|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。9 D, L! N8 p( a* e
8 B% q( h* t2 j
一.准备工作' ?/ ^3 ~# V) U
5 c% R, g5 h. d* F- g
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.06 R& y G, m5 R
0 S- X' G/ a9 H9 o9 |; ?3 z
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
N4 I) _- D. ?! l, \; y3 d
, b% S5 z0 f, nmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
( M3 `; `$ W2 W7 W9 t7 l; t
! n9 u) P. q# _ tOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
4 i- s4 G4 g- G
: |8 `# j+ P% s. Q依赖关系:
- `: S( `/ l+ c+ I1 g# f# a9 Y, _tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:: V& k+ t$ m5 I2 @" A* r
; k! E0 b/ n D( H2 pyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel$ g" I( n2 o7 u% i
modsecurty依赖的包:pcre httpd-devel libxml2 apr
, ?) D8 Y% q5 e; Q, D6 o0 T& R* n) ?9 G
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
8 P3 ^/ u) f8 t( T0 a8 w" s8 n& Y二.启用standalone模块并编译
' c6 X% F2 P( b, U8 q" S+ A. G, ^, G1 S
下载modsecurity for nginx 解压,进入解压后目录执行:
5 A5 a2 k; q; }/ C, Q l R- T' r$ F4 A& D ~: T- G' A
./autogen.sh1 f9 R1 e9 P) n! @! U8 X* d
./configure --enable-standalone-module --disable-mlogc
+ d9 I3 x0 {. Smake
+ {+ _! F1 R/ z" b9 W0 A三.nginx添加modsecurity模块+ `% k ^) d' z, S5 u
; {* R) o4 u X/ f" T$ @$ O在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
$ _) r% b- s) B S* }% s, \6 C+ |
" t2 ^0 E! R8 ~8 g/ F8 Z) x- F./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
5 p8 u4 t. l* A7 Smake && make install
' t: b7 _" v( {/ p, W) N四.添加规则
7 o& b1 b4 Q1 c9 a) j3 s
5 B/ T, Y- ^3 Y1 Mmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。7 T+ s: j! V1 {8 C/ H
7 {) F3 X6 u! U8 i9 @0 J1 U
1.下载OWASP规则:
& \* s6 ^+ Z) D, N2 o/ F5 c4 @8 L7 K0 h
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs u3 \/ n" K- X) I9 x
' n/ T& L2 e7 E/ c
mv owasp-modsecurity-crs /opt/tengine/conf/# G2 x# ?' N5 \$ h U; ]
* q* k5 _, ^9 m
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf9 x4 H" Y: X9 u0 W6 Y& n: }
2.启用OWASP规则:) i9 i/ q3 e$ s" a+ D
$ f, W' d3 F* @5 X. [' h
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
9 m1 j9 m. F; f. N: I
% [& G/ R% T, Z编辑modsecurity.conf 文件,将SecRuleEngine设置为 on5 |% C5 [; }# k0 \. R9 C
- G1 Y6 i( ^* l+ Lowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。, j/ L" A9 b v
5 s2 c) L4 ^' V: g( RInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
+ d! c; ?" U& oInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
1 E% m3 y7 r f: g, iInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
" Z( Q# y- C6 N: T8 K3 I1 ZInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
) F5 Y$ ? N) S7 e/ mInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf9 |+ z0 _ i7 _7 X1 g
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
* K# w: N& ?: K% HInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf: o" D3 K& _3 A' o# ~4 |1 i7 g8 g
五.配置nginx7 G: h+ w3 N$ G3 g7 I/ _& f" j
5 l8 Q5 h# K2 B. I4 C% r$ ^ P在需要启用modsecurity的主机的location下面加入下面两行即可:
4 b5 l+ m- @5 L- s! t) I* V+ S) G! F- O3 S# g$ q2 _
ModSecurityEnabled on; 0 \9 U5 f& e! J( U
ModSecurityConfig modsecurity.conf;" E4 L# c b* G2 z' m3 T4 x
下面是两个示例配置,php虚拟主机:
* k1 c: Q1 H# ?/ F7 V1 p! E' m7 a% f& O8 p! ^* e0 Q
server {
' {( _ P" ]& J7 ?3 `# F: D listen 80;( G4 E$ H" S& Z6 q: s1 Q, \
server_name 52os.net www.52os.net;# y- ~* \. ~% P6 h \# {" ^
+ S2 Q. n1 S. v+ v9 Q
location ~ \.php$ {
5 n, j! c( I, ]6 L A, U ModSecurityEnabled on;
& ^4 U D% `; n: Z& d' \ ModSecurityConfig modsecurity.conf;0 M/ v$ ?$ E. R& W6 T/ C- V
% V9 g F5 [: s& v; L root /web/wordpress;5 C1 `2 ^4 D4 ^- P' p
index index.php index.html index.htm;
' W9 \8 \3 B# s1 U! d9 J H. n4 n
" N# c4 ~8 c) p fastcgi_pass 127.0.0.1:9000;( O8 C4 q2 D0 s# j' D& n! n: J2 W" y
fastcgi_index index.php;
3 i3 Z4 g3 v( |5 d0 E2 s, M fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;0 Y6 \4 w- X$ v) k5 `5 |
include fastcgi_params;
: |' s5 V* @9 w: A [8 \ }- K) a' |5 d3 Y3 j
}- ]+ _+ _$ @7 }0 y4 p/ B1 z
upstream负载均衡:$ t0 g1 C6 l- s- C% v. G! g
/ F! c' U2 q. qupstream 52os.net {
8 y. @% k* F1 K* K server 192.168.1.100:8080;
& C3 @" ^! F' ?$ X server 192.168.1.101:8080 backup;
( b; I# [5 A1 I) f3 w}
! a6 H# ]0 |9 ~& _8 [4 h$ X5 S- v2 N, x5 f% [ u$ V
server {( O, H* o4 a4 M' G: D
listen 80;
5 |' z* d) t. z9 lserver_name 52os.net www.52os.net;$ l( `$ R7 q' `4 y" } W9 L
+ m5 ~! i1 v9 g" A7 N1 G
location / {
$ Q6 _6 k& \5 Y4 N8 U6 J- l ModSecurityEnabled on;
" Y; O1 I; f4 P2 D ModSecurityConfig modsecurity.conf; ' c( z2 O2 }! D; \5 w$ a
# @5 X7 h: Y) l# W& V
proxy_pass http://online;
r% b2 K8 L$ R+ l' k0 B4 H proxy_redirect off;
5 N; h1 N n5 Y7 l5 a proxy_set_header Host $host;- x$ U, D8 R" L% v `' y
proxy_set_header X-Real-IP $remote_addr;7 E9 i2 _. _+ M5 t) |8 o
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
* t: W4 i8 y& r) F, l. B }$ X. ^9 |+ S8 B* J
}
6 r3 t- w! S9 q6 P( t六.测试8 x2 o6 k/ G; A& X! V; s
# l8 G/ H% M+ o9 k9 S8 t
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:" b% Y: s: }" @, B* |$ Q
2 @- G; h }+ F" S. _
<?php
- w3 O$ S# {5 n# l4 E3 n phpinfo();
. G7 \9 x7 e: n?>2 N, M4 n* Y m% |2 X4 {
在浏览器中访问:
8 {3 k* B& F! V& T( v. b
+ E }+ A. y1 c! Y) t& `http://www.52os.net/phpinfo.php?id=1 正常显示。7 @" Z5 w* ~$ m( X
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。* d8 Y5 [5 y9 ^) d8 [1 ~. S+ p. {
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。. ~ I! v5 E; i9 P
说明sql注入和xss已经被过滤了9 T8 N, J# v) g7 m- i& E5 C) R
4 D) j* W- F" w% Z0 q七、安装过程中排错: P3 q8 x8 j2 @, @) L( o o& d3 V# @* e
6 `8 v& X# `+ h, M( S! k% x' g# m
1.缺少APXS会报错4 ]. a4 v# ]% X F2 I
' s, t7 b2 x+ p; V+ h' I* C& Oconfigure: looking for Apache module support via DSO through APXS8 P! \9 h: i" l. A( ~! X/ n6 Y
configure: error: couldn't find APXS
5 M4 _1 ?# z* Rapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
* f' `2 X" a, Y- p解决方法:
- z1 S2 w4 Z4 j% t) T$ }) q7 w- {3 O
yum install httpd-devel
( m5 r7 g: g1 Y! n- ?5 O2.没有pcre! u) k( e9 K9 f9 H1 ~2 c
5 T* c0 [6 `, ?6 x2 {* ]configure: *** pcre library not found.
: H8 W& z8 L1 R: @configure: error: pcre library is required4 y; i( @" Y6 {2 e( E4 `8 J
解决方法:
8 h" W( `* ~" u9 o( v$ V1 o. [! R! V
yum install pcre pcre-devel# E. t$ r! S4 c. Y. \4 h
3.没有libxml2! Q$ s- I+ f& h8 v% N# X3 k9 }
% Q$ C7 r, x/ y: t( `: o& [5 T; u, R3 L
configure: *** xml library not found.* O5 K, ~, n( _: b b' f" i
configure: error: libxml2 is required( w3 u! p9 K8 ^: } `/ c
解决方法:
* C- V- ?/ s5 K) s9 K6 g3 v5 C' {* r- W) y! m
yum install libxml2 libxml2-devel( r8 O# p3 ~: g* }7 ]( C. w$ u1 U
4.执行 /opt/tengine/sbin/nginx -m 时有警告# l- F5 g" j& @+ G
( l) D0 U7 g8 m& @7 o
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
5 v( F5 N6 A. \. i1 K* D3 Cnginx: [warn] ModSecurity: Loaded APR do not match with compiled!- E& J4 v. d) B1 u- }
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
' A2 Y% D, Y3 n1 {& X( M9 y$ c7 r$ Z# x1 o) e% N! J9 _
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.( t$ v3 n& ?9 y7 }3 r
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
# d9 E' o) l3 q0 L2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!2 m, @- u; U" \, G+ G) Q% ^
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
3 ]( r! `2 s& l9 i) A a2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"/ S; B8 L& `4 u# E: y( x% o
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.* k! @; Z6 }9 v# {4 T6 m
解决方法,移除低版本的APR (1.3.9)
4 E" p, u7 J0 E: W% j: \
" ]% j( I& r! M, Vyum remove apr
. F* v1 q1 Y; N5.Error.log中有: Audit log: Failed to lock global mutex9 k. b2 ?+ B" i0 z- c+ F; I
9 E' f- R b1 l/ ?" j3 R8 ?2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock % L m. y3 d7 u6 k
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]$ ?7 Q% ]+ M t# W/ R* K7 W
解决方法:
- I3 z) I3 m, |; |& b3 e# l9 v编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:& a9 K D+ Z0 Q7 t& V; N" W
& X- J. Y# b. K& |1 n
SecAuditLogDirMode 0777
2 t9 g! C# s3 T: E* kSecAuditLogFileMode 0550
4 H5 N" q$ I! O8 v) b+ LSecAuditLogStorageDir /var/log/modsecurity
. j) \) e7 t8 v/ Z# I3 ]* ZSecAuditLogType Concurrent" V' H4 M5 p7 ]& {$ c' S# x& c
参考文章:
* e1 o+ h2 a2 W( Q6 @4 bhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
8 p* l- z- o& b! N$ m$ n+ A) @http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡