|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。* I8 E+ u# s! w6 Z3 E/ n" f
7 p' n7 u' w- v- N3 z一.准备工作2 g3 r6 ^; Y8 h7 L" Z4 h/ W3 G8 H
5 s6 K! A- d' I6 j, {7 q系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
$ v# b5 |/ v9 @; }. O4 B9 @9 j0 [7 v9 G ?
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz( F. n. o- b& E: ^
& G" `# _4 F4 G- @
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz" m! D- ]( R0 H/ U$ I
% J; n- u9 M2 k2 X3 m4 `OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
" I5 V8 [' R8 V# ]' D' q1 Y/ M9 `
9 _( H) r4 B: t; b依赖关系:
- @& T5 r2 U! k0 I* Utengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
. t8 C0 ]7 _& }' T
4 b" z2 s+ E6 h, w: Y% vyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
- C: l, `. R( M! ~% t+ s3 kmodsecurty依赖的包:pcre httpd-devel libxml2 apr+ S H' ^+ R5 J |. k: u$ o
" O; P% r3 i* D
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
0 |. p: W- W9 w% F! F$ Z% c二.启用standalone模块并编译
1 S3 i* o3 O. n A: o: ^4 X3 m y& v3 Z4 J" U+ w
下载modsecurity for nginx 解压,进入解压后目录执行:
0 n) Z& \: V8 C8 \1 u# K3 u
& e& @. O y) e& [./autogen.sh
' n$ D% u) e) J4 |./configure --enable-standalone-module --disable-mlogc
" b d% M1 o# x2 e: k# J- y( gmake . ?6 _8 ]9 z4 k" D/ g( X' U
三.nginx添加modsecurity模块" W1 d# }+ \/ \) B4 `
/ v" b' P0 q: l$ M% n# |
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:# j# a! |5 y% ~% m, m5 I
, L2 x6 }, V: H3 h8 d1 B' F% R
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
6 k2 O: n+ y. n) Rmake && make install
2 w4 f/ i0 W7 D) D5 O四.添加规则
" ~0 S; @0 h, ]0 T! B5 u
1 z+ l6 h9 a j i1 n! Dmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。 V/ u1 \. x7 m. V
6 b& I) f2 O, a: t* p. @1.下载OWASP规则:8 Q) f2 x" n! h: w+ E
; D% K- ~4 D/ `) \- b% Z; f
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
9 e1 y( }2 B& U: D; I$ t( d8 l z/ r
mv owasp-modsecurity-crs /opt/tengine/conf/
' R$ A4 I) B6 n k; y. U0 Z- G' y+ u' l* z7 B3 [5 @# S# o
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
! Q% P+ u: ?" _2 Y2.启用OWASP规则:4 F/ `! o# K. m7 m3 D
3 \; s$ f* x, f D
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
& _$ J! m6 R6 ~ e& T+ k" E' S3 u$ r9 J2 X G# i8 a. ?0 S) S! ]
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
$ X6 {8 T! V, S L
, b5 ^! c1 s& G( Nowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
5 u" P- ^. h, s6 g# o8 ^8 Q- Q: z" w
: \7 a! N7 z/ l% b8 ZInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf6 e: P# r" w% M5 j
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
* H* S, \ e# A! ~Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
1 O* u4 J& Z7 aInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
0 N& W8 j. \6 u5 C8 MInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf4 D: O2 b2 t! q3 M( ? {- W g ]
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf& ?9 l4 o+ A$ m" e+ j
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf* K* w. u, R" C- C9 m0 @
五.配置nginx
* @, C- }* R' |5 {( I1 [6 o* F3 z+ W) j! p$ p9 S
在需要启用modsecurity的主机的location下面加入下面两行即可:
6 r ]4 C( W' T( H- ]- d
) ^- o% }: h" o, k2 a; p* S* X+ R( @5 PModSecurityEnabled on;
' |# ?& @" ^( R$ t! O! [) f1 @( MModSecurityConfig modsecurity.conf;
, f" @9 g' Q. J+ x! R下面是两个示例配置,php虚拟主机:
; ~! D0 h. l/ d' F( e
. P6 N6 p5 f+ X$ p- a$ }# eserver {
$ i$ K j0 w$ P4 x, i listen 80;' F. M% m% d; x" D3 p
server_name 52os.net www.52os.net;# P3 q; K6 z. V
1 ?& n; G& y8 G7 f s0 t( v location ~ \.php$ {% w8 o( y, B M- b8 w
ModSecurityEnabled on;
( z3 C/ n$ }2 N1 n. C+ a ModSecurityConfig modsecurity.conf;5 B. {. b" s, A2 v0 i0 A& G7 ]
9 o( v' Q: ^8 G+ a. I root /web/wordpress;9 @' h% n* |6 w8 u; Z
index index.php index.html index.htm;
0 E1 y" M! }5 P. W + J+ d. L3 K$ ]+ ]1 u2 T
fastcgi_pass 127.0.0.1:9000;. b: x1 ?! d( ~8 [ v5 B3 l4 I
fastcgi_index index.php;
0 j/ Y+ h+ h4 `9 ^8 R/ _; N- H fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;& ^& `* h: r- y9 D3 C1 _. f# d
include fastcgi_params;+ \8 N& \1 O0 X" A: `4 Y- ?
}
G; u8 U0 x8 V3 p# U }+ v5 ?/ `/ L7 x2 s9 _
upstream负载均衡:) a* S* t1 o9 n! `- _+ U
% O! _, T5 Q+ H7 J! `upstream 52os.net {
- \% H$ C) J9 x server 192.168.1.100:8080;
5 n! z- h- N% B" B- O2 H n! _! k server 192.168.1.101:8080 backup;
# ^& {* H A+ L6 i; `}
& d# [% G3 F+ m/ F& H c+ g! g0 F
1 ]5 A4 Q, g; Vserver {
# d( @( Q+ E! H- g p3 `) Elisten 80;* G! ^1 ~! g7 C' K, A+ E! G$ h# \9 Y
server_name 52os.net www.52os.net;
1 e4 c) H! Y% O
3 T* r- L. I( M# f0 Flocation / {' |: m: x4 P7 I, f: s2 k" ~
ModSecurityEnabled on; 0 u; ] [0 _- C: U# }" b
ModSecurityConfig modsecurity.conf;
- `* {7 W, [; e8 c% d) c% a
6 D" F7 X* [0 B' I proxy_pass http://online;
3 M c5 c% g& s/ m3 `1 A, C proxy_redirect off;4 D8 K" ~* U2 e/ O3 S: ~
proxy_set_header Host $host;( {! V* z6 e. T9 S9 F
proxy_set_header X-Real-IP $remote_addr;) c1 N0 U: U( o* M0 }
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;7 _. j' ^# D8 ^! c
}+ j, G9 [# Y* J; q" |
}" s5 V( N' }- \+ _4 Y. G/ E6 u) T! @6 }
六.测试& a! R( h. n( O' o7 c
" z8 ?5 h" g* f% v3 m" F0 [
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
+ W8 M( q: j1 r3 t- ?
: C9 s; t2 X! ~1 @; A<?php( g: k4 l$ I% E L4 I
phpinfo();
2 y( x! [ O$ B: ~( ?& Y1 \?>$ j9 h: e5 f- } ^+ G' ^) F
在浏览器中访问:' _$ `1 `8 L8 i6 B! b1 f
& m4 q, H5 ?8 E, g0 [5 L0 k" P' |http://www.52os.net/phpinfo.php?id=1 正常显示。
! L3 x, Q: Q* @! k& q# Vhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。' B: C" b q( q) L6 ]2 T# Z
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
% ]3 o. P3 j) ^/ N, E说明sql注入和xss已经被过滤了
& C7 e- q0 j( d8 o. q; C ]% g# G9 p" T
七、安装过程中排错
/ g# e3 L% i. l: a( D: X
$ m# d2 u, L3 ?2 E1.缺少APXS会报错6 _: C8 l) E* u/ @+ o
; ]4 x( i4 C! K0 P% \; }
configure: looking for Apache module support via DSO through APXS
2 b9 E7 {1 _7 R/ Vconfigure: error: couldn't find APXS
% ], _% J; R) Fapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
, H# @ P; _/ H# c+ b$ G* i解决方法:
' b9 C- `( A% _% H, w- Z2 E7 W5 U# ]4 c# w: {" ] v
yum install httpd-devel
7 ~) v: b' u6 ?* y2.没有pcre
. X; i+ z. U6 m
5 c% d/ u; p0 [7 r% Nconfigure: *** pcre library not found. G4 V7 [6 A+ m9 Z
configure: error: pcre library is required* w4 W* ~5 m$ M: T* i0 F# m
解决方法:8 j! ?# G6 x1 e- a, B/ w
1 v. h2 S6 r L- m) tyum install pcre pcre-devel
( O7 V/ B! O0 b! d) {* s$ c3.没有libxml2
2 m( ^9 t1 l( n; c
2 X' s; n( c, o" Z% `* s+ z1 f: Z* G+ s2 ?6 C; u. C' }0 G
configure: *** xml library not found.* [/ G7 B) w( X1 G, n- E
configure: error: libxml2 is required
" u' Q- ^9 J- O. E2 p3 Z解决方法:
: {- Y( k3 [+ C/ d8 O
* ?* @$ Z. E# |! J# G' C5 nyum install libxml2 libxml2-devel% U) u9 ]5 {( F+ q+ k g' G+ a2 O
4.执行 /opt/tengine/sbin/nginx -m 时有警告
) F, U% `9 k6 @
% m3 ]( \$ P# ]7 I: E0 }" ?2 ETengine version: Tengine/2.1.0 (nginx/1.6.2)8 I$ q& W9 v8 A% C! U4 e
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
5 L% F1 V; \) [" G# \原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
* N. O: D: x& q0 o/ |8 s' N- T* k$ `3 L3 v" z
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
6 @5 y' `. h- L M# V2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"! D. T& Z8 z& B2 k) f) y
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
1 X+ I8 a0 F% X5 d$ V2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"8 V Y% T1 x: U7 A0 R2 _
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6". A1 r# X( O: r: w
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
( L7 h/ d5 r' e# l8 X1 ]解决方法,移除低版本的APR (1.3.9). D& `$ l6 N* Q. ?3 C% M B% Y! Z
6 q* T1 M% C$ F7 L4 p+ ^; M7 ^
yum remove apr- d& Q* r) A7 r
5.Error.log中有: Audit log: Failed to lock global mutex
& R* N( `' i4 v
! h( g# K. V7 C; l+ ~: i2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
4 y3 u0 s8 m7 y# Cglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]: t. g/ o, C+ p; p) o& J# X I
解决方法:3 n9 U& x9 r. d. F7 s3 ^9 R
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
% j. \5 C& P, f( b4 W! d# y+ s9 D2 }4 w, e3 Z/ U' G1 U6 N E
SecAuditLogDirMode 0777 m- B, g2 e; y. u' P
SecAuditLogFileMode 0550
$ V4 t. L* A, J/ U" y# USecAuditLogStorageDir /var/log/modsecurity, _6 G+ u' m! m/ H
SecAuditLogType Concurrent
% H' c& n" E/ [1 T1 Z参考文章:
, L3 z1 m$ D. ^/ ?, S: Rhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX1 @4 l. Y. U3 j( K6 d
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡