|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
% [# Q7 g% P: F6 u+ \7 L
6 |0 `5 H0 m! Q3 Q# w8 B一.准备工作1 E. |( x% S8 k+ G/ o: ?
0 V9 L8 T) g/ O* {& F; t系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
2 ~; g" g, b. W7 k1 z
4 h4 P! [. @, Z, ?tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz, C* {/ b9 Z, h- `" g
7 z, J- n# U& q% jmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
9 w8 W" l1 J0 C/ [3 n
/ A; K! i. q' F; B/ {8 o4 bOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
$ {" L' ~0 G, s- s/ R8 ~& n! E
: g, a$ m! [) D( \/ \# Y$ p& P依赖关系:+ u# h% s( o( D3 J
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:- Q' A3 ` [' \% U& P6 y- N
$ o. i3 U1 q$ c& r+ Ryum install zlib zlib-devel openssl openssl-devel pcre pcre-devel2 O9 Y% l. d) d0 p& F m6 |$ E1 F' U4 ?
modsecurty依赖的包:pcre httpd-devel libxml2 apr
. Y# r7 i6 I+ Q9 j$ ] g+ d1 E9 S
4 O' F4 O" M6 E0 B7 q4 g( yyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel" e( d: u9 K9 P+ |+ q4 ], f2 q2 @. ?
二.启用standalone模块并编译
9 t% K4 _' D8 W( `" D9 }' d" `6 p! L( C
下载modsecurity for nginx 解压,进入解压后目录执行:
8 ?; W# x; h( X5 w d# k$ b
* g& O5 `5 A& F4 z./autogen.sh
' O/ [, M Q, U* \ N; {' k7 x+ f./configure --enable-standalone-module --disable-mlogc( C6 A5 M/ R/ {
make 0 G% w; F! ^2 l+ q1 I
三.nginx添加modsecurity模块
' J1 r; q$ G1 x: g
9 e6 p! b l% T; b4 }) z8 \在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
. a; S- m) ~& B4 O9 d# B, H$ u' q0 ?2 O) |5 }
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
. _8 l* k/ ?) w! U7 x. kmake && make install
2 {8 Y+ A @! ]" ?7 _0 _2 K n3 G四.添加规则5 p# p4 M% Z/ }. `$ u2 L J0 b
4 Q" ]0 n/ d4 \0 a* y( ~* J( Wmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
8 I9 j2 M/ P' j( D3 p8 F a8 I$ a! _
; k. H8 E) ^9 g1.下载OWASP规则:
) c. q& }! T2 z- q5 d1 |3 Y3 P5 ^' p$ S* o
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs/ x1 ]* ^7 R. Z2 C5 ]4 o% Y0 l
. Y( L; }. A0 v9 v$ s& j9 b
mv owasp-modsecurity-crs /opt/tengine/conf/
3 O# i% ~, w2 X$ X* Q! i% I0 g/ `$ L7 ?2 {- i$ V& Z& \1 \# x- G
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
4 S4 q- t. i! c" m" D: B2.启用OWASP规则:9 o1 h) g7 ~/ }' v/ t9 H! J
. d7 ]. A; p% z! J+ j+ P; d
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。: F7 L9 u5 ]$ U: ?% w
& a, S; n$ V) z1 \编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
0 ~( S! ?+ F6 v- R
! ?- A0 q; Q5 q' V" R/ `0 h; vowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
' O+ ~3 y, L/ Q9 s
& C* B/ N8 l, j9 d& ~3 a, Z. z1 DInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
2 H. z" `' M$ p' c! i* OInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf% x2 W* [' G, v) Z! r% T. v1 M% L9 t
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
) f/ w2 \! t, GInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
. [& g- t9 D2 Z. J$ ~Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf: m- {1 F5 [+ `
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
; `: Q) G8 Z; J) b8 p, VInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
" o e" Y! b) {1 V' {五.配置nginx
7 |( Z# }. v$ i0 h+ {
+ C6 u7 g) ]7 J0 r6 J在需要启用modsecurity的主机的location下面加入下面两行即可:) o% T v- N( c( F' ^
, h! p+ ]1 ?8 W) A5 @
ModSecurityEnabled on; / U. L) k% o% W, W `$ V4 k
ModSecurityConfig modsecurity.conf;( F6 n+ o; t/ e7 }" F$ K
下面是两个示例配置,php虚拟主机:
/ e `; o3 h# M q( C7 x% M3 d/ @7 y6 v
server {; _, w i: P- O( K( |# l; v
listen 80;/ M7 i- ?! O" [& H# V
server_name 52os.net www.52os.net;- d# e5 U* Y& r2 e8 I3 z; v6 M b
, `; B7 U6 ]2 `0 n% T
location ~ \.php$ {. U: ^, V+ n f$ k/ G( B
ModSecurityEnabled on;
' }) @8 s. R3 P' K ModSecurityConfig modsecurity.conf;6 q& Y; C" }% f+ E8 B$ X
, D( t/ T' P- }+ x- s6 [. _
root /web/wordpress;
, U1 k: G* p8 E3 o8 {9 W3 Q index index.php index.html index.htm;
$ S6 i T3 c9 G6 G8 O9 P7 J h + i0 t0 K5 N* ?2 x
fastcgi_pass 127.0.0.1:9000;
+ v+ ?! C% P3 Z0 B" J fastcgi_index index.php;+ R" R6 e1 Q# \$ ^* x
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;# q+ A' O8 Z4 R0 ]
include fastcgi_params;$ W+ ]* J, K* {# M( ]5 h
}4 @$ q- L1 H( O2 _9 o0 h: q8 b. r
}' v" S i5 [% V( Z- q. T
upstream负载均衡:8 D* s v4 t' E6 ?
! M$ `/ \& X( q) Y0 ]: f- k! x0 j
upstream 52os.net {
& o' C3 y5 g1 p, o$ w server 192.168.1.100:8080;# |- v5 w: D; B' A; n
server 192.168.1.101:8080 backup;) Q* F! J- _: e' l6 v8 b# N
}
9 r- G5 }- Y" V' G
* Q6 p2 u$ F8 X, \& X Lserver {
4 B8 G% B$ b( r5 f4 E" @( r1 J2 Dlisten 80;% m& w+ {/ }: R& n$ t# F
server_name 52os.net www.52os.net;
O9 f2 v5 ~( |' p4 a& S
0 V$ t* p B) k+ ]* L$ ?location / {2 [! y6 o+ Y: M6 @* T& E; H
ModSecurityEnabled on;
6 h5 B- g. s) f ModSecurityConfig modsecurity.conf; $ X; W2 w+ H# S* b) t6 G
) y5 v4 s% P- A0 `& Q+ H0 g. { proxy_pass http://online;! V, r; ?) Z( i+ L! f% z; p' H
proxy_redirect off;: O+ O4 s; {& B z* l( m
proxy_set_header Host $host;
3 ?, p2 Q4 G7 h' f | \ proxy_set_header X-Real-IP $remote_addr;
$ I9 j4 ^7 m5 W" h. K proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;2 I [" y: g: C$ [
}
( L* m" W+ n/ c0 u3 A! ~}
% ]% @6 @) R+ f& Y六.测试
/ ]+ s3 d4 C0 N% }! Z1 j1 l; _: Z/ p2 E
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
6 Q+ N \: ?) r, U( N
2 k0 p5 s; k; ]7 A<?php( a) w- z, y( o. w- T0 q7 h
phpinfo(); ; X( Z5 G& H0 Q i ~ K9 A" h! i! Y
?>
# c' y3 |3 D8 }9 I, F, E$ H9 p/ D: c在浏览器中访问:
* W6 B4 V' m4 X
! I, b1 o( K7 ^3 V+ K8 h vhttp://www.52os.net/phpinfo.php?id=1 正常显示。
+ \+ {- j. \' _1 ehttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
. w. t. X/ C4 K, Z" \ e: z# E# xhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。6 N: | ]" U- j7 P/ z
说明sql注入和xss已经被过滤了1 I9 U' j. B% p/ ?/ X* x# M
5 q2 N7 W2 d8 d, Q七、安装过程中排错
1 y2 k* g) ?* H
. g5 t" n& d, Y4 n. ]+ o, x1.缺少APXS会报错
+ n! T# H2 G' t8 H1 `+ C
0 X9 v6 L* T6 b; Wconfigure: looking for Apache module support via DSO through APXS
0 Z/ ~4 i# Y3 W% X. m) Yconfigure: error: couldn't find APXS. [0 |; z" ]( A' J% F
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
) M9 A9 p, S& z% I A0 r. n6 c解决方法:
! K6 E: q% x3 o& V0 c, O7 ?; L# v4 q
yum install httpd-devel% [0 i0 O1 B! M$ i. |
2.没有pcre
& B. z4 y( |0 Y- y1 t6 T
7 ~# h% I) s/ C5 R) T4 Z/ z$ Xconfigure: *** pcre library not found.7 d1 ?# m0 k2 Y8 C H! F
configure: error: pcre library is required
% C- W1 Y3 C2 L. H9 g解决方法:
' o7 |% Q3 d; e D7 L6 k
4 w1 T. w4 e5 O7 y0 |yum install pcre pcre-devel
6 ]% h9 M6 t" p8 d/ K9 S/ ^3.没有libxml23 C# ?! d6 X/ @) P/ w
; E7 v, B7 Y0 P
7 M, z# p( L; Q/ m. K% e* d" Aconfigure: *** xml library not found.; C3 j: X: A' S
configure: error: libxml2 is required
9 x% e/ U% y% P* \! C解决方法:, x3 ~% r5 Y) F7 R9 Y' Y8 j
0 I; @; W2 n8 s1 f9 J; \yum install libxml2 libxml2-devel- p t& p" T( N; }7 t# M
4.执行 /opt/tengine/sbin/nginx -m 时有警告
0 J) z1 J5 e* Z. t/ o
( n1 H4 l& Q8 TTengine version: Tengine/2.1.0 (nginx/1.6.2)" k* e" C) I1 j2 Y3 W8 z
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
. R! z0 e* o% X( L原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
+ _1 [8 E' Y. o& h& s
n$ P$ A9 C1 i% i7 t6 g# T2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
9 _4 i5 G% H# j- d3 T* Q1 `) c2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"% Z! k; ^8 [5 A
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
1 l; e6 f0 t7 e5 i7 [2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
) I1 \- V+ q- S' S8 b2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
9 i% c, V" u! [" F8 Z o2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.' w/ M& ^/ c8 K& y0 M
解决方法,移除低版本的APR (1.3.9)
9 F0 k3 k- t. t! A% ^, |/ X* G- X$ L+ ]" I* B# p& g
yum remove apr
9 a+ g3 y+ m0 A- |9 B5.Error.log中有: Audit log: Failed to lock global mutex _- l& x! v' ^1 J1 k1 M- Y0 l
- @& A" r1 a/ |3 s) V* j
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
q K# w( _4 K" Y8 A; gglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
~: A6 L2 A( f- X0 S解决方法:
4 ~% d! v* v1 S$ l; {- t( a1 I4 K4 H编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:4 e: u# L# d/ l& p5 [* L7 {
- O; R& G, R& @% }" B+ S, B" ]) {SecAuditLogDirMode 0777: T1 E. R- Y. F) J/ G0 w
SecAuditLogFileMode 05508 Y" b9 A& a# @& R$ K
SecAuditLogStorageDir /var/log/modsecurity
7 e8 s, S3 Y5 ~: f0 `% }* \1 MSecAuditLogType Concurrent
: v4 k; }; r- y$ K' a) e参考文章:: M, ~4 N! z0 S. W O
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX5 U& }% W9 A+ n0 G' r$ T1 L# f7 c6 B/ e
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡