|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
+ n! j: R4 [. _+ A; L5 r% h q# `% U$ O5 h
一.准备工作$ I" b, W( o8 ]& N/ I4 @
( R3 {. ~5 W m
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
$ h& r! O: g, [0 U+ f
% k c' n! N/ Q4 \tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz9 c5 g* ^! @" I2 Q* @
2 _% r: n6 Y: g& V% r8 h3 }, ~modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz0 w1 Q6 }7 P/ _$ g- A% r
, F) B3 Y6 y7 D; `2 K; v. A# W
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs$ ^9 y) k% G" Y; b3 Y! g& A: ?
' ~1 P7 G& j3 O6 E( u+ H7 |
依赖关系:
8 f& }% }- z2 Atengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有: p- W4 R( J( V8 \' y" s% o
+ Z) U* j8 z Lyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel6 A* q( d$ J& B# _) b
modsecurty依赖的包:pcre httpd-devel libxml2 apr% ^) U/ Y9 F) o, u! _
o0 v3 G$ h) `9 ]8 eyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel0 u& Q5 C! `1 ], a v i7 b; [
二.启用standalone模块并编译8 K5 E$ _ {- n# V: v' d
: S. a9 w" m* K& Q+ F. R! e
下载modsecurity for nginx 解压,进入解压后目录执行:
8 ~' e! ^: {) B) e
D4 ?: M5 n) D' \' p7 e# C, M./autogen.sh
8 s/ ?' l0 k: l: o: Q% `./configure --enable-standalone-module --disable-mlogc: o) s2 a3 v. U, j |1 l% @- Q+ z
make
( M7 d) l6 \$ G. ^) B' s; \2 X0 W三.nginx添加modsecurity模块. p: D9 W3 k+ Y( P4 p% D
* y, B' a9 `: U a1 Q: T. v+ F- w
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:2 w* O) @4 _$ k2 C% m/ r0 ?
, ^8 j. r; @6 N M* C5 n0 G
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine9 m2 n" u; P5 u( w0 \" @
make && make install. s2 T- U4 B" H/ L' m. Z
四.添加规则! `; x& i0 j4 C; b" Y. Z! W4 @5 H
# V2 `6 b. l" j. J/ }' ~modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。! [# Z- _8 J. f/ F( J
# y; ^' a8 X6 G! f) Y- y* g8 i
1.下载OWASP规则: j- `" Q3 g- _6 O
* u. Z6 x0 V& l# y9 _: v F5 X& x5 B' B
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs' M! H3 A8 S3 l) E/ J! z% L
( L0 g, b, g$ O- u$ f- K2 H: D
mv owasp-modsecurity-crs /opt/tengine/conf/
; ]: h8 k* z/ g' \) b
% N4 F. G3 J- ~cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
5 E @* P1 Y% M4 |2.启用OWASP规则:6 W5 R' P% ?# H4 _6 I, J
+ b0 [% ^$ ]3 b' l0 o复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。5 [( E0 o: H4 b, ]5 A/ ?6 A5 q* ^* x
( M+ d4 I8 y# R: ]1 U3 [
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
% `& z z- {4 D* ~+ o% u, f4 `
. P/ t2 V0 \- M0 P& Sowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
3 ]. _3 x+ \6 E" u4 M
+ }( t9 W& q8 c* Z5 G: NInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf$ ^" c1 y9 K) p9 O* Y) K2 F
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf3 G: N6 c9 e4 r. R* u3 S: [
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf9 w P6 M8 J' E* {
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf; [6 s' [8 `5 J3 G$ T" c" B
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf1 r! v- Z, w' r0 W$ y
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
7 l4 U, m/ k, {+ u5 I. F' a$ YInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf6 P2 U; l; T v5 w
五.配置nginx
|& `( k0 e: e; C, g2 z4 t' |; ~. ?6 Q! `( F& ^
在需要启用modsecurity的主机的location下面加入下面两行即可:! G8 B5 [% L9 t( d/ B! \
( Z# {: x2 c& K2 e
ModSecurityEnabled on;
5 i% \9 f/ i7 q- `4 BModSecurityConfig modsecurity.conf;
4 W! o7 _/ y* m; z* k下面是两个示例配置,php虚拟主机:6 V! i7 `( e( M& F& W! _6 m9 e
6 X1 q+ O+ M% O% g+ e
server {
8 V# }8 o0 s+ r listen 80;$ _9 @9 W: r* {: o$ Q
server_name 52os.net www.52os.net;
9 ?/ ]4 E1 F2 y) T3 }4 I 2 u1 C& k. v5 ~0 P5 x& @
location ~ \.php$ {
- P- W) m' _4 t' g ModSecurityEnabled on; p, J. a1 n0 `" n
ModSecurityConfig modsecurity.conf;
9 `5 E( ^0 F/ H3 ` l
3 L. P6 l* f6 \: h root /web/wordpress;
! L6 o0 A; e2 M/ m c index index.php index.html index.htm;
8 B+ s8 G5 \. h9 h" i
+ Z5 L8 {9 g0 x7 b# \3 z- Q fastcgi_pass 127.0.0.1:9000;
% v* y) ^: e% ~; @/ \! q! | fastcgi_index index.php;) w4 M- f+ H) i- O- {
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;. ?/ J" N2 ^+ J, h: T# U
include fastcgi_params;( _0 N$ Y. _6 m' R) F
}" C7 }# F O# D, u
}
+ O" q1 O& O- W7 l3 J6 X* nupstream负载均衡:
- S) H/ F/ Z9 l) M
% Y: D) o% S2 Dupstream 52os.net {7 J: b) c# g1 ?
server 192.168.1.100:8080;
0 r' O( u+ o9 E' G H' P1 _$ i server 192.168.1.101:8080 backup;
/ Q1 c2 ~+ B5 U9 R0 G+ w}* F E/ o6 `& `9 `
: t4 n, R" }; V$ ~/ v9 pserver {0 `8 M4 E) p+ R, [; a2 B
listen 80;' k( r. g# ?. v0 `
server_name 52os.net www.52os.net;
+ b& G* w! k! I$ ? T- o6 D. s. \6 W' }$ q
location / {
$ S P- Y8 | A ModSecurityEnabled on;
; V0 H7 S* u2 D5 c ModSecurityConfig modsecurity.conf; . k, r: Q" Y; m5 J9 i; j3 U' {
. p8 ^7 |# e# Z: |7 z
proxy_pass http://online;
8 u/ X* H2 Y7 S4 _9 v5 e: T% I0 R3 T proxy_redirect off;) W' @! O$ x" i6 L# F4 S
proxy_set_header Host $host;
% c; f" y+ N2 r+ S7 c/ O proxy_set_header X-Real-IP $remote_addr;
4 y) L a5 f1 v: d2 w proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;2 T% T/ i F3 l6 v' o
}4 K9 V1 f5 F7 V, J/ Z
}! D$ Q, b2 g: q3 Z! F h
六.测试
' C) L4 M" Q7 u" M2 ?( j
7 Q- D' w9 b4 o' o/ |8 I) R5 @我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:& Q: q$ `5 W( H" b% B5 b9 ^
# s; Y6 |: _8 H
<?php3 @3 E0 I. {* o8 p* y! C
phpinfo(); ; T, ~+ \7 k3 w+ {
?>( h6 P) n( b+ U1 }" E
在浏览器中访问:% `# M! P' e0 n q/ I+ @6 W' I
+ L7 A( w& x1 V( thttp://www.52os.net/phpinfo.php?id=1 正常显示。! y+ J8 y3 O, f5 m; R0 z
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
" M% Y2 H) p. n8 vhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
A% R K% n% e, g说明sql注入和xss已经被过滤了
& _+ Y F) c z& m. F& M+ @% ^" Y3 J$ }9 I
七、安装过程中排错. K$ g$ l* m" V9 l+ Z' _- N
3 T! r- f; A$ K7 B
1.缺少APXS会报错+ [: r" }+ W3 y4 w3 G
* v( p) A3 J- X# Q5 E
configure: looking for Apache module support via DSO through APXS; W. F) ]7 z3 b4 W: `
configure: error: couldn't find APXS% S# ]5 s8 Y5 U: ?5 g
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。8 `' @) h: V! f( D- r& p2 X6 C
解决方法:; g3 b5 F7 W* ]2 a/ n! B
& w6 n+ [) k; |2 X6 u& N U8 Xyum install httpd-devel
C8 y, n: W; n2.没有pcre
8 X" v; @" f1 N% e2 Y" z/ V, V& A' }
configure: *** pcre library not found.6 x+ Z! Z9 d# A* a4 ?5 }) m
configure: error: pcre library is required
t t3 E" R" Q5 z& ~. o' J" ?+ E解决方法: l, M/ n/ _, R
8 ]5 c2 v0 u% `0 K. k; Qyum install pcre pcre-devel
0 k! X6 M3 G3 J1 g! r' j* N3.没有libxml2
0 e. E) u. k7 P& f1 p% z: N0 A( a& [; T" h
6 u+ D$ t6 {0 a1 ^% G/ W
configure: *** xml library not found.
' m+ P# }+ n) lconfigure: error: libxml2 is required4 |8 Z2 K" W: L9 X
解决方法:- R. B- m) j+ [
( o4 }: c4 d0 M" V7 _ B+ h# J4 c2 Z2 U
yum install libxml2 libxml2-devel* [- x0 b* ~8 p
4.执行 /opt/tengine/sbin/nginx -m 时有警告
2 v5 N. g. ~7 I, l
) |% Q7 C8 f7 ZTengine version: Tengine/2.1.0 (nginx/1.6.2)" B5 n& P; y& Y! _* F
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
' L; c/ q A/ I& z' E/ k$ C9 @原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
. B% @9 F- F: S& W5 ^/ M" Z
8 A# r! p! q! t+ A2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
1 V Q8 c; L7 v3 Y7 k; G4 I9 ~2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
: _% X( B* R+ R9 J; ^& A$ O2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
9 v2 p9 O' o" s3 J2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
) r( p/ F$ c& s& C1 a# [2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
- w8 n/ w- ^2 }8 V. l$ X2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
& ?( T& a/ T( u4 ]解决方法,移除低版本的APR (1.3.9)
' Q) R# s. H( y% L+ ]. S0 M) V7 F( |7 P# m1 ]* D
yum remove apr
* x! r4 L5 {8 R- D7 l3 A5.Error.log中有: Audit log: Failed to lock global mutex
2 ]! w3 m* i9 ~: D; B
6 B- n& {3 o2 T0 d5 U- N. t; O5 s2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock + n7 |: C' F |7 q7 ]1 o' R8 k) l
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]5 \5 H& u; `, E+ P
解决方法:
f) G- d( L3 O( ]7 W* D编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
; B, c8 t" m: C2 S% E, x
( O L8 l3 k i; N1 x: o6 aSecAuditLogDirMode 0777
0 \+ ~3 R: g% _. i0 h& D2 NSecAuditLogFileMode 0550
7 a" m7 [/ Y5 W2 \3 m' dSecAuditLogStorageDir /var/log/modsecurity
$ f+ o7 I0 C% o1 x$ @SecAuditLogType Concurrent
0 i) u- n2 m$ p- ~参考文章:& F# y+ w+ m- E" C" V. K
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX- B+ U& @' B8 ]* w/ W J
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡