ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security. It now also supports nginx and IIS, and combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download and extract ModSecurity for nginx, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module has been built, add it to nginx with "--add-module" when configuring the nginx build:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is aimed at filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful. You can of course also write custom rules to cover your own requirements.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding Include lines for them to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, malformed requests are answered directly with 403. Taking the PHP setup as the example, create a file phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
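The three browser checks above are easy to forget after the next rule or nginx change. The script below is an added example (not part of the original post) that turns them into a repeatable regression test: it sends the same three probes and verifies the WAF answers with the status the post reports. The target host defaults to the post's www.52os.net; the function names (build_url, run_probes, http_status) and the injectable fetch hook are assumptions made here for the example.

```python
"""Regression check for the ModSecurity + CRS setup described above.

Added example, not from the original post. It sends the same three probe
requests the post lists and checks that the WAF returns the expected status.
The target URL, probe list and the ``fetch`` hook are assumptions made here.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request


def http_status(url, timeout=5):
    """Return the HTTP status for GET ``url`` (assumes network access)."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status code is what we want here.
        return err.code


def build_url(base, path, params):
    """Build a request URL, percent-encoding the query so that the raw
    characters typed into the browser bar in the post (spaces, '<', '>')
    are sent as valid HTTP. ModSecurity decodes ARGS before matching, so
    encoding does not hide the payload from the CRS."""
    return base.rstrip("/") + path + "?" + urllib.parse.urlencode(params)


# Probes taken from the post's testing section; the expected status is what
# the post reports for each request.
PROBES = [
    ("/phpinfo.php", {"id": "1"}, 200),
    ("/phpinfo.php", {"id": "1 and 1=1"}, 403),
    ("/phpinfo.php", {"search": "<script>alert('xss');</script>"}, 403),
]


def run_probes(base, probes=PROBES, fetch=http_status):
    """Run every probe and return (all_passed, details).

    ``fetch`` is injectable so the check can be exercised without a live
    server; the default performs a real HTTP GET.
    """
    details = []
    passed = True
    for path, params, expected in probes:
        url = build_url(base, path, params)
        status = fetch(url)
        ok = status == expected
        passed = passed and ok
        details.append((url, expected, status, ok))
    return passed, details


if __name__ == "__main__":
    # Usage: python waf_smoke.py http://www.52os.net
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net"
    ok, rows = run_probes(target)
    for url, expected, status, good in rows:
        print(f"{'PASS' if good else 'FAIL'} expected={expected} got={status} {url}")
    sys.exit(0 if ok else 1)
```

Run it against the host after every change to modsecurity.conf or the Include list; a non-zero exit means either the benign request is now being blocked (a false positive) or one of the two attack probes is getting through.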
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it turns one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log will also contain:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
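As the mutex line above shows, ModSecurity for nginx writes its messages into nginx's error.log as "[client addr] ModSecurity: message" followed by bracketed [key "value"] fields. Rule matches that produce the 403s from the testing section land in the same file, so a small parser over error.log is the quickest way to see which rules fired, on which URIs, and from where. The following is an added example, not code from the original post or from the ModSecurity project; SAMPLE_LOG is constructed for it, and the rule ids 999001/999002, line numbers, patterns and unique_id values in it are illustrative placeholders rather than real CRS values.

```python
"""Pull ModSecurity events out of nginx's error.log.

Added example, not from the original post or the ModSecurity project. It
parses the ``[key "value"]`` fields ModSecurity appends to each message and
summarises which rules blocked which URIs. SAMPLE_LOG is constructed: rule
ids, line numbers, patterns and unique_id values are placeholders.
"""
import re
import sys
from collections import Counter

# nginx error.log prefix: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
_NGX_PREFIX = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?P<rest>.*)$"
)
# ModSecurity prefixes the client address, then its message and fields.
_CLIENT = re.compile(r"^\[client (?P<client>[^\]]+)\] ")
# [id "..."] [msg "..."]: a value may contain backslash-escaped quotes.
_FIELD = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')

# Constructed sample: the first line is the post's mutex error, the next two
# mimic rule matches for the post's two test probes, then two non-matching lines.
SAMPLE_LOG = r"""
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:16:03 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)\b(?:and|or)\b\s+\d+\s*=\s*\d+" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "999001"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "1 and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED0001"]
2015/01/26 04:16:09 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "1"] [id "999002"] [msg "Cross-site Scripting (XSS) Attack"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED0002"]
2015/01/26 04:16:20 [notice] 61610#0: ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:16:25 [error] 61610#0: *12 open() "/web/wordpress/missing.php" failed (2: No such file or directory), client: 10.11.15.162, server: 52os.net
"""


def parse_line(line):
    """Return a dict for a ModSecurity line, or None for any other line."""
    m = _NGX_PREFIX.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    client = None
    cm = _CLIENT.match(rest)
    if cm:
        client, rest = cm.group("client"), rest[cm.end():]
    if not rest.startswith("ModSecurity: "):
        return None
    body = rest[len("ModSecurity: "):]
    first = _FIELD.search(body)
    # Free-text message is everything before the first bracketed field.
    message = body[:first.start()].strip() if first else body.strip()
    fields = {f.group("key"): f.group("val").replace('\\"', '"')
              for f in _FIELD.finditer(body)}
    return {"timestamp": f"{m.group('date')} {m.group('time')}",
            "level": m.group("level"), "client": client,
            "message": message, "fields": fields}


def parse_log(text):
    """Parse every line, dropping lines that are not ModSecurity events."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def denied_requests(entries):
    """Events where a rule blocked the request (the 403s seen in testing)."""
    return [e for e in entries if e["message"].startswith("Access denied")]


def summarize(entries):
    """Count blocked requests per (rule id, uri) and per client address."""
    denied = denied_requests(entries)
    by_rule = Counter((e["fields"].get("id"), e["fields"].get("uri")) for e in denied)
    by_client = Counter(e["client"] for e in denied)
    return by_rule, by_client


if __name__ == "__main__":
    # Usage: python modsec_log.py /opt/tengine/logs/error.log (defaults to SAMPLE_LOG)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    by_rule, by_client = summarize(parse_log(text))
    for (rule_id, uri), n in by_rule.most_common():
        print(f"{n:5d}  rule {rule_id}  {uri}")
    for client, n in by_client.most_common():
        print(f"{n:5d}  client {client}")
```

The per-rule count is what you want when tuning: a rule that blocks a legitimate URI many times is a false-positive candidate to review, while a client address dominating the denied list is a lead for the brute-force and DoS rules enabled in section IV. Entries without an "Access denied" message (such as the mutex error) are kept in the parsed list so operational problems with the WAF itself are not lost.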
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614