ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following inside the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module has been built, add it to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity's job is to filter and block web threats, and its strength lies in its rules. The rules OWASP provides are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and of course you can also write your own rules for any other need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever you need; a rule file is enabled by adding an Include line for it to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # root set here applies only to this location
        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Load balancing with an upstream:

# the upstream name is what proxy_pass below refers to
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered directly with a 403. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open these in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
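The three browser checks above as a repeatable script. This is an added example, not code from the original post: BASE is an assumed URL for the PHP vhost, and the diagnose function reads the three status codes back against the SecRuleEngine, ModSecurityEnabled and Include settings from the earlier sections.

```shell
#!/bin/sh
# Added example, not from the original post: replays the three browser checks
# above with curl and reads the status codes back against the configuration.
# BASE is an assumed URL for the PHP vhost; the payloads go out as GET query
# strings via --data-urlencode, exactly as typed into the browser.

BASE=${BASE:-http://www.52os.net}

# http_code URL QUERY -> status code curl got for GET URL?QUERY ("000" if no answer)
http_code() {
    curl -s -o /dev/null -w '%{http_code}' -G "$1" --data-urlencode "$2"
}

# diagnose BENIGN SQLI XSS -> a one-line reading of the three status codes
diagnose() {
    case "$1/$2/$3" in
        200/403/403) echo "OK: benign request passes, both probes blocked" ;;
        200/200/200) echo "NO BLOCKING: check SecRuleEngine On in modsecurity.conf and ModSecurityEnabled on in this location" ;;
        403/*)       echo "FALSE POSITIVE: the benign request was blocked; look up the rule id in error.log" ;;
        200/200/403|200/403/200)
                     echo "PARTIAL: one probe got through; check the Include lines for the 41_sql_injection / 41_xss rule files" ;;
        *)           echo "UNEXPECTED: $1/$2/$3 (site unreachable, wrong URL, or a non-WAF error)" ;;
    esac
}

# run_smoke -> prints the codes and the diagnosis; exit status 0 only for the OK case
run_smoke() {
    benign=$(http_code "$BASE/phpinfo.php" 'id=1')
    sqli=$(http_code "$BASE/phpinfo.php" 'id=1 and 1=1')
    xss=$(http_code "$BASE/phpinfo.php" "search=<script>alert('xss');</script>")
    printf 'benign=%s sqli=%s xss=%s\n' "$benign" "$sqli" "$xss"
    diagnose "$benign" "$sqli" "$xss"
    [ "$benign/$sqli/$xss" = 200/403/403 ]
}

# Only touches the network when invoked as: sh waf-smoke.sh run
if [ "${1:-}" = run ]; then run_smoke; fi
```

Run it again after every rule change; the non-zero exit status makes it usable as a deployment gate.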
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre not installed

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not installed

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
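Added example, not from the original post: a small sh helper that extracts the bracketed fields ModSecurity writes into nginx's error.log (the kind of line quoted in this troubleshooting section), so a 403 can be traced back to the client, URI and rule id that produced it. ERROR_LOG is an assumed path; the second sample line is constructed to mimic a ModSecurity 2.x rule denial and its rule id, message and file path are illustrative only.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the "ModSecurity:"
# entries in nginx's error.log. Each entry carries [key "value"] fields such as
# id, msg, hostname, uri and unique_id, plus a "[client a.b.c.d]" prefix.
# ERROR_LOG is an assumed path; the sample lines below are constructed
# (the first is the mutex error quoted above, the second mimics a rule denial).

ERROR_LOG=${ERROR_LOG:-/opt/tengine/logs/error.log}

# ms_field LINE KEY -> the value of [KEY "value"] in LINE, empty if absent
ms_field() {
    printf '%s\n' "$1" | sed -n "s/.*\[$2 \"\([^\"]*\)\"].*/\1/p"
}

# ms_client LINE -> the address from the "[client a.b.c.d]" prefix
ms_client() {
    printf '%s\n' "$1" | sed -n 's/.*\[client \([^]]*\)].*/\1/p'
}

# ms_summarize LINE -> "client TAB rule-id TAB uri TAB unique_id TAB msg"; nothing for other lines
ms_summarize() {
    case "$1" in
        *"ModSecurity:"*) ;;
        *) return 0 ;;
    esac
    printf '%s\t%s\t%s\t%s\t%s\n' "$(ms_client "$1")" "$(ms_field "$1" id)" \
        "$(ms_field "$1" uri)" "$(ms_field "$1" unique_id)" "$(ms_field "$1" msg)"
}

# ms_report -> one summary line per ModSecurity entry read from stdin
ms_report() {
    while IFS= read -r line; do ms_summarize "$line"; done
}

MUTEX_LINE='2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]'
DENY_LINE='2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(regex omitted)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "100"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-id-0001"], client: 10.11.15.161, server: 52os.net, request: "GET /phpinfo.php?id=1%20and%201=1 HTTP/1.1"'

case "${1:-}" in
    --sample) printf '%s\n%s\n' "$MUTEX_LINE" "$DENY_LINE" | ms_report ;;
    --log)    ms_report < "$ERROR_LOG" ;;
esac
```

Run it with --sample to see the two constructed lines summarised, or with --log on the server. If you adopt the Concurrent audit log above, note that SecAuditLogDirMode 0777 makes every audit directory world-writable; 0750 with /var/log/modsecurity owned by the nginx worker user is enough for the workers to write their entries.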
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614