ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports Nginx and IIS. Combined with Nginx's flexibility and efficiency it can be turned into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available in the CentOS 6.5 repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

2. Enable the standalone module and build it

Download ModSecurity for Nginx, unpack it, and run the following inside the unpacked directory:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make

3. Add the ModSecurity module to nginx

Once the standalone build has finished, the module is added when nginx itself is compiled, via "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install

4. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover any other requirement.

(1) Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

(2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each rule file:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

5. Configure nginx

In the location block of each virtual host where ModSecurity should be enabled, add the following two lines:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host (note that nginx variable names are lowercase, so SCRIPT_FILENAME is built from $document_root):

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

Second, an upstream load-balancing setup (the upstream name must match the one referenced by proxy_pass):

    upstream online {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            proxy_pass http://online;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

6. Testing

We have enabled the XSS and SQL injection filters, so malicious requests get a 403 straight back. Taking the PHP environment as an example, create a phpinfo.php containing:

    <?php
    phpinfo();
    ?>

Then open the following URLs in a browser:

    http://www.52os.net/phpinfo.php?id=1                                   displays normally.
    http://www.52os.net/phpinfo.php?id=1 and 1=1                           returns 403.
    http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script>  returns 403.

This shows that SQL injection and XSS are being filtered.

7. Troubleshooting the installation

(1) Missing APXS

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is the tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

    yum install httpd-devel

(2) pcre not found

    configure: *** pcre library not found.
    configure: error: pcre library is required

Fix:

    yum install pcre pcre-devel

(3) libxml2 not found

    configure: *** xml library not found.
    configure: error: libxml2 is required

Fix:

    yum install libxml2 libxml2-devel

(4) Running /opt/tengine/sbin/nginx -m prints a warning

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log also shows the following:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

    yum remove apr

(5) error.log contains "Audit log: Failed to lock global mutex"

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent
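Once ModSecurity is blocking, each rule hit lands in nginx's error.log in the same bracketed [key "value"] form as the mutex error above, which is what you need to read when triaging blocks or tuning false positives. The following added example (not from the original post) parses such lines and tallies denials per rule id and per client. The first sample line is the mutex error quoted above; the rule-hit lines are constructed, with made-up rule ids, line numbers and unique_ids.

```python
import re
from collections import Counter

# Constructed sample of error.log lines. Line 1 is the mutex error from the post;
# the others are constructed rule hits (ids, line numbers, unique_ids are made up).
SAMPLE_LOG = """\
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:03 [error] 61610#0: *7 [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "and 1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "Bc0Bc0Bc0Bc0Bc0Bc0Bc0Bc0"]
2015/01/26 04:20:09 [error] 61610#0: *8 [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "31"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "Cd1Cd1Cd1Cd1Cd1Cd1Cd1Cd1"]
2015/01/26 04:21:40 [error] 61610#0: *9 [client 192.168.1.50] ModSecurity: Access denied with code 403 (phase 2). Pattern match "and 1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "De2De2De2De2De2De2De2De2"]
"""

# Fixed prefix nginx writes: timestamp, level, pid#tid, optional *connection
# counter, optional [client IP], then the ModSecurity message itself.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#\d+: (?:\*\d+ )?(?:\[client (?P<client>[^\]]+)\] )?'
    r'ModSecurity: (?P<body>.*)$'
)
# Bracketed key/value fields such as [id "950901"]; values may hold escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_line(line):
    """Return a dict for one ModSecurity line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    fields = {}
    for key, val in FIELD_RE.findall(body):
        fields.setdefault(key, []).append(val)  # keys such as tag may repeat
    first = FIELD_RE.search(body)
    message = body[:first.start()].strip() if first else body.strip()
    return {"ts": m.group("ts"), "level": m.group("level"),
            "client": m.group("client"), "message": message, "fields": fields}

def summarize(lines):
    """Parse lines; return (events, denials per rule id, denials per client)."""
    events = [e for e in map(parse_line, lines) if e]
    denied = [e for e in events if e["message"].startswith("Access denied")]
    by_rule = Counter(e["fields"].get("id", ["?"])[0] for e in denied)
    by_client = Counter(e["client"] for e in denied)
    return events, by_rule, by_client

if __name__ == "__main__":
    _, rules, clients = summarize(SAMPLE_LOG.splitlines())
    print("denials per rule:", dict(rules), "per client:", dict(clients))
```

Run it against a real file with summarize(open("/opt/tengine/logs/error.log")) to see which rule ids fire most; a single id dominating on legitimate traffic is the usual sign of a rule that needs a targeted exclusion rather than disabling the whole file.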