ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add it when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is designed to filter and block web attacks, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover any other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each of them:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines inside the location block of each virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # use the lower-case built-in variable $document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # the name after http:// must match the upstream block above
        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered with 403 directly. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then request these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
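A repeatable version of the three checks above, as an added example (Python, not from the original post): it requests the same benign, SQL injection and XSS probe URLs and reports any case whose status differs from what the post expects. BASE_URL is an assumption; replace it with your own host.

```python
"""Smoke test for the ModSecurity/Tengine setup above (added example).

Assumes the PHP vhost from the post is reachable at BASE_URL and serves
phpinfo.php; the three cases are the ones the post walks through by hand.
"""
import urllib.error
import urllib.parse
import urllib.request

# Constructed for this example; adjust to your own host.
BASE_URL = "http://www.52os.net"

# (query string, expected HTTP status). The benign request must pass (200);
# the SQLi and XSS probes from the post must be blocked by the CRS (403).
CASES = [
    ("id=1", 200),
    ("id=1 and 1=1", 403),
    ("search=<script>alert('xss');</script>", 403),
]


def http_status(url, timeout=5):
    """Return the HTTP status code of a GET for url (4xx/5xx included)."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status code is exactly what we want.
        return err.code


def run_smoke_tests(cases, base_url=BASE_URL, fetch=http_status):
    """Run each case; return a list of (url, expected, actual) mismatches.

    An empty list means the WAF behaves as the post describes. `fetch` is
    injectable so the check can be exercised without a live server.
    """
    failures = []
    for query, expected in cases:
        # Percent-encode spaces and angle brackets so the request is well
        # formed; the CRS rules URL-decode the arguments before matching.
        url = f"{base_url}/phpinfo.php?{urllib.parse.quote(query, safe='=&')}"
        actual = fetch(url)
        if actual != expected:
            failures.append((url, expected, actual))
    return failures


if __name__ == "__main__":
    for url, expected, actual in run_smoke_tests(CASES):
        print(f"MISMATCH {url}: expected {expected}, got {actual}")
```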
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
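To catch this kind of mismatch without reading error.log by hand, here is an added example (Python, not from the original post) that parses the ModSecurity startup notices shown above and reports every library whose loaded version differs from the compiled one; the sample lines are constructed from the excerpt in the post.

```python
import re

# One ModSecurity startup notice per library, e.g.
#   ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
#   ModSecurity: LIBXML compiled version="2.7.6"      (no loaded part)
NOTICE_RE = re.compile(
    r'ModSecurity: (?P<lib>[A-Z]+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)

# Sample error.log lines, constructed from the excerpt in the post above.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
"""


def parse_versions(log_text):
    """Return {lib: (compiled, loaded)}; loaded is None when not reported."""
    found = {}
    for line in log_text.splitlines():
        m = NOTICE_RE.search(line)
        if m:
            found[m.group("lib")] = (m.group("compiled"), m.group("loaded"))
    return found


def _base_version(text):
    """Keep only the leading dotted number: '7.8 2008-09-05' -> '7.8'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return m.group(1) if m else text.strip()


def find_mismatches(log_text):
    """Libraries whose loaded version differs from the compiled one.

    PCRE appends a build date ('7.8 2008-09-05'); comparing only the leading
    number avoids a false alarm there, so the sample reports APR alone.
    """
    return {
        lib: versions
        for lib, versions in parse_versions(log_text).items()
        if versions[1] is not None
        and _base_version(versions[0]) != _base_version(versions[1])
    }


if __name__ == "__main__":
    for lib, (compiled, loaded) in find_mismatches(SAMPLE_LOG).items():
        print(f"{lib}: compiled {compiled!r}, loaded {loaded!r}: align the packages")
```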
5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that SecAuditLogDirMode 0777 makes the audit log directory world-writable; if your environment allows it, prefer a tighter mode that only grants write access to the user the nginx worker processes run as.

References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614