|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。6 d( t2 `# \+ N" W
' c( L) B5 P Z* [一.准备工作5 P2 r9 w/ p8 F; b
; y' C8 [4 b2 t: k, N$ \
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.03 P) m, S+ D/ {( O. l g2 i
- W9 Y; w; ?: {; d5 ?tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
' c$ A5 z& A3 P) `2 I" V( X! j" y
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz8 r( @' ^ f. Z6 l7 P
9 g( c ?' A) ]8 Q; g/ ]
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
* n7 k7 Y+ F7 d( q" R" C( B6 o" z' q1 a5 k* F: l
依赖关系:, N5 |# ^# E U; U
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:0 P5 d+ V/ j3 _4 E i. N& O
4 c6 v" W; f' ~3 H- J
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel% `' q$ @4 X+ H8 Z) ~
modsecurty依赖的包:pcre httpd-devel libxml2 apr- _1 s7 M7 t; n* H9 R
; f1 l& _6 j! V* Z
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel; m: S4 S" d# f* U7 R
二.启用standalone模块并编译# {3 a5 j+ H9 ?/ M4 u
( Y' s+ [4 K! J4 j0 Q1 @
下载modsecurity for nginx 解压,进入解压后目录执行:! C: m0 j f x$ o, S9 _
1 ^& _9 @5 i8 n% ~2 S$ H./autogen.sh4 J0 O$ M) o8 n& ]# N+ b! t
./configure --enable-standalone-module --disable-mlogc
" o0 L- ^, ~" _- ymake
" C4 e( Z( b# l. m三.nginx添加modsecurity模块( k) ?& u8 k# b
* K& O/ J% U9 H1 n$ o1 {在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:+ R3 B2 O" C0 R3 q
6 o' @1 m/ h1 Y6 A, b$ Y./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
; D- y, _) B! {# h( d( C0 `make && make install! Z9 J# n3 j+ e/ d
四.添加规则' g) @, I) N- u5 D" Y
: s6 A1 t8 H( ?* umodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
4 R. |# _3 G. Z/ B
0 ?) V; z5 [5 O. I/ b1.下载OWASP规则:+ h0 y4 E6 a; ^/ ]
: b+ L9 I8 O7 R# @) y$ d
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
; d4 m+ Q- s8 M/ F2 F' m5 K$ O+ @$ \8 H& X
mv owasp-modsecurity-crs /opt/tengine/conf/5 \8 a: I, Y6 Y0 g1 I8 T7 w# O
: y( T; l. M& t: h$ V
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
% Y3 _' ^0 R' I4 Y3 H2.启用OWASP规则:
% s* _. a- A0 a0 |! e
* V. u- O2 f/ K复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。$ [, O5 t8 y& C. D( k
$ Z" O* V, g$ J. y. ^编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
. d! K! ~+ \. @* I5 i9 f
8 G- R* ~2 P" u( f! N# fowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
4 e) j- p" a7 M& b2 ^& ^8 F/ N3 h3 k& a
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
* C V7 m+ m6 b' r( y' m, z. iInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
& K j. P. |2 j' ZInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf5 Q9 {- C: j; J& h
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf2 p& x( N: ^7 x0 g- L2 d% l' X4 N
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf, K, k* `% d" N8 ^: Y- B6 e2 n
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf. `0 o) P2 T9 J7 {' y# t1 C+ y
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf: u* p1 W8 r3 G, W% _$ j$ a' w
五.配置nginx! } ^( b# L) i, B3 a' ^
& A/ _# {, c! E7 y在需要启用modsecurity的主机的location下面加入下面两行即可:
% l3 @% ]) p& v+ r1 n. H9 G( X8 j. o e8 R3 A, c
ModSecurityEnabled on; : x+ S' o2 y) W. @7 Y9 R, ^5 P! a! y
ModSecurityConfig modsecurity.conf;1 b( o2 r. i* k3 M+ z5 _+ \
下面是两个示例配置,php虚拟主机:5 o) C. v- u+ h
/ Q" o' [2 `8 W% }5 O% ^, ?server {. w3 z# m% \8 u* v
listen 80;9 }. A, k4 ], s5 N. |; {4 Z7 h6 n9 @
server_name 52os.net www.52os.net;
* |0 G* E( }: Y q# n6 }* U+ a# M
/ c k4 |* ?9 m8 Z; V# b location ~ \.php$ {4 Y% y9 C* F4 P" J" e
ModSecurityEnabled on;
$ k" |- X1 t2 Q ModSecurityConfig modsecurity.conf;" B* D2 J$ l( a3 }0 y
% l) ^8 H8 Y% f6 Q0 U* b/ N6 H% ^
root /web/wordpress;
& N! Y. t' G7 X4 w9 R index index.php index.html index.htm;6 i- q) M% X' f; k' o
7 k3 a) F5 y9 y" s0 e" c, x) L
fastcgi_pass 127.0.0.1:9000;
8 B! a! ~. {. e# Y) S O. V fastcgi_index index.php;
4 |# U4 f. ~3 I fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;* ]' R( i/ {4 ^( _
include fastcgi_params;
! d( m. \$ n7 ?. t9 P5 L }
# S( {% O8 B" y$ N# t, B* A) k$ z }
. i9 b: t+ G0 l5 \upstream负载均衡:
3 E1 X5 S* g' r {% A7 j8 n$ P( l5 X `2 D. d4 _/ ]
upstream 52os.net {
( U9 i0 l! o6 n server 192.168.1.100:8080;/ ^% Q2 e8 ^ ?0 Z3 z6 Y
server 192.168.1.101:8080 backup;
+ k/ H+ S3 _6 G% ~) I: r! A, v}6 ^; [5 z- w9 k0 w
; E6 [/ T2 o! i
server {
6 E# d8 }% A) ~ W" Xlisten 80;
) W- J0 \# K9 w$ U* Mserver_name 52os.net www.52os.net;
$ w. m. F1 K( h3 ?* A
' e. O) Y! D8 q4 n+ Elocation / {
- ?5 A, A* H- [( Z* {" L ModSecurityEnabled on;
- ^0 U! I8 z. q/ e, l- k ModSecurityConfig modsecurity.conf;
/ N* o* d) M) L
. f2 A4 p* m0 _3 G1 H+ D proxy_pass http://online;% X7 T s( ^- o0 L' A# Z
proxy_redirect off;
6 r9 O) C5 p! P$ x$ H& e7 l# Y proxy_set_header Host $host;- a" F! g3 R* m! Y6 V1 D
proxy_set_header X-Real-IP $remote_addr;# }' O( d% S( R/ O! }' m
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
7 |! n! u ~" o+ N$ e }8 j/ w- R5 P) |2 P
}
' k+ A" ^% z, X2 l0 _7 ?六.测试9 A% M+ v5 ?! ]% _: e
+ r/ \1 W o k& C6 j我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
& J' I$ a/ f: {5 w$ z4 B. x( I3 P4 T2 K4 f5 Y O8 I
<?php5 D+ K/ t* L J. `; J
phpinfo();
) E0 R( \: Y+ U$ ^. f [?>
! n6 v" \: C* j8 a2 Y0 [在浏览器中访问:
7 @; u5 h3 T9 k+ ~" A7 N l: U
! ^ Y1 i4 g M( vhttp://www.52os.net/phpinfo.php?id=1 正常显示。
; [2 b4 w. O- f3 u; ?& |http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。0 o5 x: C S( e+ P( T: _- q
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。5 N+ `- _* x+ \
说明sql注入和xss已经被过滤了
1 Q% Z8 i( v- D, g% j8 @& p7 N
七、安装过程中排错, U1 ^8 J" Y! t! o5 E' J0 t! _' D
: C9 G" l; e% ?2 E) m0 \8 g1.缺少APXS会报错
1 j0 m# n$ X1 ~9 Z* T+ a! O! m0 W& `
configure: looking for Apache module support via DSO through APXS
. _0 o( R3 H% i4 }0 h/ ]) oconfigure: error: couldn't find APXS. z- S. u: `8 A) ~
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
2 a7 O% O B; M/ o0 ]解决方法:3 _8 m9 v+ Z/ Q: c8 }+ j" O4 D" j
- e! z: T0 [5 p. x- {yum install httpd-devel
+ s: @, h' R1 p; B- u! m0 L9 T2.没有pcre
4 B; j/ n: O G9 }9 b/ m2 y. f! l
3 j& |# P+ j- Z- G- qconfigure: *** pcre library not found.3 Q$ ^0 a7 k6 T& X) O
configure: error: pcre library is required
|& ]$ y7 f* [' g3 a2 V解决方法:' x% r# g5 i7 {; L
. F/ L$ c$ f3 Syum install pcre pcre-devel# ~% O3 A. e$ Z6 z3 m& B o: {
3.没有libxml2
2 A$ o; O" F/ l* y5 ]$ K0 v$ w. n7 B/ h# Z. F! y! K% p) C2 R/ p& d
! F. V8 ]- _# q* ]) Oconfigure: *** xml library not found.
8 C9 E( k1 a- {4 u# ~& _configure: error: libxml2 is required
1 b/ r, @; a$ K# [2 O& X4 v解决方法:
+ q: Q" K) @5 D- I% M
' J0 v" w2 i7 o/ o [# B% \9 qyum install libxml2 libxml2-devel
7 Z2 v% M5 H! ]4 ~& C4.执行 /opt/tengine/sbin/nginx -m 时有警告
0 n1 V. f9 s7 d* ]: Y4 G( c
8 i; `. R8 a: P* gTengine version: Tengine/2.1.0 (nginx/1.6.2)
/ R* Z) ?% K. J9 G+ J) Rnginx: [warn] ModSecurity: Loaded APR do not match with compiled!+ D8 O' r. [1 f8 \
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log: Q8 ~: e( w, Q- N
" A! X$ X1 M$ _/ o
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
0 W/ i8 _3 r5 t5 U$ c" D+ r1 }2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
' X# b& h6 A3 @2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!7 \$ q9 V. u. |, o4 O/ e/ A$ ?9 v5 z
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
7 m: w* g) ^ i5 w! `+ L) d4 p2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
) A: c( ~/ P* } Q2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.1 x% o) ]1 p, b0 s0 o7 g! _$ o9 T
解决方法,移除低版本的APR (1.3.9); v, Y3 f A. T5 ]. m! ^
+ j4 }8 y1 Z8 t! O4 @0 t$ D+ s
yum remove apr! d( j2 W+ Q4 U# v
5.Error.log中有: Audit log: Failed to lock global mutex- ?+ o9 s3 V! w* @
6 W0 P# c/ R$ n5 N7 _$ Q2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
# Z7 l! j8 a* _6 q4 Yglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]0 y: r4 {( ?0 w; d$ P) Y
解决方法:
* x4 G/ L8 a9 d( L7 S编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:7 G* l+ D$ f! R5 _% V; Z7 }
* {" \3 z# \3 \SecAuditLogDirMode 0777# k0 d' E8 P1 ~; Y, G
SecAuditLogFileMode 0550
& P) D2 H# K m/ P9 L' n6 T, tSecAuditLogStorageDir /var/log/modsecurity, A. a' k8 ^9 ~6 a0 V2 E
SecAuditLogType Concurrent- x! h" S# l4 ~" r
参考文章:
' T/ ~; @. z4 a; O9 k) h/ @https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX J8 L/ Y; E8 A1 `# w+ c) A8 a
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡