ModSecurity began as an open-source WAF for Apache that noticeably strengthens web security, and it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
Packages ModSecurity depends on: pcre httpd-devel libxml2 apr
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, add ModSecurity when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity filters and blocks web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.
Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need; a rule file is enabled simply by Include-ing it in modsecurity.conf:
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
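A pre-flight check for the modsecurity.conf assembled in this section, added here as an example (not code from the article or from the ModSecurity project): it confirms that SecRuleEngine is On, since modsecurity.conf-recommended ships with DetectionOnly and would then log matches without ever returning 403, and that every Include line resolves to an existing rule file. It assumes relative Include paths are resolved against the directory that holds modsecurity.conf, which is what the Include lines above rely on.

```shell
#!/bin/sh
# modsec_preflight CONF: exit 0 if CONF has SecRuleEngine On and every Include
# target exists; otherwise print each problem and exit 1. Added example; assumes
# relative Include paths are resolved against CONF's own directory.
modsec_preflight() {
    conf=$1
    confdir=$(dirname "$conf")
    rc=0
    # The last SecRuleEngine directive wins, as in ModSecurity; keep only its value.
    engine=$(sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    case $engine in
        [Oo]n) ;;
        "")    echo "ERROR: SecRuleEngine is not set in $conf"; rc=1 ;;
        *)     echo "ERROR: SecRuleEngine is '$engine'; matches are logged but never blocked"; rc=1 ;;
    esac
    set -f    # read the Include lines without the shell expanding wildcards yet
    for inc in $(sed -n 's/^[[:space:]]*Include[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$conf"); do
        case $inc in /*) pat=$inc ;; *) pat=$confdir/$inc ;; esac
        set +f    # now expand the pattern, since ModSecurity's Include accepts wildcards
        for f in $pat; do
            [ -f "$f" ] || { echo "ERROR: Include target not found: $f"; rc=1; }
        done
        set -f
    done
    set +f
    return $rc
}

# Typical invocation for the layout used in this article:
# modsec_preflight /opt/tengine/conf/modsecurity.conf
```

nginx -t also reports a missing Include file, but it cannot tell that SecRuleEngine was left at DetectionOnly, which is a silent failure: the 403 tests in section VI simply never trigger.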
V. Configure nginx

In the location block of each host where ModSecurity should be enabled, add these two lines:
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Load balancing with upstream:

upstream online {    # the name must match the proxy_pass target below
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests get a 403 straight away. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.
This shows that SQL injection and XSS are being filtered.
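After the three requests above, nginx's error.log is where you confirm what was blocked and by which rule. The script below is an added example (not code from the article or from the ModSecurity project): it pulls the client, rule id and URI out of every "Access denied" line and aggregates them. The log lines embedded in it are constructed samples in the format ModSecurity 2.x writes under nginx; the rule ids and messages in them are illustrative.

```shell
#!/bin/sh
# Summarise ModSecurity denials from nginx's error.log. Added example, not from
# the original article. LOG holds constructed sample lines; a real run would
# point the functions at /opt/tengine/logs/error.log instead.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-1"]
2015/01/26 04:20:03 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-2"]
2015/01/26 04:20:40 [error] 61610#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-3"]
2015/01/26 04:21:10 [error] 61610#0: [client 10.11.15.163] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-4"]
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
EOF

# Print "client rule-id uri" for every request that was actually denied.
# "ModSecurity: Warning." lines (SecRuleEngine DetectionOnly, or rules that only
# log) are deliberately left out: nothing was blocked for those requests.
modsec_denials() {
    awk '/ModSecurity: Access denied with code/ {
        client = id = uri = "?"
        if (match($0, /\[client [^]]+\]/)) client = substr($0, RSTART + 8, RLENGTH - 9)
        if (match($0, /\[id "[^"]+"\]/))   id     = substr($0, RSTART + 5, RLENGTH - 7)
        if (match($0, /\[uri "[^"]+"\]/))  uri    = substr($0, RSTART + 6, RLENGTH - 8)
        print client, id, uri
    }' "$1"
}

# Number of denied requests in the log.
modsec_denial_count() { modsec_denials "$1" | wc -l | tr -d ' '; }

# The same triples aggregated, most frequent first: "count client rule-id uri".
modsec_denial_summary() { modsec_denials "$1" | sort | uniq -c | sort -rn; }

modsec_denial_summary "$LOG"
```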
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS
apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Solution:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required
Solution:
yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required
Solution:

yum install libxml2 libxml2-devel
4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time; error.log also shows the following:
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
Solution: remove the older APR (1.3.9)

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614