ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and performance, it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build it

Download ModSecurity for nginx, extract it, and run the following inside the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to nginx's configure step with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is built around filtering and blocking web threats, and its power comes from its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by pulling them in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines to the location block of any host that should have ModSecurity enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        # Enable the WAF for this location and point it at the rule file in the conf directory
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # Proxy to the upstream group defined above; the name must match the upstream block
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, abnormal requests are answered directly with a 403. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open these in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS rules are filtering requests.
7. Troubleshooting the installation

1. Missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. Fix:

yum install httpd-devel

2. pcre missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9".
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614