr;
% o! N$ {2 Y, ?6 F3 o; f" }4 H proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
6 Y: d. g* w! [% }% z }
/ k: T; W2 ?0 j% z}
+ q" _% r6 e5 a; } `2 f六.测试
9 q# G2 H+ M' y0 q' E% Q2 e
y% B3 _' H0 J8 F U! V" ]我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:2 j: }% @5 X. `- u; U, U
2 r8 q8 Y2 _6 r<?php3 Y; R' Z0 u7 {4 B! x
phpinfo(); " B& p9 k5 d9 T3 q+ H( V
?>6 Y* D6 J7 Q$ c& R6 }! J
在浏览器中访问:
* m, ~; q9 f X+ s+ P+ R7 X3 e) w9 w* d4 Q
http://www.52os.net/phpinfo.php?id=1 正常显示。
1 r$ R- h2 r6 T: M shttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
* I+ D9 g' t5 a, @2 p( p* n6 l `http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。. P! U+ P# [- y, m# |% h- \* o
说明sql注入和xss已经被过滤了; r- O2 `; }# C9 a6 G8 y6 M
0 i5 _/ v: _5 A; x
七、安装过程中排错
n9 m# N) G$ Z2 u5 ~" D5 b. f5 _; e6 ~$ G' \
1.缺少APXS会报错
& `$ A+ p# t4 K' [8 P9 u: j4 l1 E6 s6 Z6 s& r0 r/ X* _4 B
configure: looking for Apache module support via DSO through APXS M6 ^ N9 T6 c! b0 x3 Y
configure: error: couldn't find APXS
! e3 O1 d5 K0 D4 I) ?/ lapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。2 Y6 x9 w: Z$ Z7 `
解决方法:4 t/ H; N* T) Y* l/ Q
" ~( e% P* m& ~/ F0 L! V
yum install httpd-devel
* a% x: T8 h5 q2.没有pcre( X6 E/ w x1 v6 c9 K2 d, x
7 o+ u, b8 @2 f0 y. D0 n/ Iconfigure: *** pcre library not found.
" {1 g: ]7 W `0 J1 x, r1 `configure: error: pcre library is required5 ~% B- x6 b2 }( \ u& `0 q
解决方法:
% O) U# \) l) ~/ T; |& Z! i. B4 {. S [; J/ _3 z" g+ ?
yum install pcre pcre-devel
% J s$ m, q/ J# H, a! y/ @3.没有libxml2
6 U. W& ^4 j% _! Z
% A5 k- ~+ I, t( `' `5 W
- i9 r$ {+ L7 @) G+ e% _configure: *** xml library not found.
; {$ U8 Z) j0 i% H) |! i; S8 cconfigure: error: libxml2 is required
5 R. @" n" R6 @! T6 E2 x( O$ d0 s解决方法:' ?, I+ j+ G0 ?' X1 w" b
1 f3 w8 k ]6 k7 C5 fyum install libxml2 libxml2-devel1 D* n# [/ l* b& `3 f( w4 ]
4.执行 /opt/tengine/sbin/nginx -m 时有警告- b1 B) M. K4 ^# v( ~- j+ r
9 v" b6 d# d# {; B1 M B1 TTengine version: Tengine/2.1.0 (nginx/1.6.2)& _( l7 R" ]' ~0 z5 N- C
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!3 z. S. E+ ?! N/ @
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
/ t2 |" I5 T {; p3 v) N1 A/ Z2 |: p, p+ d
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.' S( K0 A/ c2 p
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
: _2 u$ |. e! D& d) p5 U5 y- _2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
A8 D5 N6 r; Y! W3 \! ]5 _2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
: S' W; q% Y# W2 D" v2 s2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2 \; d; A1 l4 A k5 j. y2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.& }! d. S- {9 N8 _5 A
解决方法,移除低版本的APR (1.3.9)
# _! u. P# F" q5 u& g
- |" O5 @3 o" a; _5 B( Jyum remove apr
* K" v% ~, G' Y+ `6 t5.Error.log中有: Audit log: Failed to lock global mutex4 B6 K9 x6 O8 r; E. N( z' Q! s' Q
% z+ `) ` k7 R Y" V
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock * s/ o; m: J% ]2 G0 Q
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]* k! G# x) \! `; I
解决方法:
3 W- P2 z; c N3 c0 i编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
4 B% L' B O* A K" y! Z+ l. W4 n( E" a. f5 {' n
SecAuditLogDirMode 0777
5 l) }$ U4 \" m5 pSecAuditLogFileMode 0550* t; {/ S9 {+ O0 @+ ^2 ]% l
SecAuditLogStorageDir /var/log/modsecurity0 G! w d. B+ b1 T; n" f' [' m/ l
SecAuditLogType Concurrent/ i8 E. V, ?1 ]) z
参考文章:6 r" O- X% G* L1 }5 y
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
) D; E) t. j! Q% Ihttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡