ModSecurity started out as an open-source WAF module for Apache and is an effective way to harden a web deployment. It now also supports nginx and IIS, and combined with nginx's flexibility and performance it can be built into a production-grade WAF for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

Only "make" is needed here, not "make install": the nginx build in the next step links against the objects left in this source tree, so keep the tree in place until nginx has been built.
III. Add the ModSecurity module to nginx

Once the standalone module has been built, nginx can pick it up at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

The path points at the nginx/modsecurity directory inside the ModSecurity source tree from step II. After installation, "/opt/tengine/sbin/nginx -m" (a Tengine option) lists the compiled-in modules and is a quick way to confirm the build picked it up.
IV. Add rules

ModSecurity is about filtering and blocking web attacks, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which logs matches but blocks nothing, so without this change no request is ever rejected.

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding Include lines for them to modsecurity.conf. The setup file must be included before any rule file, because the rule files rely on the variables it defines; the paths below assume the CRS lives under /opt/tengine/conf as set up above (use absolute paths if a relative Include does not resolve):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

The DoS-protection and brute-force rules keep per-client counters in persistent collections, so the SecDataDir set in modsecurity.conf must be writable by the nginx worker processes; the experimental_rules directory is, as its name says, experimental, so watch the error log for false positives after enabling it.
V. Configure nginx

In each location that should be protected, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

The directives apply only to the location they appear in, so enabling them solely in "location ~ \.php$" leaves requests for every other path uninspected. Two sample configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing (the upstream name and the proxy_pass target must match):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests get a 403 straight back. Using the PHP host as an example, create phpinfo.php with the contents:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1                                   displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1                           returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that the SQL injection and XSS payloads are being blocked. The browser percent-encodes the spaces and angle brackets for you; when repeating the test with curl, encode the query string yourself, otherwise the request is malformed before ModSecurity ever sees it. Delete phpinfo.php once the test is done, since it discloses the server's configuration to anyone who requests it.
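The three probes above make a useful regression test to rerun after every rule change: the benign request must keep returning 200 and the two attack payloads must keep returning 403. The script below is an added example, not code from the original post or from the ModSecurity project; it URL-encodes the payloads the way a browser does, sends them, and reports each probe against its expected status. The base URL, the path and the probe list are assumptions taken from the post, and the fetch function is injectable so the comparison logic can be exercised without a live WAF.

```python
"""Smoke test for the ModSecurity/Tengine setup described in this post.

Added example, not part of the original post. Usage:
    python3 waf_probe.py http://www.52os.net
Exit status 0 means every probe returned the status the post says it should.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# (name, query parameters, expected HTTP status): the probes from the post.
# Assumed values; adjust to your host.
PROBES = [
    ("benign", {"id": "1"}, 200),
    ("sqli", {"id": "1 and 1=1"}, 403),
    ("xss", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_probe_url(base_url, path, params):
    """Build the probe URL with the payload percent-encoded.

    A browser encodes spaces and angle brackets automatically; a hand-typed
    curl command does not, and an unencoded space breaks the request line
    before ModSecurity is involved at all.
    """
    return "{}{}?{}".format(base_url.rstrip("/"), path, urllib.parse.urlencode(params))


def http_status(url):
    """Return the HTTP status code for a GET of url (403 is a normal answer here)."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_probes(base_url, path="/phpinfo.php", fetch=http_status):
    """Run every probe; return a list of (name, url, expected, observed, ok).

    fetch is injectable so the logic can run without a live WAF.
    """
    results = []
    for name, params, expected in PROBES:
        url = build_probe_url(base_url, path, params)
        observed = fetch(url)
        results.append((name, url, expected, observed, observed == expected))
    return results


def all_passed(results):
    """True when every probe got the status it was expected to get."""
    return all(ok for _, _, _, _, ok in results)


def main(argv):
    base = argv[1] if len(argv) > 1 else "http://www.52os.net"  # assumed host
    results = run_probes(base)
    for name, url, expected, observed, ok in results:
        print("{:4} {:7} expected {} got {}  {}".format(
            "PASS" if ok else "FAIL", name, expected, observed, url))
    return 0 if all_passed(results) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the attack strings are kept in one list, a new payload that a rule change should cover is a one-line addition, and a benign request that starts being blocked after tuning shows up as a FAIL on the same run.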
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server, turning one or more source or object files into a dynamic shared object. ModSecurity's configure script requires it even for the standalone build.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log records both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that the loader finds the 1.5.0 build ModSecurity was compiled against:

yum remove apr

yum removes every package that depends on apr along with it, httpd-devel included, so read the list it prints before confirming. Afterwards, "ldd /opt/tengine/sbin/nginx | grep apr" shows which libapr-1.so nginx actually resolves.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Cause: the default Serial audit log writes every transaction into a single file and serialises the writers with a global mutex. That mutex is created by the master process, which runs as root, and the unprivileged worker processes cannot lock it. Concurrent mode writes one file per transaction under SecAuditLogStorageDir and needs no such lock.

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Create /var/log/modsecurity beforehand, owned by the user the worker processes run as (the "user" directive in nginx.conf). 0777 is wider than the workers need: the per-day directories are created by the worker itself, so 0750 is sufficient and keeps the audit logs, which contain full request and response bodies, from being world-readable.
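Whether the engine is misbehaving (as in the mutex error above) or doing its job (the 403s from the Testing section), the evidence ends up in nginx's error.log as a "ModSecurity:" message followed by bracketed key/value pairs: [hostname ""] [uri "/i.php"] [unique_id "..."]. The parser below is an added example, not code from the original post or from the ModSecurity project. It splits those entries into fields, separates blocked requests from engine errors, and counts blocks per rule. The first sample line is the mutex error quoted above; the other lines are constructed for this example to show the shape of an "Access denied" entry, and the rule ids and messages in them are assumptions that depend on the CRS version installed.

```python
"""Parse ModSecurity entries out of nginx's error.log.

Added example, not part of the original post. Run directly to print a
per-rule summary of the constructed sample below, or import parse_log()
and summarize() and feed them a real error.log.
"""
import re
from collections import Counter

# Constructed sample: line 1 is the mutex error from the post, lines 2-3 are
# constructed "Access denied" entries (rule ids/messages are assumptions),
# line 4 is an ordinary nginx notice that the parser must ignore.
SAMPLE_LOG = r'''
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "123"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-0002"]
2015/01/26 04:20:05 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)..." at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "45"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:search: <script>alert('xss');</script>"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-0003"]
2015/01/26 04:21:00 [notice] 61610#0: signal process started
'''

# nginx prefix: timestamp, level, pid#tid, optional [client ...], then the ModSecurity text.
PREFIX_RE = re.compile(
    r'^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<message>.*)$'
)
# The bracketed [key "value"] pairs ModSecurity appends to its messages.
KV_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<value>[^"]*)"\]')
DENIED_RE = re.compile(r'^Access denied with code (?P<status>\d+)')


def parse_line(line):
    """Return a dict of fields for a ModSecurity line, or None for any other line."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    message = m.group("message")
    denied = DENIED_RE.match(message)
    entry = {
        "time": m.group("time"),
        "level": m.group("level"),
        "client": m.group("client"),
        # Free text before the first bracketed field, e.g. the engine error.
        "text": message.split(" [", 1)[0],
        "denied": denied is not None,
        "status": int(denied.group("status")) if denied else None,
    }
    entry.update(dict(KV_RE.findall(message)))
    return entry


def parse_log(text):
    """Parse every ModSecurity entry in an error.log body, skipping other lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Return (Counter of blocked requests per (rule id, msg), list of engine error texts)."""
    blocked = Counter((e.get("id", "?"), e.get("msg", "?")) for e in entries if e["denied"])
    errors = [e["text"] for e in entries if not e["denied"] and e["level"] == "error"]
    return blocked, errors


if __name__ == "__main__":
    blocked, errors = summarize(parse_log(SAMPLE_LOG))
    for (rule_id, msg), n in blocked.most_common():
        print("{:5d}  rule {}  {}".format(n, rule_id, msg))
    for text in errors:
        print("engine error: {}".format(text))
```

Engine errors such as the mutex failure are reported separately from rule hits on purpose: they mean the audit trail is incomplete rather than that an attack happened, and grouping blocks by rule id is what tells you which CRS rule is generating false positives when you tune after enabling experimental_rules.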