ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
ModSecurity depends on pcre, httpd-devel, libxml2 and apr:
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module can be added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is designed to filter and block web attacks, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.
Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need: each rule file you want to enable is pulled in with an Include directive.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

In each virtual host where ModSecurity should be enabled, add the following two lines inside the location block:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

# the upstream name must match the host part of the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

With the XSS and SQL injection filters enabled, malformed requests get a 403 straight away. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.

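The three browser checks above can be scripted so they run after every rule change. The following is an added example and not code from the original post: it sends the same benign request, SQL injection probe and XSS probe to a base URL you supply (a host you operate) and compares the status codes with what the WAF should return. The base URL, the probe list and the injectable `fetch` parameter (which lets the verdict logic run without a network) are assumptions of this example.

```python
"""Smoke-test a ModSecurity-protected host with the three requests above.

Added example, not from the original post. PROBES mirrors the page's own test
section; the host is whatever you pass on the command line.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlencode

# (description, query parameters, expected status): the page's three requests
PROBES: List[Tuple[str, Dict[str, str], int]] = [
    ("benign request", {"id": "1"}, 200),
    ("SQL injection probe", {"id": "1 and 1=1"}, 403),
    ("XSS probe", {"search": "<script>alert('xss');</script>"}, 403),
]


def http_status(url: str, timeout: float = 5.0) -> int:
    """GET url and return the HTTP status code.

    urllib raises HTTPError for 4xx/5xx responses, so the 403 we expect from
    the WAF has to be unwrapped from the exception rather than treated as a
    failure of the probe itself."""
    req = urllib.request.Request(url, headers={"User-Agent": "modsec-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_probes(base_url: str,
               fetch: Callable[[str], int] = http_status) -> List[Tuple[str, int, int, bool]]:
    """Run every probe against base_url; return (description, expected, actual, passed)."""
    results = []
    for desc, params, expected in PROBES:
        # urlencode percent-encodes the spaces, quotes and angle brackets; a raw
        # URL containing spaces would be rejected by http.client before sending
        url = f"{base_url}?{urlencode(params)}"
        actual = fetch(url)
        results.append((desc, expected, actual, actual == expected))
    return results


def all_passed(results: List[Tuple[str, int, int, bool]]) -> bool:
    """True only if every probe got the status the WAF should have returned."""
    return all(passed for _, _, _, passed in results)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: modsec_smoke.py http://<your-host>/phpinfo.php")
    outcome = run_probes(sys.argv[1])
    for desc, expected, actual, passed in outcome:
        print(f"{'PASS' if passed else 'FAIL'}  {desc}: expected {expected}, got {actual}")
    sys.exit(0 if all_passed(outcome) else 1)
```

A non-zero exit code means either the WAF is not active for that location (the probes came back 200) or a legitimate request is being blocked (the benign request came back 403), which is exactly the pair of regressions to catch before a rule set change goes live.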
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log will also contain:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
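Once the WAF is running, the same error.log that surfaced the problems in items 4 and 5 is also where every block is recorded, and it pays to tell the two apart quickly. The script below is an added example, not code from the original post: it parses the bracketed [key "value"] fields that ModSecurity 2.x writes into nginx's error.log, classifies each line as a block, a DetectionOnly match, an engine error (such as the global mutex line above) or a startup notice, and counts blocks per rule id, client and URI. SAMPLE_LOG is constructed for this example; its rule ids, messages, file paths and unique_id values are illustrative and not taken from the page.

```python
"""Summarize ModSecurity events from an nginx error.log.

Added example, not from the original post. Works on the line format shown in
the troubleshooting section; SAMPLE_LOG below is constructed test input.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# nginx error.log prefix: "date time [level] pid#tid: [client ip] ModSecurity: ..."
_PREFIX = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: (?:\[client (?P<client>[^\]]+)\] )?"
    r"ModSecurity: (?P<body>.*)$"
)
# Bracketed fields such as [id "981242"] or [hostname ""]; values may contain \" escapes
_FIELD = re.compile(r'\[(?P<key>\w+) "(?P<value>(?:[^"\\]|\\.)*)"\]')
_DENIED = re.compile(r"Access denied with code (?P<code>\d+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one ModSecurity log line, or None for unrelated lines."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    body = event.pop("body")
    for f in _FIELD.finditer(body):
        event[f.group("key")] = f.group("value").replace('\\"', '"')
    denied = _DENIED.search(body)
    if denied:                                   # request rejected (SecRuleEngine On)
        event["kind"] = "blocked"
        event["status"] = denied.group("code")
    elif body.startswith("Warning."):            # rule matched, engine in DetectionOnly
        event["kind"] = "detected"
    elif body.startswith("Audit log:"):          # the WAF itself is misconfigured
        event["kind"] = "engine_error"
    else:                                        # startup notices, version info, etc.
        event["kind"] = "other"
    return event


def summarize(lines: List[str]) -> Dict[str, Counter]:
    """Count events by kind, and blocked requests by rule id, client and URI."""
    out = {"by_kind": Counter(), "by_rule": Counter(),
           "by_client": Counter(), "by_uri": Counter()}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        out["by_kind"][ev["kind"]] += 1
        if ev["kind"] == "blocked":
            out["by_rule"][ev.get("id", "?")] += 1
            out["by_client"][ev.get("client", "?")] += 1
            out["by_uri"][ev.get("uri", "?")] += 1
    return out


# Constructed sample: a startup line without the "ModSecurity:" prefix (skipped),
# one version notice, one engine error and three blocks. Ids, paths and
# unique_id values are illustrative.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "SAMPLE0001"]
2015/01/26 04:20:11 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "100"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "Matched Data: 1 and 1=1 found within ARGS:id"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "SAMPLE0002"]
2015/01/26 04:21:05 [error] 61610#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "200"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:search"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "SAMPLE0003"]
2015/01/26 04:22:30 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "100"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/index.php"] [unique_id "SAMPLE0004"]
"""

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for name, counter in stats.items():
        print(name, dict(counter))
```

Run it against a real file with `summarize(open("/opt/tengine/logs/error.log").read().splitlines())`. A non-zero engine_error count after a restart means the audit log or mutex permissions are still wrong, while a rule id that dominates by_rule on a single URI is the usual sign of a false positive worth tuning before the rule set is extended.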
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614