ModSecurity was originally an open-source WAF for Apache that can noticeably strengthen web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is aimed at filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines inside the location block of every virtual host on which ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, an upstream load-balancing configuration:

# the upstream group name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with a 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
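Beyond watching for a 403 in the browser, the nginx error.log records which rule fired for every request ModSecurity intervened on. The following shell script is an added example, not code from the original article or from the ModSecurity project: it summarises ModSecurity alerts by rule id and by client address. The log lines embedded in it are constructed to follow the ModSecurity 2.x alert format (the rule ids 900001/900002, client addresses, hostname and unique_id values are placeholders), and the log path mentioned in the last comment assumes nginx's default logs/error.log under the --prefix used above.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise the ModSecurity
# alerts that nginx writes to error.log, so you can see which rules fire (and
# for which clients) instead of relying only on the 403 seen in the browser.
#
# The log lines below are CONSTRUCTED to follow the ModSecurity 2.x alert
# format; the rule ids (9000xx), addresses, hostname and unique_ids are
# placeholders, not values from a real deployment.
SAMPLE_LOG=$(cat <<'EOF'
2015/01/26 05:10:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\band\b)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "900001"] [msg "SQL Injection Attack (constructed sample)"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/phpinfo.php"] [unique_id "AAAAAAAAAAAAAAAAAAAAAAAA"]
2015/01/26 05:10:02 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:<script)" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "20"] [id "900002"] [msg "XSS Attack (constructed sample)"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/phpinfo.php"] [unique_id "BBBBBBBBBBBBBBBBBBBBBBBB"]
2015/01/26 05:10:03 [error] 61610#0: *12 open() "/web/wordpress/favicon.ico" failed (2: No such file or directory), client: 10.11.15.161, server: www.example.com, request: "GET /favicon.ico HTTP/1.1"
2015/01/26 05:10:04 [error] 61610#0: [client 10.11.15.200] ModSecurity: Warning. Pattern match "(?i:\band\b)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "900001"] [msg "SQL Injection Attack (constructed sample)"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/phpinfo.php"] [unique_id "CCCCCCCCCCCCCCCCCCCCCCCC"]
2015/01/26 05:10:05 [error] 61610#0: [client 10.11.15.200] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\band\b)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "900001"] [msg "SQL Injection Attack (constructed sample)"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/phpinfo.php"] [unique_id "DDDDDDDDDDDDDDDDDDDDDDDD"]
EOF
)

TAB=$(printf '\t')

# Reads error.log lines on stdin and prints "count<TAB>rule_id<TAB>msg", most
# frequent rule first. It counts both blocking alerts ("Access denied ...") and
# the "Warning." lines ModSecurity writes when SecRuleEngine is DetectionOnly,
# so the same summary works while rules are still being tuned before blocking.
modsec_alert_summary() {
    grep -E 'ModSecurity: (Access denied|Warning\.)' |
    sed -n "s/.*\[id \"\([0-9]*\)\"\].*\[msg \"\([^\"]*\)\"\].*/\1${TAB}\2/p" |
    sort | uniq -c | sort -rn |
    sed "s/^ *\([0-9]*\) /\1${TAB}/"
}

# Reads error.log lines on stdin and prints "count<TAB>client" for requests
# that were actually blocked (Access denied), most active client first.
modsec_blocked_clients() {
    grep 'ModSecurity: Access denied' |
    sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' |
    sort | uniq -c | sort -rn |
    sed "s/^ *\([0-9]*\) /\1${TAB}/"
}

# Stand-alone run against the constructed sample. On a real host replace the
# printf with e.g. "tail -n 10000 /opt/tengine/logs/error.log" (nginx's
# default error_log location under the --prefix chosen above).
printf '%s\n' "$SAMPLE_LOG" | modsec_alert_summary
printf '%s\n' "$SAMPLE_LOG" | modsec_blocked_clients
```

Because the summary also counts the Warning. lines, the same script can be run while SecRuleEngine is set to DetectionOnly: rules that would block legitimate traffic show up at the top of the list and can be tuned before switching the engine to On.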
0 Q; e8 z7 u/ D: x+ X( N. v5 ~- [2 P1 u; E6 m, d
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the APR version loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR version (1.3.9):

yum remove apr
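The start-up notices in the error.log excerpt above already carry both the compiled and the loaded version of each library, so this mismatch can be detected automatically rather than spotted by eye after a restart. The following script is an added example, not part of the original article or of ModSecurity: it parses those notice lines (copied from the excerpt) and reports every library whose loaded version differs from the compiled one.

```shell
#!/bin/sh
# Added example, not part of the original article: check the ModSecurity
# start-up notices in error.log for libraries whose loaded version differs
# from the version ModSecurity was compiled against (the cause of the
# "Loaded APR do not match with compiled!" warning).
#
# The sample lines are the notices quoted in the article.
SAMPLE_STARTUP_LOG=$(cat <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
EOF
)

TAB=$(printf '\t')

# Reads error.log lines on stdin. Prints "LIB compiled loaded" for every
# library whose loaded version differs from the compiled one, and returns 1
# if any such mismatch exists, 0 otherwise.
# Only the first whitespace-separated token of each version is compared:
# PCRE reports compiled "7.8 " against loaded "7.8 2008-09-05", which is the
# same release with a build date appended, so it must not be flagged.
# LIBXML has no "loaded version" field and is skipped by the sed filter.
modsec_version_mismatches() {
    sed -n "s/.*ModSecurity: \([A-Z0-9]*\) compiled version=\"\([^\"]*\)\"; loaded version=\"\([^\"]*\)\".*/\1${TAB}\2${TAB}\3/p" |
    awk -F "$TAB" '
        BEGIN { bad = 0 }
        {
            split($2, compiled, " ")
            split($3, loaded, " ")
            if (compiled[1] != loaded[1]) {
                print $1, compiled[1], loaded[1]
                bad = 1
            }
        }
        END { exit bad }'
}

# Stand-alone run against the quoted log excerpt.
if printf '%s\n' "$SAMPLE_STARTUP_LOG" | modsec_version_mismatches; then
    echo "all ModSecurity library versions match"
else
    echo "version mismatch found: rebuild ModSecurity or remove the stale library (yum remove apr in the article)"
fi
```

On the excerpt above the script prints only "APR 1.5.0 1.3.9"; PCRE is not reported because the leading version token is identical on both sides. Run it against the live error.log after every restart that follows a library update.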
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614