|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。, G8 ]( U) T' Y' ?$ G2 ^9 E, }' T
% J5 ]5 f: [$ `& F5 B/ W
一.准备工作
$ j9 p6 ~1 X6 @$ P9 O
. [7 q5 y r1 `系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0( M, v: k( n3 m$ {, G
7 X% ~' W1 y& K, O! I0 f/ C+ t' q. L
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz @" J% M2 A7 R6 ~& C5 {7 i: q
5 V5 @- J, D. F$ G8 l1 F
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
: Q W3 b J) ]: t, {1 ?* d. a' \/ j; J( p$ r) c
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
( C' d& j7 {; Q* x* h2 {
- _4 C# G! ?1 g( b, \% |依赖关系:# M: u+ |; m+ B7 t5 E! H" w& R
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:3 {3 I8 L! ]0 S. P5 Y( j
" K5 R$ n$ D) F* r0 z
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel% _; A- B+ v+ Z/ R0 |
modsecurty依赖的包:pcre httpd-devel libxml2 apr, x: ?4 T6 k/ Q2 [) J% h8 [8 e* n$ Q2 o
4 u2 b& m- b# [( Gyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
; K$ F1 X0 W3 g! a& Q二.启用standalone模块并编译
% ?2 L, G5 X' _7 a0 s% [# V
x% _ t* [! t" P: v+ v下载modsecurity for nginx 解压,进入解压后目录执行:
3 W8 U2 o; x! T' @. N# ~7 ^ y4 T' _, k# b1 `) _
./autogen.sh
" Z/ N; `* e1 h./configure --enable-standalone-module --disable-mlogc- u! b' A4 H x) T5 Q7 B
make " ^* M: b: C$ U7 B
三.nginx添加modsecurity模块
! U1 P2 B3 Z! c3 L7 o0 Q, ^8 F
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
5 H8 E& V/ [6 p! _% D
3 f `1 g$ A- a./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine6 u, `* j( Q* e
make && make install
; X9 J2 o/ t+ ~四.添加规则
1 U' D- u& N, _) A& H0 h7 N" |0 f _7 q1 j1 S8 b% _8 [. `7 k, }
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
?# b$ ?$ |8 F( w( i
; _) D' `8 t" y# W2 R: r1.下载OWASP规则:% g$ `: f5 w; l4 `, s; n8 \1 V, {
) I5 e; B6 `; a% f+ Ogit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
6 o: q9 V1 ]% F
2 B4 K& A8 c9 r, o( h: gmv owasp-modsecurity-crs /opt/tengine/conf/1 a$ Q* Q6 h: n
# o% ?. A0 b* Ycd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf4 ~+ F& _1 O* _1 ], ^/ s
2.启用OWASP规则: e. e: E$ g% {- |( N
4 s# w& Q i0 c1 p9 i9 m复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。1 F* U* Z* X# K
" B! A5 i* v- r" b# X- V$ K
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on/ | \6 p6 b# G- ^4 a
$ m N7 e* C" B5 Y$ t' Q! h9 ]
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
8 H! c' N/ N9 f3 `' H/ J% y) o+ I# c4 y0 r. V0 |1 F6 ?
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
/ ` E: ]2 s* J% u. t T* sInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf7 {7 d, X. D# w5 e. m7 G
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf: E( E% y( n4 }' p7 R9 j
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
8 d3 T# A! E j- [ b% r9 yInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf. Y; l" T: E# P" L( f+ p
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
X& C4 E2 v/ N! qInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
, S5 h& F8 }& i8 R( ~+ D/ D五.配置nginx
+ A# X* m, ]- T9 ~( b1 Q
6 A, M6 ] }9 z( j7 d* e% J0 w( X在需要启用modsecurity的主机的location下面加入下面两行即可:
/ V3 s: b8 x& [! P$ R8 i9 w) ?( N: I, j* U7 N. F
ModSecurityEnabled on;
4 C& {& ^8 F4 f- n7 }ModSecurityConfig modsecurity.conf;
+ m J% D3 d) q3 m* A下面是两个示例配置,php虚拟主机:
6 ?7 }+ ?, _" _' L& j' Z0 Y
7 {# r: t7 ~/ f$ V5 r; cserver {
, R0 f1 E: w0 N+ @* u listen 80;0 u& r8 f5 L8 D- D
server_name 52os.net www.52os.net;
! t/ J# q5 A$ c6 }0 B
( a; l \7 E) E. ^; G2 W& { location ~ \.php$ {5 D1 T, t6 Z. x# k: F: X4 o! w% b' {$ j
ModSecurityEnabled on;
9 O- }2 j5 ?; Y S: B ModSecurityConfig modsecurity.conf;
8 K# a% n" E+ A0 A( e3 `3 {. _$ o0 f& a; g; L8 Q' {0 H3 d
root /web/wordpress;2 t6 i, M5 K2 N8 l9 i% b6 K
index index.php index.html index.htm;- Y$ V5 ^. I+ u7 t3 C
' m; d8 H& m# e7 e& @ fastcgi_pass 127.0.0.1:9000;
9 j& d4 n J0 c+ p9 @& W: i/ U9 m' M1 J fastcgi_index index.php; j; W+ `! r! L/ I0 [
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;0 @$ m' F3 N0 e6 V: a" d
include fastcgi_params;
t* c/ X3 h1 f0 z }' w9 k7 j$ O- ?$ E' z: L8 W) F
}
3 P" h0 t! C# b1 Bupstream负载均衡:9 q4 J5 s+ ~, K* c; S% z6 u
/ ^. \2 F5 J+ @) Iupstream 52os.net {
! z2 ]& n8 P" v, { server 192.168.1.100:8080;
) U6 _" @: j2 _2 u server 192.168.1.101:8080 backup;
$ {9 m6 u# s' o+ H5 H0 L2 H I}
+ F1 c& c) j* S. N1 [6 ^ X% Z' I7 b1 o( o
server {
. C% A) G9 U( x# z/ Alisten 80;8 L5 ?# {) r3 ?9 }: h
server_name 52os.net www.52os.net;& F6 p+ C% p' |* n- `& L/ H
" |7 v4 ?" Q5 }' E6 y+ S9 z
location / {
1 h: A9 B' h J$ h2 I6 { ModSecurityEnabled on;
; \, H7 z! r- L2 T5 ]; @ ModSecurityConfig modsecurity.conf; ; o8 t7 i0 O6 v' X X- z
8 [& u! ]2 d9 O
proxy_pass http://online;. Z9 Y4 I* \$ Z! ^+ y: h' D
proxy_redirect off;
4 k2 A [# P5 z, x proxy_set_header Host $host;
' d: W0 N' L5 g0 L proxy_set_header X-Real-IP $remote_addr;
& Z$ \% B6 R/ O3 T# o# b6 E) \ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
( c. X5 G9 X; r( C }
. ?0 P: n1 U) a1 k B) J: A$ ~}
& ~2 O& C( N7 Z# u0 N- D六.测试
0 @) m0 C! n5 T* L5 g5 B; Y i$ h( W9 [; I9 K! I
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:* I5 F2 X9 J8 Z
6 D4 k; b* Q2 x2 N# q( k<?php
& d r" c1 ^2 X7 z" @ phpinfo(); y: Y4 U6 R8 J6 [
?>* I) d x- y4 d3 ]4 Y
在浏览器中访问:& a6 ~: V7 S% @; v% w
& p* Q0 Z% v) ~6 t! q
http://www.52os.net/phpinfo.php?id=1 正常显示。
) A; [3 M3 m8 L) b. K6 R) G( ]http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
' i9 k/ {7 y5 W0 ?7 |http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。1 N% m8 Y6 v2 w- y
说明sql注入和xss已经被过滤了% G' Q9 F/ w) E6 Q2 |
$ w- ^* Y' ~3 t) z4 r* {! d( ^
七、安装过程中排错
; ]- Q/ C- i( v5 X
6 L0 z; U' R& o5 B r0 Q& a1 Y, n) X1.缺少APXS会报错8 ?1 ~7 U$ @2 B2 }% O9 t* u
. H( B$ v+ j5 F* gconfigure: looking for Apache module support via DSO through APXS
9 Z6 ?' v1 X" ?$ X0 R/ ?8 }configure: error: couldn't find APXS
7 b; o; n: V6 @# H6 n8 W/ J% g Z vapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。0 `% {* s+ a2 C8 K y' I! ]# r
解决方法:( g$ q" C3 I& [. p2 Y; `' k- f
* o. o n4 @6 ^3 D" w; Zyum install httpd-devel
% o' c. [0 I* L) C! d& _% ^2.没有pcre y) I+ v3 x! j/ k( Q3 Z) @* B# s
1 u0 x/ C& i+ M4 s# B
configure: *** pcre library not found.
4 s: c) v# G. o0 @' Oconfigure: error: pcre library is required; L! }: _; d7 a) H7 S, r0 `
解决方法:
; h6 k8 E& _) [0 j0 a+ b1 c& s/ v
' O% B3 [# z4 C4 m+ \* D U( G* e/ ]yum install pcre pcre-devel
" s" Z- L) }+ C' t. Z* R3.没有libxml2
. ?( ~& e! o" m( L9 A: W% W
4 N, C! Q" l$ J+ m3 k( y$ ~ s6 E' P* u: L) k2 g: n: E
configure: *** xml library not found.
5 c7 ^; x% T3 b- X/ wconfigure: error: libxml2 is required
/ h4 `+ }6 ]* e# i& S解决方法:
# `: S( h, I7 M- C- A4 i2 M3 R* L5 e9 p+ J. K$ @. {+ H9 W7 v
yum install libxml2 libxml2-devel
5 H3 x$ e+ @7 [. @5 M4.执行 /opt/tengine/sbin/nginx -m 时有警告' ~) Q8 O/ t- Z
+ F# h) z4 E' B& }) V Q- nTengine version: Tengine/2.1.0 (nginx/1.6.2)# f0 |8 w& H% x/ U
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
' B( }+ i$ [7 c7 w) T q原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
; C5 ^: E# o' G' R7 x0 q8 @) D1 E$ C; S! @
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.9 _. M) I W* z4 w( e, e. }) b
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"5 D& _& o/ S( G2 N' p4 N5 g
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
5 P9 j1 ]+ g: l2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
# x* |- K ~1 B. R" Y2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6", \2 \! d& v2 ~9 d1 |" T
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
: P4 v- W0 p$ \; O9 E' f0 `解决方法,移除低版本的APR (1.3.9)+ I# j1 X6 q5 c% b
& Y0 C1 q/ a- g) x6 @: @yum remove apr9 b i7 r) {" I# P3 M
5.Error.log中有: Audit log: Failed to lock global mutex
+ U# m; r; u; D/ L0 o% [: G' E2 S" N3 B$ H' e8 j3 p
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
7 O& k2 @$ p$ [6 W2 z9 R' Y3 {global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]8 q9 _2 m! J0 `$ S+ U/ \
解决方法:
/ I$ {$ n/ S' b, G. @( c- V编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
; H# [) [- L3 z" i! v( x
3 W A6 W0 l' _ lSecAuditLogDirMode 0777
6 L8 }6 @. M RSecAuditLogFileMode 05503 d2 P- D5 P) A1 o" b; m& M
SecAuditLogStorageDir /var/log/modsecurity# h* R/ i+ l3 o1 n& I! L3 v( a
SecAuditLogType Concurrent/ j% X, M) i2 d8 |! ]0 r
参考文章:) W' A* {5 V& {" Y: J
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
; |& b. A/ C7 t+ t8 Y2 Whttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡