ModSecurity began as an open-source WAF for Apache and is an effective way to harden a web application; it now also supports nginx and IIS. Combined with nginx's flexibility and performance, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, extract it, and run the following from the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been built, add it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to detect and block attacks against web applications, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and comprehensive, and you can of course write custom rules for any additional needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several rule directories, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of every virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are rejected with a 403. Using the PHP host as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This confirms that SQL injection and XSS payloads are being filtered.
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the version loaded at runtime. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
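To catch this kind of mismatch mechanically after a library upgrade rather than by reading the log by eye, here is an added example (not part of the original post) that parses the ModSecurity startup notices from error.log and reports every library whose loaded version differs from the compiled one. The sample lines are constructed from the log shown above, and the default log path under the /opt/tengine prefix is an assumption.

```python
#!/usr/bin/env python3
"""Flag ModSecurity compiled-vs-loaded library mismatches in an nginx error.log."""
import re
import sys

# ModSecurity 2.x logs one notice per library when nginx starts, e.g.
#   ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
# LIBXML reports only a compiled version, so the loaded part is optional.
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>[A-Z]+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)

# Constructed sample, copied from the notices shown in the troubleshooting section.
SAMPLE_LOG = [
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"',
    '2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"',
]


def parse_versions(lines):
    """Return {library: (compiled, loaded)}; loaded is "" when not reported."""
    found = {}
    for line in lines:
        m = VERSION_RE.search(line)
        if m:
            found[m.group("lib")] = (m.group("compiled").strip(),
                                     (m.group("loaded") or "").strip())
    return found


def find_mismatches(lines):
    """Return the libraries whose loaded version differs from the compiled one.

    PCRE appends a build date to the loaded version ("7.8 2008-09-05"),
    so only the leading version token is compared.
    """
    bad = {}
    for lib, (compiled, loaded) in parse_versions(lines).items():
        if loaded and compiled.split()[0] != loaded.split()[0]:
            bad[lib] = (compiled, loaded)
    return bad


if __name__ == "__main__":
    # Usage: check_modsec_versions.py /opt/tengine/logs/error.log (uses the sample if omitted)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for lib, (compiled, loaded) in find_mismatches(lines).items():
        print(f"{lib}: compiled {compiled} but loaded {loaded}")
```

Run it after every yum update that touches apr, pcre or libxml2; a non-empty report means the same warning will appear on the next nginx restart.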
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog directives, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614