|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
9 m5 n& e. T% ^3 v& j; N
0 i; W& F* r% y, E& F一.准备工作# c6 O; d8 \8 P" b5 ^4 b1 o" H
: V0 X6 J! t) f2 u* ] q! T' g系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.03 U( v4 U4 D1 k. r5 ?, m7 O# b
3 V% E8 k! Z$ ^0 q
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
( i; g. K( S2 ^3 n g
$ J. i" v* e8 n0 k9 [/ Lmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz2 A) @) O; W- u
1 v& Y) @3 ^$ Z% o& j/ x
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
2 J+ a/ ^+ N g4 w
: V+ \- y6 l* g9 W依赖关系:
C6 k. \+ P' Y% O" etengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
. d, v. c& n! ?2 v. v7 p1 T- |
% ?4 v& u4 s- z3 H+ q! Iyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
9 F: u: v$ b# m) s( omodsecurty依赖的包:pcre httpd-devel libxml2 apr
* V }+ Y, o$ N. q) R! ^
+ P. `$ j4 p$ U p$ Q4 K9 gyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
; A3 S w7 q" Q5 Q6 r9 {/ w二.启用standalone模块并编译
; V5 B6 W/ J, Q+ I5 I$ {2 N
- ~# R3 [; w J% I下载modsecurity for nginx 解压,进入解压后目录执行:
" \7 [- s A$ p: C! t) a0 u* R" c4 @, }* c" [; b
./autogen.sh
& `$ x* O$ m0 o& A. H0 Y7 f./configure --enable-standalone-module --disable-mlogc2 \, [' l3 F Q. ]; n' w* Q: q
make
3 p W! p3 M2 a8 |/ T v三.nginx添加modsecurity模块
, [ \" p6 }) w1 J2 Z" L$ H4 V. F% J( q# I" y) `9 l1 C$ e+ l
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:4 p6 V8 O# s9 p+ x% Y
( p+ D' g7 h. X* m
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
: [0 R4 a5 K! ~* xmake && make install) n/ ?% ]6 {# o) g5 S
四.添加规则
8 O {' |. W8 N0 \2 Z0 _+ I8 p8 o T+ G( F @% ~
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。# E+ u M% W/ w! Z
% K( k9 \2 a$ G+ X) j, Q: r
1.下载OWASP规则:
7 E1 _* e; m# {3 d/ R
- T. X& J$ b# i" v2 C+ ^5 `! fgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs8 R4 k, w4 N8 u! d1 g' v( x1 K: f
# ^2 j6 |3 `7 M) C$ h9 P9 K4 w' amv owasp-modsecurity-crs /opt/tengine/conf/
: p: y+ D; x4 O/ {% B6 z0 J I* s/ A8 \1 }; I$ A. ^# U& c/ N) Y
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf: C/ I- ?# ]* ^& r
2.启用OWASP规则:
/ K! X( Y- m1 w4 J. d0 M, _! C9 P0 ]. Q4 _* O" x5 Z& q
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
# O+ \6 C1 O" ^0 d! J
7 S4 A3 `! e$ g" T) O2 \4 K5 k编辑modsecurity.conf 文件,将SecRuleEngine设置为 on2 M+ D# R) i5 B% E |" e
j$ s; {% v% G2 k+ B! l# q
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
/ U2 O3 z8 g% k ], n+ g3 G% q4 }/ x* B. @3 h, H3 s2 u- ?% }
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf! @- F3 d7 f1 M2 m6 t# I4 L
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
* c. ]9 h. `+ ? N9 R5 h7 W) }! qInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
, u: V7 Q- S: ] x9 mInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
V5 n% B6 b u. Y$ oInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf& `9 A- }4 Q+ H" F- I6 w6 |5 J4 o
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf9 q2 v' q& G! A# p) c
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
1 o" e. d: m1 a) i& Z: Q( X) C$ u五.配置nginx4 p+ G( _3 R6 H! x7 j
r7 l# b* D* _% ^$ ]
在需要启用modsecurity的主机的location下面加入下面两行即可:
: ?1 H2 c& n2 z1 K) i8 F% {) t. a- j& g& _( l+ K, Y
ModSecurityEnabled on; 9 _+ j& M" @- k e
ModSecurityConfig modsecurity.conf;8 N: h; K1 o! N% F$ s9 [
下面是两个示例配置,php虚拟主机:; w8 j8 m) ^, h- X
8 C5 O% W: q9 E U% r* J) C$ b& pserver {
; ]" \& E5 _3 M9 s listen 80;' Y& y1 t6 s# B- ~' t2 h
server_name 52os.net www.52os.net;6 b1 V4 s$ H' I
5 U- u# ~7 W5 ], v5 H. T6 \! m location ~ \.php$ {* o: M, z/ e/ F( t
ModSecurityEnabled on;
5 D3 \+ G- j. Y7 \6 B ModSecurityConfig modsecurity.conf;. ~! R; x- {9 ^
2 q& i9 w2 H% |/ b1 q- j4 v root /web/wordpress;* b- q: S# E3 E' d
index index.php index.html index.htm;* h. z, g* g1 T2 T m" J; g
( `+ `6 b G _& g' z
fastcgi_pass 127.0.0.1:9000;
K# Y- c9 Y9 f+ |& s7 q+ a fastcgi_index index.php;
5 N1 z4 G7 K2 i7 W8 v( F+ S fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
1 C; M7 }5 n8 j p* Y3 P include fastcgi_params;
2 {+ @! D" |6 T }" I8 j* Q( i+ b0 ^, m5 k+ P% r e
}
8 `2 b4 v x Z+ C" q1 [upstream负载均衡:* w9 `) z3 Z9 u# j& B
9 q7 B& ] }1 Y: T: U
upstream 52os.net {
: z( q( c$ B5 z3 Q3 G server 192.168.1.100:8080;
W) x) Q: t/ J( v/ m server 192.168.1.101:8080 backup;
T) r; h1 [" _* F. N" u& z}
- ?9 P. j& v! @" w2 D% L( |* N
server {
$ b+ u+ g% E) M% j# wlisten 80;7 _- T& I' {7 W" p* u. i; Q
server_name 52os.net www.52os.net;* N7 ]! t: W% |6 }4 I5 o& S
& ]. E3 t( ?, N8 G0 o8 L glocation / {5 E- |# }0 }% ~+ J1 s \8 `& ]
ModSecurityEnabled on; ' G9 C$ ~/ \1 |6 F( V; i( u
ModSecurityConfig modsecurity.conf; / d/ N7 X Y* _4 M' \" P# J' j
! H1 P, z6 m" a# o D proxy_pass http://online;7 P) ^! m2 p A" h6 k
proxy_redirect off;. y Y8 `0 j8 j1 W! U& C8 i: N2 Y
proxy_set_header Host $host;+ D2 l$ t% @4 y8 [. t2 O
proxy_set_header X-Real-IP $remote_addr;+ _4 ^! t X1 _& _
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
/ j2 n! m/ F! m- ^5 n' Q( M1 a }1 @( ]! x8 G) N& |
}
6 q z$ L3 I; k7 X, }; s' E5 K+ g# i) R6 f六.测试
2 }/ z& N5 F; ]+ Y; ^* c7 O$ a* O) R# ^
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:4 ?" g$ y! o; m J
6 F0 A, U2 O8 I9 L
<?php
+ r: l' {9 p; m% _ phpinfo();
% z- h- W) J! X% A$ D0 S?>6 i8 z9 ^$ k( s& k- ]; Y
在浏览器中访问:( i7 y2 P0 X% Y; a( C
+ \1 E4 r+ g: ^2 O* Y
http://www.52os.net/phpinfo.php?id=1 正常显示。9 O1 b; c9 I+ s! D! A5 ]
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。& Q6 K+ Z/ Q# R& B: j6 p1 d
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
7 s5 N3 _: B4 ~- v说明sql注入和xss已经被过滤了/ s0 B+ \& ^/ {- c1 {
" H7 `( P" i' ^! P/ b七、安装过程中排错
. q/ a% R6 q$ c% _' A5 k6 x! K
4 \4 B3 h* a6 J9 @1.缺少APXS会报错' Y3 ~& Y5 O' j, Q: b0 n
( ?& \. u2 H7 i2 f1 \% x9 Q- |6 K
configure: looking for Apache module support via DSO through APXS* u' Q Z* m, q, f4 D! e& m$ T$ f
configure: error: couldn't find APXS
* x" U3 a2 x6 B4 w, papxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
% s+ y. j) {9 ]! p8 w解决方法:
$ I8 z# D" c- k! `# g5 M
6 z' u9 d5 D8 kyum install httpd-devel1 N# @5 @- f6 l. U4 Z( O
2.没有pcre: K2 [( j4 q1 h$ j7 a
* i0 K. q* ]# v) B( M$ j
configure: *** pcre library not found.6 Q4 _6 O K8 Z4 |% ]
configure: error: pcre library is required
( W4 M1 i1 X; X解决方法:
6 m% n1 I9 x4 ?! i* i+ o+ G R* O, s S
yum install pcre pcre-devel
0 U# J) N1 Y" H/ w) a+ e! e3.没有libxml2
% M0 n% R1 \, C4 y! Q" Z5 d @
1 z0 f, Z5 h/ z4 l+ L- |; G' X( Q3 U( Y7 ^
configure: *** xml library not found.
7 a" Q9 h: u6 Zconfigure: error: libxml2 is required
( K: ?$ @2 r2 l解决方法:
0 g0 o1 w! m! E+ C$ F/ f# Q0 J+ x4 g; g3 d9 V" `2 u
yum install libxml2 libxml2-devel
' D; A5 k5 ]0 n0 C4.执行 /opt/tengine/sbin/nginx -m 时有警告9 l% l) L3 _- c
/ U% e, s. ?0 X0 \+ {
Tengine version: Tengine/2.1.0 (nginx/1.6.2)3 J% F$ h) a: W: q/ Q
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!' G4 _+ R! z- D, j+ L" T7 p0 G
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
% Q7 ?) X. }. ~7 v
/ Y) {* I9 t$ C6 e* X2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.6 W" a+ p. }/ A
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"' T5 n6 b% p+ S
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
$ R5 r3 h2 p, i. P8 |2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"; s# ]- X! @9 g5 y" ]( Z* _5 [
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
0 C) D2 ~- O" O: O, U2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
8 q* t4 v7 l* G! L$ G6 A- z解决方法,移除低版本的APR (1.3.9)
/ ]8 X8 n; F# u4 i$ \% t7 l5 [# K, M [
yum remove apr+ Y, M! x g d% o8 b' S4 N
5.Error.log中有: Audit log: Failed to lock global mutex5 h: p8 {$ L% K( l
+ d; M$ O; K- G6 u7 `# z
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
r( m" c8 b( z8 c: pglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]4 q9 C" U" p- o1 ^
解决方法:& j# G* T7 t: }& a
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
4 k' `6 x. z4 E6 Y
9 e3 S6 ] ?9 ySecAuditLogDirMode 0777
% @0 t2 h, N' CSecAuditLogFileMode 0550) h) u8 R8 K3 i$ k/ C& P$ u# M. Y
SecAuditLogStorageDir /var/log/modsecurity4 G. x4 v( z" [2 W- b3 ~# R
SecAuditLogType Concurrent5 W# g8 ^# z( x. P
参考文章:7 ^# ?. X. f* [* l- v: |0 v
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
1 a' _3 ?3 ]# V0 J% t" {, k- Fhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡