ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security. It now also supports Nginx and IIS; combined with the flexibility and efficiency of Nginx it can be turned into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for Nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, it is added to nginx at compile time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is aimed at filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and of course you can write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling the corresponding files in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
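
As an added example that is not part of the original post, the following shell script checks a modsecurity.conf before nginx is reloaded. It reads the effective SecRuleEngine value (modsecurity.conf-recommended ships with DetectionOnly, which logs matches but never blocks, which is why the step above says to set it to On) and verifies that every Include target exists, since one missing file makes ModSecurity reject the whole configuration. It assumes the layout used in this post, with Include paths relative to the nginx conf directory; the fixture it builds for the offline demo is constructed to mirror the Include lines above, and the MODSEC_CONF_DIR variable and script name are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# modsecurity.conf built in section IV, to run before "nginx -s reload".
# Assumption (from the post's layout): Include paths are relative to the
# nginx conf directory that holds modsecurity.conf.

# Effective SecRuleEngine value (On / Off / DetectionOnly). The last
# uncommented occurrence wins, since a later directive overrides an earlier one.
sec_rule_engine() {             # sec_rule_engine <modsecurity.conf>
    sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Print every Include target of $2 that does not exist relative to conf dir $1.
missing_includes() {            # missing_includes <confdir> <modsecurity.conf>
    confdir=$1
    sed -n 's/^[[:space:]]*Include[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$2" |
    while IFS= read -r inc; do
        case $inc in
            /*) path=$inc ;;
            *)  path=$confdir/$inc ;;
        esac
        [ -e "$path" ] || printf '%s\n' "$inc"
    done
}

# Combined verdict: 0 = safe to reload, 1 = fix the configuration first.
check_modsecurity_conf() {      # check_modsecurity_conf <confdir> <modsecurity.conf>
    confdir=$1; conf=$2; rc=0
    mode=$(sec_rule_engine "$conf")
    case $mode in
        On) echo "ok: SecRuleEngine On (blocking)" ;;
        DetectionOnly) echo "warning: SecRuleEngine DetectionOnly: matches are logged, nothing is blocked" ;;
        *) echo "error: SecRuleEngine is '${mode:-unset}', expected On"; rc=1 ;;
    esac
    missing=$(missing_includes "$confdir" "$conf")
    if [ -n "$missing" ]; then
        echo "error: Include targets missing under $confdir:"
        printf '%s\n' "$missing" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# Constructed fixture mirroring the post's layout, so the demo runs offline.
make_fixture() {                # make_fixture <dir>
    d=$1
    mkdir -p "$d/owasp-modsecurity-crs/base_rules"
    : > "$d/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf"
    : > "$d/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"
    : > "$d/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"
    cat > "$d/modsecurity.conf" <<'EOF'
# SecRuleEngine DetectionOnly   (the value shipped in modsecurity.conf-recommended)
SecRuleEngine On
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
EOF
}

if [ -n "${MODSEC_CONF_DIR:-}" ]; then
    # Live check: MODSEC_CONF_DIR=/opt/tengine/conf sh check_modsec_conf.sh
    check_modsecurity_conf "$MODSEC_CONF_DIR" "$MODSEC_CONF_DIR/modsecurity.conf"
else
    # Offline demo: the fixture passes, then a typo in an Include makes it fail.
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    check_modsecurity_conf "$tmp" "$tmp/modsecurity.conf"
    echo 'Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attack.conf' >> "$tmp/modsecurity.conf"
    check_modsecurity_conf "$tmp" "$tmp/modsecurity.conf" || echo "(exit $?: do not reload)"
    rm -rf "$tmp"
fi
```

Run it with MODSEC_CONF_DIR pointing at the nginx conf directory; without that variable it exercises the constructed fixture. The DetectionOnly case is reported as a warning rather than an error because it is a legitimate staging mode, but a WAF left in it blocks nothing.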
V. Configure nginx

Add the following two lines inside the location block of any host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

We enabled XSS and SQL injection filtering, so malformed requests are answered with a 403 right away. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
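
The three browser checks above, turned into a repeatable smoke test (an added example, not part of the original post). It assumes the PHP virtual host of section V with phpinfo.php in the web root and curl on the machine running it; the request paths, parameters and expected status codes are the ones listed above, and the WAF_BASE_URL variable and script name are my own. The fetch function is passed as a parameter so the case table can be exercised against a stand-in without a live server.

```shell
#!/bin/sh
# Added example, not part of the original post: the manual checks of
# section VI as a repeatable smoke test to run after every rule change.
# Assumes the post's PHP vhost (phpinfo.php at the web root) and curl.

# Fetch only the status code. -G plus --data-urlencode builds the query
# string the way a browser would (space, < and > become %20, %3C, %3E),
# so the request reaches the WAF exactly as the manual test did.
http_status() {                 # http_status <base-url> <path> <param=value>
    curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode "$3" "$1$2"
}

# Run every case through fetch function $2 (default: http_status).
# Returns 1 if any case does not get the expected code.
run_waf_smoke_tests() {         # run_waf_smoke_tests <base-url> [fetch-fn]
    base=$1; fetch=${2:-http_status}; failed=0
    while IFS='|' read -r path param want; do
        [ -n "$path" ] || continue
        got=$("$fetch" "$base" "$path" "$param")
        if [ "$got" = "$want" ]; then
            echo "PASS $want  $path?$param"
        else
            echo "FAIL want $want got $got  $path?$param"
            failed=1
        fi
    done <<'EOF'
/phpinfo.php|id=1|200
/phpinfo.php|id=1 and 1=1|403
/phpinfo.php|search=<script>alert('xss');</script>|403
EOF
    return $failed
}

# Usage: WAF_BASE_URL=http://www.52os.net sh waf_smoke.sh
if [ -n "${WAF_BASE_URL:-}" ]; then
    run_waf_smoke_tests "$WAF_BASE_URL"
fi
```

A FAIL on the first case means a benign request is being blocked (a false positive to investigate in the audit log); a FAIL on the other two means the rule files are not being loaded or SecRuleEngine is still DetectionOnly.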

VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows it as well:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
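
As an added example that is not part of the original post, this shell script turns the checks from sections III and VII.4-5 into a post-install health check: it confirms from the output of nginx -V that the module was compiled in, parses the APR compiled/loaded versions ModSecurity logs at startup and fails on a mismatch, and counts audit-log mutex failures. The paths /opt/tengine/sbin/nginx and /opt/tengine/logs/error.log are assumed from the post's --prefix; the bad-log sample consists of the lines quoted above, while the good log and the -V output are constructed to match the post's build.

```shell
#!/bin/sh
# Added example, not part of the original post: a post-install health check
# for the build of sections II-III and the runtime problems of section VII.
# Assumed paths (from the post's --prefix): /opt/tengine/sbin/nginx and
# /opt/tengine/logs/error.log; both can be overridden by arguments.

# 1. Was ModSecurity compiled in? `nginx -V` prints the configure arguments,
#    so the --add-module path of section III must appear there.
modsecurity_compiled_in() {     # modsecurity_compiled_in "<nginx -V output>"
    printf '%s\n' "$1" | grep -q -- '--add-module=[^ ]*modsecurity'
}

# 2. APR versions reported at startup (section VII.4). Prints
#    "<compiled> <loaded>" from the last matching line, or nothing.
apr_versions() {                # apr_versions "<error.log text>"
    printf '%s\n' "$1" |
    sed -n 's/.*APR compiled version="\([^"]*\)"; loaded version="\([^"]*\)".*/\1 \2/p' |
    tail -n 1
}

# 0 only when both versions were found and are identical; a missing line
# counts as a failure, because the check cannot confirm anything then.
apr_versions_match() {
    pair=$(apr_versions "$1")
    [ -n "$pair" ] && [ "${pair%% *}" = "${pair#* }" ]
}

# 3. Audit-log mutex failures (section VII.5); prints the count.
audit_mutex_failures() {
    printf '%s\n' "$1" | grep -c 'Audit log: Failed to lock global mutex' || true
}

# Live check: health_check [nginx-binary] [error.log]; returns 1 on any finding.
health_check() {
    bin=${1:-/opt/tengine/sbin/nginx}
    log=${2:-/opt/tengine/logs/error.log}
    rc=0
    if modsecurity_compiled_in "$("$bin" -V 2>&1)"; then
        echo "ok: modsecurity module is compiled into $bin"
    else
        echo "FAIL: no --add-module=...modsecurity in '$bin -V' output"; rc=1
    fi
    recent=$(tail -n 500 "$log")
    if apr_versions_match "$recent"; then
        echo "ok: APR compiled and loaded versions agree ($(apr_versions "$recent"))"
    else
        echo "FAIL: APR version mismatch or not reported: '$(apr_versions "$recent")'"; rc=1
    fi
    n=$(audit_mutex_failures "$recent")
    if [ "$n" -eq 0 ]; then
        echo "ok: no audit-log mutex failures"
    else
        echo "FAIL: $n audit-log mutex failure(s); see section VII.5"; rc=1
    fi
    return $rc
}

# Sample inputs. The bad log lines are the ones quoted in section VII;
# the good log and the -V output are constructed to match the post's build.
SAMPLE_V='Tengine version: Tengine/2.1.0 (nginx/1.6.2)
configure arguments: --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine'
SAMPLE_BAD_LOG='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]'
SAMPLE_GOOD_LOG='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.5.0"'

if [ -x /opt/tengine/sbin/nginx ]; then
    health_check "$@"
else
    # Offline demo on the samples.
    modsecurity_compiled_in "$SAMPLE_V" && echo "sample -V: module present"
    apr_versions_match "$SAMPLE_BAD_LOG" || echo "bad log: APR mismatch $(apr_versions "$SAMPLE_BAD_LOG")"
    apr_versions_match "$SAMPLE_GOOD_LOG" && echo "good log: APR versions agree"
    echo "bad log: $(audit_mutex_failures "$SAMPLE_BAD_LOG") mutex failure(s)"
fi
```

Run it on the server as sh modsec_health.sh [nginx-binary] [error.log]; where the binary is absent it runs the offline demo on the samples. One note on the audit-log fix in item 5: SecAuditLogDirMode 0777 makes the audit directories writable by every local user. They only need to be writable by the user the nginx workers run as, so a tighter mode with the storage directory owned by that user gives the same effect with less exposure.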

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614