ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now supports nginx and IIS as well. Combined with nginx's flexibility and performance, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module can be added when configuring nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover any other need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need by pulling them in with Include directives:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of the virtual host where ModSecurity should be enabled, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests get a 403 straight away. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
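The same three checks can be scripted so they are repeated after every rule change. The script below is an added example, not part of the original post: it requests each of the URLs listed above and compares the returned status with the expected one, reporting a failure when the WAF lets a probe through or blocks the benign request. BASE_URL and the injectable fetch helper are this example's own assumptions; run it from a host that can reach the virtual host after the rules are loaded.

```python
"""Smoke-test the ModSecurity rules enabled in the post.

Added example, not part of the original post. BASE_URL and the injectable
fetch helper are assumptions made for illustration; adjust BASE_URL to the
host being tested.
"""
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net/phpinfo.php"  # assumed vhost from the post

# The three probes from the post: one benign request and the two requests
# that the included CRS rules (41_sql_injection_attacks, 41_xss_attacks)
# are expected to block with a 403.
CHECKS = [
    ("benign query", {"id": "1"}, 200),
    ("sql injection probe", {"id": "1 and 1=1"}, 403),
    ("xss probe", {"search": "<script>alert('xss');</script>"}, 403),
]


def http_status(url, timeout=5):
    """Return the HTTP status code for a GET of url, 4xx/5xx included."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(fetch=http_status, base_url=BASE_URL):
    """Run every probe through fetch(url) -> status and return the results.

    fetch is injectable so the comparison logic can be exercised without a
    live WAF. Each result is (name, url, expected, actual, passed).
    """
    results = []
    for name, params, expected in CHECKS:
        url = base_url + "?" + urllib.parse.urlencode(params)
        actual = fetch(url)
        results.append((name, url, expected, actual, actual == expected))
    return results


def all_passed(results):
    """True only if every probe got exactly the status the rules should give."""
    return all(r[4] for r in results)


if __name__ == "__main__":
    for name, url, expected, actual, ok in run_checks():
        print(f"{'PASS' if ok else 'FAIL'} {name}: expected {expected}, got {actual}")
```

A run in which every probe comes back 200 means the rules are not engaging at all (SecRuleEngine still Off, or the Include lines missing), which the all_passed check reports just as loudly as a blocked benign request.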
" A5 D* K* w* R' s5 P3 q- ^9 D- H* T- r. u1 P
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log records the same mismatch:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following. In Concurrent mode every transaction is written to its own file under the storage directory, so the single serial log and the global mutex that guards it are no longer used:

# 0777 makes the directory world-writable; when /var/log/modsecurity is owned by the
# nginx worker user a mode such as 0750 is sufficient
SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
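Both of the error.log excerpts in items 4 and 5 above follow the same nginx log line shape, so they can be triaged automatically instead of by eye. The script below is an added example, not part of the original post: it flags compiled-versus-loaded library mismatches from the startup notices (normalising version strings such as "7.8 2008-09-05" so that the PCRE line is not a false positive) and breaks the bracketed fields out of ModSecurity error entries. The embedded log lines are copied from this post; the function names and the regular expressions are the example's own.

```python
"""Triage ModSecurity startup notices and error entries from nginx error.log.

Added example, not from the original post. Regexes and function names are
this example's own; the sample lines are the ones shown in the post.
"""
import re

# Log lines copied from the post (items 4 and 5). The mutex error, wrapped
# for display in the post, is one line in the real log.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# "<date> <time> [<level>] <pid>#<tid>: <message>"
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?P<msg>.*)$')
# 'ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"' (loaded part optional)
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)
# '[uri "/i.php"]' style fields appended to error entries
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')


def normalize_version(version):
    """Keep only the leading dotted number: '7.8 2008-09-05' -> '7.8', '7.8 ' -> '7.8'."""
    m = re.match(r'\s*([\d.]+)', version)
    return m.group(1) if m else version.strip()


def check_library_versions(log_text):
    """Return {lib: (compiled, loaded, mismatch)} for every version notice.

    A library with no 'loaded version' (LIBXML in the sample) is recorded
    with loaded=None and mismatch=False, since there is nothing to compare.
    """
    found = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        v = VERSION_RE.search(m.group('msg'))
        if not v:
            continue
        compiled, loaded = v.group('compiled'), v.group('loaded')
        mismatch = loaded is not None and normalize_version(compiled) != normalize_version(loaded)
        found[v.group('lib')] = (compiled, loaded, mismatch)
    return found


def parse_error_entries(log_text):
    """Return a list of dicts for [error] lines with their bracketed fields.

    The client address sits in a leading '[client x.x.x.x]' bracket without
    quotes, the remaining fields are '[key "value"]' pairs; both are handled.
    """
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group('level') != 'error':
            continue
        msg = m.group('msg')
        entry = {'ts': m.group('ts'), 'pid': int(m.group('pid'))}
        client = re.match(r'\[client (?P<ip>[^\]]+)\] ', msg)
        if client:
            entry['client'] = client.group('ip')
            msg = msg[client.end():]
        entry.update((f.group('key'), f.group('val')) for f in FIELD_RE.finditer(msg))
        entry['message'] = FIELD_RE.sub('', msg).strip()
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for lib, (comp, load, bad) in check_library_versions(SAMPLE_LOG).items():
        print(f"{lib}: compiled={comp!r} loaded={load!r} {'MISMATCH' if bad else 'ok'}")
    for entry in parse_error_entries(SAMPLE_LOG):
        print(entry)
```

To run it against the live file, pass the contents of the error log (for the prefix used in this post that would be /opt/tengine/logs/error.log, assuming the default log location under the prefix) to the two functions instead of SAMPLE_LOG; the unique_id field extracted from each error entry is the key for finding the matching audit log record under SecAuditLogStorageDir.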
" ^/ ^) X O f5 J4 o* W8 U$ h$ I1 q7 j参考文章:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614