ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application. It now also supports nginx and IIS, and combined with nginx's flexibility and performance it can be built into a production-grade WAF for protecting and auditing web traffic.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel (for apxs), libxml2 and apr, together with their -devel headers:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Build the standalone module

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run the following (--disable-mlogc leaves out mlogc, the remote audit-log collector, which the nginx module does not need):

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, pass its directory to nginx's configure with --add-module so that it is compiled into the Tengine binary:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
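The three build steps above (dependencies, standalone module, Tengine with --add-module) collected into one script, as an added example that is not from the original article. It assumes the sources were unpacked under /root and the prefix /opt/tengine, as in the article, and adds two checks the article does not show: that the installed binary was really built with the module (read from nginx -V) and that startup does not print the APR mismatch warning described in the troubleshooting section. Run it with --build; without arguments it only defines the functions.

```bash
#!/bin/bash
# Added example, not from the original article: build Tengine 2.1.0 with the
# ModSecurity 2.8.0 standalone module and verify the result.
# Assumptions: sources unpacked under /root, install prefix /opt/tengine.
set -eu

MODSEC_SRC=${MODSEC_SRC:-/root/modsecurity-2.8.0}
TENGINE_SRC=${TENGINE_SRC:-/root/tengine-2.1.0}
PREFIX=${PREFIX:-/opt/tengine}

install_deps() {
    yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel
    yum -y install httpd-devel apr apr-util-devel apr-devel libxml2 libxml2-devel
}

build_modsecurity() {
    cd "$MODSEC_SRC"
    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make
}

build_tengine() {
    cd "$TENGINE_SRC"
    ./configure --add-module="$MODSEC_SRC/nginx/modsecurity/" --prefix="$PREFIX"
    make && make install
}

# module_linked: given the output of `nginx -V`, succeed only if the configure
# arguments show the ModSecurity module, i.e. it is compiled into the binary.
module_linked() {
    printf '%s\n' "$1" | grep -q -- '--add-module=[^ ]*modsecurity'
}

# apr_mismatch: given startup output (nginx -m or -t), succeed if the APR
# version warning from troubleshooting item 4 is present.
apr_mismatch() {
    printf '%s\n' "$1" | grep -q 'Loaded APR do not match with compiled'
}

verify_build() {
    local v m
    v=$("$PREFIX/sbin/nginx" -V 2>&1)
    module_linked "$v" || { echo "ModSecurity module is not compiled in" >&2; return 1; }
    m=$("$PREFIX/sbin/nginx" -m 2>&1) || true
    if apr_mismatch "$m"; then
        echo "APR compiled/loaded version mismatch, see troubleshooting item 4" >&2
        return 1
    fi
    echo "build OK: module linked, APR versions consistent"
}

if [ "${1:-}" = "--build" ]; then
    install_deps
    build_modsecurity
    build_tengine
    verify_build
fi
```

The two check functions take text rather than running the binary themselves, so they can be pointed at saved output from another host as well.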
IV. Adding rules

ModSecurity's job is to filter and block dangerous web requests, and its power lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and comprehensive, and you can add custom rules on top of it for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which only logs matches; until it is changed to On nothing is blocked.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need with an Include line for each file; the setup file must come first because it defines the variables the other rules rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
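Steps 1 and 2 above as one script, added here as an example that is not part of the original article. It assumes the same paths as the article (ModSecurity source in /root/modsecurity-2.8.0, Tengine in /opt/tengine, CRS already cloned into the conf directory); the custom rule, its id 1001000 and the 192.168.1.0/24 subnet are illustrative assumptions. The check_includes function is the part worth keeping: it resolves each Include against the directory holding modsecurity.conf (an assumption about how the standalone module resolves relative paths; absolute paths avoid the question entirely) and reports missing files before you reload nginx, since a single bad Include makes nginx refuse to start.

```bash
#!/bin/bash
# Added example, not from the original article: build modsecurity.conf for the
# nginx module and check every Include target before reloading.
# Assumptions: ModSecurity source in /root/modsecurity-2.8.0, Tengine in
# /opt/tengine, CRS already cloned into /opt/tengine/conf/owasp-modsecurity-crs.
set -eu

MODSEC_SRC=${MODSEC_SRC:-/root/modsecurity-2.8.0}
CONF_DIR=${CONF_DIR:-/opt/tengine/conf}
NGINX_BIN=${NGINX_BIN:-/opt/tengine/sbin/nginx}
CRS=owasp-modsecurity-crs

# Recommended config plus unicode.mapping, with the engine switched from
# DetectionOnly (log only) to On (block).
install_base_config() {
    cp "$MODSEC_SRC/modsecurity.conf-recommended" "$CONF_DIR/modsecurity.conf"
    cp "$MODSEC_SRC/unicode.mapping" "$CONF_DIR/"
    sed -i 's/^SecRuleEngine DetectionOnly/SecRuleEngine On/' "$CONF_DIR/modsecurity.conf"
}

# The CRS files the article enables (setup file first), plus one custom rule as an
# illustration: only clients on the internal subnet may reach /wp-admin.
# Rule id 1001000 and the subnet 192.168.1.0/24 are assumptions for this example.
append_rules() {
    cat >> "$CONF_DIR/modsecurity.conf" <<EOF

Include $CRS/modsecurity_crs_10_setup.conf
Include $CRS/base_rules/modsecurity_crs_40_generic_attacks.conf
Include $CRS/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include $CRS/base_rules/modsecurity_crs_41_xss_attacks.conf
Include $CRS/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include $CRS/experimental_rules/modsecurity_crs_11_brute_force.conf
Include $CRS/optional_rules/modsecurity_crs_16_session_hijacking.conf

# custom rule (example): deny /wp-admin unless the client is on the internal subnet
SecRule REQUEST_URI "@beginsWith /wp-admin" "id:1001000,phase:1,deny,status:403,log,msg:'wp-admin from outside the LAN',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24"
EOF
}

# check_includes CONF: print each Include target that does not exist (relative
# paths resolved against CONF's directory, globs expanded); return 1 if any is missing.
check_includes() {
    local conf=$1 dir target f missing=0
    dir=$(dirname "$conf")
    while read -r target; do
        [ -n "$target" ] || continue
        case $target in /*) ;; *) target="$dir/$target" ;; esac
        for f in $target; do
            [ -e "$f" ] || { echo "missing: $f"; missing=1; }
        done
    done <<EOF
$(sed -n 's/^[[:space:]]*Include[[:space:]][[:space:]]*//p' "$conf")
EOF
    return "$missing"
}

if [ "${1:-}" = "--install" ]; then
    install_base_config
    append_rules
    check_includes "$CONF_DIR/modsecurity.conf"
    "$NGINX_BIN" -t
fi
```

Run with --install on the target host. nginx -t at the end also parses modsecurity.conf through the module, so a syntax error in a rule shows up there rather than on the first production reload.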
V. Configure nginx

Add the following two lines to each location, in the virtual hosts concerned, that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

nginx variable names are case-sensitive, so it must be $document_root; a misspelling such as $Document_root is an undefined variable and leaves SCRIPT_FILENAME without its directory. Note also that only requests matching \.php$ pass through ModSecurity in this vhost; add the two directives to any other location (static files, uploads) that should be inspected as well.
Second, a reverse proxy with upstream load balancing. The upstream name has to match the host in proxy_pass, here "online":

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the SQL injection and XSS rules enabled, a request that matches is answered directly with 403. Using the PHP setup as an example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then request in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS payloads are being filtered. Remove phpinfo.php once you are done; it discloses the PHP build, loaded modules and environment to anyone who can reach it.
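The same three requests driven from the shell, plus the step the article leaves out: finding which rule produced a 403 so that a false positive can be traced and tuned. This is an added example, not from the original article; it assumes the PHP vhost above answers at http://www.52os.net and that error.log is at /opt/tengine/logs/error.log. The embedded log lines are a constructed sample of ModSecurity's error.log format, and the rule ids in it are placeholders, not real CRS ids.

```bash
#!/bin/bash
# Added example, not from the original article: smoke-test the WAF from the shell
# and report which rules produced the 403s. Assumes the PHP vhost above answers
# at http://www.52os.net and that error.log is /opt/tengine/logs/error.log.
set -eu

BASE=${BASE:-http://www.52os.net}
ERROR_LOG=${ERROR_LOG:-/opt/tengine/logs/error.log}

# http_code URL: status code only. -g (--globoff) stops curl from interpreting
# [ ] and { } in the payload as its own URL globbing.
http_code() {
    curl -s -g -o /dev/null -w '%{http_code}' "$1"
}

# expect NAME WANT GOT: print PASS/FAIL, return 1 on mismatch.
expect() {
    local name=$1 want=$2 got=$3
    if [ "$got" = "$want" ]; then
        echo "PASS $name ($got)"
    else
        echo "FAIL $name: want $want, got $got"
        return 1
    fi
}

# blocked_rules: read ModSecurity error.log lines on stdin and print "id: msg"
# for each "Access denied" entry, so a false positive can be traced to a rule.
# ModSecurity 2.x writes ... [id "NNNN"] ... [msg "..."] ... on one line.
blocked_rules() {
    grep 'ModSecurity: Access denied' \
      | sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1: \2/p'
}

# Constructed sample in error.log's format; ids 900001/900002 are placeholders,
# not real CRS rule ids.
sample_error_log() {
    cat <<'EOF'
2015/01/26 04:15:42 [notice] 100#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 04:16:01 [error] 101#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(constructed)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "900001"] [msg "SQL Injection Attack (constructed sample)"] [severity "CRITICAL"] [hostname ""] [uri "/phpinfo.php"] [unique_id "a"]
2015/01/26 04:16:05 [error] 102#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(constructed)" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "1"] [id "900002"] [msg "XSS Attack (constructed sample)"] [severity "CRITICAL"] [hostname ""] [uri "/phpinfo.php"] [unique_id "b"]
EOF
}

# The three requests from the article; spaces and angle brackets are URL-encoded
# because curl, unlike a browser, sends the URL exactly as given.
run_smoke_tests() {
    local fails=0
    expect "benign" 200 "$(http_code "$BASE/phpinfo.php?id=1")" || fails=$((fails+1))
    expect "sqli"   403 "$(http_code "$BASE/phpinfo.php?id=1%20and%201=1")" || fails=$((fails+1))
    expect "xss"    403 "$(http_code "$BASE/phpinfo.php?search=%3Cscript%3Ealert('xss')%3C/script%3E")" || fails=$((fails+1))
    echo "--- rules that fired, from $ERROR_LOG ---"
    blocked_rules < "$ERROR_LOG" | sort | uniq -c
    return "$fails"
}

if [ "${1:-}" = "--run" ]; then
    run_smoke_tests
else
    sample_error_log | blocked_rules
fi
```

Run it with --run against the live host; without arguments it only parses the constructed sample. Keep the benign request in the set: a WAF that returns 403 for everything also passes the two attack checks.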
VII. Troubleshooting the installation

1. APXS missing:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server, compiling one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when only the standalone module is being built.

Solution:

yum install httpd-devel

2. pcre missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9) so that only the 1.5.0 build ModSecurity was compiled against remains. Read the dependency list yum prints before confirming, since httpd and apr-util depend on the apr package:

yum remove apr
5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

The serial audit log is guarded by a global mutex; under nginx this typically fails because the worker processes, running as the unprivileged user from the user directive, cannot take a lock created by the root master process.

Solution: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following, which switches to the concurrent audit log (one file per transaction under SecAuditLogStorageDir, no global lock needed):

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Mode 0777 on the storage directory is wider than needed: it only has to be writable by the user the nginx workers run as, so 0750 with the directory owned by that user (for example chown nobody /var/log/modsecurity if nginx runs as nobody) works just as well without letting every local account read or drop files into the audit trail. Create the directory before reloading; ModSecurity creates the per-day subdirectories underneath it but not the top-level directory itself.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614