|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。0 D, |( W* G+ g8 @' w4 I7 v
0 u& S, P6 t/ N0 q+ ?) g一.准备工作1 G* d/ n5 P* U) B
% v3 B* ?& ~/ j5 J# ^ V
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
" [8 s. M7 r4 b* H9 y# ^1 n9 D; g( s6 c
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
2 j$ |" C: \/ u2 W# j T. ^4 g# C9 d0 }* y& D
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz% T" a1 z% ~; `# n/ v9 S
# |9 O% t2 Z( }# ~8 t: f
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
5 Y9 s, @' ^& S; W) B6 f1 [' m2 E! \
( \! O7 K0 `1 v( m9 n, `! Z依赖关系:
) s# r1 x* R3 @( H1 F7 ~tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
: m' t" R/ B2 p* C" [% T x
. H {' k8 O# H5 {; |4 }yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
) Z+ f5 T1 b' b1 ?: C# Smodsecurty依赖的包:pcre httpd-devel libxml2 apr) D4 g% E; K) x+ B6 L% u: _
8 C4 Q2 T0 d; X. a% ?
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel X1 J V9 j0 r0 U
二.启用standalone模块并编译
0 w; U! K& P1 Z+ ?9 k W! q; o3 y {8 A f$ O; D3 N/ l5 x
下载modsecurity for nginx 解压,进入解压后目录执行:
) y( v- W, Z: ?0 o# L
0 z5 h; E9 c# v./autogen.sh- p. t0 U& g) {/ N6 l
./configure --enable-standalone-module --disable-mlogc* b2 d1 g! ?) [, I/ Q( ~
make . }: i M% K! P/ {4 ?
三.nginx添加modsecurity模块4 ~" R- y' c! ~
5 O6 g0 Q- U! W) b W2 x在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
) O0 `7 N4 q `5 W7 z
5 {, @6 g6 s5 o5 K9 E/ e) `' f! _7 I./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine- a5 x* H! j+ c! \! K! M9 O
make && make install/ x$ o* z j/ p( v) x8 d3 E2 W% u
四.添加规则
' p$ T( G# e, q& t5 {3 }, V& A1 E( ~! k
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。) i( S4 g+ ]$ C- W9 i. W3 ?
( S* F% i. r2 O
1.下载OWASP规则:
, Y. P% t. K0 F, d1 F+ F3 z( ]; i+ R9 \
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs; t2 f. p3 e. ~* y& g
, [: P- O, j5 s0 U* A9 r4 Xmv owasp-modsecurity-crs /opt/tengine/conf/
& A( ]' l! X0 R1 V
4 x5 M8 H0 i e. w i: gcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf( a2 u. ^/ V) J. C! l, O
2.启用OWASP规则:
5 A4 b1 e, E* P% L0 H, n8 m/ O9 I2 N) F$ B, O7 I S5 {
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。$ u& D' g2 B* @
4 j( v/ N6 U* p3 U+ B1 Y; Z, u
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on8 `0 d! _. w9 Q& o7 s( w
# K* L+ M( v; I& Howasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
* k F+ _8 [7 P5 b& I
3 x( P% C9 ~0 [, c5 t' J9 YInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf2 ^# ?0 p- D) ^
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf H. i6 } O1 N7 ^
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf2 |0 R0 ` ]7 G& ]$ c! |
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
4 N: o7 u* h7 ~4 V; q% j) `: qInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
& [8 r8 j' E( _1 BInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
8 W$ C# }. s6 x- s" ]" YInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf- Y7 }0 t# d4 M( H, D! C
五.配置nginx
4 A6 P; k6 Z* m, n0 m x) F" P' q) j4 U4 e
在需要启用modsecurity的主机的location下面加入下面两行即可:3 p/ x; y0 R& d
) S# C n2 L; L# {) e4 E" y" f8 U
ModSecurityEnabled on;
8 M% q4 |: w) x3 w( u& j% ?ModSecurityConfig modsecurity.conf;
- _9 W6 n( |1 s z! ?( Z" T下面是两个示例配置,php虚拟主机:
3 G Q- E3 t7 H5 U' ?4 s3 o( Q$ Y$ Z! s, b
server {
! a4 Z9 R! O) V# H3 { listen 80;2 ]3 u& r" S7 i
server_name 52os.net www.52os.net;
6 | y" M( F9 ^ a) X/ e9 D
+ D2 u. F. R: H' Z, U, ~ location ~ \.php$ {6 D# P' ~5 G1 \3 G3 b5 F
ModSecurityEnabled on;
0 N6 x5 r; B0 Q' \0 V) E ModSecurityConfig modsecurity.conf;* S+ h, i# W ~; O2 R: @2 j
% h# }: D1 G! h% ]3 e: r5 [
root /web/wordpress;
& d3 ~0 L0 @9 P9 s) s index index.php index.html index.htm;+ G! D8 g2 f# Y2 V B
8 P) _2 _9 U8 d
fastcgi_pass 127.0.0.1:9000;* f( ]! W9 G! A- z
fastcgi_index index.php;
9 r% A1 H9 @1 Z2 Y& X; S% z7 Y0 e& Y fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;/ ~$ o5 S; K: \5 P
include fastcgi_params; w# J: S( d) N! q/ n
}
0 d+ V( j% u) ~* N: V4 N }. U0 Q; B3 V" U& E! S
upstream负载均衡:
$ T5 s: ~3 P! {( X2 S& n( W& w- y; d
upstream 52os.net {; \# @9 \. u9 u ]9 @- Q5 H9 r$ ]
server 192.168.1.100:8080;
@0 F6 ~( S* v server 192.168.1.101:8080 backup;* Y: y" u9 o. ^" l( j9 T |, v
}( e! _+ `! o, q5 V
9 B P8 D: n& G
server {
$ c2 c. O+ q3 k' llisten 80;
' y3 l( H9 b( \server_name 52os.net www.52os.net;
* O# d9 o% a# d; F2 X- z. O6 T" N6 C# j
7 [5 Z& U/ b( A8 T; s( N ^7 a% Qlocation / {
0 e; S. i$ |) d5 c! s. W9 H ModSecurityEnabled on; & R$ [7 Y! Z( s# S. a4 c; J
ModSecurityConfig modsecurity.conf;
# G8 n$ r. W8 |& `# u* V: U" |) H. Z$ C7 N! T8 z
proxy_pass http://online;
/ t, M# O" @9 F0 P! E0 f& H proxy_redirect off;/ @ _! \, v, A8 M; C) }9 i/ t
proxy_set_header Host $host;: c6 Q7 l7 K& U5 ?
proxy_set_header X-Real-IP $remote_addr;
* _0 e( ^8 B6 Q! f- _ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
& n, P5 a% [0 L$ h }
" U$ y4 d8 P" n: @* p}( m; Y l( x7 K: [* n/ R
六.测试
; ]: A8 V# L3 `* C, s# |: p7 V( @8 n
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
" F d" Z ~3 y/ N% j, C' l& P. K: l7 C: ^2 p1 G" Q. c& ~3 q
<?php' a+ T9 t& }8 p1 M6 t
phpinfo(); 5 Q* I) Z- S8 s) F* ], m5 W
?>
3 m" f' N3 { J* H. A* }在浏览器中访问:
3 x& ^0 n5 R; q5 d0 H: r( S0 j# _+ J8 l8 c
http://www.52os.net/phpinfo.php?id=1 正常显示。, ~# h9 B9 q( |
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
. u3 h; P; `7 Z Whttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
G" Q1 \* w& @: E A; k6 \) s说明sql注入和xss已经被过滤了1 u; Q0 N F7 R, e- K2 `4 ^
0 g, c# `% a3 p( U: u8 G" h
七、安装过程中排错
5 p& Y }1 P4 T/ M# K& R
- N2 O) M- U4 L. A; F' e0 {1.缺少APXS会报错0 D5 p: I. C# G [* l; ]" \5 ~
1 {% |8 r1 y8 o5 c* o. Aconfigure: looking for Apache module support via DSO through APXS( S( O8 F3 |/ P3 l* q3 T t
configure: error: couldn't find APXS' p6 B# m+ I( n1 T& Q
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
( W. x. a7 N4 _3 J& F9 p解决方法:
0 z2 V$ @/ ?6 E$ |; g, M) |: b) T1 a( Y' L9 O
yum install httpd-devel
; M" |) P$ ]0 C6 U/ }; s2.没有pcre" D/ V1 ]( H3 f
4 S' e1 K' i% u1 v8 Iconfigure: *** pcre library not found.# k, l+ J D# z
configure: error: pcre library is required: ~* j: @8 R' |( m) |
解决方法:
. s' W( Q) Q& F, H
! k5 O. w- _9 r! d1 q8 ^: I* u: Zyum install pcre pcre-devel3 B, o; Y; U$ L% f5 G
3.没有libxml2+ h8 g1 m; n T1 I, C, M
2 d5 g" L2 u* c3 q* C
9 F# ^* q2 U) C) E2 M( ^1 P5 y' m2 E
configure: *** xml library not found.
& s* p9 ]1 v4 m; f6 pconfigure: error: libxml2 is required7 F' V V& Z9 J- f
解决方法:$ J" B- S% B9 D% `
" h3 J6 m) _ s/ Z. G' l& o' S$ f
yum install libxml2 libxml2-devel
+ D+ `5 a* a/ \4.执行 /opt/tengine/sbin/nginx -m 时有警告
$ L$ j. {( T; p% Q% Z2 y) v
" o3 g' G W9 n: PTengine version: Tengine/2.1.0 (nginx/1.6.2)6 M, \8 n: X1 ?* C
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!2 F% f) Z; A, b g" e
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
1 Y; {0 u j; N: {; t* u3 I9 m5 k
# h% [( F1 I/ i2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
. n g% N0 x8 N2 t2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9": U ?- S" v* U y3 U
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
- x, c- r1 q8 D2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"9 c' T' Q: m8 P3 g! F
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
|/ K# s: i1 C( q! Q+ A, D8 M2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
d7 Y9 C# I# y% J/ R, V8 m/ ~1 j解决方法,移除低版本的APR (1.3.9); u5 y9 u+ @) P8 \) U
* e3 ^! ~+ X; B7 }- x. a
yum remove apr9 e6 x; O s c
5.Error.log中有: Audit log: Failed to lock global mutex a/ F7 _8 e* u
h! E, p% G# i, K, q2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock ! s- \6 u% w5 c: K- }
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]+ S, b O* J* q- m
解决方法:
) ]7 z* v; ?; N! M( t编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
3 y2 ~" i$ [3 e9 K4 V g
2 a+ @6 _# }0 ISecAuditLogDirMode 0777- c! b* z+ S M9 L1 Z9 K3 l
SecAuditLogFileMode 0550: Q |$ v1 e9 _7 Q# Y- O
SecAuditLogStorageDir /var/log/modsecurity
7 ^ L: u" {9 u3 Q2 N1 X' wSecAuditLogType Concurrent
: A) V `% {" W) f参考文章:# F F0 C$ j3 ^3 |1 B
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX# G9 \: |, [7 g3 E
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡