ModSecurity started out as an open-source WAF for Apache and noticeably hardens web applications; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx, it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web security.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module can be added to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover your own requirements.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; each rule file you want active is simply pulled in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In each virtual host that should have ModSecurity enabled, add the following two lines to its location block:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host (note that the nginx variable is $document_root, all lowercase):

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing (the proxy_pass target must match the name of the upstream block):

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered with a 403 straight away. Taking the PHP environment as an example, create a phpinfo.php with the following content:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This confirms that the SQL injection and XSS requests are being filtered.
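Every 403 from the tests above also leaves a line in nginx's error.log, which is where you verify which rule actually fired. The script below is an added example (not from the original post) that triages those lines; the log lines in it are constructed to follow the ModSecurity 2.x error-log layout, and the rule ids and messages are illustrative.

```shell
#!/bin/sh
# Summarise ModSecurity denials found in nginx's error.log. Reads log lines
# on stdin and prints "count<TAB>rule id<TAB>uri<TAB>msg", most frequent first.
summarize_denials() {
  awk '
    # Pull the value of a quoted [name "value"] field out of a log line.
    function field(line, name,   s) {
      if (!match(line, "\\[" name " \"[^\"]*\"\\]")) return ""
      s = substr(line, RSTART + length(name) + 3)   # skip [name "
      return substr(s, 1, index(s, "\"") - 1)
    }
    # Only real denials count; "ModSecurity: Warning." lines (DetectionOnly
    # or non-blocking rules) are deliberately left out of the totals.
    /ModSecurity: Access denied/ {
      key = field($0, "id") "\t" field($0, "uri")
      n[key]++; msg[key] = field($0, "msg")
    }
    END { for (k in n) print n[k] "\t" k "\t" msg[k] }
  ' | sort -rn
}

# Constructed sample lines (fields such as [file], [data] and [tag] omitted
# for brevity); the ids and messages are illustrative, not taken from the CRS.
SAMPLE_LOG='2015/01/26 05:10:01 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED00001"]
2015/01/26 05:10:03 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED00002"]
2015/01/26 05:10:05 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED00003"]
2015/01/26 05:10:06 [warn] 29036#0: [client 10.11.15.161] ModSecurity: Warning. [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [hostname "www.52os.net"] [uri "/i.php"] [unique_id "CONSTRUCTED00004"]'

# Run the summary over the constructed sample.
summarize_sample() { printf '%s\n' "$SAMPLE_LOG" | summarize_denials; }

summarize_sample
```

On a live host replace the sample with `summarize_denials < /opt/tengine/logs/error.log` (path assumed) to see which CRS rules block the most traffic before switching SecRuleEngine from DetectionOnly to On.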
VII. Troubleshooting the installation

1. Missing APXS causes configure to fail:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
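The compiled-versus-loaded notices above are worth checking automatically after every package update, because a silently mismatched APR can break the module long after installation. The following is an added example (not from the original post) that parses those notice lines; the sample lines are the ones quoted in item 4.

```shell
#!/bin/sh
# Preflight check for library mismatches. Pipe in the startup notices from
# "nginx -m" or error.log; it prints one line per library whose loaded
# version differs from the compiled one and exits 1 when any mismatch exists.
check_lib_versions() {
  awk '
    # LIBXML only reports a compiled version, so require both fields.
    /ModSecurity: [A-Z]+ compiled version=/ && /loaded version=/ {
      # Isolate the library name and the two quoted version strings.
      lib = $0; sub(/.*ModSecurity: /, "", lib); sub(/ .*/, "", lib)
      c = $0; sub(/.*compiled version="/, "", c); sub(/".*/, "", c)
      l = $0; sub(/.*loaded version="/, "", l); sub(/".*/, "", l)
      # PCRE reports "7.8 " vs "7.8 2008-09-05": compare only the leading
      # version number so a trailing build date is not a false mismatch.
      split(c, cv, " "); split(l, lv, " ")
      if (cv[1] != lv[1]) {
        printf "%s: compiled %s, loaded %s\n", lib, cv[1], lv[1]
        bad = 1
      }
    }
    END { exit bad + 0 }
  '
}

# The notice lines quoted in item 4 above.
SAMPLE_NOTICES='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"'

# Report mismatches in the sample; a non-zero exit means APR must be fixed.
check_sample_notices() { printf '%s\n' "$SAMPLE_NOTICES" | check_lib_versions; }

check_sample_notices || echo "library mismatch: reinstall the matching APR and rerun nginx -t"
```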
5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
2 V! @& \& x* N参考文章:
! [3 | L8 c3 X N \- ^5 u$ u- thttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
* p+ t q% a. E7 P# Jhttp://drops.wooyun.org/tips/2614 |
|