ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security. It now also supports nginx and IIS; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 system repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make
III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added when compiling nginx with "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover your own needs.

1. Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules in them as needed; a rule file is enabled simply by adding an Include line for it (in modsecurity.conf):

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each host where ModSecurity should be enabled, add these two lines:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # nginx variable names are case-sensitive: $document_root, not $Document_root
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

Upstream load balancing:

    # the upstream name must match the host name used in proxy_pass below
    upstream online {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            proxy_pass http://online;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
VI. Testing

We have enabled XSS and SQL injection filtering, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

    <?php
    phpinfo();
    ?>

Then open in a browser:

    http://www.52os.net/phpinfo.php?id=1  displays normally.
    http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
    http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that SQL injection and XSS are being filtered.
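Rather than inferring which rule fired from the 403 alone, the ModSecurity events that nginx writes to error.log can be tallied by rule id and URI, and warn-only hits can be separated from real blocks. The script below is an added example and not part of the original post; its sample log lines are constructed (two reuse lines shown in the troubleshooting section below), and the rule ids and messages in them are illustrative, not real CRS values.

```python
import re
from collections import Counter

# Constructed sample error.log lines, not from a real server. Line 1 is the APR
# notice and line 5 the audit-log mutex error shown on this page; lines 2-4 are
# shaped like ModSecurity 2.x rule events, with illustrative rule ids and msgs.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 05:10:02 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:and 1=1)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "SQL injection probe"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AbCdEf0001"]
2015/01/26 05:10:09 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "31"] [id "973336"] [msg "XSS filter"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AbCdEf0002"]
2015/01/26 05:11:00 [error] 61610#0: [client 10.11.15.161] ModSecurity: Warning. Pattern match "(?i)<script" at ARGS:q. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "31"] [id "973336"] [msg "XSS filter"] [hostname "www.52os.net"] [uri "/search.php"] [unique_id "AbCdEf0003"]
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# Bracketed [key "value"] fields and the event prefix of a ModSecurity 2.x rule hit
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
EVENT_RE = re.compile(r"\[client ([\d.]+)\] ModSecurity: (?:Access denied with code (\d+)|Warning\.)")

def parse_event(line):
    """Return a dict for a rule event (block or warn-only), None for any other line."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))  # tolerates events without [id] or [msg]
    return {
        "client": m.group(1),
        "blocked": m.group(2) is not None,
        "status": int(m.group(2)) if m.group(2) else None,
        "id": fields.get("id", "-"),
        "msg": fields.get("msg", "-"),
        "uri": fields.get("uri", "-"),
        "file": fields.get("file", "-").rsplit("/", 1)[-1],
    }

def summarize(text):
    """Tally blocked and warn-only events per rule, and blocked requests per URI."""
    events = [e for e in map(parse_event, text.splitlines()) if e]
    return {
        "events": len(events),
        "blocked": Counter((e["id"], e["msg"]) for e in events if e["blocked"]),
        "warned": Counter((e["id"], e["msg"]) for e in events if not e["blocked"]),
        "uris": Counter(e["uri"] for e in events if e["blocked"]),
    }

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (rid, msg), n in s["blocked"].most_common():
        print(f"blocked x{n}  id={rid}  {msg}")
    for (rid, msg), n in s["warned"].most_common():
        print(f"warn-only x{n}  id={rid}  {msg}")
```

Point it at the real file by replacing SAMPLE_LOG with open("/opt/tengine/logs/error.log").read(); the notices, warnings and the audit-log error are skipped because they carry no rule event prefix.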
VII. Troubleshooting the installation

1. Missing APXS causes an error

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

    yum install httpd-devel

2. pcre not found

    configure: *** pcre library not found.
    configure: error: pcre library is required

Solution:

    yum install pcre pcre-devel

3. libxml2 not found

    configure: *** xml library not found.
    configure: error: libxml2 is required

Solution:

    yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log also shows the following:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

    yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent