|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
- {5 q3 l) C4 E# R, b1 l* D W- }/ z5 E/ G
一.准备工作
: @" E' @( H! }+ r: `
5 \+ b+ H) h, l# `3 M8 o2 V' a9 y系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
0 U4 {6 n& S' Q' V* a% W9 v: r$ n% r( i& T1 R% Y4 O/ L
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz, S( ~; m* Q" | L$ C4 m
`% Y" d+ c- E
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
8 J" D5 l, \& | H4 i: ^
H: t5 M/ a) g a( XOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs! G6 W2 Q. X. U w
3 N5 D+ A3 r' ^
依赖关系:
& C/ f! q# ?1 t3 H& d- L* r- Wtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:% @: q, B4 E, g# R3 e1 r
& X2 p. ?, t# ?2 w6 n
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel5 s& w5 p; @& m7 R% M" `5 y
modsecurty依赖的包:pcre httpd-devel libxml2 apr
% N' J6 O h0 c7 @" Z0 `
- p! g1 d4 B. W+ n3 ayum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel9 N* S. R a3 R7 z0 {2 p1 p
二.启用standalone模块并编译
! _4 R8 F+ `! |* i
n" g& d3 }! N$ U. M n1 |' I下载modsecurity for nginx 解压,进入解压后目录执行:# t( C+ S3 }' @
9 F$ P, F2 \" d$ g./autogen.sh
; Q; Y, S5 z- r1 Z+ T./configure --enable-standalone-module --disable-mlogc
. H6 K7 q/ y/ k7 V* i: `make ) z, f) |' z5 n7 L0 i. I1 J
三.nginx添加modsecurity模块: D$ F# [$ \4 @1 q( u+ }
1 V- d! v0 s' U" \& T在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
2 K" G; N' d5 ^( c" ?( B* D: F3 o' ? m
0 X5 v' K5 U0 L./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
. q; @$ v& D) o6 m& C$ c0 Tmake && make install. X p8 u" n8 \# V P! ]- A! B
四.添加规则
- [& T, ^& m- J0 C- e$ A7 `! V- R- k2 N9 r
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。% z% ~3 d1 V$ v# ^: ?
' S. Y8 [/ c" E0 E1.下载OWASP规则:1 C* M2 ?8 m9 v8 u! N/ Z: L7 y
5 L' z) c5 p& I% d. Tgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
2 e+ u/ `( z6 Y# A$ n2 J, ^
; o6 r9 S: D7 {/ c1 `mv owasp-modsecurity-crs /opt/tengine/conf/
& @) H. { r/ T- F# f, m- T& ~/ b; z4 ]5 J& P" A
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf( D. [7 d( n1 u6 N9 z- A& l
2.启用OWASP规则:2 |: u9 p( ~, q5 u$ w3 {% ^( y
: _8 P, Q; J5 n: w: g+ J复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。% q4 @$ a [, B( H; n+ P# f
0 K1 [ g* S7 g( k/ C编辑modsecurity.conf 文件,将SecRuleEngine设置为 on5 E5 V7 j! x" } m1 K# y' t3 t
2 V# _: Y5 s) @! a7 C
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
. n/ @5 B4 D! g/ t+ O! o1 C! P+ k5 a/ L0 f
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf! |1 g4 `; s; q Y% u. l
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf! I0 N. j7 S+ t$ h4 s6 V( l
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf* f6 D+ k6 Z+ i# p; Z
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
5 h" R2 V) \0 r) G2 t4 gInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf& E- _- O+ Y+ a$ C: C( s6 V
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf* Y4 M" A8 c9 d* X i! D8 J
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf- V' o. [& _9 d! L* H* q( p
五.配置nginx4 j( f( K9 F6 W5 x% _3 j% I
- u7 H% U' E' j/ L4 I
在需要启用modsecurity的主机的location下面加入下面两行即可:
) a; Q5 x4 j0 P9 z( S1 [0 \: p" _ v9 o7 ]. e1 ~# e
ModSecurityEnabled on;
$ c# ]! | o' OModSecurityConfig modsecurity.conf;
f) [8 J* k3 I下面是两个示例配置,php虚拟主机:& s$ o- D0 z4 b8 C
2 u( ~3 O- U) m6 ~
server {
# q6 x) v# i/ Y3 N+ ] listen 80;9 [- {3 z' m7 G1 v( e
server_name 52os.net www.52os.net;8 u7 D! X5 X$ q! h7 b
* `& O# i9 }4 ~% y2 J# s- p
location ~ \.php$ {
0 x. ^0 i2 l2 ]$ t( H ModSecurityEnabled on;
( d7 {5 N- m" D* b$ ` ModSecurityConfig modsecurity.conf;4 H7 x! B9 }) j7 e
' Q% R" Y6 J5 u; P/ L7 X
root /web/wordpress;
9 ~+ K3 e8 h9 X2 y; Y7 N8 \, y index index.php index.html index.htm;
/ Z9 u/ E6 X# `& b" x7 ^ 7 h, \% o% Y- x H( O
fastcgi_pass 127.0.0.1:9000;1 O5 E% I3 u! d5 z4 o' m5 ?, G2 V
fastcgi_index index.php;' C) }3 b4 ~( |, \9 b2 l
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;" u. k7 m+ n( m
include fastcgi_params;
. b- d, @" X/ Z4 y j0 R0 ~; J }4 D! G5 h$ s5 \
}
! V: @6 M- S% }0 Supstream负载均衡:) D- N# p! v% V0 @
9 Y: f8 z1 S( ~- {4 h$ e1 aupstream 52os.net {% p5 D+ {7 C. C8 g, ^
server 192.168.1.100:8080;
3 N8 ~* ]% F' z/ t" g server 192.168.1.101:8080 backup;
5 i) L) x+ W! G# }7 M}: w7 B% a& g4 V+ y. D
# G" E, y& n) j& I) g6 O5 userver {% V! i2 h$ L. {) ~- b6 Q& h! {
listen 80;
' a9 x- s& ~. n3 O$ Q: M0 a$ fserver_name 52os.net www.52os.net;
; J( w8 q2 o& t6 J' B. D5 O
4 ?8 o0 v# M- D! L6 a' W Z, v; ylocation / {
, B7 P. r/ Z# w$ A! g ModSecurityEnabled on; 2 d p3 d1 ?, {- N$ L
ModSecurityConfig modsecurity.conf;
4 V. g0 d' t& [) Z/ I' w Y9 G# e3 A% M* p- \: \5 [
proxy_pass http://online;
- b0 m5 h6 i) \2 q0 K proxy_redirect off;" z I' L+ K% u, W5 n- w
proxy_set_header Host $host;/ p8 J8 h% D5 B$ `! o2 H
proxy_set_header X-Real-IP $remote_addr;0 X7 q: y" `. C- l( Q. t- R. Y
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
3 k1 ]" E( |$ g8 E! ` g5 ?/ C }
* m. k: q! \4 h- n}
) m* [, M! z% u4 R- A t六.测试3 t+ N) s! @0 d% F
3 S O; L) {: f) l. h5 Q" P我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:! O, S5 x# }# W
2 V+ S, l% i. r3 x. W
<?php( R2 ^3 V5 O5 d% Q1 E3 _
phpinfo();
" O0 p- D9 N. g2 X U& V?> D2 ~$ u/ }! ~8 g
在浏览器中访问:4 X3 L3 f- U4 Z% A% _1 D5 y- p1 L" e
* ]# H6 R) b: `, W- e" Vhttp://www.52os.net/phpinfo.php?id=1 正常显示。- E% v. b# a6 q/ g/ f" n- f
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
1 |: Y% e& t/ { N, I2 Mhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。6 a- ^9 D4 l* |4 |, z
说明sql注入和xss已经被过滤了) t0 T) a/ L7 G
' ?( S& ]- D3 v1 D; f七、安装过程中排错7 L& y0 i/ R7 E( D6 i
" ?9 d7 d/ q: N% `
1.缺少APXS会报错
& G& H5 \# ?2 q8 @# I s* Y
9 `8 C: w& a. K4 D% @configure: looking for Apache module support via DSO through APXS
# W" t9 B* A4 M3 J8 }configure: error: couldn't find APXS* O& d. x% E& Y$ q; L. T4 p, @
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。4 O, a3 q7 `, O! U6 M
解决方法:
- ]& v/ X5 h! Q2 q* v% i8 }( ^! w
1 B; R( H8 c% p& xyum install httpd-devel
; `% [- T0 T2 p# Z- o5 S) n% n2.没有pcre
* o: [/ {: V7 T( X% q) L! Y9 x, Q6 ~( l2 a+ K4 D0 h
configure: *** pcre library not found.5 L0 E: l) ]1 T- i/ F D& p
configure: error: pcre library is required
6 c. B/ J; E- f/ Z5 F解决方法:4 C( v3 Q) h7 h9 u* h. T; j
$ T- R4 G( D+ Kyum install pcre pcre-devel6 V6 H: I! m* n) `( q2 u9 i
3.没有libxml22 G- O4 w8 g1 @4 D/ l* C
% z0 N# X5 T/ f4 d8 m- U) C5 i7 Q Q: B( b- g+ \- O) t
configure: *** xml library not found.
& e/ Y8 x8 D2 cconfigure: error: libxml2 is required: k. X6 `% E# g! L% b
解决方法:/ H+ D* R5 b3 L0 U' L
+ ?! _2 J, i o
yum install libxml2 libxml2-devel5 ~; k; d; v1 u- J9 N- t1 ^
4.执行 /opt/tengine/sbin/nginx -m 时有警告 q7 o; I% p4 ]* ^0 `/ v6 u
# X. O6 [) ]& y; qTengine version: Tengine/2.1.0 (nginx/1.6.2) K! w% x& P9 E) L* m1 w3 R
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
& B3 @0 u2 ? u: ^& ~3 P; J原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log( p& E" ]) x8 Z
( o) \( S3 Z$ C( }- d( d2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
) P! M+ I `! I2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"( M. b/ D+ e: z9 ], }
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!0 X4 X$ n! ]( V4 Q- ]
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
% ]/ i. }0 ^, b2 Z8 \2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
( j% O2 ?# y& n6 k2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
4 A O1 m- A, V解决方法,移除低版本的APR (1.3.9)
! J6 F- V5 s1 Y8 K7 D: g# o) {) ?+ G. u4 R. B& Z
yum remove apr$ ~) h" |6 ^! q. ~
5.Error.log中有: Audit log: Failed to lock global mutex! ]) j: ^6 X5 s1 B) d6 j) G
4 P" a! s3 T: ]$ F2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 6 E! a: ~6 U3 y: N9 A. e/ d8 K
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
6 i/ a. S0 g8 f& u5 P q, U解决方法: r! y, s, x$ V7 }
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
* y+ H, P9 }9 ]; x' P) K2 @5 N q
SecAuditLogDirMode 0777- X4 Z* I( |+ l+ Q3 p; l
SecAuditLogFileMode 0550. p; E' M! a0 c
SecAuditLogStorageDir /var/log/modsecurity. Z9 ]! M, t4 U9 \
SecAuditLogType Concurrent
2 S9 f# y0 y. W7 _参考文章:. A$ L* v$ r" R* Z
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX0 w o2 ?. X8 |3 q; Y. A
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡