ModSecurity was originally an open-source WAF for Apache that substantially hardens web applications; it now also supports Nginx and IIS. Combined with Nginx's flexibility and performance it can be built into a production-grade WAF, a strong tool for protecting and auditing web traffic.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

After building the standalone module, pass it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web attacks, and its strength lies in its rules. The rule set provided by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course also write custom rules to cover your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.
Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each rule file (these go in modsecurity.conf, the file ModSecurityConfig points at):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of every virtual host that should be protected by ModSecurity, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

# the upstream group name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so malicious requests are answered with a 403 directly. Taking the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
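As an added example that is not part of the original post, here is a small Python parser for the nginx error.log lines ModSecurity writes: it handles the version notices from item 4 (flagging the APR mismatch but not the PCRE build-date suffix) and the bracketed [client ...] [uri ...] [unique_id ...] fields from item 5, and goes one step further by extracting "Access denied" rule-hit lines, which ModSecurity logs in the same format. The function names are mine, and the sample log is constructed from the lines quoted above plus one made-up rule-hit entry.

```python
import re
# Constructed sample error.log: the notices and the audit-log error quoted in items 4 and 5
# above, plus one made-up "Access denied" line (its client, rule id and unique_id are placeholders).
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [id "100001"] [msg "SQL Injection Attack"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED0001"]
"""
# nginx error.log prefix: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"\[client (?P<client>[^\]]+)\]")           # the one unquoted field
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')    # quoted [key "value"] fields
VERSION_RE = re.compile(r'ModSecurity: (?P<lib>\w+) compiled version="(?P<c>[^"]*)"'
                        r'(?:; loaded version="(?P<l>[^"]*)")?')

def parse_line(line: str):
    """Split one error.log line into timestamp, level, pid, message, client and quoted fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(FIELD_RE.findall(rec["msg"]))
    c = CLIENT_RE.search(rec["msg"])
    rec["client"] = c.group("client") if c else None
    return rec

def version_mismatches(log: str) -> list:
    """Libraries whose loaded version's leading token differs from the compiled one (APR is flagged; PCRE "7.8 " vs "7.8 2008-09-05" is not)."""
    out = []
    for line in log.splitlines():
        m = VERSION_RE.search(line)
        if m and m.group("l") and m.group("c").split()[:1] != m.group("l").split()[:1]:
            out.append({"lib": m.group("lib"), "compiled": m.group("c").strip(),
                        "loaded": m.group("l").strip()})
    return out

def modsecurity_errors(log: str) -> list:
    """[error]-level ModSecurity entries with client, uri, rule id and unique_id, ready for triage."""
    out = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] == "error" and "ModSecurity:" in rec["msg"]:
            reason = rec["msg"].split("ModSecurity: ", 1)[1].split(" [", 1)[0]
            out.append({"ts": rec["ts"], "client": rec["client"], "reason": reason,
                        "uri": rec["fields"].get("uri"), "id": rec["fields"].get("id"),
                        "unique_id": rec["fields"].get("unique_id")})
    return out
```

Feed it the real error.log with `modsecurity_errors(open("/opt/tengine/logs/error.log").read())` to list blocked requests by client and URI, and run `version_mismatches` once after each rebuild to confirm the APR warning is gone.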
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614