ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS, and combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, add it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

4. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules OWASP provides are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can of course also write your own rules to cover whatever else you need.

(1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

(2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each rule file (in modsecurity.conf):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

In the location block of each virtual host where ModSecurity should be active, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Load balancing with an upstream (the upstream name must match the host used in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, abnormal requests get a 403 straight away. Taking the PHP environment as the example, create phpinfo.php containing:

<?php
phpinfo();
?>

Open these in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

So SQL injection and XSS are being filtered.
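To repeat the three checks above without a browser (which percent-encodes the space and the angle brackets for you), here is an added example that is not part of the original post: a small script that sends the same requests to the post's host and reports any status that differs from what the post expects. The base URL is the post's own; the fetch function is swappable so the comparison logic can be exercised offline.

```python
import urllib.error
import urllib.parse
import urllib.request

# The post's three probes against its own phpinfo.php, with the status each
# one should produce once the SQLi and XSS rule files are included.
BASE = "http://www.52os.net/phpinfo.php"
CASES = [
    ({"id": "1"}, 200),
    ({"id": "1 and 1=1"}, 403),
    ({"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base, params):
    """Percent-encode the query the way a browser would before sending it."""
    return base + "?" + urllib.parse.urlencode(params)


def status_of(url, timeout=5):
    """HTTP status of a GET; a 403 arrives as HTTPError, so it is returned too."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(base=BASE, cases=CASES, fetch=status_of):
    """Return a list of mismatch descriptions; an empty list means the WAF
    answered every probe exactly as the post describes."""
    failures = []
    for params, expected in cases:
        actual = fetch(build_url(base, params))
        if actual != expected:
            failures.append(f"{params}: expected {expected}, got {actual}")
    return failures


if __name__ == "__main__":
    problems = run_checks()
    print("WAF check passed" if not problems else "\n".join(problems))
```

Run it after a rule change or a ModSecurity upgrade; a non-empty list means either the engine is off (SecRuleEngine) or the rule file covering that probe is no longer included.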
7. Troubleshooting the installation

(1) Missing APXS produces an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

(2) pcre missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

(3) libxml2 missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

(4) A warning when running /opt/tengine/sbin/nginx -m:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

(5) error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

The Serial audit log type writes every entry into the single SecAuditLog file under a global mutex, which is what the worker fails to lock here; the Concurrent type writes one file per transaction under SecAuditLogStorageDir instead, so that directory must exist and be writable by the user the nginx workers run as. Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
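Once ModSecurity is running, the error.log lines shown above are what you monitor: a rule hit is logged as "Access denied with code 403 ..." followed by bracketed [key "value"] fields, and engine problems such as the mutex error use the same field format. This added example (not from the original post) parses those lines and separates blocked requests, counted by rule id and URI, from engine errors that need an operator. The first sample line is the page's own; the second is a constructed block line whose rule id, file line and message are illustrative only.

```python
import re
from collections import Counter

# Constructed sample in the format of the page's error.log excerpt: the page's own
# mutex error, an illustrative CRS block (rule id, line, message made up), a plain notice.
SAMPLE_LOG = [
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: '
    'Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] '
    '[unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
    '2015/01/26 04:16:03 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied '
    'with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/'
    'owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] '
    '[severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] '
    '[unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]',
    '2015/01/26 04:16:10 [notice] 61610#0: Status engine is currently disabled, '
    'enable it by set SecStatusEngine to On.',
]

# nginx error.log prefix, optional "[client ip]", then the ModSecurity message.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<msg>.*)$')
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>(?:[^"\\]|\\.)*)"\]')  # [key "value"]
DENY_RE = re.compile(r'Access denied with code (?P<code>\d+)')


def parse_line(line):
    """Parse one ModSecurity error.log line; return None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg = rec.pop("msg")
    rec["fields"] = {f.group("key"): f.group("val") for f in FIELD_RE.finditer(msg)}
    rec["text"] = " ".join(FIELD_RE.sub("", msg).split())  # message minus the fields
    deny = DENY_RE.search(msg)
    rec["denied_code"] = int(deny.group("code")) if deny else None
    return rec


def summarize(lines):
    """Count blocked requests per (rule id, uri); collect engine errors separately."""
    blocked, errors = Counter(), []
    for rec in filter(None, map(parse_line, lines)):
        if rec["denied_code"] is not None:
            blocked[(rec["fields"].get("id"), rec["fields"].get("uri"))] += 1
        elif rec["level"] == "error":
            errors.append(rec["text"])
    return blocked, errors
```

Feed it the real error.log (for example, the last few thousand lines on a cron schedule): a sudden spike in one (rule id, uri) pair usually means a false positive on a legitimate page, while anything in the errors list means the engine itself is misconfigured.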
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614