Building a WAF with nginx and ModSecurity

Posted on 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that effectively hardens web applications. It now also supports nginx and IIS, and combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web security.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module can be added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built around filtering and blocking web threats, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course also write custom rules to cover your own requirements.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rule files, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling the corresponding files in with Include directives (in modsecurity.conf):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of every virtual host that should be protected by ModSecurity, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
Below are two example configurations. First, a PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
Second, upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so malformed requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS attempts are being filtered.
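As an added example (not part of the original post), here is a small Python helper that turns the nginx error.log entries ModSecurity writes into structured records: it lists the 403 denials from the tests above by client, CRS rule id and URI, and flags the APR compiled/loaded version mismatch described under troubleshooting item 4. The log lines embedded in it are constructed samples in the ModSecurity 2.x log format; the rule ids, line numbers and messages are illustrative.

```python
import re
from collections import Counter

# Constructed sample of nginx error.log lines in the ModSecurity 2.x format
# (not real traffic; rule ids, line numbers and messages are illustrative).
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname ""] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:15:50 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "30"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [severity "CRITICAL"] [hostname ""] [uri "/phpinfo.php"] [unique_id "BcBcBcBcBcBcBcB4DcB7BcBc"]
2015/01/26 04:16:02 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "CcCcCcCcCcCcCcC4DcC7CcCc"]
"""

# A blocked request: "[client <ip>] ModSecurity: Access denied with code <n>".
DENIED = re.compile(r'\[client (?P<client>[\d.]+)\] ModSecurity: Access denied with code (?P<code>\d+)')
# ModSecurity's trailing metadata fields all have the shape [key "value"].
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')
# The startup notice behind the "Loaded APR do not match with compiled!" warning.
APR = re.compile(r'APR compiled version="([^"]+)"; loaded version="([^"]+)"')


def parse_denials(log_text):
    """Return one dict per blocked request: client, status code, rule id, msg, uri."""
    events = []
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue  # startup notices and audit-log errors are not denials
        fields = dict(FIELD.findall(line))
        events.append({"client": m.group("client"), "code": int(m.group("code")),
                       "id": fields.get("id"), "msg": fields.get("msg"),
                       "uri": fields.get("uri")})
    return events


def blocks_by_rule(log_text):
    """Count denials per CRS rule id: a quick view of which rules are firing."""
    return Counter(e["id"] for e in parse_denials(log_text))


def apr_mismatch(log_text):
    """Return (compiled, loaded) APR versions when they differ, else None."""
    for line in log_text.splitlines():
        m = APR.search(line)
        if m and m.group(1) != m.group(2):
            return m.group(1), m.group(2)
    return None


if __name__ == "__main__":
    print(dict(blocks_by_rule(SAMPLE_LOG)), apr_mismatch(SAMPLE_LOG))
```

Running it against a real error.log is a cheap way to confirm the CRS rules you included are the ones actually blocking, and to spot the APR mismatch before traffic hits the box.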
VII. Troubleshooting the installation

1. A missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
Reference articles:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614