|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
0 j5 E2 K# X l d% H! u6 e# ~6 y6 ~8 G& Q$ ?
一.准备工作
9 Q, b: R4 o3 h& l6 w: b" Q: ~. K, _# y6 }$ K2 m& `- p
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
0 @4 p* j& z5 C, o9 ?8 n2 s; K$ u! K$ M
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
/ ?" W4 f2 ^: Y% e
/ @3 q+ a2 s2 Imodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz+ \' Z0 n! ~3 ?9 r9 V
) {/ q" s! f" R3 a# [" SOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
# {1 O) Y4 T4 x6 h; ~- z9 r. g# e$ t; j& o' N' ?# d: ^
依赖关系:
& g) @8 M- K% q+ gtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
7 @7 D- }# x5 Y
; B5 N6 r; p6 @7 ~/ [, `yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
0 l1 S! E7 }* Rmodsecurty依赖的包:pcre httpd-devel libxml2 apr( Y6 t Z: X5 d
0 M% a2 K) p8 G# \. l$ yyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel t+ I; b- h1 g/ M: F. z% [0 h
二.启用standalone模块并编译; b E, C, O# t. \, W6 ?5 @
4 Z0 H+ s' b; E
下载modsecurity for nginx 解压,进入解压后目录执行:
: z% x+ R' P5 y* g6 d, D+ ^3 C7 Q/ H( S
./autogen.sh0 z# |4 D* I% e( ^: H* t/ w
./configure --enable-standalone-module --disable-mlogc
. J: S! }3 v0 T5 }8 N8 z! ^make - A B+ B& b0 P4 {. J9 v& |
三.nginx添加modsecurity模块8 r' v; g0 G. }: f% g2 H: d7 i* ?
# D$ ^! E t) A/ \
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:8 p6 `# w5 `! } O& C+ m/ o. H
+ U% H# Y. D0 a9 G9 I% n8 _./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine* d8 ^& P7 i+ n1 m% q4 {9 T
make && make install
* ~; e. n( t; ^. @8 B/ `! D0 L四.添加规则
6 K: s2 _6 S% ?$ @& {
4 j6 v5 w, S( | }5 Rmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。8 G5 H3 u" q4 m$ G4 \" W K$ I
: {4 Y' q5 W o2 P0 e1.下载OWASP规则:
" z4 P; i' H! |
4 M. R5 x7 V6 c) r/ h2 l/ D" }git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
' c$ _; c( O3 X/ Q6 m
. f7 l3 q8 K' O6 S6 K8 M* S3 Vmv owasp-modsecurity-crs /opt/tengine/conf/
" m' G3 t8 ~: L
0 A. @; n# D3 O: k& ~cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
/ [" {6 J. |4 o2.启用OWASP规则:
- H5 e4 }. \% V
- j, U o6 u7 u; y% m3 r复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。5 I! Q" U( F: {( f/ ^
" ], C/ P$ E/ i- \* x8 s- O4 I编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
7 W: ~! I( q7 Q9 R: L! w$ S, j" t3 @) i% I j
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。+ d) U( a6 V& T1 W
8 x: ~5 N. I5 _- f! p$ b" z' G q
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
. H" E/ r- v1 a* l! GInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf2 k g1 m6 p* C% a# q5 C; O8 E6 M
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
; b( x: _- B" d/ l1 w: A+ y9 TInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
* k- b; o. }0 R* ]) j1 `Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
T1 [" G) K5 ?Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
- e+ ^ x5 f' x" `* BInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
% N1 j; }. e. r+ ~ a五.配置nginx
0 J' G1 P$ m6 u8 O$ r( v$ R# r/ M6 T" J U; _
在需要启用modsecurity的主机的location下面加入下面两行即可:4 _1 l6 A, b) \4 m3 \1 n
% ~" @; x# s p: D5 W+ MModSecurityEnabled on; - r6 D' P1 Q4 j4 o1 R4 w+ M2 e
ModSecurityConfig modsecurity.conf;
2 v9 s! i+ o# G g1 O4 T* B9 K下面是两个示例配置,php虚拟主机:1 i3 c1 L; B" X& P6 e' ]' O* S9 b
9 i2 T3 C* s* b8 v+ u
server {
, _1 |; L3 q) g+ [7 H* K$ U listen 80;
" F& Z0 z/ J6 b* |, e+ T1 ] server_name 52os.net www.52os.net;1 O+ {; ~/ {( q, P4 f& r
4 G3 ?7 i ^/ E' E m0 r
location ~ \.php$ {
0 E5 }% g z; D- V' t6 `, k) c ModSecurityEnabled on; 9 r0 p$ E: a/ x( a) V/ G
ModSecurityConfig modsecurity.conf;
9 \* A) G5 q8 [. O0 }" g9 Y# z) F" V1 h: h( a9 B6 _, V
root /web/wordpress;' i/ M d4 p; [. |& @# R5 F
index index.php index.html index.htm;
& ~. z$ {2 L, o3 C: A' T + r# G4 j. \" k$ [8 O9 \! R
fastcgi_pass 127.0.0.1:9000;# \1 `+ [/ W2 }6 l
fastcgi_index index.php;
! n- m2 V$ V% J; s7 i1 B S, Z fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;) H$ e/ t/ j: F+ f' n
include fastcgi_params;3 i, T3 g. V) T, X3 l1 J S
}) e( ?% n& ]3 U# M) O+ r, R, v- C
}
! m) C' u' S& Q% Tupstream负载均衡:
5 T' i) }- _, R+ C; ~; E+ f" N0 b( b7 c8 B. O, }
upstream 52os.net {
" E# U/ Y" K1 G0 i9 K+ ? server 192.168.1.100:8080;
. k3 F% v$ G$ N% p ^; `4 W7 R$ p server 192.168.1.101:8080 backup;
( }- t1 n; I9 {" Q# E6 [3 [4 _}9 U% B; w9 r$ c# r: s
2 W! ~- Q2 i. r X
server {
0 A" M' L! ~+ Y3 Rlisten 80;% f( {: O- e# }8 j1 {4 y; ^
server_name 52os.net www.52os.net;
" y( f. Y/ Z- i3 f$ F
; q3 r0 [& w+ Q4 }5 Olocation / {
: F* s1 N/ B9 F, N ModSecurityEnabled on; 1 y. @7 _" ?( C& V7 Z
ModSecurityConfig modsecurity.conf; " P8 ?! B5 e9 n# B' N
, h4 w0 r# }/ P, j2 l9 A
proxy_pass http://online;
E9 T* d6 @+ V6 e6 j) b proxy_redirect off;2 M2 V" z8 u9 z7 G
proxy_set_header Host $host;" ~ `8 o7 h; W6 V4 x \5 S! w
proxy_set_header X-Real-IP $remote_addr;6 O+ Y* g# I# ]% O0 D
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
7 i8 N. }! ^# [; I" u }" i* o2 G6 [7 |( s& |
}% {- _3 o8 u2 o& v
六.测试
: h. p+ z' N( L& r( ~
# I& \# [1 V, R% A3 N我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:; M7 c! y) [9 G: t) C
" s6 w! h, i0 N2 Y9 t5 J! D$ f
<?php
! ~. i4 s+ f1 G; z; E* p1 A" A phpinfo();
+ K/ {4 y" G5 m% R?>
2 b8 |1 }& z; L0 a: i- G2 C7 O+ R在浏览器中访问:
% A8 q8 `( o" m X
. S: ?( F2 h5 L% k, zhttp://www.52os.net/phpinfo.php?id=1 正常显示。5 t9 M- a2 n8 A
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。* u3 l- N+ C I5 J# |
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
: ?. ~1 m! w# e说明sql注入和xss已经被过滤了
4 q# w: r t" ^5 b2 K, X& Z# m; M) u. c
七、安装过程中排错/ R$ E+ O2 M5 c( j) W
9 U" ?$ t7 r# M, w/ W6 J
1.缺少APXS会报错
) `1 b+ b. S# Y1 e7 x r
- t4 x. a) m) ~1 yconfigure: looking for Apache module support via DSO through APXS2 K- t- t2 g6 E) Q" }1 A: ~
configure: error: couldn't find APXS
8 z* r* e9 \3 P9 z. ~apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。: m, D$ Z( d6 Z2 _0 G8 ^
解决方法:
! p* m6 Z z# c* c0 B2 i p7 {) s- S( b0 S
yum install httpd-devel
. m7 L9 H4 K$ J# I) y) u2.没有pcre6 y2 Z. H, h' c* m2 g
' v, D b& F* `- l, p
configure: *** pcre library not found.2 W" U* Y5 l3 @& W( D
configure: error: pcre library is required" y' F# N$ r+ u5 c- I
解决方法:$ \* c( ^1 v; D; O
9 M- N2 z. Z" b x$ A3 |$ m$ vyum install pcre pcre-devel/ ^' ~# j1 g; K6 E/ X$ S) C
3.没有libxml22 S3 a/ T! X2 r5 t8 |* C
% b; X/ m7 i6 y6 y$ t- |- ^3 }9 J* \8 q# [6 k
configure: *** xml library not found.+ A2 w, F/ _5 B/ E& Q
configure: error: libxml2 is required
, F+ @3 b7 k1 }: }8 D) f解决方法:) o& I$ F8 |7 r9 E
/ p# [5 u4 M0 ]
yum install libxml2 libxml2-devel
) p* c1 ~* z' b6 l4.执行 /opt/tengine/sbin/nginx -m 时有警告1 [ r" a+ S5 P1 i- c
! d! `! C6 f# u9 J
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
4 G4 {+ s' o9 Hnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
( ~5 _4 q0 q9 h; k原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
& L2 u: Z4 {! ~# ~- }+ n: k6 E5 r2 n$ Z' f; `
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured./ C L5 S0 c+ _
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"9 ^( ? `0 l* ]) C" n
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
% A+ F* m1 i2 Y! c0 V2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
+ }4 y# H/ G( v% z, S( x, b w4 W2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
4 B; D4 w. X3 e/ v Z# n5 i% {2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
: R# h" X+ @, t; q: g- R6 ]# D8 C解决方法,移除低版本的APR (1.3.9)/ M/ Y5 O1 i# @! g
5 s) L2 N. o/ p4 N" P/ Gyum remove apr
4 ^/ \% T8 ]! m6 N3 W( f5.Error.log中有: Audit log: Failed to lock global mutex& ^5 k) b( I$ n1 P
' n4 I" Q2 _0 P& m# V7 m
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 3 S' X" t9 W4 ~ Z
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]6 ?5 W/ b+ X; G8 q
解决方法:
; v4 G' k# O7 ?$ V' W0 `0 u编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
: b* _; O# ?9 V5 [7 I$ J( s4 A# K" V/ V3 W0 e$ r) \
SecAuditLogDirMode 0777
: M- i$ u6 t0 aSecAuditLogFileMode 0550
7 _& X7 b* O' f( m0 ]6 r! j, WSecAuditLogStorageDir /var/log/modsecurity
x5 ]# Y2 b3 u/ M& u% v- tSecAuditLogType Concurrent
* @. r# Y& Z5 ]# T# Z参考文章:
& M; J, `0 W2 D1 C; ?0 C6 Ahttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
4 W8 \4 Z$ U6 L- \- jhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡