ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application; it now also supports Nginx and IIS. Combined with the flexibility and performance of Nginx it can be built into a production-grade WAF, and is a useful tool for protecting and auditing web traffic. (The steps below use the Nginx standalone build of the 2.x branch, which has since been superseded by libmodsecurity v3 with the ModSecurity-nginx connector; the versions pinned here are the ones the article was written against.)

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (Nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel, libxml2 and apr (httpd-devel provides apxs, which ModSecurity's configure script requires even for the standalone build):

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for Nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to Nginx

Once the standalone module is built, it is passed to the Nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in its rules. The rule set provided by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

(A plain git clone checks out the current master of the repository. The file names used below, modsecurity_crs_10_setup.conf.example and the base_rules, experimental_rules, optional_rules and slr_rules directories, belong to the CRS 2.2 series; if the clone does not contain them, check out a 2.2.x tag such as v2.2.9 first. The repository has since moved to github.com/coreruleset/coreruleset and the old URL redirects there.)

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the Nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. (The recommended file ships with DetectionOnly, which logs matches without blocking; running in that mode for a while is the usual way to find false positives before switching to On.)

owasp-modsecurity-crs contains several directories of rule files, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
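The Include lines above pull the CRS in unchanged. A real deployment also needs a place for site-specific rules and for exceptions that fix a false positive without disabling a whole rule file. The following is an added example and is not part of the article or of the CRS: the file path and the rule id 1000001 are chosen for the example, and 973300 stands in for whatever CRS rule id error.log reports for the false positive you are fixing.

```apache
# /opt/tengine/conf/modsecurity_local.conf  (path chosen for this example)
# Load it from modsecurity.conf with one more line AFTER the CRS Includes:
#   Include modsecurity_local.conf
# It has to come after the CRS so the exclusion below can refer to a rule id
# that is already defined.

# 1. Site rule: never serve the phpinfo.php used for testing. Rule ids from
#    1000000 upwards are reserved for local rules, so they cannot collide
#    with CRS ids.
SecRule REQUEST_FILENAME "@endsWith /phpinfo.php" \
    "id:1000001,phase:1,t:none,deny,status:403,log,msg:'phpinfo.php is not served from this host'"

# 2. Targeted exclusion: a WordPress editor legitimately submits HTML in the
#    'content' POST field, which trips the XSS rules. Exclude only that
#    parameter from the rule that fired (id taken from error.log; 973300 is
#    used here as an illustration) instead of switching the engine off.
SecRuleUpdateTargetById 973300 "!ARGS:content"

# 3. Removing a rule outright is the blunt alternative; keep it for rules
#    that are genuinely wrong for this site, not as the first fix.
# SecRuleRemoveById 973300
```

After editing, reload and watch error.log for a few requests: a SecRuleUpdateTargetById that names an id the CRS does not define is a configuration error at startup, which is the quickest way to catch a typo in the id.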
V. Configure Nginx

In each virtual host that should be protected, add the following two lines to the location:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

(Both directives are also accepted at the server and http level. Rules only run for requests that land in a location where ModSecurityEnabled is on, so with the PHP example below static files and any other location bypass the WAF; enable it at server level if the whole vhost should be covered.)

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

(Nginx variable names are case-sensitive: the parameter is $document_root, not $Document_root.)

An upstream (load-balanced) virtual host; the upstream name must match the host in proxy_pass:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, a malicious request is answered with a 403 directly. Taking the PHP setup as the example, create phpinfo.php with the content:

<?php
    phpinfo();
?>

Then request it in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS attempts are being filtered. (The browser URL-encodes the space and the angle brackets before sending; ModSecurity decodes the request before the rules run, so the encoded form matches just the same. Remove phpinfo.php once you are done, since it exposes the server configuration to anyone who can reach it.)
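The same three requests, plus a benign query that must not be blocked, as a repeatable check to run after every rule change. This is an added example and not part of the article; it assumes curl is installed and that the host is the article's www.52os.net (override with BASE=http://... in the environment).

```shell
#!/bin/sh
# Added example: WAF smoke test for the requests in the text. Not from the
# article. Assumes curl is installed; BASE defaults to the article's host.
BASE="${BASE:-http://www.52os.net}"

# http_status PATH NAME VALUE: HTTP status of GET $BASE$PATH?NAME=VALUE.
# curl URL-encodes VALUE, so the payload arrives exactly as written below
# (a browser does the same with the space and the angle brackets).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode "$2=$3" "$BASE$1"
}

# waf_expect EXPECTED PATH NAME VALUE: print PASS/FAIL, return 1 on mismatch.
waf_expect() {
    expected=$1
    shift
    got=$(http_status "$@")
    if [ "$got" = "$expected" ]; then
        echo "PASS $got  $1?$2=$3"
    else
        echo "FAIL expected $expected got $got  $1?$2=$3"
        return 1
    fi
}

# run_checks: the three requests from the text plus a benign query.
# The benign cases matter as much as the attacks: a rule that blocks
# ordinary traffic is what gets a WAF switched off in production.
run_checks() {
    rc=0
    waf_expect 200 /phpinfo.php id '1'                                  || rc=1
    waf_expect 403 /phpinfo.php id '1 and 1=1'                          || rc=1
    waf_expect 403 /phpinfo.php search "<script>alert('xss');</script>" || rc=1
    waf_expect 200 /phpinfo.php search 'modsecurity tengine howto'      || rc=1
    return $rc
}

case "${1:-}" in
    --run) run_checks ;;
esac
```

Run it as `sh waf_smoke.sh --run`; a non-zero exit means at least one expectation failed, which makes it usable as a gate in a deployment script. Add one line per real application path as you tune exclusions, so a later rule change cannot silently block a form that used to work.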
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when only the standalone module is being built.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Before doing so, check which libapr the binary actually loads with ldd /opt/tengine/sbin/nginx | grep apr, and be aware that yum remove apr also removes every package that depends on it (apr-util, apr-devel, httpd-devel and httpd among them). Those were only needed to build the module, but the 1.5.0 library the module was compiled against must stay installed or the binary will not start.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

This is a permissions problem: only the Nginx master runs as root, the workers run as the unprivileged user from the user directive, and that user could not create or lock the audit log. Note that 0777 works by making the directory world-writable, which lets any local user read, delete or plant audit records; the tighter fix is to create /var/log/modsecurity owned by the worker user and keep SecAuditLogDirMode at 0750 and SecAuditLogFileMode at 0640. In Concurrent mode SecAuditLog is the index file that lists the per-transaction entries, so pointing it at a file the worker user can write, rather than commenting it out, keeps that index.
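The 403s from section VI and the audit-log failure above all show up in error.log as one line per event with the same [key "value"] fields, and the first question after a block is always which rule fired and whether it was a true positive. The helper below is an added example, not part of the article or of ModSecurity: the four sample lines are constructed for it (the rule ids, file names and messages are illustrative, modelled on CRS 2.2 output), and the log path in the usage comment assumes the --prefix used above.

```shell
#!/bin/sh
# Added example: summarise ModSecurity "Access denied" events in error.log.
# Not from the article. Usage on a real log (path assumes --prefix=/opt/tengine):
#   modsec_top_rules < /opt/tengine/logs/error.log
#   modsec_blocked   < /opt/tengine/logs/error.log

# modsec_field KEY: print the value of [KEY "value"] from each line on stdin.
modsec_field() {
    sed -n 's/.*\['"$1"' "\([^"]*\)"].*/\1/p'
}

# modsec_blocked: one tab-separated line per blocked request:
#   client  rule-id  uri  msg
modsec_blocked() {
    grep 'ModSecurity: Access denied' | while IFS= read -r line; do
        client=$(printf '%s\n' "$line" | sed -n 's/.*\[client \([^]]*\)].*/\1/p')
        id=$(printf '%s\n' "$line" | modsec_field id)
        uri=$(printf '%s\n' "$line" | modsec_field uri)
        msg=$(printf '%s\n' "$line" | modsec_field msg)
        printf '%s\t%s\t%s\t%s\n' "$client" "$id" "$uri" "$msg"
    done
}

# modsec_top_rules: blocked events per rule id, most frequent first. A rule
# that dominates this list on ordinary traffic is a false-positive candidate
# for a SecRuleUpdateTargetById exclusion, not a reason to disable the engine.
modsec_top_rules() {
    modsec_blocked | cut -f2 | sort | uniq -c | sort -rn
}

# Constructed sample: two SQLi blocks, one XSS block, one event that is not a
# block (the audit-log error from the text). Ids/messages are illustrative.
SAMPLE='2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)(\d+)\s*=\s*\1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [hostname ""] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:05 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "19"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "Matched Data: <script found within ARGS:search: <script>alert(1)</script>"] [severity "CRITICAL"] [hostname ""] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 04:20:09 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2015/01/26 04:21:30 [error] 61610#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)(\d+)\s*=\s*\1" at ARGS:p. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 2=2 found within ARGS:p: 2=2"] [severity "CRITICAL"] [hostname ""] [uri "/index.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]'

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE" | modsec_top_rules ;;
esac
```

`sh modsec_summary.sh --demo` prints the per-rule counts for the constructed sample; on a live system feed it the real error.log. The [hostname ""] field is empty in the standalone Nginx build, as in the article's own log line, so group by uri and client instead.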
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614