|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。8 m4 R6 C/ [4 S/ ~
! ^) m+ Z* I$ d. e一.准备工作6 }1 E* ^0 ^% f3 Y2 Z
- F6 H1 x3 \1 R& o+ w, l n% _系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.08 X% o3 j% T1 K! }+ H' |
& B1 [3 S9 I7 Q0 Atengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz% P# L8 I& t4 \: K3 t2 z+ J
# x8 } e$ G) y. Zmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
( K6 @$ b" g ^8 O$ P, E' I7 U8 D+ ?! B: e1 i# M9 [
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs, u6 @5 W% k+ \/ o4 b4 z
7 o3 g. v/ F8 S依赖关系:! D9 q. Q: F- O8 f
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
7 u+ ] G1 `# G e: h1 C
, e( ^ B. Q- {) _5 z3 ~yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel1 P; j' ~, |# N5 U/ K! d
modsecurty依赖的包:pcre httpd-devel libxml2 apr4 D3 E) u |; i4 K7 ], k
" S9 d0 a/ ~6 O1 t$ m& y/ Iyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
; G0 F8 {8 w5 x4 a! L二.启用standalone模块并编译5 Q. s: @ ]! h: H
% ^+ m8 r1 D" M* `
下载modsecurity for nginx 解压,进入解压后目录执行:2 f4 p$ a9 w, Y3 }4 P2 {6 `
, L$ k. ~; y, S! O7 K
./autogen.sh/ Z* m& | F- M9 G' f u
./configure --enable-standalone-module --disable-mlogc' b# [' W! U+ ]# D6 q
make ( T0 @9 H' Q5 i9 k, Z$ H
三.nginx添加modsecurity模块7 J$ X# E( I v
; K5 R, c9 r8 q- y% D5 P/ @
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:" E* d h3 l% \* X" j
# O7 G* T: D; [3 f" ?* b( Q
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine P5 y( u% O- |- p; W! h6 @7 E
make && make install6 d+ ]# q, q+ a& n6 w
四.添加规则
/ E' N8 |( V; \7 i6 Q
! S( W# u2 X% ]" j6 B! K1 Tmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
6 p9 n, @6 f4 c8 V" Z2 p: D6 C# i8 b* g) h4 ^
1.下载OWASP规则:" X* |; l+ v. r1 }0 v9 I9 L
: K* D) y( p0 r" k( x6 S. _
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
, h8 C- \2 [# q! `' w/ [3 I8 m3 ~* A3 i4 z( {; N# ~
mv owasp-modsecurity-crs /opt/tengine/conf/. n1 x* L8 g s9 C) @7 Y3 u9 v
% V0 d5 w1 e( G. o
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf, g2 S$ z4 x& N2 A1 |: U
2.启用OWASP规则:
; y8 l/ g; F# r+ p1 B6 B9 a
; T/ s5 q* i6 c7 `& q( a7 m复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
* q! ^5 h# u3 E5 F
$ K2 F/ K) W0 |5 Y" y编辑modsecurity.conf 文件,将SecRuleEngine设置为 on. Q% L1 G3 l* J$ f
9 _4 C; B) t7 ^6 }3 V% wowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。/ m. O* O$ A% J+ ^; v" j
. G( I2 _+ j1 S! o
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf2 p& n. o7 Y* y; Z6 c8 U2 d
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf* ~# Z3 a: r4 X1 {
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
' C' D; r% X% X2 ?) a( h6 o3 C7 TInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf0 A- k% P* j% ?/ U
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
9 U' x! N: J O" o. @% o: XInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
6 i+ z9 C- L- h" R! _: ZInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
; v9 Y, a7 v) e9 H' s, l4 l2 \% h五.配置nginx
" W# u" p7 u, a# ^, q( v% f# K0 \/ {0 X/ [
在需要启用modsecurity的主机的location下面加入下面两行即可:0 O. Q+ V0 ]* R# x
" C9 @) v0 Y2 G: aModSecurityEnabled on;
/ K2 I1 K7 Y# a- o+ A! OModSecurityConfig modsecurity.conf;( X1 k& }* e1 d, r/ g
下面是两个示例配置,php虚拟主机:2 ^9 H" L- u# B$ }' K! ]8 c
4 g4 |' F7 k& h" J) Mserver {3 g3 k0 f0 c; F f4 }
listen 80;. o* }- M) g) T* J8 D
server_name 52os.net www.52os.net;
$ [7 N3 o! f' v. B ^5 e
' S; X6 z( b' u/ ]) `. i% E location ~ \.php$ {
7 [) X5 ]% C6 s* { ?( U ModSecurityEnabled on;
8 g: w& A2 h3 n5 q" \9 @ ModSecurityConfig modsecurity.conf;
; z9 e3 i8 b4 d3 B' V; s
; S' M3 t# \, L* u root /web/wordpress;
; e+ d- O; R( S$ c3 \; ^& b1 e index index.php index.html index.htm;" ~8 j0 G0 K' F( Z+ y7 x
9 `6 l& |/ n4 Q, \
fastcgi_pass 127.0.0.1:9000;1 ^1 Q i5 u1 U- c7 T, V# m( |1 a9 P) G9 u
fastcgi_index index.php;
) o' A; T1 j" S) j fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
7 K. ~1 M" i/ c* U$ H, U% p include fastcgi_params; P) z* K, Q: _
}
4 d# r$ I" d2 [; k }2 R3 A' i9 Y# F5 l; R; V7 _; h! |6 z2 {
upstream负载均衡:
$ v x3 j$ W' u2 {
7 ]! n z+ G1 Fupstream 52os.net {
8 Y( u7 p7 Y+ z* X server 192.168.1.100:8080;) h( g6 t; {8 p
server 192.168.1.101:8080 backup;
) K4 m9 x- {% i4 Y [% B}/ p# x- `) [% i [% o' x5 k
3 S1 q: r& Y! g4 U( } `! Tserver {6 I8 s5 o6 G6 @( A$ A% H& k
listen 80;
% ^- P$ p4 U& K2 c% `0 H `server_name 52os.net www.52os.net;% G$ p6 h4 I3 k9 M- f, j0 I
6 P5 l8 M \8 c6 r" r
location / {& _5 A8 H' s( d7 C+ u/ {
ModSecurityEnabled on;
' d$ a( ~7 i) j6 _$ c6 Z) ] ModSecurityConfig modsecurity.conf; - ?- x' H( L1 y/ y+ _" N8 d
2 Y% b: I1 `5 f; w: l+ h
proxy_pass http://online; R6 o. U! `6 V+ U7 K5 D) g. Z
proxy_redirect off;- L4 O" ^1 r2 _& }) ?8 K4 M
proxy_set_header Host $host;7 j. l- L/ B& p9 ?3 T0 x( x
proxy_set_header X-Real-IP $remote_addr;# T/ ~ p" y4 z
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# P- M* X8 i' o3 {/ [4 }: v- T5 u: p }+ z4 y9 n1 q3 n, z
}
* S, s# _/ v+ ^7 h% F六.测试7 O9 X, A% J1 _* `5 e
! @7 u2 a. x% i! C
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:9 Y" p P. n0 f/ w
5 n5 o3 o. j$ W/ Y4 w' @( U
<?php
7 B+ V1 t) C$ D' U4 g phpinfo();
) O* @( C" e0 t5 p8 B4 ~3 U3 ?0 p?>
% e4 s& I; q4 |3 T" r在浏览器中访问:. P+ F4 [" U4 B8 Q9 m
' Y' f4 L- B& {0 b% a$ a( f0 z ]http://www.52os.net/phpinfo.php?id=1 正常显示。
, G2 V6 j- K+ E0 b4 Dhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
$ | f& c$ a$ @! n' w0 whttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
- `: o4 E( D1 a" S6 a7 o说明sql注入和xss已经被过滤了
& U2 @+ Q* M( v& R6 b, l1 A' |, n$ t
七、安装过程中排错9 @: Z" @" U! P$ h% J5 F4 j U/ j
) n2 N4 D6 |" C/ L7 {
1.缺少APXS会报错
8 ^( R8 X+ a U
! N/ j* I1 q* R3 I9 \& Zconfigure: looking for Apache module support via DSO through APXS
6 W$ r' d( ]5 B( ^configure: error: couldn't find APXS/ Y: h0 i0 J' ]- X
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。! ]5 R0 I4 Q1 V) P4 Q$ B# L
解决方法:
: {' M- V c" V
4 e2 p0 y% a4 X1 N0 S* Jyum install httpd-devel$ ?# S; G R- N! n; {: A7 q) l
2.没有pcre
& {6 x; e! F, }0 l' J- q
% {+ s8 i3 @, J% Wconfigure: *** pcre library not found.! m( Q$ T) ^, w+ q: }1 R4 L
configure: error: pcre library is required5 E) u, ]- i9 l8 N! ?, q
解决方法:! ~1 i* X" P6 P3 K U+ K
' k& I' T3 }# V. @$ c0 T$ w; ?yum install pcre pcre-devel
& k& N U/ I/ [8 z3.没有libxml23 }1 h- z) U# C! j
' W+ x( \: x) F4 Y% l. y+ T
- Z: z# ?' S5 s# z* {" |configure: *** xml library not found.
, ?7 E; }9 I% W# i% zconfigure: error: libxml2 is required
% W0 T' \+ n/ m2 Y/ a解决方法:
; G2 V! L; E2 d+ `2 H# G, z9 P7 T/ t
g- q' p, }; R T6 J5 T% j$ byum install libxml2 libxml2-devel
3 y" N0 V* \5 h, k4.执行 /opt/tengine/sbin/nginx -m 时有警告
/ } \: u; j a$ y! L# ?, a. e6 p/ q* N
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
8 }1 J, D; c$ r Znginx: [warn] ModSecurity: Loaded APR do not match with compiled!4 _2 b0 s0 p4 Y; D* q0 D
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
7 q- l( ~: J" e* m! @2 H5 K' K: C! [5 o& i: | W6 u. O
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.' z P* W. u$ C7 @, ]0 l, K
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
! X+ w7 k! h4 k; t$ H' z8 V2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!$ `+ | ?1 w; c
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
4 N- X/ @5 \8 A: _6 ^2 Z% U$ y2 y2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
. T. }3 {# J2 ~$ q2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.9 p; ]+ @- y% {; g2 e
解决方法,移除低版本的APR (1.3.9) b a. U4 E, ?) o. Y/ S
! m( S P0 T, T6 Vyum remove apr/ q% n& c# N& o( E- G2 u9 Y0 M
5.Error.log中有: Audit log: Failed to lock global mutex/ J& ?! F) o: n2 L7 `! w d
8 b6 _5 P# n' C: e$ t( V6 r0 l2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
7 w: c C. e1 w- e/ E# k+ e: Vglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]' y& m8 [" n! E1 S( t, t& D
解决方法:5 Z" G5 e/ y: ?( O. |8 \4 {
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
. z2 R, a% \% X; | V& h6 @
" f8 u/ h# ]/ I2 \. c' C% b3 mSecAuditLogDirMode 07775 \3 E1 b8 S' [8 d) n) D
SecAuditLogFileMode 05507 U& I# |( H7 i& O. X5 x
SecAuditLogStorageDir /var/log/modsecurity
, H v; G& K$ cSecAuditLogType Concurrent& s) x, v, C" [% `! c
参考文章:# A( Z1 d% B/ I' { L: R
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX8 \) C, D. U! t; l& P- r
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡