|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。% ~- p5 s/ y9 |
% x$ T! o3 _4 J6 k6 m% A* f一.准备工作
5 d& b8 t( C" Q& A2 \
2 p8 b7 k) P" F系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
6 h3 h% S$ L/ l3 ?7 T" f6 C! q$ u% g: n
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
" f3 V( J' Z2 k8 e, {+ ]# h; V
2 s7 z# ~3 j, F2 A1 f4 P1 zmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
. Q4 {" }. p% n0 O P9 }; D
* k% S) K+ R0 s2 _, j. pOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs5 h* y# J3 x2 k* J% D# P
/ Q$ \) {) Q" o6 V/ x% T
依赖关系: T( ^! E0 D7 z- ]+ O
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
0 P2 n5 n4 V. ~7 n# D: |7 t2 o. F7 R7 l {! q: w5 {6 ?/ S1 g0 X# A
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel9 B; a3 k' K' d* l% [2 M' Q, r
modsecurty依赖的包:pcre httpd-devel libxml2 apr$ B5 ~, l* f. o* h, ^
$ o3 i( b, o$ G2 g3 T. Dyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
* q. Q9 u5 |) H5 y9 r1 e! x% A二.启用standalone模块并编译
! Y Q3 P0 ^1 K1 W s& {9 Y7 V; _: m2 m: u5 t/ E
下载modsecurity for nginx 解压,进入解压后目录执行:% b1 t$ R, w) y% M6 |3 \; X
! Y/ ^7 z, a! n' t. T
./autogen.sh/ s& E9 A J( P( B& g
./configure --enable-standalone-module --disable-mlogc
. a" o4 V- w, |5 K. K" X/ B6 Bmake
/ m. V! Q7 e& I( r2 e7 H三.nginx添加modsecurity模块( f7 e8 F% V, H0 F8 d' y
8 M1 P3 G5 W) I) B w: w
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:2 q% E/ w3 x- w. ~! y" C% @; X/ N& U
! x4 Y, l3 P5 W) E5 K4 ^$ v./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine. `6 R/ z0 m. X1 P0 _' K
make && make install# R0 W* y2 S* v5 ^
四.添加规则
$ @# A% e; s% G) v8 T% }
D5 q* i: s9 s9 `8 Amodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
9 J/ `$ r! W0 `7 _4 Y, Y9 s# a) P
+ u* r4 V! [4 K, S1.下载OWASP规则:
, w. T) c2 z8 b1 w' P7 A; D8 Q
$ d8 }* u( G$ i: jgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs. _6 z/ n) y- n( L/ J
3 ^5 g) ?$ H5 h6 Vmv owasp-modsecurity-crs /opt/tengine/conf/
* v/ d% f5 b0 u& n8 a, I3 Q# p- H$ _ u7 Z8 Z9 g$ j' x" K q) z
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf/ O/ ^; O# W# e6 x& o
2.启用OWASP规则:2 V U; x4 r( l5 f9 s5 ]
$ J+ X- _0 y/ t1 V! B! T; T. T复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。9 c- k; d1 N5 u8 r4 P3 d/ Y
7 @' v0 a: u; q1 X8 n! H
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
! ?& z1 ^) }1 l6 F; L" z2 _/ M# o f+ U
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
( T c# F; O$ |
- D: }" t7 I0 M/ v" w E$ `Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
% v6 l1 J- r: `! N8 a& qInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf+ v$ d+ N8 D; ~! L% |
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
" P7 Y, w$ m: o KInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
6 z; [, T1 w0 W& DInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf s( z- h6 j" s j7 m c) j
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf3 P9 [$ P3 U% V1 A6 n$ Q1 x
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
* D) E1 x8 R5 Z6 `0 K; |五.配置nginx
3 i1 X1 q0 t' `, G3 d7 H" c! q0 S* t, C0 `! T) ?1 H% h% z1 K
在需要启用modsecurity的主机的location下面加入下面两行即可:
/ S& c8 p* L5 G. L+ m1 V' ]
: Q# G; Q; X) ^4 p4 q. B4 c; y$ V2 ~ModSecurityEnabled on; 5 U4 q% b# r _1 Z/ t N) {
ModSecurityConfig modsecurity.conf;+ j4 Z# P) k% H; m5 R6 p- a
下面是两个示例配置,php虚拟主机:, s5 E7 A1 |2 p# P" A4 z5 `
. P" d, ?- }$ V; h: |2 C0 y7 Rserver {
9 F9 y9 u. C% P1 P listen 80;
( X' A _$ L: \* m: b# Y server_name 52os.net www.52os.net;
( s0 v! M C4 X8 x% ?9 l0 v; z
. x' \. q$ e3 ?3 F location ~ \.php$ {/ k$ _- p4 `# T' w1 f
ModSecurityEnabled on;
" `0 ?9 v- O) C6 o- u/ J1 B ModSecurityConfig modsecurity.conf;
6 L3 s# n" z& y& q [& }: s4 S9 K9 R+ l2 u9 ?) o# C
root /web/wordpress;
/ K8 V/ `: A& w; W" J1 S index index.php index.html index.htm;
" Z$ H6 U& v$ e) v9 r$ w 9 ]: E% H8 y5 p/ n% P
fastcgi_pass 127.0.0.1:9000;
1 B9 w! L8 H3 f, D6 X7 h) | I9 O fastcgi_index index.php;
% v+ `5 y2 l/ [ W# P fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;1 ~; h9 ?0 R$ d6 P
include fastcgi_params;
% Q+ g- I P$ @8 a, W/ L. i. H }
6 }7 T. `9 w6 d$ f }
$ G3 E/ D4 b1 U* O; y w' u4 G* \upstream负载均衡:* l, D9 h. r* H' F% P
) q8 y# e8 B( e/ H: a! c& |3 d7 fupstream 52os.net {
- u/ |2 s: ~, Z1 n$ j server 192.168.1.100:8080;- t" @- ]0 |' j$ @- S5 q2 Z
server 192.168.1.101:8080 backup;3 G8 K6 @5 ]/ Y8 p
}
9 h. ^" k* @) H$ F, x1 T x3 D) W/ G% w; v0 e& J# }6 P+ l
server {
- X* X p [! ~# Plisten 80;
! F$ b1 [; b5 d1 W/ F! Jserver_name 52os.net www.52os.net;5 a( @) I: n1 I& V- s
0 X+ }3 H3 E( d" o6 U/ `
location / {
% X/ t% X6 W' v3 @( G& D, ` z/ b. ] ModSecurityEnabled on; * Q- S' i& v+ `* l
ModSecurityConfig modsecurity.conf; ( `" ]5 m4 @2 ^% [: |' W# Q
2 ~ R4 Q# b7 i9 \, r
proxy_pass http://online;
|) f. v( {9 v+ x% k7 D1 h1 I proxy_redirect off;
; N! b( r5 a" n$ }5 A; L proxy_set_header Host $host;
5 A% j# E4 P% z1 h y) g proxy_set_header X-Real-IP $remote_addr;
% Q+ {' t1 d% h4 J) ]& l- F proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;7 B+ P7 l5 i. c6 D1 S) D
}
$ m. j( @0 j; E/ V8 F0 |: M}
& e, D5 O% F! Q六.测试
, s6 y/ i) l/ ?; ]) E% T8 v/ g F) h# n3 `
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
: \- r2 [" ^2 R+ |2 e, o4 T$ R& q m
9 t) n) p2 q, Q# S# a1 W8 o<?php5 p' p, ^1 U/ C8 c& z
phpinfo(); 4 L$ t- b8 R) v+ B
?>: l2 p6 g C% P! p8 \* h
在浏览器中访问:
7 K+ B# W7 {! L; Z; L3 A# g* J. k% `. R- F# P
http://www.52os.net/phpinfo.php?id=1 正常显示。
! ~+ C, j) ?& m+ m& Z! M" [; Q3 [0 V- Thttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
. [; e" u U& h' N3 S3 k* ^http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
3 I6 q. R) h6 @4 f4 z! F' m# j6 R说明sql注入和xss已经被过滤了# W; F+ q3 d, j1 l& K4 f9 v# Z
* O& L0 Q9 c9 R4 x/ X
七、安装过程中排错+ g$ J& F5 K6 g' p
/ J2 \! ], _# ]% `
1.缺少APXS会报错
8 ~9 f, w7 r" N# b
& M. n6 t( w, w7 l! Oconfigure: looking for Apache module support via DSO through APXS
; C3 G" y) }% ~3 K$ d) V+ b7 w1 }configure: error: couldn't find APXS
$ q) ~3 s+ z: y: T0 aapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。& D( t' e9 [; ]) R) y$ @
解决方法:7 s5 `' F7 ]+ i+ X k
_+ [/ [& p+ zyum install httpd-devel
2 @, T) H7 ?8 V- {. @- c# J2.没有pcre8 Z( P: p$ k9 X4 l& o K, o
* j" v0 k$ R# j3 |+ F: R# s, ]
configure: *** pcre library not found.* L: u5 w* T) u% h. @: z9 E$ k
configure: error: pcre library is required
$ x- g+ Q1 v" u$ L2 Q) Z* O解决方法:+ N4 U& C! I: g( p4 P! q/ k5 M9 `- P
' A' x( n8 f0 b" w9 i8 }9 l& m- u
yum install pcre pcre-devel- `# d# y7 S; l o
3.没有libxml22 u! p8 h0 F! Q' o$ P) k# _/ q( B1 [
6 B1 l p0 ` ~4 E
; E1 i! Z3 M8 O+ V6 e8 _
configure: *** xml library not found.
8 ~: B* z$ E% Z8 i( V# A6 M4 D* [configure: error: libxml2 is required1 M) R! [/ p ~3 S0 d
解决方法:9 ? f/ L$ H. P- c' ~, k! A$ N: ^
9 [6 R$ G- R7 H# L0 N
yum install libxml2 libxml2-devel
( J6 {1 d1 a6 |8 P: }) ~1 g4.执行 /opt/tengine/sbin/nginx -m 时有警告
" P2 D4 O1 y9 f$ f! `' C8 H# M4 i4 C! c" D/ T
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
: v: { f! y, `: u* v3 nnginx: [warn] ModSecurity: Loaded APR do not match with compiled!3 g. W9 ^+ s. |5 [) v6 U6 O
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log& e: e5 Y5 H6 ]8 h
( `3 O7 ^/ y0 [6 B0 Q5 B: k) N& W2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
) y {; O' A+ @& J2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
9 l L& }4 H) S0 `# E; F2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
, r! L m0 n: R9 C' i2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"4 q: }% U: |3 I
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
) k1 e! G4 H* M' f: c. p8 B7 I2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
$ R- X! {# j; r解决方法,移除低版本的APR (1.3.9)
2 D6 m/ U: a, o: |2 {3 ?3 G, i% i% b$ b6 B
yum remove apr
8 j6 y; `9 d0 F5.Error.log中有: Audit log: Failed to lock global mutex
- D. Y Z! N: G. Q* l) G) b/ M2 V! [& i1 s5 }7 S
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock $ A3 ], g$ s; S9 k& t, u/ d9 a
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
?/ y& I7 z% p. I! b解决方法:8 {! B# q' h2 ^/ o0 p" A
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:. P7 s) s* v5 |) s# V
' I, w! S% |4 V9 k+ y
SecAuditLogDirMode 0777, W4 \+ Z5 x4 V3 c2 e1 _1 f& a5 b
SecAuditLogFileMode 0550# `1 n0 V! Z0 N$ n
SecAuditLogStorageDir /var/log/modsecurity$ b+ H" V j2 Z" X- e
SecAuditLogType Concurrent
% _# P( W" ~, W3 M& \参考文章:+ j* k6 O1 ]7 v7 k
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX( c' {; I* f& q9 T5 P |) K; Z
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡