|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
B, w& i' @+ U' G X
4 n2 q$ f3 y7 k# i7 ?一.准备工作
6 U) P1 |% F5 c# ?. }8 F4 }. D1 F- _4 \ [9 I; |+ A
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
. I8 s& [8 W7 F9 o" }0 j5 S# m! y; U+ `9 k k3 l
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz# D4 g8 i+ {& n0 y3 e1 P1 _/ a5 T
* s6 {. Y7 P/ X3 ~, [modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz* Y* s& ^% }' Q" {( ^$ I3 U
& d6 y# w2 J- Z* X7 N
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs0 F" ]! ^+ j9 l ~2 ]) z! ^
$ n5 N+ t3 b1 e- s# o; e依赖关系:8 m' e! |+ t8 X6 E( E) U+ V
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:+ q/ b% A" |) h/ j
8 R7 q8 g! M: G
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel/ r- e w" f: \% s8 u, g
modsecurty依赖的包:pcre httpd-devel libxml2 apr
! V1 D# K& R G H8 D- ?1 p# `/ k4 P3 o; o2 a( y. o
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel# T% Y! R5 Z* n% l& T; z7 I& S/ @
二.启用standalone模块并编译
; r, w+ D0 _. m3 C; L1 h# p c3 A3 g
/ n1 g: _# T3 X$ A! o1 y下载modsecurity for nginx 解压,进入解压后目录执行:" h6 u6 B4 I- J+ V" i) o$ H3 m1 o
x3 L) n: z1 j5 V. M+ C
./autogen.sh; F1 e" d6 A- [8 W
./configure --enable-standalone-module --disable-mlogc3 r: E5 g2 f5 r0 ]) }# v7 U2 F
make $ U6 x( I' _4 H# W8 ?
三.nginx添加modsecurity模块4 d( C& X3 R5 x" d6 p
1 A% G# y; |: e8 Y" D0 ^在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
' c& z8 n* D+ k. ~+ S7 a1 ]( ?4 V* {$ n! d/ x
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
; z! b) Z. y8 ^( P8 }3 Wmake && make install4 `; C5 L$ J- |2 l
四.添加规则: }% s* _ A1 J4 V. Y
8 |) F# Z7 \, A' umodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。0 c% D" Z' U$ D/ r$ n) k! g
" b8 D2 Z* u4 W7 B1 j! N# k/ y# \+ L1.下载OWASP规则:! y: c4 O! l% ]& L6 K
* q2 R) t1 n: q5 T- K) egit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
/ Q: V1 w! X3 C4 K! |$ O+ f! u2 Z! X, I3 ^! g0 I$ t
mv owasp-modsecurity-crs /opt/tengine/conf/
( K t* q7 R3 {& S: K3 O4 D( c
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf8 C+ N0 E, `2 B) ]+ s; X. v' e
2.启用OWASP规则:2 i# Y6 Q4 F/ S7 H. O0 _- l
: A) P2 F7 {2 K6 O, O: z! P; W
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。7 r+ M2 c |1 E$ m! @
! L5 z: |0 A2 t) M2 ^. Y- `编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
% \% C, ~: F3 \; g% {& ?6 `3 i8 h C4 F/ K
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
1 o& x7 @, E8 q% W/ D- g
* O( h( w, k6 a) F; d8 V2 S2 |Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
' j' n- Y% S8 @# O1 FInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
* `0 L9 V w6 @/ Q$ G9 V$ aInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
) C6 s4 t, K% k' Q5 R6 `8 Y% Z2 l* fInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
" ^* I8 b# I1 R0 M' hInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
- s/ a& _2 v3 q0 _" T/ D! \5 P, QInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
$ b! d) F2 `( G; {Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
! }" q* A8 T3 w$ r五.配置nginx
& _. T/ k+ x2 F: |( l# z5 |1 K6 {. S) g* S( x1 S7 D
在需要启用modsecurity的主机的location下面加入下面两行即可:; P8 p& B* p3 ]. H2 t0 Q
8 Q: x5 [) y5 h8 {
ModSecurityEnabled on;
6 K3 S9 y1 Q( \) uModSecurityConfig modsecurity.conf;
# ~, q& U' R' Y2 Q7 v' x下面是两个示例配置,php虚拟主机:+ G3 c; b/ k1 s
6 G* V9 q! N' o/ q u' k8 k lserver {
: G" i! H+ x3 Y, Q) I listen 80;9 ^% f& Y8 o* F5 |5 c. s8 t
server_name 52os.net www.52os.net;" `4 M# t" L: s
# c' d" }' r# g9 z! |7 V3 U) Z0 R7 K location ~ \.php$ {
N2 M* e2 d' H. I$ u9 o; }' H" L! k ModSecurityEnabled on;
- x+ L% [( S6 ?" `, t0 @" M ModSecurityConfig modsecurity.conf;% R N9 R6 C0 G
* G6 h% x+ k# G. a" Q1 s& a
root /web/wordpress;
# V7 s- j/ C1 c) ~# N0 j) {$ R1 d% \ index index.php index.html index.htm;3 a* Y# u5 {8 }7 ^+ s' I7 h, o- N5 q
- }" y% }3 S* k5 J+ l fastcgi_pass 127.0.0.1:9000;
8 E/ D$ Y4 L; D8 [, o9 b9 M. H fastcgi_index index.php;
$ S8 q T! d8 Q; j: R fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;7 d5 Q! S: }7 Z+ \& N) r; [; k0 G
include fastcgi_params;
% ~: ^! o6 R ]1 @$ h }
& O$ V0 ]0 h) @) `6 I5 I8 b; K }/ W- S7 S# {* R# _
upstream负载均衡:
/ Y/ l3 m( i/ T: r0 `
x3 ^% d: X3 d1 J3 o1 C6 k; [upstream 52os.net {
2 P/ [% h) F. h- v- h server 192.168.1.100:8080;
. P1 Z3 P( E4 O; A1 H D3 _ server 192.168.1.101:8080 backup;0 E' R4 b8 {5 H# q( @( [8 y! z1 @" S& s
}* Z$ `) I( H8 o* I) W
) p4 B6 e- A: L. a4 |) \3 v5 ?server {
- X& |. J! }# V% O8 K, J* U3 Ilisten 80;
! ~+ E5 @4 J; `" Z# Tserver_name 52os.net www.52os.net;. { U+ \7 g9 X4 q$ j/ {
* ]% P& a7 F: ?) i: K$ }5 Hlocation / {& p' U2 G9 j6 D: a. t! q& c
ModSecurityEnabled on; - t$ ?0 s* X( q0 ]- w# \: _5 m
ModSecurityConfig modsecurity.conf;
9 C# _ b1 [) \6 s( h* g, e
% q, @1 o) v5 |6 s* h l proxy_pass http://online;( E/ }* e& L7 w. q; f Y
proxy_redirect off;
$ j' H- S, G& O% l% C" A proxy_set_header Host $host;
* ?. r ~& `4 U: u4 `7 G proxy_set_header X-Real-IP $remote_addr;
+ f7 S0 b; u# X! N; V1 i7 Q/ C proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;+ X1 X- A7 n6 f( y1 ]2 m- f
}6 d9 u: W$ C2 Y2 F7 A) n! S4 }: h6 f
}, F( J. P+ ~ p& w, v! t! j: J
六.测试
4 f- t! ^2 x1 t( w
, x6 d3 v$ y- h) a我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:8 N- @! n! I, Q% {
: W. h3 }) L- M<?php6 m- I9 R6 m2 R
phpinfo();
1 `) ~0 m$ Z$ E, b?>0 ^! p2 @" C1 D |" C; h( {( q! \
在浏览器中访问:, F" c4 f, K3 R# V. s9 T
2 h5 E b- ~, Z5 _http://www.52os.net/phpinfo.php?id=1 正常显示。
) t0 x$ X3 q+ P9 E1 N" E. Bhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
5 `$ Q8 ^- F' r, ] K4 Vhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。* Q% u5 Z+ e- B- P7 S
说明sql注入和xss已经被过滤了
2 u' @% L2 D. R$ s7 P5 H! `, _; T+ v# n% K& {
七、安装过程中排错6 K8 W9 B5 E) {" \5 H" `6 G, S) Y; q
) p! o7 ~# v0 |( U+ _3 ]1.缺少APXS会报错
3 c- x4 @# a) K+ v8 P+ i% w0 I3 f
. [+ p9 X5 m+ R/ O+ u; g& Hconfigure: looking for Apache module support via DSO through APXS1 T+ t) o% W1 k. [" H
configure: error: couldn't find APXS7 x% ]% N6 [- m# D
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
8 p( K: u2 M! W3 S/ Q2 F解决方法:
+ n% f. |6 ]) x8 q7 C) @6 u- q9 L* r7 F9 I
yum install httpd-devel# m V& g1 d0 D; C; T
2.没有pcre
& }/ S( o8 \4 F! D% a) u+ S5 t5 C: t) ^9 Z: e8 W; H3 z) K
configure: *** pcre library not found.
% G( Z# l5 l& V* P9 Mconfigure: error: pcre library is required
8 t/ r. f" d0 }# d5 b6 X4 {解决方法:4 {( H! H; ^! s/ ~6 U& f0 c
/ n! ?4 G7 S' L2 t
yum install pcre pcre-devel
. C; C* n! W" m, l# L3.没有libxml2" m5 u6 z& m4 T0 i3 C" b: F
6 d i) Z' U3 |- S
+ S' @. x3 r6 L6 [" Mconfigure: *** xml library not found.' z- n& Z* K* j7 c
configure: error: libxml2 is required
- t" X% t& C1 p解决方法:
) ?* C" B" I( z" V& x" d/ N( M* A4 E1 [8 `5 I' z( l
yum install libxml2 libxml2-devel
. W3 D: @- x% G, C4.执行 /opt/tengine/sbin/nginx -m 时有警告1 q% H7 X5 j8 K! K5 J
4 _+ n+ `4 g! s" P$ p7 }+ j( [# |7 ?8 }Tengine version: Tengine/2.1.0 (nginx/1.6.2)
6 N# ~4 V+ y( \4 K* Lnginx: [warn] ModSecurity: Loaded APR do not match with compiled!% d! a4 u [) i# {
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
% F0 p7 k+ ]/ w& O9 R4 B+ L
6 v! T- H5 ^; h F7 C+ x Y2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
% P2 p1 Y0 g7 P4 T9 R2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
- a* H) G0 C( K P9 x2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!% h: w; J4 B0 X& v* M* K
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
% h' @+ f' w! `' q6 D( j% X0 M2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6" _, F: f4 v: V# a
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.6 ^ M% Y1 h" X5 E
解决方法,移除低版本的APR (1.3.9)0 s- ^4 W- I; T) \7 E
# S( M6 r* o, V1 d
yum remove apr
+ S; j9 c4 i0 C& Q5.Error.log中有: Audit log: Failed to lock global mutex9 z% e% u8 U I# B- |
8 r. ^7 {0 H4 L
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock & h/ O0 O l9 n% @ i1 d
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]/ N# d( S& P! @+ m; ~" M; F
解决方法:( f; I9 }3 U' F0 h [5 t4 E
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:% e z1 o4 U% G! z
0 G+ G3 }& _# A* r! M) aSecAuditLogDirMode 0777
7 \! J6 Q8 r8 vSecAuditLogFileMode 0550) F9 f2 p0 m5 o8 c
SecAuditLogStorageDir /var/log/modsecurity
2 D/ K; Y; l+ uSecAuditLogType Concurrent3 g, l2 r4 Z* `0 O8 t [* T( U
参考文章:
+ l: Z$ U; S9 V0 ahttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
+ ?. l- e0 k# H# I2 k( Phttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡