Using nginx with ModSecurity to build a WAF

Posted 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module can be added with "--add-module" when compiling nginx:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover any particular need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need as required; each rule file to be enabled is simply pulled in with an Include directive:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

In the location block of any host that should have ModSecurity enabled, just add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # proxy to the upstream group defined above; the name must match the upstream block
        proxy_pass http://52os.net;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php with the content:

<?php
    phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1   displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1   returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>   returns 403.

This shows that SQL injection and XSS are being filtered.
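The three browser checks above are worth repeating from the shell after every rule change. The script below is an added example and not part of the original post: waf_expect sends one request with curl and compares the HTTP status with the one the WAF should return, and run_smoke_tests runs the post's three URLs against a base URL you pass in (the function names are this example's own; the default base URL is the host used in the post).

```shell
#!/bin/sh
# WAF smoke test: confirm that a normal request passes and the post's two probe
# requests are answered with 403 by ModSecurity. Example code, not from the post.

# waf_http_code URL -> prints only the HTTP status code of the response
waf_http_code() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1"
}

# waf_expect EXPECTED_CODE URL -> returns 0 if the status matches, 1 otherwise
waf_expect() {
    expected="$1"
    url="$2"
    got="$(waf_http_code "$url")"
    if [ "$got" = "$expected" ]; then
        echo "PASS $got $url"
        return 0
    fi
    echo "FAIL expected $expected, got $got: $url" >&2
    return 1
}

# run_smoke_tests BASE_URL -> runs the three checks from the post; the query
# strings are URL-encoded so curl sends exactly what a browser would send.
run_smoke_tests() {
    base="${1:-http://www.52os.net}"
    rc=0
    waf_expect 200 "$base/phpinfo.php?id=1" || rc=1
    waf_expect 403 "$base/phpinfo.php?id=1%20and%201=1" || rc=1
    waf_expect 403 "$base/phpinfo.php?search=%3Cscript%3Ealert('xss');%3C/script%3E" || rc=1
    return "$rc"
}

# Only contact a server when a base URL is given on the command line,
# for example:  sh waf_smoke.sh http://www.52os.net
if [ -n "${1:-}" ]; then
    run_smoke_tests "$1"
fi
```

A non-zero exit status from run_smoke_tests means either the WAF is no longer blocking a probe (a rule file was dropped from the Include list, or SecRuleEngine is not On) or it has started blocking the legitimate request, which is the false-positive case to investigate in error.log.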

7. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning appears when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log will also contain the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the lower-version APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
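Once the WAF is returning 403s, error.log is where you find out which rule fired: ModSecurity 2.x writes one "Access denied" line per blocked request, using the same bracketed [key "value"] tags as the audit-log and APR messages quoted above. The shell functions below are an added example, not from the post: they pull the client address, rule id and URI out of such lines and count denials per rule, which is the quickest way to spot a rule that is tripping on legitimate traffic. The five log lines are constructed for the example (rule ids, addresses and host names in them are made up); the function names are this example's own.

```shell
#!/bin/sh
# Summarise ModSecurity denials from an nginx error.log. Example code, not from the post.

# Constructed sample lines in the layout ModSecurity 2.x uses in error.log
# (rule ids, addresses and host names below are made up for this example).
SAMPLE_LOG=$(cat <<'EOF'
2017/10/19 17:01:05 [error] 12345#0: [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "tautology" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2017/10/19 17:01:09 [error] 12345#0: [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "30"] [id "973300"] [msg "Possible XSS Attack Detected"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2017/10/19 17:02:41 [error] 12345#0: [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "tautology" at ARGS:log. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/wp-login.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2017/10/19 17:03:00 [notice] 12345#0: ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2017/10/19 17:03:12 [error] 12345#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]
EOF
)

# modsec_tag LINE KEY -> value of the [KEY "value"] tag, empty if the tag is absent
modsec_tag() {
    printf '%s\n' "$1" | sed -n "s/.*\[$2 \"\([^\"]*\)\"].*/\1/p"
}

# modsec_client LINE -> address from the [client ...] prefix that nginx adds
modsec_client() {
    printf '%s\n' "$1" | sed -n 's/.*\[client \([^]]*\)].*/\1/p'
}

# modsec_denials -> reads error.log on stdin, prints "client rule_id uri" per blocked
# request; notices and audit-log errors are skipped since only denials say "Access denied".
modsec_denials() {
    grep 'ModSecurity: Access denied' | while IFS= read -r line; do
        printf '%s %s %s\n' "$(modsec_client "$line")" \
            "$(modsec_tag "$line" id)" "$(modsec_tag "$line" uri)"
    done
}

# modsec_count_by_rule -> "count rule_id" lines, most frequently firing rule first;
# a rule that dominates this list on ordinary traffic is a false-positive candidate.
modsec_count_by_rule() {
    modsec_denials | awk '{ n[$2]++ } END { for (r in n) print n[r], r }' | sort -rn
}

# Stand-alone run over the constructed sample. On a live system:
#   modsec_count_by_rule < /opt/tengine/logs/error.log
printf '%s\n' "$SAMPLE_LOG" | modsec_count_by_rule
```

The rule id printed here is what you need when tuning: a false positive is handled by adding a targeted exclusion for that id rather than by dropping the whole rule file from the Include list.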
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614