ModSecurity started out as an open-source WAF for Apache that noticeably hardens web applications. It now also supports nginx and IIS, and combined with the flexibility and performance of nginx it can be built into a production-grade WAF, a strong tool for protecting and auditing web security.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module is added to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block web threats, and its power lies in its rules. The OWASP rules are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to cover any additional needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines inside the location block of every host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing (the upstream name must match the host used in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered directly with a 403. Taking the PHP environment as an example, create a phpinfo.php with the content:

<?php
    phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS produces an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log also contains the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
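As an added example that is not part of the original article, the Python script below parses ModSecurity messages out of nginx's error.log in the format shown in sections VI and VII: it counts requests the CRS rejected with a 403 by rule id and URI (the check you would use to confirm the section VI tests were really blocked), lists other ModSecurity errors such as the mutex failure in VII.5, and flags the compiled/loaded library mismatch from VII.4. The sample log is constructed: the APR/PCRE notices and the mutex line are quoted from the article, while the two "Access denied" lines, their rule ids, file paths and unique_ids are illustrative.

```python
import re
from collections import Counter

# Constructed sample of nginx error.log lines. The APR/PCRE notice lines and the
# "Failed to lock global mutex" line are quoted from the article; the two "Access
# denied" lines, their rule ids, paths and unique_ids are illustrative only.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:03 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "900101"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname ""] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED-ID-1"]
2015/01/26 04:21:10 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:search. [file "owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [id "900102"] [msg "XSS Attack Detected"] [severity "CRITICAL"] [hostname ""] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED-ID-2"]
"""

# Line prefix, the trailing [key "value"] pairs, and the compiled/loaded version notice.
HEAD_RE = re.compile(r'^(\S+ \S+) \[(\w+)\] \d+#\d+: (?:\[client ([^\]]+)\] )?ModSecurity: (.*)$')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
VERSION_RE = re.compile(r'^(\w+) compiled version="([^"]*)"; loaded version="([^"]*)"')


def parse_line(line):
    """Return a dict for a ModSecurity entry in error.log, or None for any other line."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    ts, level, client, rest = m.groups()
    fields = dict(FIELD_RE.findall(rest))
    first = FIELD_RE.search(rest)
    msg = (rest[:first.start()] if first else rest).strip()  # text before the first [key "value"]
    denied = re.match(r'Access denied with code (\d+)', msg)
    return {"time": ts, "level": level, "client": client, "message": msg,
            "status": int(denied.group(1)) if denied else None, **fields}


def version_mismatches(entries):
    """Libraries whose compiled/loaded versions differ in the first token (PCRE "7.8 " vs "7.8 2008-09-05" passes)."""
    out = {}
    for e in entries:
        m = VERSION_RE.match(e["message"])
        if m and m.group(2).strip().split(" ")[0] != m.group(3).strip().split(" ")[0]:
            out[m.group(1)] = (m.group(2).strip(), m.group(3).strip())
    return out


def summarize(log_text):
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    blocked = [e for e in entries if e["status"] is not None]
    return {"blocked_by_rule": Counter(e.get("id", "?") for e in blocked),
            "blocked_uris": Counter(e.get("uri", "?") for e in blocked),
            "errors": [e["message"] for e in entries if e["level"] == "error" and e["status"] is None],
            "version_mismatches": version_mismatches(entries)}
```

Run summarize() over the real file (for example /opt/tengine/logs/error.log) after the section VI requests; an empty blocked_by_rule means the rules were never reached.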
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614