nginx with ModSecurity as a WAF

Posted 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache; it hardens web applications effectively and now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, add ModSecurity to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity's job is to filter and block web attacks, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write your own rules to cover other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include for each rule file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

An upstream load balancer:

# the upstream name must match the host named in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered directly with 403. Taking the PHP setup as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
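The three browser checks above as a repeatable script, so they can be rerun after every rule or configuration change. This is an added example, not code from the original post: it assumes the host and phpinfo.php path used above (override BASE_URL for another deployment) and that curl is installed. curl's -G --data-urlencode percent-encodes the payload so the WAF sees the same request a browser would send, and -w '%{http_code}' prints only the status code, so the expected 200 and 403 results can be compared mechanically.

```shell
#!/bin/sh
# Added example, not from the original post. Repeats the browser checks of this section
# with curl so they can be rerun after every rule or configuration change.
# Assumptions: the vhost from the post answers on BASE_URL, phpinfo.php exists there,
# and curl is installed.
BASE_URL="${BASE_URL:-http://www.52os.net}"
TARGET="/phpinfo.php"

# One case per line: "expected_status|query". The benign request must return 200;
# the SQL-injection and XSS probes from the post should be answered with 403
# once the CRS rules are included.
CASES='200|id=1
403|id=1 and 1=1
403|search=<script>alert("xss");</script>'

# verdict EXPECTED ACTUAL: PASS when the observed status matches the expected one.
verdict() {
  if [ "$1" = "$2" ]; then echo PASS; else echo FAIL; fi
}

# status_of QUERY: GET $BASE_URL$TARGET?QUERY and print only the HTTP status code.
# -G --data-urlencode percent-encodes the value part, so spaces and angle brackets
# reach the WAF intact; an unreachable server shows up as status 000.
status_of() {
  curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode "$1" "$BASE_URL$TARGET"
}

# run_cases: print one result line per case; exit status 1 if any case failed.
run_cases() {
  results=$(printf '%s\n' "$CASES" | while IFS='|' read -r expected query; do
    actual=$(status_of "$query")
    printf '%s expected=%s got=%s query=%s\n' \
      "$(verdict "$expected" "$actual")" "$expected" "$actual" "$query"
  done)
  printf '%s\n' "$results"
  ! printf '%s\n' "$results" | grep -q '^FAIL'
}

# Stand-alone use: sh waf_smoke.sh --run
if [ "${1:-}" = "--run" ]; then
  run_cases
fi
```

Run it with sh waf_smoke.sh --run. A FAIL line means a rule file was not included, the request was served by a location without ModSecurityEnabled on, or (status 000) the server did not answer at all.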
VII. Troubleshooting the installation

1. Missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m gives a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. The following also appears in error.log:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
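A scan of error.log for the two conditions in items 4 and 5, as an added example that is not part of the original post. The sample lines are constructed from the messages quoted above; set LOG to the real log file to check a live installation (with the prefix used in this post that would be /opt/tengine/logs/error.log, an assumption). The version check compares only the leading dotted numeric part, so PCRE's "7.8 " and "7.8 2008-09-05" count as the same release while APR's 1.5.0 versus 1.3.9 is reported. A non-zero mutex-error count means the nginx worker user cannot create the lock file in the audit-log directory; giving that directory to the worker user (chown) achieves what SecAuditLogDirMode 0777 in item 5 does without making it writable by every local user.

```shell
#!/bin/sh
# Added example, not from the original post: scan nginx's error.log for the two
# ModSecurity conditions described in items 4 and 5. SAMPLE_LOG is constructed from
# the messages quoted above; set LOG to a real log file to check an installation
# (with the prefix used in this post that is /opt/tengine/logs/error.log, an assumption).
SAMPLE_LOG='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]'

# version_mismatches: read log text on stdin and print "LIB compiled=X loaded=Y" for
# every library whose compiled and loaded versions differ (item 4). Only the leading
# dotted numeric part is compared, so PCRE's "7.8 " and "7.8 2008-09-05" agree while
# APR's 1.5.0 versus 1.3.9 is reported. Lines without a loaded version (LIBXML) are skipped.
version_mismatches() {
  sed -n 's/.*ModSecurity: \([A-Z]*\) compiled version="\([^"]*\)"; loaded version="\([^"]*\)".*/\1 \2 \3/p' |
  while read -r lib compiled loaded; do
    c=${compiled%%[!0-9.]*}
    l=${loaded%%[!0-9.]*}
    if [ "$c" != "$l" ]; then
      printf '%s compiled=%s loaded=%s\n' "$lib" "$c" "$l"
    fi
  done
}

# mutex_errors: count audit-log mutex failures (item 5); a non-zero count means the
# nginx worker user cannot create the lock file in SecAuditLogStorageDir.
mutex_errors() {
  grep -c 'ModSecurity: Audit log: Failed to lock global mutex'
}

# Stand-alone use: LOG=/opt/tengine/logs/error.log sh modsec_logcheck.sh
if [ -n "${LOG:-}" ]; then
  input=$(cat "$LOG")
else
  input=$SAMPLE_LOG
fi
printf '%s\n' "$input" | version_mismatches
printf 'audit-log mutex errors: %s\n' "$(printf '%s\n' "$input" | mutex_errors)"
```

Run it right after nginx -m or a restart; the startup notices are only written once per start, so an empty version_mismatches result on a long-running log means the start-up lines have rotated out, not that the libraries match.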
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614