|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
3 j% \, I' `3 ?3 |; @6 K( w' U' C
# O I7 \+ u* J4 {6 Y7 K9 Q1 \# q8 o一.准备工作7 X7 I9 U2 p7 m# _
, f3 C$ Q* f( z G4 U* p n系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
# U B3 x+ W3 n; n! d: B
. C/ k2 o6 c& Y; utengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz& f$ o6 M9 W5 O5 v6 N0 s# S
4 a$ B% n1 F' A. H4 A$ f9 Nmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz5 i0 I9 b3 }1 w! n+ M& v& k( c
. t; Y/ m. O( Y6 vOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
$ u& B5 V+ X. r. F7 Y7 T) x
8 R7 k9 m7 Q6 v/ X7 K" Y依赖关系:' O2 U1 ]7 x$ w0 ?8 Q: j( Y
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:+ M# @: ^$ O1 T4 c7 \
8 w ?4 u o: v& W3 O8 k/ o* byum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
9 h0 G% n2 H; b6 z) b! hmodsecurty依赖的包:pcre httpd-devel libxml2 apr
! c% B# M8 a9 `6 }
/ F0 o7 P( P' w4 n; Ryum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
# X( _: T0 T5 ~8 @# g( q& f二.启用standalone模块并编译
; h% F. h9 H7 l% @* J' q( A6 t
" F; u$ p+ b7 ` c( L- B9 _2 E下载modsecurity for nginx 解压,进入解压后目录执行:- m6 L, m7 I* z9 v, M9 y Y. d
7 T- A( K6 ~+ Q) N/ c/ M/ h
./autogen.sh
& r7 \0 v9 P+ \2 x4 u9 v; m; Q./configure --enable-standalone-module --disable-mlogc
/ Q- g- L$ O, R* c0 tmake , [+ B" @1 O2 J
三.nginx添加modsecurity模块" _+ f0 m' y' k2 L0 d- H) @
* F2 B2 T/ _4 R+ @& R
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
5 k5 }: w9 y( S8 R# R( R3 W8 u N, S% G
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
8 Z" p/ D8 d$ |; Q6 L( u$ tmake && make install$ R! n4 q) s, f0 f* _7 j
四.添加规则
) n- q5 ?$ D' X# [6 m' m9 l1 D& S1 z+ K7 U+ B: R% Z4 O, w8 e
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
! Q+ C8 X/ `, w% I7 B' b( x% l+ F# @6 M
1.下载OWASP规则:3 o4 [# S y1 s' o6 {# Q
7 s# B' s5 L' E& @; _4 b
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
' ]+ w+ [( j) n9 W* ~5 d# u5 ~
% {5 w/ @, D) d4 n$ Nmv owasp-modsecurity-crs /opt/tengine/conf/
! [! [, P$ G, R/ s
5 x% Q6 @) [" z3 d) h5 D0 Xcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf# q& k* M* ^' N! `! V
2.启用OWASP规则:9 v H7 J g' k. Z+ m2 n U
( H) ~( t; l1 e% E! w( M% S7 {
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
1 M7 o$ C u, ]) X9 R6 W$ F* F$ J1 l2 }# P; t+ ~; E) F! G
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
8 B, Y5 |( @7 H, R( f- x" ?5 j6 m2 ]8 n' B
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。8 H; Q) ]% M2 }* T0 F' K. d# w
6 F. z( x) Y- u3 s/ o3 z; ]) c0 bInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
: l$ q( [; S& Z7 ]$ o$ `Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
; \) F. [/ r6 j6 SInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
; f% @, q: i6 ^9 @5 x5 u, D! EInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
* ?+ D8 N+ l0 p5 C1 I$ RInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf* i: ~) Q: Y: H
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
( `1 r1 o$ {/ @* KInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
, x, @2 H" Z% J& T, D$ P五.配置nginx
/ j+ J! R5 _. D* ~$ S$ u3 D+ v
' }9 m4 P, t; O" r在需要启用modsecurity的主机的location下面加入下面两行即可:
8 q. p+ i/ r2 l* ^& B, X' u* n/ Z0 j, z0 O0 }- E* i1 \
ModSecurityEnabled on;
6 ]+ d, y: U& d" n7 X, N5 yModSecurityConfig modsecurity.conf;
+ d2 z- Q# s/ }; I' D下面是两个示例配置,php虚拟主机:
/ M' s& S5 C K) Y/ I2 m! q0 U' [6 b
server {# f% j7 \$ A, g
listen 80;
( J8 L* z; F5 g4 J2 Q- p server_name 52os.net www.52os.net;
/ r+ f( B! n1 \9 _; O; M9 c3 O: c 8 Z! N. Z* K% v
location ~ \.php$ {
+ A1 ]7 n! T0 G, e& Y, Z# O1 A ModSecurityEnabled on; L! v, I% }" c- x6 @: n/ t, F
ModSecurityConfig modsecurity.conf;
a& c1 i- g) e2 F+ H) P; ^0 T0 Y, } t- J2 G( S
root /web/wordpress;
0 k; b/ y/ |& C index index.php index.html index.htm;5 o$ O0 c5 ^" L, e8 t
4 B# y$ V" o; v, z
fastcgi_pass 127.0.0.1:9000;
3 x; K' [: K0 F8 { fastcgi_index index.php;
$ q8 P, v0 H' P+ ~ fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;% S9 p( x1 G6 K8 f
include fastcgi_params;
0 \/ _( a2 s3 m9 i7 } }
9 _7 I. s/ Q) |" X0 B+ R N, k9 ? }
+ p' V' ?* ?" u5 @8 j/ Kupstream负载均衡:
! I4 Z4 A' M3 y0 u3 e5 ~' `/ ]8 @3 _: u( r% k. I: v
upstream 52os.net {+ N) E* y( z" T) I+ l" m
server 192.168.1.100:8080;, l+ L( G6 R3 k- S
server 192.168.1.101:8080 backup;
( X( u% o7 @. \}/ }, I9 u1 Z7 J* l6 d
) d7 S( s U; Q( N" Vserver {, _. ^( y: u& o, F
listen 80; n5 X0 ^9 E6 G% Y7 [/ J
server_name 52os.net www.52os.net;
( O0 P6 ] n& t6 M5 G. ~6 y
8 O# `0 y: i8 I8 d7 Rlocation / {* X/ T( j% v# B
ModSecurityEnabled on; . R2 k: P2 L) m$ V; `% s2 M- A8 h
ModSecurityConfig modsecurity.conf; . O1 o% U T* X/ {+ R; X
' R- m6 c2 h7 l& V5 B1 ^6 o6 ~& q proxy_pass http://online;
( {7 D @" K& t( C/ b3 ]) r7 a proxy_redirect off;
! v5 |7 D" N5 I8 F proxy_set_header Host $host;
) `: ]4 z' ~* u8 U: k, ^2 x8 c proxy_set_header X-Real-IP $remote_addr;5 U8 o- O r7 \7 |9 p5 N3 N
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' L7 O' c' k7 W/ b) r
}
1 {' s5 C4 U5 S) @- w, N8 M$ D}
; ~& ^6 F, M A1 m六.测试
( r4 J! N9 ~- x2 ^: y
7 y' z# A4 r1 f我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
3 O. p7 p+ O3 c- h% y- X6 D6 u" K
<?php
! F5 v6 o9 d* D E, y phpinfo(); . _4 I/ N, B- y2 T' i
?>! R) T, b/ v; m* g4 T
在浏览器中访问:. L2 ?) K; V) `9 U! K: }+ B4 E9 O
8 i+ A: u& N' g+ X! w* K5 J5 ahttp://www.52os.net/phpinfo.php?id=1 正常显示。
! S: Z; a4 h* z% b: y, Lhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
( i: c1 I8 E3 }. h9 _# m/ \2 t: ^http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
% J- Y* S4 \+ {说明sql注入和xss已经被过滤了/ o+ f& t* ~& S) P
" v2 x2 w; f' \" N8 y7 h: M
七、安装过程中排错( e2 z Z n6 g, E
/ U9 c9 I) ?, e) w# u2 n* a* y1.缺少APXS会报错) R4 ^. @ Z9 [+ g/ M* `
# y9 j2 K$ c8 b
configure: looking for Apache module support via DSO through APXS7 s3 N4 E; R- j3 b
configure: error: couldn't find APXS
# {% o# Z* @3 {6 ]' Y2 T# S3 a& D6 Wapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。% o: p$ s3 h7 l( D
解决方法:
* S7 v7 v4 u% p7 a
( r6 {5 x$ f9 L1 ^' A7 Ryum install httpd-devel
4 z; k& u9 W& ]) k, @$ D2.没有pcre, h, W7 Y- z! E# C- u
! g1 a3 |3 r( O l/ m2 jconfigure: *** pcre library not found.
. V6 ?/ V! x4 K8 D: e$ G, Qconfigure: error: pcre library is required; x8 M( o6 A& k1 G0 x
解决方法:1 d7 a+ |/ @; S; D) ~5 S/ R2 W& p0 t4 o
4 m) r6 g1 l, _8 a4 P1 O' ryum install pcre pcre-devel
- u" \' @" b6 Z; i9 }; I3.没有libxml2
' d$ F) ?; r1 n# L" n& J% `' q7 D8 t6 o
* i6 N7 ]; p8 J* ~configure: *** xml library not found., t; L% b6 G8 u+ K
configure: error: libxml2 is required/ Y$ U% d' f# \! s9 e6 O4 Y
解决方法:
2 |7 H# D2 N" m2 s. ?$ f# Y+ B
) \# G- w; |( P" y. F1 Gyum install libxml2 libxml2-devel
( Q& F9 v f- v7 S; U4.执行 /opt/tengine/sbin/nginx -m 时有警告9 C( m& Y7 J: N) `1 b+ o
4 F7 Y! }, O2 A) F9 \ d" Z9 ^Tengine version: Tengine/2.1.0 (nginx/1.6.2)% ] y5 j- N- C$ [( Z
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
; P' ~4 ?7 K; ~* Y原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log7 R2 b; O. C4 b9 n
+ D' l4 U& t4 p
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.4 u5 Q7 [# ~1 z
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"7 L# C( j1 D9 ]& N/ Y! {3 D
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!+ X$ A* }4 E2 E5 ]5 C; O
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
- w f$ M+ J$ o# ~- l0 O5 U2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"4 l# y/ _& M3 v$ G1 W- {
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
( Z5 @5 B: d& s( g5 r+ N* ~解决方法,移除低版本的APR (1.3.9)+ d: [2 C5 I, J) b5 M
5 I8 {( [$ Q$ { V+ h5 E
yum remove apr1 k7 ` k5 L: ?' G0 n
5.Error.log中有: Audit log: Failed to lock global mutex N) t6 m1 u7 B+ A9 \8 A
; y7 Q" i$ F% c2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
0 s u5 \2 h7 H. s# nglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]# s4 e( Z( Z4 [( z; N: u
解决方法:
2 S( J* u4 W/ C' u7 ?0 D编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:# [: z k$ A- F/ w! _
& ^/ X+ G0 ~; h4 z0 O, U. V0 W
SecAuditLogDirMode 0777
0 c- ^3 u. }* g! S0 F/ ~SecAuditLogFileMode 0550
, ~$ v1 t' ?- X" U! @9 ASecAuditLogStorageDir /var/log/modsecurity* Z1 e2 B8 P* X0 T3 x/ v v
SecAuditLogType Concurrent
' n# G8 P9 C `3 Q参考文章:: ?; T) b. d8 K+ w' d5 O: O% q+ d
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX* Z6 s8 T ?% \1 j; `9 }% K
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡