ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security. It now also supports Nginx and IIS, and combined with the flexibility and efficiency of Nginx it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at compile time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is aimed at filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by Include-ing the rule files:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
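The Include list above fails silently when it is wrong: a path that matches no file, the setup file still carrying its .example name, a missing unicode.mapping, or SecRuleEngine left at the DetectionOnly default of modsecurity.conf-recommended, which logs matches but blocks nothing. The pre-flight checker below is an added example, not code from the original post or from the ModSecurity project. It assumes the layout used here (modsecurity.conf in the nginx conf directory, Include paths relative to that directory); the function names parse_directives, check_config and demo are the example's own, and demo builds a constructed config tree in a temporary directory to show a clean result next to the findings for a misconfigured file.

```python
"""Pre-flight check for a ModSecurity configuration before reloading nginx.

Added example, not code from the original post or from the ModSecurity
project. It assumes the post's layout: modsecurity.conf sits in the nginx
conf directory and Include paths are relative to that directory.
"""
import glob
import os
import re
import tempfile

# ModSecurity directives start with "Sec"; Include pulls in further files.
DIRECTIVE_RE = re.compile(r'^(Sec\w+|Include)\s+(.+)$')


def parse_directives(text):
    """Return [(name, value)] for each directive, skipping comments and
    joining backslash-continued lines the way ModSecurity's parser does."""
    directives = []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        match = DIRECTIVE_RE.match(line)
        if match:
            directives.append((match.group(1), match.group(2).strip().strip('"')))
    return directives


def check_config(conf_path):
    """Return a list of findings; an empty list means the file looks usable."""
    base_dir = os.path.dirname(os.path.abspath(conf_path))
    with open(conf_path, encoding="utf-8", errors="replace") as fh:
        directives = parse_directives(fh.read())

    findings = []
    engine = None
    saw_setup = False
    for name, value in directives:
        if name == "SecRuleEngine":
            engine = value.lower()
        elif name == "SecUnicodeMapFile":
            # Value is "<file> <codepage>"; the file is copied next to modsecurity.conf.
            mapping = value.split()[0]
            if not os.path.exists(os.path.join(base_dir, mapping)):
                findings.append(f"SecUnicodeMapFile not found: {mapping}")
        elif name == "Include":
            pattern = value if os.path.isabs(value) else os.path.join(base_dir, value)
            if not glob.glob(pattern):  # glob so wildcard Includes are checked too
                findings.append(f"Include matches no file: {value}")
            base = os.path.basename(value)
            if base.startswith("modsecurity_crs_10_setup"):
                saw_setup = True
            elif base.startswith("modsecurity_crs_") and not saw_setup:
                # CRS 2.x rule files rely on defaults and variables set in the setup file.
                findings.append(f"CRS rule file included before modsecurity_crs_10_setup.conf: {value}")

    if engine is None:
        findings.append("SecRuleEngine not set (defaults to Off): requests are not inspected")
    elif engine == "detectiononly":
        findings.append("SecRuleEngine DetectionOnly: matches are logged but never blocked")
    elif engine == "off":
        findings.append("SecRuleEngine Off: rules are not evaluated")
    return findings


def _write(path, text):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Build a constructed config tree in a temp dir and check two variants:
    a working one and one with the mistakes the post's steps guard against."""
    root = tempfile.mkdtemp(prefix="modsec-check-")
    rules = os.path.join(root, "owasp-modsecurity-crs", "base_rules")
    os.makedirs(rules)
    _write(os.path.join(root, "owasp-modsecurity-crs", "modsecurity_crs_10_setup.conf"), "# setup\n")
    _write(os.path.join(rules, "modsecurity_crs_41_xss_attacks.conf"), "# rules\n")
    _write(os.path.join(root, "unicode.mapping"), "")

    good = os.path.join(root, "modsecurity.conf")
    _write(good, "SecRuleEngine On\n"
                 "SecUnicodeMapFile unicode.mapping 20127\n"
                 "Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf\n"
                 "Include owasp-modsecurity-crs/base_rules/*.conf\n")
    bad = os.path.join(root, "bad.conf")
    _write(bad, "# SecRuleEngine left at the recommended file's default\n"
                "SecRuleEngine DetectionOnly\n"
                "Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf\n"
                "Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf\n")
    return check_config(good), check_config(bad)


if __name__ == "__main__":
    good_findings, bad_findings = demo()
    print("good:", good_findings or "no findings")
    print("bad:", *bad_findings, sep="\n  ")
```

Run check_config against the real file (for this post's prefix that would be /opt/tengine/conf/modsecurity.conf) before the usual nginx -t and reload; a DetectionOnly finding is the most common reason a freshly installed WAF "does nothing".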
V. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # must name the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests get a 403 straight back. Using a PHP environment as the example, create a phpinfo.php with this content:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Error when APXS is missing

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log will also show:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
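To confirm that the 403s from the test in section VI really came from ModSecurity, see which rule produced them, and pick up the operational problems from items 4 and 5 above, it helps to read ModSecurity's messages out of nginx's error.log in a structured way. The parser below is an added example, not code from the original post or from the ModSecurity project. It assumes the message layout shown in this post (nginx timestamp and level, an optional [client ...] prefix, "ModSecurity:" and the trailing [key "value"] fields); the function names parse_modsec_line and summarize are the example's own. The sample lines are constructed for the example, with placeholder rule ids and unique_ids, except for the two startup notices and the mutex error, which are the lines quoted in this section.

```python
"""Pull ModSecurity events out of the nginx error log.

Added example, not from the original post or the ModSecurity project. Parses
the message layout the post shows: nginx timestamp and level, an optional
[client ...] prefix, "ModSecurity:" and trailing [key "value"] fields.
Sample lines are constructed; rule ids and unique_ids are placeholders.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<rest>.*)$')
# [key "value"] pairs; a repeated "tag" key is collected into a list.
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')
DENIED_RE = re.compile(r'Access denied with code (\d+)')
VERSION_RE = re.compile(r'(\w+) compiled version="([^"]*)"; loaded version="([^"]*)"')

SAMPLE_LOG = [
    # Startup notices quoted in section VII item 4.
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"',
    # Blocked requests as in the section VI test (constructed; ids are placeholders).
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "EXAMPLE-PATTERN" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/'
    'modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "1000001"] [msg "SQL Injection Attack"] '
    '[data "Matched Data: and 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] '
    '[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "EXAMPLE-1"]',
    '2015/01/26 04:15:50 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "EXAMPLE-PATTERN" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/'
    'modsecurity_crs_41_xss_attacks.conf"] [line "1"] [id "1000002"] [msg "Cross-site Scripting (XSS) Attack"] '
    '[severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] '
    '[hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "EXAMPLE-2"]',
    '2015/01/26 04:16:05 [error] 61610#0: [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "EXAMPLE-PATTERN" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/'
    'modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "1000001"] [msg "SQL Injection Attack"] '
    '[severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "EXAMPLE-3"]',
    # Operational error quoted in section VII item 5, on one line.
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: '
    'Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
    # An ordinary nginx error line with no ModSecurity involvement; must be ignored.
    '2015/01/26 04:17:00 [error] 61610#0: *12 open() "/web/wordpress/favicon.ico" failed (2: No such file or directory), '
    'client: 10.11.15.161, server: 52os.net, request: "GET /favicon.ico HTTP/1.1", host: "www.52os.net"',
]


def parse_modsec_line(line):
    """Return a dict for a ModSecurity line in error.log, or None for any other line."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    rest = match.group("rest")
    fields = {}
    for field in FIELD_RE.finditer(rest):
        key, val = field.group("key"), field.group("val")
        if key == "tag":
            fields.setdefault("tag", []).append(val)
        else:
            fields[key] = val
    first = FIELD_RE.search(rest)
    message = (rest[:first.start()] if first else rest).strip()
    denied = DENIED_RE.search(message)
    return {
        "time": match.group("ts"),
        "level": match.group("level"),
        "client": match.group("client"),
        "message": message,
        "fields": fields,
        "denied_code": int(denied.group(1)) if denied else None,
    }


def summarize(lines):
    """Count blocked requests per rule and per client, and collect the
    operational problems: error-level messages and compiled/loaded library mismatches."""
    report = {"denied": Counter(), "denied_clients": Counter(),
              "errors": [], "library_mismatch": []}
    for line in lines:
        rec = parse_modsec_line(line)
        if rec is None:
            continue
        if rec["denied_code"] is not None:
            report["denied"][(rec["fields"].get("id", "?"), rec["fields"].get("msg", ""))] += 1
            report["denied_clients"][rec["client"] or "-"] += 1
            continue
        version = VERSION_RE.search(rec["message"])
        if version:
            lib, compiled, loaded = version.groups()
            # Compare the leading version token only: PCRE logs "7.8 " vs "7.8 2008-09-05".
            if compiled.strip().split(" ")[0] != loaded.strip().split(" ")[0]:
                report["library_mismatch"].append((lib, compiled, loaded))
        elif rec["level"] == "error":
            report["errors"].append(rec["message"])
    return report


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (rule_id, msg), count in result["denied"].most_common():
        print(f"{count:4d}  rule {rule_id}  {msg}")
    for lib, compiled, loaded in result["library_mismatch"]:
        print(f"mismatch: {lib} compiled {compiled!r} loaded {loaded!r}")
    for err in result["errors"]:
        print("error:", err)
```

Against a live server, pass the open log file instead of SAMPLE_LOG (with this post's prefix that is /opt/tengine/logs/error.log, assuming the default nginx log location). The per-rule counts tell you which Includes are actually doing work, and the errors list surfaces the audit-log mutex failure from item 5 even when the request itself was still served.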
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614