ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application. It now also supports Nginx and IIS; combined with Nginx's flexibility and performance it can be built into a production-grade WAF and is a powerful tool for both protecting and auditing web traffic.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel, libxml2 and apr (httpd-devel is only there because ModSecurity's build system uses Apache's apxs; Apache itself is never run):

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Build ModSecurity with the standalone module enabled

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

No make install is needed at this point: the nginx build in the next step links against the standalone library directly from this source tree.
3. Add the ModSecurity module to nginx

Once the standalone build has finished, pass the module's source directory (the nginx/modsecurity subdirectory of the ModSecurity tree, unpacked under /root here) to nginx's configure with --add-module:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

After installation, running the new binary with -V prints the configure arguments, including the --add-module path, which confirms the module was compiled in.
4. Add rules

ModSecurity's job is to filter and block attacks against web applications, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and comprehensive, and you can of course write your own rules for anything it does not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory (/opt/tengine/conf), and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches but never blocks, so nothing is rejected until that line is changed; running in DetectionOnly against real traffic for a while first is the usual way to find false positives before switching to On.

owasp-modsecurity-crs contains several directories of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever you need by adding Include lines for them to modsecurity.conf. modsecurity_crs_10_setup.conf must come first, because the other files depend on the variables and default actions it defines:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
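The paragraph above mentions custom rules. As an added example (written for this article, not part of the original page and not part of the OWASP CRS), here is a site-specific rules file that shows the three things a practitioner ends up writing almost immediately: a blocking rule, a log-only chained rule, and two ways of handling a CRS false positive without turning the rule off for the whole site. The rule IDs 1000010-1000012, the parameter names cmd and content, the path /wp-admin/, the network 192.168.1.0/24 and the choice of CRS rule 981173 are all assumptions for illustration; take the real rule ID from the match reported in your error.log.

```apacheconf
# local_rules.conf: site-specific ModSecurity 2.x rules.
# Added example; not from the original article or the OWASP CRS.
# Include it from modsecurity.conf AFTER the CRS Include lines, e.g.
#     Include owasp-modsecurity-crs/local_rules.conf
# Rule IDs, parameter names, path and network below are assumptions.

# 1. Block requests whose "cmd" parameter carries shell metacharacters.
#    phase:2 runs after the request body has been read, so POST bodies
#    are inspected too, not just the query string.
SecRule ARGS:cmd "@rx [;&|`$()]" \
    "id:1000010,phase:2,t:none,deny,status:403,log,\
    msg:'Shell metacharacter in cmd parameter',tag:'local/cmd-injection'"

# 2. Log-only rule (pass): PUT or DELETE from outside the internal network.
#    A chained rule shares the first rule's id and actions; the second
#    SecRule carries only its own variable and operator.
SecRule REQUEST_METHOD "@rx ^(?:PUT|DELETE)$" \
    "id:1000011,phase:1,t:none,pass,log,chain,\
    msg:'Write method from outside 192.168.1.0/24'"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24"

# 3. Handling a false positive from CRS rule 981173 (assumed ID).
#    (a) Site-wide: stop that one rule from inspecting one free-text
#        parameter, while it keeps inspecting every other argument.
SecRuleUpdateTargetById 981173 "!ARGS:content"

#    (b) Path-scoped: disable the rule only under /wp-admin/, where editors
#        legitimately submit SQL-looking text. ctl: applies to the current
#        transaction only, so every other path keeps full protection.
SecRule REQUEST_URI "@beginsWith /wp-admin/" \
    "id:1000012,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=981173"
```

SecRuleUpdateTargetById only works if the rule it modifies has already been loaded, which is why this file has to be included after the CRS files. Reload nginx after editing and confirm the IDs are unique: ModSecurity refuses to start on a duplicate id.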
5. Configure nginx

In every virtual host that should be protected, add the following two lines to the location block. The directives are scoped to the location they appear in, so requests that nginx routes to other location blocks are not inspected at all; to cover a whole site, put them in a location / that every request passes through, or repeat them in each location:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First a PHP virtual host (with the directives inside location ~ \.php$, only PHP requests are inspected; static files and any other path bypass the WAF):

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing. The name in the upstream block must match the host part of proxy_pass; otherwise nginx treats it as a DNS name and fails to start if it cannot resolve it:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered directly with 403. Taking the PHP host as the example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1    displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1    returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>    returns 403.

This shows that SQL injection and XSS probes are being filtered. Two things to keep in mind: the browser percent-encodes the spaces and angle brackets in those URLs for you, so a script or tool that sends them raw gets a 400 from nginx for a malformed request line before ModSecurity ever runs (encode the payload yourself); and delete phpinfo.php once the test is done, because the page it produces discloses the server's configuration to anyone who can reach it.
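The three browser checks above are the kind of thing that gets repeated after every rule change, so here they are as a script. This is an added example written for this article, not code from the original page; it assumes the article's host name and the phpinfo.php test page, and it percent-encodes the payloads exactly as a browser would. The fetch function is injectable so the pass/fail logic can also be exercised without a live WAF.

```python
"""WAF smoke test for the ModSecurity + Tengine setup described above.

Added example, not part of the original article. It sends the same three
probes the article uses (benign, SQL injection, XSS) and compares the HTTP
status the WAF returns with the expected one. BASE_URL is the article's
example host; point it at your own server.
"""
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net"  # assumed: the host used in the article

# (path, query parameters, expected status). Payloads are the article's own.
PROBES = [
    ("/phpinfo.php", {"id": "1"}, 200),                                   # benign
    ("/phpinfo.php", {"id": "1 and 1=1"}, 403),                           # SQLi
    ("/phpinfo.php", {"search": "<script>alert('xss');</script>"}, 403),  # XSS
]


def build_probe_url(base_url, path, params):
    """Return base_url + path with params percent-encoded as a browser would.

    urlencode turns spaces into '+', '=' into %3D and '<' into %3C, so nginx
    sees a well-formed request line and ModSecurity gets to inspect it.
    """
    return f"{base_url}{path}?{urllib.parse.urlencode(params)}"


def http_status(url, timeout=5):
    """Fetch url and return its HTTP status code, including 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # urllib raises on 403; the code is exactly what we want to record.
        return err.code


def run_probes(base_url=BASE_URL, probes=PROBES, fetch=http_status):
    """Run every probe; return (all_passed, [(url, expected, actual), ...]).

    `fetch` maps a URL to a status code and is injectable for offline tests.
    """
    results = []
    for path, params, expected in probes:
        url = build_probe_url(base_url, path, params)
        results.append((url, expected, fetch(url)))
    all_passed = all(expected == actual for _, expected, actual in results)
    return all_passed, results


if __name__ == "__main__":
    ok, report = run_probes()
    for url, expected, actual in report:
        flag = "PASS" if expected == actual else "FAIL"
        print(f"{flag} got {actual} want {expected} {url}")
    raise SystemExit(0 if ok else 1)
```

A non-zero exit status makes the script usable from a deployment pipeline or cron job: if a CRS update or an exclusion like the ones in section 4 accidentally lets the SQL injection probe through, the run fails instead of silently passing.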
7. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even for the standalone build, which is why httpd-devel is a build dependency although Apache is never started.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: ModSecurity was compiled against APR 1.5.0 headers, but at runtime the dynamic loader resolves libapr to the system's 1.3.9. error.log records the same mismatch:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the old APR (1.3.9) so that the newer library is the one loaded:

yum remove apr

Read the list yum prints before confirming: on CentOS 6 httpd, httpd-devel and anything else built on APR depend on that package and will be removed with it. Running ldd on /opt/tengine/sbin/nginx and looking at which libapr-1.so is resolved shows whether the right library is being picked up afterwards.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

The audit-log mutex is created by the master process, which runs as root; the worker processes run as an unprivileged user and cannot lock it.

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent mode writes one file per transaction under SecAuditLogStorageDir instead of appending to a single serial log, so the workers no longer need the global mutex. Be aware that 0777 makes the storage directory world-writable, and audit log entries contain complete requests, including cookies, session tokens and submitted passwords. A safer setup is to create /var/log/modsecurity owned by the user the nginx workers run as, and use tighter modes such as 0750 for directories and 0640 for files.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614