ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application; it now supports nginx and IIS as well. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added when nginx is compiled via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine/
make && make install
IV. Add rules

ModSecurity exists to filter and block web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling the corresponding files in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines in the location block of each host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    # ModSecurity is switched on per location; these two lines enable it for PHP requests
    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are lowercase: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Second, an upstream load-balancing setup:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered with a 403 straight away. Using the PHP environment as an example, create phpinfo.php with the content:

<?php
phpinfo();
?>

Then visit in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS gives an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime, and error.log also contains the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
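As an added example, not part of the original post: a small Python parser for the error.log entries shown in sections VI and VII. It flags the compiled/loaded library mismatch from item 4 (ignoring the harmless build-date suffix PCRE reports), separates audit-log write failures (item 5) from real denials, and extracts client, URI and the rule that fired for each blocked request like the "id=1 and 1=1" test. The sample log is constructed from the entries above; the rule id and message in the blocked-request line are illustrative, not taken from the page.

```python
import re
# Constructed sample of a Tengine error.log after this setup (not from a live host):
# startup notices from item 4, the audit-log error from item 5, one blocked request (illustrative rule).
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "1 and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "EXAMPLE0000000000000001"]
"""
PREFIX = re.compile(r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] \d+#\d+: (.*)$')
CLIENT = re.compile(r'\[client (\S+)\]')            # unquoted, unlike the other context fields
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')          # ModSecurity's [key "value"] context
VERSION = re.compile(r'(APR|PCRE|LIBXML) compiled version="([^"]*)"(?:; loaded version="([^"]*)")?')
DENIED = re.compile(r'Access denied with code (\d{3})')

def parse_line(line):
    """Split one error.log line into ts/level/body plus its bracketed context, or None."""
    m = PREFIX.match(line.rstrip())
    if not m:
        return None
    rec = {"ts": m.group(1), "level": m.group(2), "body": m.group(3)}
    client = CLIENT.search(rec["body"])
    if client:
        rec["client"] = client.group(1)
    rec.update(FIELD.findall(rec["body"]))
    return rec

def library_mismatches(lines):
    """(lib, compiled, loaded) for each library whose runtime version differs from the build one.
    Only the leading version token is compared, so PCRE's trailing build date is not a mismatch."""
    first = lambda s: (s.split() or [""])[0]
    found = []
    for line in lines:
        v = VERSION.search(line)
        if v and v.group(3) is not None and first(v.group(2)) != first(v.group(3)):
            found.append((v.group(1), first(v.group(2)), first(v.group(3))))
    return found

def blocked_requests(lines):
    """Requests ModSecurity denied, with client, URI and the rule that fired."""
    events = []
    for rec in filter(None, map(parse_line, lines)):
        d = DENIED.search(rec["body"]) if rec["level"] == "error" else None
        if d:
            events.append({"ts": rec["ts"], "client": rec.get("client"), "code": int(d.group(1)),
                           "uri": rec.get("uri"), "rule_id": rec.get("id"), "msg": rec.get("msg")})
    return events

def audit_log_failures(lines):
    """Error lines where ModSecurity could not write its audit log (item 5); these are not denials."""
    return [r for r in filter(None, map(parse_line, lines)) if "Audit log:" in r["body"]]
```

Run it over a real error.log with `blocked_requests(open(path).read().splitlines())`; a non-empty result from library_mismatches after the build is the same condition that produces the `-m` warning in item 4.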
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614