ModSecurity started out as an open-source WAF for Apache and noticeably strengthens web security; it now supports Nginx and IIS as well. Combined with nginx's flexibility and performance it can be turned into a production-grade WAF, a strong tool for both protecting and auditing web applications.

I. Preparation
System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory (--disable-mlogc leaves out the mlogc remote audit-log collector, which would otherwise need libcurl):

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, nginx's configure can pick it up through "--add-module" (adjust the path to wherever you unpacked ModSecurity):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

After installation, /opt/tengine/sbin/nginx -V lists the --add-module argument among the configure options, which is the quickest way to confirm the binary actually carries the module.
IV. Add rules

ModSecurity's job is to filter and block dangerous web traffic, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and comprehensive, and you can of course write your own rules for specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.
Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which logs matches without blocking; running in that mode for a while first is the usual way to find false positives before switching to On.

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable what you need by adding Include lines for the rule files to modsecurity.conf. Always include the setup file first, since it defines the defaults the other files rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

With the setup file's default (traditional) mode each rule blocks on its own, which is what the test in section VI relies on. If you switch the setup file to anomaly-scoring mode, also include base_rules/modsecurity_crs_49_inbound_blocking.conf, otherwise matches only raise a score and nothing is ever denied.
V. Configure nginx

Add the following two lines to the location block of every virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are lower-case; $Document_root would be rejected as unknown
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Second, upstream load balancing (the upstream name must match what proxy_pass refers to):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Test

With the XSS and SQL injection rules enabled, malicious requests are answered with 403 directly. Using the PHP host as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This confirms that SQL injection and XSS attempts are being filtered. Remove phpinfo.php once you are done; it discloses the server's configuration and has no business staying on a public host.
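A repeatable version of the browser checks above, as an added example that is not code from the original post: it sends the same benign and attack query strings with Python's urllib, percent-encoding them as a browser would, and reports whether each request got the status the rules should produce. The default host name and the phpinfo.php path are assumptions taken from the test above; point it at your own WAF-fronted virtual host.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

# The three checks from the section above: (query parameters, should the WAF block it?).
# The payloads are the page's own test inputs.
PROBES = [
    ({"id": "1"}, False),
    ({"id": "1 and 1=1"}, True),
    ({"search": "<script>alert('xss');</script>"}, True),
]

# A browser-like User-Agent, so that if the CRS protocol-anomaly or bad-robots files are
# enabled later the benign probe is not rejected for its User-Agent rather than its query.
HEADERS = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) waf-smoke-check"}

# Talk to the WAF directly even if http_proxy is set in the environment.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def build_url(base, path, params):
    """Assemble the request URL, percent-encoding the query the way a browser would."""
    return f"{base.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"


def fetch_status(url, timeout=5):
    """GET the URL and return the HTTP status; 4xx/5xx are results here, not errors."""
    req = urllib.request.Request(url, headers=HEADERS)
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_probes(base, path="/phpinfo.php", probes=PROBES):
    """Send every probe and record whether the observed status matches the expectation."""
    results = []
    for params, expect_block in probes:
        status = fetch_status(build_url(base, path, params))
        # Blocked requests must come back as 403; allowed ones as any non-error response.
        ok = (status == 403) if expect_block else (200 <= status < 400)
        results.append({"params": params, "status": status,
                        "expect_block": expect_block, "ok": ok})
    return results


def all_passed(results):
    return all(r["ok"] for r in results)


if __name__ == "__main__":
    # Assumed default host; pass the base URL of the vhost you configured as the first argument.
    base_url = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net"
    results = run_probes(base_url)
    for r in results:
        verdict = "PASS" if r["ok"] else "FAIL"
        print(f"{verdict} status={r['status']} expect_block={r['expect_block']} params={r['params']}")
    sys.exit(0 if all_passed(results) else 1)
```

A non-zero exit code makes this usable as a post-deploy check: run it after every rule or nginx change, and if the benign probe starts returning 403 the new rule set is blocking ordinary traffic, which is exactly what the DetectionOnly phase is meant to catch first.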
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it turns one or more source or object files into a dynamic shared object. ModSecurity's configure needs it even for the standalone build. Fix:

yum install httpd-devel
2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel
3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR that ModSecurity was compiled against is not the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix used here: remove the older APR (1.3.9):

yum remove apr

Check what yum proposes to remove along with it before confirming, since httpd-devel, apr-util and anything else built on apr go with it. The cleaner alternative is to build ModSecurity against the APR that will actually be loaded, by pointing its ./configure at that installation's apr-1-config with --with-apr, so that the compiled and loaded versions agree.
% @0 X/ A& R$ g7 c) t" e4 t5.Error.log中有: Audit log: Failed to lock global mutex
4 P6 u4 [" C8 M
7 E) t7 ]/ C3 ^ I, r2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
' p# M* C" x* ], e; H. E. \global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
5 f* f: V* ?8 g. t解决方法:
) ]' \( i P: [( w# C; d编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:7 j! ~1 Y* U8 `
% O; H' X+ \" R# f4 cSecAuditLogDirMode 0777. o+ i, U( C9 W3 O% A
SecAuditLogFileMode 0550
% d `5 g0 I1 v5 ?SecAuditLogStorageDir /var/log/modsecurity2 ^' S% N1 f7 P& W8 u! {) K/ I
SecAuditLogType Concurrent
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614