|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
- ^& I; m9 l" V: v5 x# W! m
' F1 E+ @2 f5 O# K u2 _一.准备工作
" Z3 e$ C) g: E* u6 u: w( u. R+ R! n% p7 s9 z
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0/ \2 O# z. _9 J5 Z6 f) h
" \+ y3 I$ G7 Z$ l# J
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
5 r3 X3 N; E l" n6 @# {3 C0 w& ^
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz1 e4 S4 X# L! M# U+ U4 g0 w
3 d# E5 O) s( R
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs+ Y# t/ b/ c d
+ c% _) M9 L1 l3 Q
依赖关系:+ O4 `" r+ j* @+ D2 L; B
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:: Z& f7 S1 D( H8 ^. e8 P
. G8 h* Z' ^* m8 Kyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
4 |' h! E/ J0 v; M; d6 W# W. t& Tmodsecurty依赖的包:pcre httpd-devel libxml2 apr
: W# S D1 r4 R" o Q
5 l7 `* Y" h# n9 w [6 ?/ R: n* }) vyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel$ H& E: g* @( O! T% b
二.启用standalone模块并编译0 z1 ]/ E! A! V: i2 W" \
7 R. f/ T9 A8 {& Z8 m( Z
下载modsecurity for nginx 解压,进入解压后目录执行:
; J d3 m/ N* v; r5 W6 l/ P9 A. E1 [$ `; G0 H: y) H/ n+ [3 P
./autogen.sh
8 I# R. z# k5 B V) \./configure --enable-standalone-module --disable-mlogc1 {9 I7 e8 M% s; H6 i4 T/ Q
make 1 {" X# Z5 _4 j3 h4 J8 q
三.nginx添加modsecurity模块- P- ^3 n4 y& y) v
7 P4 `$ \. H$ @- o6 i5 @2 F* h在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:! I- z& G- z" D/ ]# E
0 m, m. k5 V2 H% g/ d' v( L
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
- Q* W( h' A$ B( e! l8 amake && make install& c7 c/ H0 ^ J4 Q0 p# O
四.添加规则5 s8 x9 h7 i. f( N
4 ^4 J% P0 P/ I! N# O, Bmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。9 h2 U- f' p: a
p7 {" F" F% E) f& q. Q: T9 n
1.下载OWASP规则:2 c9 B' x, V3 K$ @' M
. {4 O( A& f9 v4 r
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
: A9 H$ @; F3 t9 r, R" U9 ^( K% @2 j; B- O: @ |
mv owasp-modsecurity-crs /opt/tengine/conf/
) W1 S# i# f; |. ^# U! V/ ?( c) ?
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
- m+ C) U- }6 T; S4 ]1 C! m2.启用OWASP规则:: S" ?0 F: S: P+ H, J0 u) r
4 o }: w) g9 G8 h% a4 w$ J; k6 y
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。* U7 W9 {8 c4 d( I
% m2 _# b0 o, ^' a编辑modsecurity.conf 文件,将SecRuleEngine设置为 on* ?3 ]2 Q; c3 X- g- ], w1 e
; ]9 M; L. o6 o
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。: Y- v$ x1 U) F( [& {
$ j9 K% `5 B! m: j, e1 E" _( R( PInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf. M3 o/ l6 Y- V) g3 b: Z
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf3 N! Z7 T# X) y) b2 P. T" X" t
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf- K. [) t4 f6 }5 N: d+ s
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf* s4 X& E" A& T- U1 _4 o( U* o( q
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
+ H: n% o6 w* z7 c( o, z% KInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf1 F6 Y/ E3 E; ^5 l
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
O; k) b, b3 Z6 y7 C1 L五.配置nginx
; U5 g ? K) E! E
! x! g$ }4 e r在需要启用modsecurity的主机的location下面加入下面两行即可:( T5 M+ w- |# [' `$ M
5 j; T+ y2 w3 U) e& Y& lModSecurityEnabled on; - y$ T% S2 V" y, o7 O5 |
ModSecurityConfig modsecurity.conf;0 N: D4 M6 ?- l3 u3 b
下面是两个示例配置,php虚拟主机:
; v4 V `4 c- P' _6 m- w/ y- P+ ^9 y5 x5 c
server {& _0 V7 \' v# k) c. M9 `+ p) T2 J
listen 80;
+ Y1 X0 E+ z( `3 t! G server_name 52os.net www.52os.net;
4 u# P2 r5 e& i$ T# A- p 4 ], [3 n7 E, j' {5 C
location ~ \.php$ {" ~0 p# ^8 l) p5 t; o* j' D
ModSecurityEnabled on;
+ D% y: Z* I* x8 p; L. t ModSecurityConfig modsecurity.conf;
9 p8 |" R7 g% A [) K/ I3 G2 C( s4 Y8 |+ E ^
root /web/wordpress;' d+ q3 B6 h- m( Y* R
index index.php index.html index.htm;: l% S3 h! l; p: P2 o$ Z: o
* @2 t$ X3 a! U3 t3 R
fastcgi_pass 127.0.0.1:9000;6 t% E; \( m/ \0 s2 x% Z# l/ p2 M5 W
fastcgi_index index.php;
0 @ `3 i! o! t) ]8 T G fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;& _, @* m0 r. ?/ d$ }9 B
include fastcgi_params;
- a g6 u( w: k. E6 q; h }8 C, i/ p( ~/ ^" c$ u1 p9 c
}
6 P: T5 X) D0 l# G' V, r# Eupstream负载均衡:
: R9 s! A% p* Q8 }4 K A
% J" B' [$ j5 J; f% L, L- t* _upstream 52os.net {; h4 G4 B0 }; g7 a0 Y! n) |; E0 G
server 192.168.1.100:8080;
0 _1 l; l4 h+ X" c server 192.168.1.101:8080 backup;
8 R; [4 k' h8 e1 T) r3 Y}
* |( S8 F) c+ i5 k+ V3 p$ k, c. M/ w* v1 X+ y3 p6 c- |% I
server {
6 k% b3 y. A* _0 ^listen 80;- C7 S* ?6 i% l* b6 h: \+ R; S
server_name 52os.net www.52os.net;2 L [& E' t; o
" \ C& J9 C( `( N H
location / {
% v" d a/ v/ m1 h# h5 U ModSecurityEnabled on;
6 w6 F& l! ^- p; r u- ]+ K ModSecurityConfig modsecurity.conf; 7 u/ m# f: ?- l+ |! Q% _ S4 @/ ^
4 h% `: g9 u7 S' E s X proxy_pass http://online;& M: q+ ]* ^" \% m
proxy_redirect off;; T/ F+ }, ]9 M" ~
proxy_set_header Host $host;
9 m+ z/ @8 ? e; |% A+ S$ r1 h proxy_set_header X-Real-IP $remote_addr;
0 y# o$ [. Q! j+ k proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
' x2 g, G( [8 V- u ?* A }
$ p5 ^7 H- P4 a- J' t s/ r* ]7 q}" F3 m. h1 H- D3 J
六.测试
# y! b/ \4 V& X" e' l# f5 t
0 W8 m9 @1 @6 E- S4 H我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
+ }; S ~, O' I( Y" |1 ^ B3 S3 U5 d0 z; v' O
<?php: K# |" l T# {/ ?
phpinfo(); 6 L9 y2 z; p+ u4 R! k
?>: H8 q1 b+ |9 }! s7 K6 U6 [
在浏览器中访问:$ N" M( O& ?# K3 P3 w
! J) f% O) T% |9 U+ ?$ Hhttp://www.52os.net/phpinfo.php?id=1 正常显示。) S, S+ s L* O) z9 N2 d
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。. h" ^( ?! G6 t- g, k! h, U6 S/ y
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
" Q6 d9 p O4 \! B* M9 K1 A说明sql注入和xss已经被过滤了% z# [; Q8 ~7 f0 w, ^8 X6 F
* N" x3 M. G1 X5 w! S$ B ]七、安装过程中排错
% R9 Q2 b# t% q2 v |+ H( W2 G$ ?; J p8 @
1.缺少APXS会报错; u1 m s( j+ @7 [) y3 U
2 J& a; v; `9 r. r% ?- a% B
configure: looking for Apache module support via DSO through APXS
2 W$ {0 H% t* j/ dconfigure: error: couldn't find APXS o4 w. |, B/ F# N7 B
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
& ~# `; P2 P, R( F解决方法:
* I" K" c! G$ H, q# ]! J" w- M5 a) X$ u" F& u
yum install httpd-devel) Q. v) v3 v( x
2.没有pcre; x6 T ]" |. I
' e4 B3 v$ y6 T; `
configure: *** pcre library not found.0 t- N$ {8 Q! ]/ J2 q
configure: error: pcre library is required
$ D( {. S3 B& J2 c5 y解决方法:3 R; {% }+ M- u
5 d3 A \" b1 S! H5 L
yum install pcre pcre-devel
1 z f9 @5 f! ]8 S+ q/ J3.没有libxml2+ O- |5 {+ j& V: x
% b+ ~& r8 e9 x4 u* i6 t% k. R/ E" d" w0 }
configure: *** xml library not found.9 R5 K9 \0 f4 V: X* |1 {( q
configure: error: libxml2 is required7 U3 j. k! Y5 o: j
解决方法:
D8 w7 U' e* y9 F2 K
1 |, k w4 |# w, }2 @6 M4 Q& |yum install libxml2 libxml2-devel
) ~ |& j" Q/ x+ E; q$ S1 m4.执行 /opt/tengine/sbin/nginx -m 时有警告
2 I# a! I: c3 W I9 o( e
) K: x# }6 W! O# L. TTengine version: Tengine/2.1.0 (nginx/1.6.2)
* o7 J0 }0 H# ]1 }$ ]1 Inginx: [warn] ModSecurity: Loaded APR do not match with compiled!
3 W' p0 D3 l S9 z0 ~5 l3 m& m s x2 |; e原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log8 g$ t" b4 ~) |. q" H! M
2 l* e) s5 L. Q3 ?2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.2 F) J0 D3 J; D7 T' O# q. h2 \ I7 }! p
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"$ Q7 j. l& @. o' h! _0 g/ @
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!( y( I3 Q4 r; q0 z% U
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
0 [' R- T( H5 h" q# D7 l$ g5 _2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
0 m- \4 A$ G1 x4 }2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.4 J, \3 A1 a% v% z, j
解决方法,移除低版本的APR (1.3.9)
: j/ E3 m2 o# w z0 G5 G8 `2 c, d$ v. {! N+ y& h0 D# |9 r
yum remove apr
- A! }, e, ?4 G5.Error.log中有: Audit log: Failed to lock global mutex
6 I/ [ q. _2 b+ ]; E' Z# h# n3 B# k, C6 ^! S8 d d* ?2 z3 G
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 7 y; u: a) y3 ~1 f F. }
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
b% i8 x8 R7 |: N7 ?: u解决方法:
2 ?! u$ `5 i% Y9 I; G" j! k% Y" f; [编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
0 E; V) a1 j" ?6 m& {6 i ?2 e9 S& J6 E6 u4 F
SecAuditLogDirMode 0777
2 Y2 t! h- }+ K' g: `: b; HSecAuditLogFileMode 0550; o# W5 r) A: o- M) c Y
SecAuditLogStorageDir /var/log/modsecurity
% @4 E" F$ h( H" {2 @7 pSecAuditLogType Concurrent ?1 J, `! x0 L. a' ?; c- s0 K
参考文章:9 n& r( C1 ?- C
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX, J6 V/ e, _' E) g% G
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡