|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
+ v6 [' c4 M0 Z* p+ A0 ]# D, }, Y' v4 i* {; d
一.准备工作2 W9 X% N5 z% I7 ]; b6 z
, L9 e& c$ f1 j0 N- N1 w% i
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
. l* S# N2 [) T2 W, T* Y# y# J
/ g$ m$ ?5 Y& ]$ f- Dtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
8 @# @3 z) t- D2 \: y! H+ Z7 v# L
- }% Z# B% |7 T( w5 j9 fmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz" W, o8 ^& C2 Q+ k
( U% v* E& W) O0 v) KOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs9 I1 V* O" e4 M" H
' @% O ?# X! I ?4 h
依赖关系:: g$ |7 F; o6 P3 X
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:7 ~& G& d) l7 ?0 j/ k! |( r
1 r. k2 U1 i, a+ r; N& B
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
* i: ` D- j' @modsecurty依赖的包:pcre httpd-devel libxml2 apr
, v4 g0 G! b: s5 Q4 A9 G
N9 a' g1 u4 Syum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
B( N9 H: J, G v/ D; C' o二.启用standalone模块并编译. u0 d S) F) n \' e6 K0 y
) o- i# \# x+ R4 ^8 K: i下载modsecurity for nginx 解压,进入解压后目录执行:
0 `# }% l+ F6 M# G% R m1 \! S
6 X( y; R1 w K3 |./autogen.sh
. C- p& H V4 e3 k' v3 c& J./configure --enable-standalone-module --disable-mlogc
) f+ ^2 s) L+ C3 P$ s& d& t- \0 `make
7 n) B3 C8 `$ E三.nginx添加modsecurity模块
3 S9 J1 J( \' B: A H" S* L2 T$ M8 X( L! \. y; L
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:; s; L/ x! I9 J" _* E4 X
- B) y1 ^! T& O5 ` N7 p1 v
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine& u& X" v U9 z
make && make install
; R3 q3 H8 L5 y/ H四.添加规则
1 c1 @) G/ Y0 w: G% h( _% x. D0 y6 t4 m) w
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
7 T( M' o( a/ g# R5 ?2 ~1 J( ^1 K! ^" R+ _; H1 I# F6 |
1.下载OWASP规则:/ q$ J9 O h2 u4 ]3 G$ L3 ?& p" P
) H! P9 U% A5 t1 N; Agit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
, ?' ?2 _0 x. _, T9 G3 _$ C( k, k, v6 ^; s7 ]* q" w2 y4 J
mv owasp-modsecurity-crs /opt/tengine/conf/3 |% E1 I' Z! a0 o$ P
6 F4 M7 r0 p$ W k' i
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
0 A7 B/ j, b3 `" L9 {2.启用OWASP规则:
) I* m/ L6 v/ B5 u0 N. M8 o" x" L1 s: G
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
7 D# [- m, X7 c9 |7 X, z& n6 g, |0 C2 Z! X2 T
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
B7 @( P Y! z6 _* O# z5 A8 ~) s
( A0 A; s8 {5 `, n" Wowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
) o5 {4 x+ y9 n1 l# E; q, j5 R* |% W: |& ?, n
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf: {+ _# i) `. ~1 R/ a4 J# l
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
1 D) M7 I/ Z/ T6 v- r5 _- j( XInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
7 @$ V9 W1 {: o' M" r, }, ^Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
0 K5 {1 { G) n0 w7 z8 @Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
6 w" [' O. ~; v- K) V& v5 dInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf4 s6 r3 d+ S5 Q* |+ a" n; l6 k1 l
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
! R# f# C1 b- ]% m五.配置nginx
, x% Q7 j5 ^( L8 N: R4 H7 I
( p" r3 z9 V: W1 m: @1 V# v在需要启用modsecurity的主机的location下面加入下面两行即可:
/ A! Y+ E6 r% {3 Q: v( h
1 k! S7 [: V3 z/ XModSecurityEnabled on; 9 F; T8 [& ~9 Z }' z
ModSecurityConfig modsecurity.conf;- j2 _* b5 b" F
下面是两个示例配置,php虚拟主机:! V! w& Q8 P4 i0 `9 \8 d
5 v# z: W7 t& ^+ Y$ zserver {" g6 A: L l4 S
listen 80;: z0 s& W/ {2 w5 I
server_name 52os.net www.52os.net;
6 b; P' K$ K" q/ O+ V1 d. T q , u& s! w. n" s# h4 Z! J. s* }
location ~ \.php$ {
d: d9 Z: |' D4 j2 V* x ModSecurityEnabled on; ) l" G9 a5 {8 M: | n+ s
ModSecurityConfig modsecurity.conf;& t) k9 e5 F$ M3 B4 t1 |5 u
. v5 m" X Z0 k( X$ s9 F root /web/wordpress;- {& G; t' T. @3 @2 O+ U6 w6 W/ E6 X- T
index index.php index.html index.htm;
! H$ ^/ a- O6 o4 {0 s9 e: m t ; t# N8 l5 P6 |) Y% C$ l7 I, Z
fastcgi_pass 127.0.0.1:9000;, m4 U5 U0 i7 d+ [; A4 M) P
fastcgi_index index.php;) W) B2 z: f% E! c
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
7 X4 [! e' }5 p* y$ e; { include fastcgi_params;' Z m5 \1 l& A5 m
}
2 l) C4 ^( ~1 R" v) c }
: ~7 u# K. s( t. `8 m! kupstream负载均衡:: U' }, f6 N2 I# _: ]9 F; x
% d9 j; L6 x r9 s. J! b! m/ r: W" _
upstream 52os.net {
1 i S8 e( v- g9 S server 192.168.1.100:8080;
4 S7 [$ m' q4 s. ]- z+ w, w server 192.168.1.101:8080 backup;( V1 B$ e0 z6 X6 J
}
0 ?1 H; A% P0 ?
] |) T% Q# M4 O! G& ^* y% hserver {7 `8 Z& r) ~4 i0 J: V; m, L( n
listen 80;/ G2 }: j! v" x1 w- }
server_name 52os.net www.52os.net;
* m8 O$ Y6 K/ {: V5 N
7 {# q$ H% @: I9 }8 E5 j+ e- g ?7 vlocation / {
) O- x; D! b# o6 _" `% _9 d, } ModSecurityEnabled on; / v6 R4 R7 k1 H+ t' M. e
ModSecurityConfig modsecurity.conf; M5 ~. o7 i1 j. ^! O1 l
* ]' t! X$ q9 v# m% F. C
proxy_pass http://online; v# W) j8 h0 D0 ]8 Y, S
proxy_redirect off;; a% @4 |7 |/ [: I6 J5 O: }
proxy_set_header Host $host;
, n3 n, ` h4 e- d2 X- l) w proxy_set_header X-Real-IP $remote_addr;
2 @1 k" _1 X0 o proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;0 X9 U2 y& j4 \3 O& O
}
$ S& p% v, }: j4 ?) [' @- ^}: \2 P9 N0 q2 n; A
六.测试! e% c" V" L% ?5 X7 F
+ ~6 g! K" \3 R
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:9 y3 R' S& w7 O% G& `' B3 w. o
: z% \, Q; j% ^8 T* u" W<?php2 l# T0 E4 l5 A. y* u
phpinfo(); $ ^6 U) g- N& K `
?>1 e/ o) }/ H* h& J& o
在浏览器中访问:
& [# T E% ^; M; U% k2 q: n5 i! O( Q3 O, v. q1 d
http://www.52os.net/phpinfo.php?id=1 正常显示。; X6 A3 [ `0 ?( g) m; s4 o6 Q8 p
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
, ^* r( B' N. a8 i4 O( ]4 shttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
& d* a( ]% j9 _说明sql注入和xss已经被过滤了
# b3 g( j, B3 j
' k* u* |- l1 I七、安装过程中排错& i* H# r0 Z2 c% d4 m
9 U9 {1 N* `# _* s+ w, y1.缺少APXS会报错0 m: w% J5 t6 S, h( f4 N/ ^9 Q a: j- j
6 s i8 [! t2 @2 a: y
configure: looking for Apache module support via DSO through APXS: y! O$ O( f# F0 m, Y& o' h1 ]3 X6 A
configure: error: couldn't find APXS! p, g' U- s7 r1 S2 R
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
$ |0 q5 q4 l& f4 L' p. d解决方法:- O+ d* Q$ Q7 \4 F2 B: @
; \& S/ f" y1 p+ ]# r( c) kyum install httpd-devel& b& l) L9 }! b9 S
2.没有pcre/ ^' Q9 p& |! Y- ~7 x- X
2 x( O1 n2 ~) q* _" ^. E- V: fconfigure: *** pcre library not found.( g2 U5 P) y% i9 @
configure: error: pcre library is required
' w) L1 H% U1 W0 i3 D8 W解决方法:7 A' s5 N: _7 D$ h! I! t! T
/ U: |# M! i: S6 k* k
yum install pcre pcre-devel
4 y0 `3 C% I7 x8 d3.没有libxml2$ z0 l! A: G$ Z6 v( D4 ]
$ e( c' U! `- z" f+ G7 u* k$ q& B X/ u
configure: *** xml library not found.
% y- W7 m& s: Vconfigure: error: libxml2 is required
, l+ I! E2 }% J! M( a解决方法:1 q( A2 T3 w k# u6 G( {5 `
$ H% O' @/ _$ [) w/ F/ S. h, @1 cyum install libxml2 libxml2-devel2 C- u4 K1 V0 C
4.执行 /opt/tengine/sbin/nginx -m 时有警告
& g+ ?' A) h+ n, B3 M1 N
6 G0 C1 M0 }" c$ T9 ^Tengine version: Tengine/2.1.0 (nginx/1.6.2)$ V" f7 |! I& `4 |
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!! f4 c N9 N3 a2 D( t5 B# J! s
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log& D/ q8 l$ p6 _3 ~; d% e. r" C
, e' t `# ] s$ J
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
- w; m) R- g( J3 _# i" P! T5 m2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
( l: W% [4 ?2 j( B- p: l2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
0 [1 L. R5 F! |6 ~' G( t2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"/ `) X3 g$ p* ^' j$ O& D
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"% o- S- t6 J+ A. f1 Y
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On. z3 V9 }2 w* ]0 m8 x# N7 r( ?
解决方法,移除低版本的APR (1.3.9)% r* t# t& H) i
5 J1 h( P) w2 Y8 r/ X" O3 w+ v9 R
yum remove apr
; B% c* \: ?8 R9 `" b# E" G5.Error.log中有: Audit log: Failed to lock global mutex
0 N* }. K7 I( H
0 e! v* G* g' A5 F$ Y7 a2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
) I0 A* X2 |% V5 w% Gglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
0 |1 O9 H" ^$ H" o: Y. |解决方法:
* H, {3 d: x+ r1 m, ^编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
6 w4 f" g# t+ q- K4 F6 R% q4 Z; l: v
SecAuditLogDirMode 0777
& X5 K( f7 }3 F6 u& N! DSecAuditLogFileMode 0550' _2 w4 ]: \( H5 ~ C. y$ [ |/ L
SecAuditLogStorageDir /var/log/modsecurity
7 u5 ? r* c) v0 j: sSecAuditLogType Concurrent
l8 P0 w% \( h3 \- |参考文章:
4 f1 @9 V* N5 g( T6 ehttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX% d. T2 E E% F+ |* p, Q( s
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡