|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
& p- x" ]7 [' {8 @/ g
K ? w/ V, J* |' c一.准备工作
+ {7 ^( b2 h+ O3 Z; [# a
" T% j5 V3 ^4 C+ v9 N系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
/ ]3 H- Z3 }0 h3 n- H- P; k+ @0 p
( I' t3 X! k3 f. N, z9 btengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
9 \- u$ A& o* S E, \: `/ T% B) g [6 V# c4 P4 R6 H. L
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
+ m8 d! X. r- t$ {9 C: g
- {. t$ _4 f7 C; y0 D' JOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
2 T) }/ O+ x4 F) g( |1 U# u6 C) O9 ~" M. U
依赖关系:
0 k( C* Y; h- b+ ]1 `) Z9 O+ J$ ytengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
4 t6 o& w5 O" g4 }3 w$ q& d$ Y, f; V; c3 G
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel- U( F7 S& t& D. ?
modsecurty依赖的包:pcre httpd-devel libxml2 apr$ L$ _/ J8 K$ E$ |
! @/ ?+ G+ o& I( ]! Y! S* N# i
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
; Q2 c: C% d& R3 h9 S) ]& A二.启用standalone模块并编译
9 l+ U* A' H) Y. B; Q+ h# H$ B
% v0 c h) W/ b* J下载modsecurity for nginx 解压,进入解压后目录执行:% \9 ~' [1 ^+ M
3 H# b# l! Q! }: L./autogen.sh
( ~( B/ `6 r7 w9 S./configure --enable-standalone-module --disable-mlogc
. |$ U. v( \6 [/ N6 c) u7 T) qmake
) b& c* ~; `9 v% K7 N# g三.nginx添加modsecurity模块
& j: Q2 o2 k# q9 L% E( I$ e0 R D9 e1 u. I2 `: T5 s8 l
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:" w' v1 N7 [1 S& k
" |- g+ V( C \& \4 t3 f6 R
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine$ W2 T: W" h x0 w9 k) E
make && make install
1 e1 {* Z1 g! s T7 r0 M- M四.添加规则
( a$ ]4 N6 f. c' ?. U8 N
1 o6 v6 a- S7 N4 N; u# }modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
% g0 u9 T+ l1 G( x) l1 m
5 [7 H( d# A$ D" @/ {/ u6 p8 I/ Q1.下载OWASP规则:
; _* I& r" Z$ Q2 j2 ^3 y7 D( X
. Y; Q2 w2 g( H) Bgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs6 F/ a* M! z) E! N; F
+ C9 k1 H5 |9 e' r! p) b7 q ~
mv owasp-modsecurity-crs /opt/tengine/conf/
+ G& R, y. ]% a# Z: ~! @9 Y
: E* v: b* z% _& a* L4 Tcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
! x% x% Z; [% }7 J( f& i2.启用OWASP规则:
4 _" P* h, l0 Q. N, @( p2 [
+ o* s; J+ x d7 o# q1 ^7 J, _: ]复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
5 i) f; R& X+ |( @7 M; R- b# }+ i4 X% |
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
$ t9 D `( A% c& H h1 @0 |# g. N1 D0 [
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。5 k* a' q% U _
/ ]+ L. }* E- H% b, OInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
5 r8 |' ~+ Z3 z8 xInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
6 ^' |. j. O7 t& T) {; cInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
% f; P" K$ I) n0 l8 y) ?Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf+ q/ r5 o7 S0 B0 G
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
2 W8 C1 A: \, L# JInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
. `/ c5 A0 ~0 d. E* r5 ZInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
. S2 y) N# y* `; E; ^' W. v. ?五.配置nginx
, A" o# {- C4 @5 a/ c0 T
m2 s, @0 V) l6 x在需要启用modsecurity的主机的location下面加入下面两行即可:% Q8 D5 ~1 R& Q; B( {
1 X3 G, l( b# p; sModSecurityEnabled on; + e- Q6 s* p5 z2 }# X
ModSecurityConfig modsecurity.conf;
! x9 ~1 \8 g1 \0 H7 c# k下面是两个示例配置,php虚拟主机:
, S6 C. j% x# V/ f+ m7 d; ?1 J/ Z/ x) V
server {% T, J- h" F6 Z2 Z* j" t
listen 80;2 H! n6 U9 Y7 o7 ?7 }
server_name 52os.net www.52os.net;
0 `: c8 x7 H6 O: w9 i
; v$ W. E9 B5 s" c# A( } K/ q location ~ \.php$ {- N5 V. v" r `4 L- N
ModSecurityEnabled on;
) N" o& @" \' S3 \ ModSecurityConfig modsecurity.conf;1 u0 ?& N& m; n! n; Y
1 l6 V0 n0 q- Q root /web/wordpress;6 ?! e ]2 T5 W! `$ W M, Q8 s$ l
index index.php index.html index.htm;
& R$ k, G( `0 d/ _7 S
( \" R- |" P3 q* F0 ^ fastcgi_pass 127.0.0.1:9000; ^6 l! w: G. y; q1 l/ |
fastcgi_index index.php;/ _% N% h4 L7 o' w, a
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
$ D" r$ v: N) h. D( S6 z5 T! s. f! n include fastcgi_params;
6 `7 K+ `- R9 n! S h$ K- h }9 `( [0 p5 _) K0 A5 g
}
1 E0 r: Q3 _5 F& ?" kupstream负载均衡:
+ h* p+ M' p( n/ ~0 G# f% L, p3 ? W& l+ m$ x2 }
upstream 52os.net {
: B8 i$ G; o1 {6 o server 192.168.1.100:8080;0 \( Z5 ]1 }8 W1 ^" f
server 192.168.1.101:8080 backup;
* K, n6 k# n- T/ U/ {; j}
) N3 z4 i1 m. t/ \: z6 v% {
0 J, ~! R! J' g) z7 E/ B! qserver {8 K' N" \; q. Q# o1 }
listen 80;
; U; l$ T4 _# ~server_name 52os.net www.52os.net;
7 {# Q$ H- o5 f7 d* ?1 ~& x8 U1 B% q' w6 w9 y6 u; |
location / {% \% E3 k, E. `3 f3 K- ?
ModSecurityEnabled on; % j9 g- h9 a2 t0 y: S) t4 A
ModSecurityConfig modsecurity.conf; # E& q; w: f2 ?: D
. s$ L5 a& C# @0 ~6 f7 \( p2 S
proxy_pass http://online;
# a5 H X4 B" p( W9 ^5 i9 X, G proxy_redirect off;
$ X) E" `% c5 X6 b* c proxy_set_header Host $host;+ S, y- Y. m4 m0 i. o4 Z1 W
proxy_set_header X-Real-IP $remote_addr;6 ~* o& H" Z5 \- P) N! Z
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;9 K# V. P1 F& |) x+ T
}" ]6 }" m6 M5 n" P
}8 H3 p' u( T, {6 k* e# G! m
六.测试. v' Y& B! l% y- v2 _
- Z- z; w; `$ M4 b2 u8 v2 ?) v
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:) c& X! z/ R# s o% s' ^, k" ]
9 o% d2 M, E6 L3 B6 p<?php5 Y; g, H4 F% X4 e2 B, q0 ~# ]# ]
phpinfo(); * K* L' \: y1 H
?>
0 _2 C$ X' n* I J+ k- J在浏览器中访问:
3 [1 `, F! }6 ~1 ?
" R) o8 I9 N1 a$ s9 N- i. y+ `http://www.52os.net/phpinfo.php?id=1 正常显示。
/ Y) J" y; a# V9 ]9 a$ {http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
* T5 N/ e* k r% S; i1 {/ vhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。1 A$ l/ c* v3 k* Y. g! b; V
说明sql注入和xss已经被过滤了
0 @: K; O) V2 J( e0 @" Z- Q+ U& `$ P( Q2 u
七、安装过程中排错6 v0 ^) R, P( G9 d8 `
0 {3 d P O1 y/ x @1.缺少APXS会报错8 ]* ]1 w( S* U2 _) @) ?
3 t/ e, _! [8 Zconfigure: looking for Apache module support via DSO through APXS
" U2 B+ o1 \! g C6 q" Uconfigure: error: couldn't find APXS0 N5 N* k2 Q; F8 ^; H
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
# t9 x# M4 a0 G9 }5 h解决方法:1 \, b1 y9 P7 l
1 k# T. N* L h7 i* u/ A8 q
yum install httpd-devel& ]1 A: ~# j/ s/ t
2.没有pcre
3 x0 {/ e) u. H0 l T
2 N, Q) [* T; xconfigure: *** pcre library not found.
5 [' h5 _% h$ j& Pconfigure: error: pcre library is required
" w N$ U- I' `. e8 C7 O7 q# d" d解决方法:0 C" w8 Y J! ~! [$ ?3 O
7 V4 W0 m5 l5 d, _( [yum install pcre pcre-devel) X6 r# ?; k- n3 j# t7 K
3.没有libxml2+ G3 X) [' D/ F' B0 B1 M8 D0 d
! ^, B) w, v G+ C! G: y3 w
: M# T' F7 i/ ?8 W( N4 o9 m$ J
configure: *** xml library not found.+ s8 d. O8 {! R: s& k
configure: error: libxml2 is required
! n& h6 y2 r) K" R4 p. N解决方法:
2 g, ~ W% k: T! W& O. _3 M1 r! P* ^4 {
yum install libxml2 libxml2-devel- o# E. l+ W! p1 L/ F s# v
4.执行 /opt/tengine/sbin/nginx -m 时有警告
" e, u8 G9 i: N/ [6 [; i. H9 |7 f; D0 c# S4 C9 L7 L1 b
Tengine version: Tengine/2.1.0 (nginx/1.6.2)& j2 e! p" ^( T9 B. L% L. _
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!$ @) _; s# f- u
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
% e) @1 R" n+ F& z( A# D) Z# v' g! w. K# N7 m7 h: d
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
3 |$ X$ f( A: [% k$ w7 B2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
( u p0 ?# H8 {0 j2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
' {/ L& g4 L; n9 C( F% m' J0 J5 I- ]2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
& T7 d$ P1 a4 e6 G9 b* n( Q9 f3 J2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
, Z. @7 {8 X. I, U- i: L! r: Q m2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.5 i5 L r$ I+ w& |+ ~7 m% a
解决方法,移除低版本的APR (1.3.9)4 ~/ j0 l$ I' N) S6 n4 ?- ~% G) n$ l
: V4 X6 g- B7 j8 d8 {
yum remove apr1 n; @9 ]; g# |/ S! ]
5.Error.log中有: Audit log: Failed to lock global mutex
# D7 z* C* }3 U. H( ^3 M2 O( o, W! {
+ A8 ?- R, g( t/ Z' I2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
2 Q+ g1 |3 I4 B+ \" Xglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
3 L& i5 @) B4 q& p1 x. I解决方法:( O2 Y# N6 ]% o9 J' J( K
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
9 v' D) K! x4 H; O6 i7 t9 _/ n. N$ _4 n$ R; S/ F' B9 i/ i V
SecAuditLogDirMode 0777- n1 B8 r' }5 ^8 y" M5 ^. p3 H+ D
SecAuditLogFileMode 0550! l# r% p/ w! `" n' T
SecAuditLogStorageDir /var/log/modsecurity
' P3 I$ M5 e! L7 \5 P' f2 {7 P: zSecAuditLogType Concurrent
4 c' \8 |5 I" R& }参考文章:
0 \" q; e3 c5 i3 W2 k* \/ Ehttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
0 e8 X- p7 B5 ]! j- K! _http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡