ModSecurity started out as an open-source WAF for Apache that substantially hardens web applications; it now also supports nginx and IIS. Combined with the flexibility and performance of nginx it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre httpd-devel libxml2 apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module is added to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover any requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling the corresponding files in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
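A missing Include file or a SecRuleEngine left at DetectionOnly are the two mistakes that most often turn this step into a WAF that silently does nothing or an nginx that refuses to start. The following pre-flight checker is an added example, not code from the article or from the ModSecurity project. It assumes that a relative Include path is resolved against the directory of the file that contains it (which matches the layout above, where modsecurity.conf and owasp-modsecurity-crs both live in the nginx conf directory) and, going beyond the literal paths in the text, also expands shell-style wildcards in Include values. The sample configuration tree it builds is constructed for the demonstration.

```python
"""Pre-flight check for a ModSecurity 2.x configuration file.

Walks SecRuleEngine and Include directives, resolves every Include
(relative paths against the including file's directory, wildcards
expanded) and reports anything that would stop nginx from starting or
leave the engine in a non-blocking mode.
"""
import glob
import os
import re
import tempfile

DIRECTIVE_RE = re.compile(r'^\s*(SecRuleEngine|Include)\s+(\S+)', re.IGNORECASE)


def check_modsecurity_conf(conf_path):
    """Return the engine mode plus the resolved and the missing Include targets."""
    result = {"engine": None, "includes": [], "missing": []}
    _walk(conf_path, result, seen=set())
    return result


def _walk(conf_path, result, seen):
    conf_path = os.path.abspath(conf_path)
    if conf_path in seen:            # guard against Include loops
        return
    seen.add(conf_path)
    base_dir = os.path.dirname(conf_path)
    with open(conf_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = DIRECTIVE_RE.match(line)
            if not m:
                continue
            name, value = m.group(1).lower(), m.group(2).strip('"')
            if name == "secruleengine":
                result["engine"] = value   # last occurrence wins, as in ModSecurity
                continue
            pattern = value if os.path.isabs(value) else os.path.join(base_dir, value)
            matches = sorted(glob.glob(pattern))   # assumption: wildcards allowed
            if not matches:
                result["missing"].append(value)
                continue
            for inc in matches:
                result["includes"].append(inc)
                _walk(inc, result, seen)


def problems(result):
    """Turn a check result into human-readable findings (empty list = all good)."""
    issues = []
    if (result["engine"] or "").lower() != "on":
        issues.append("SecRuleEngine is %r, not On: rules will log but not block" % result["engine"])
    for miss in result["missing"]:
        issues.append("Include not found: %s" % miss)
    return issues


def build_demo_tree():
    """Constructed sample: a conf dir mirroring the article's layout, with one
    deliberate mistake (engine in DetectionOnly) and one missing rule file."""
    root = tempfile.mkdtemp(prefix="modsec-demo-")
    crs = os.path.join(root, "owasp-modsecurity-crs")
    os.makedirs(os.path.join(crs, "base_rules"))
    with open(os.path.join(crs, "modsecurity_crs_10_setup.conf"), "w") as fh:
        fh.write('SecDefaultAction "phase:1,deny,log"\n')
    with open(os.path.join(crs, "base_rules", "modsecurity_crs_41_sql_injection_attacks.conf"), "w") as fh:
        fh.write("# sample rule file\n")
    with open(os.path.join(root, "modsecurity.conf"), "w") as fh:
        fh.write(
            "SecRuleEngine DetectionOnly\n"
            "Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf\n"
            "Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf\n"
            "Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf\n"
        )
    return os.path.join(root, "modsecurity.conf")


if __name__ == "__main__":
    conf = build_demo_tree()
    for issue in problems(check_modsecurity_conf(conf)):
        print(issue)
```

Run it against /opt/tengine/conf/modsecurity.conf before reloading nginx; an empty finding list means every Include resolves and the engine is in blocking mode.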
V. Configure nginx

Add the following two lines to the location block of each virtual host that should have ModSecurity enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so malformed requests now get a 403 straight away. Using the PHP setup as an example, create a phpinfo.php with the content:

<?php
    phpinfo();
?>

Open in a browser:

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
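The three browser checks above are the kind of test that should be repeated after every rule or nginx change, so here they are as a repeatable smoke test. This is an added example, not code from the article; the hostname, the User-Agent string and the probe list are assumptions taken from the text and should be adjusted to your own virtual host. Only the HTTP status is compared, so the check keeps working when the rule set changes its messages, and the fetch function can be swapped for a stub when you want to exercise the runner without a live server.

```python
"""Smoke test for the ModSecurity deployment described in the article:
each probe URL is fetched and the HTTP status compared with what the WAF
is expected to do (serve the benign request, block the two attack-shaped
ones with 403).
"""
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the virtual host configured above. Replace with your own.
BASE_URL = "http://www.52os.net"

# (path, query parameters, expected status) - the three requests from the text.
PROBES = [
    ("/phpinfo.php", {"id": "1"}, 200),
    ("/phpinfo.php", {"id": "1 and 1=1"}, 403),
    ("/phpinfo.php", {"search": "<script>alert('xss');</script>"}, 403),
]


def http_status(url, timeout=5):
    """GET the url and return the HTTP status; a 4xx/5xx is a result, not an error."""
    req = urllib.request.Request(url, headers={"User-Agent": "modsec-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def build_url(base, path, params):
    # urlencode percent-encodes the payload exactly as a browser would;
    # ModSecurity decodes it again before the rules see it.
    return base + path + "?" + urllib.parse.urlencode(params)


def run_probes(probes, base=BASE_URL, fetch=http_status):
    """Return (url, expected, actual, passed) for every probe."""
    results = []
    for path, params, expected in probes:
        url = build_url(base, path, params)
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


def all_passed(results):
    return all(passed for _, _, _, passed in results)


if __name__ == "__main__":
    for url, expected, actual, passed in run_probes(PROBES):
        print("PASS" if passed else "FAIL", actual, "(expected %d)" % expected, url)
```

A FAIL on the first probe means the rules are blocking legitimate traffic (check the audit log for the rule id); a FAIL on the other two usually means SecRuleEngine is still DetectionOnly or the corresponding Include is missing.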
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log will also contain the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
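Both of the runtime problems in items 4 and 5 announce themselves only in error.log, and the APR notice in particular is easy to miss among the start-up lines. The scanner below is an added example, not code from the article or the ModSecurity project: it reads an error.log, compares the compiled and loaded APR versions from the start-up notice, and picks out the audit-log mutex failure together with its reason. The sample log is constructed from the lines quoted above; the remediation strings it attaches are the fixes from the text. Note that the audit-log fix above makes the storage directory world-writable (0777); a directory owned by the nginx worker user with a tighter mode satisfies the same lock requirement, so the finding's hint is phrased in those terms.

```python
"""Scan an nginx error.log for the two ModSecurity runtime problems covered
in the troubleshooting section: an APR compiled/loaded version mismatch and
the audit log 'Failed to lock global mutex' error.
"""
import re

APR_RE = re.compile(r'ModSecurity: APR compiled version="([^"]+)"; loaded version="([^"]+)"')
MUTEX_RE = re.compile(r'ModSecurity: Audit log: Failed to lock global mutex: ([^\[]+?)\s*\[')

# Constructed sample: the error.log lines quoted in the article, joined into one log.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""


def scan_error_log(text):
    """Return one finding dict per problem line: kind, line number, details and fix."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = APR_RE.search(line)
        if m:
            compiled, loaded = m.groups()
            if compiled != loaded:      # identical versions are the healthy case
                findings.append({
                    "line": lineno, "kind": "apr_mismatch",
                    "compiled": compiled, "loaded": loaded,
                    "fix": "remove the stray APR %s (yum remove apr) or rebuild "
                           "ModSecurity against the APR that is actually loaded" % loaded,
                })
            continue
        m = MUTEX_RE.search(line)
        if m:
            findings.append({
                "line": lineno, "kind": "audit_mutex",
                "reason": m.group(1).strip(),
                "fix": "use SecAuditLogType Concurrent with a SecAuditLogStorageDir "
                       "that the nginx worker user can write (ownership beats 0777)",
            })
    return findings


def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_error_log(fh.read())


if __name__ == "__main__":
    for f in scan_error_log(SAMPLE_LOG):
        print("line %d: %s -> %s" % (f["line"], f["kind"], f["fix"]))
```

Point scan_file at /opt/tengine/logs/error.log after a restart; the PCRE and LIBXML notices are deliberately ignored because their version strings legitimately differ in formatting (see the "7.8 " versus "7.8 2008-09-05" line above).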
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614