|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
( A. \0 H- t; x* y- \7 p7 g6 I0 c5 e4 T# t# S" V% n
一.准备工作
7 V3 E3 ~: n+ p+ |. G) l' `8 K8 @/ Q# o+ p/ p: U% V) t, q
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
& h3 _0 B) l! U7 [
$ @, M0 S. C6 `. u4 Wtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz1 B1 `3 x0 a3 R: y: t/ K
% T2 Z+ t/ U8 Y& s
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz* v. d# C5 i: J+ b
5 a3 D+ @! W, V' r) S) l6 O/ A% eOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
* G" B. i- r: I* u; u+ s
( Q* q# T( ]( L! ]+ H. z* v依赖关系:
, R0 v: _1 h% \6 |tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:: e! E, H9 y/ N
1 [% |: @+ G$ F: S2 O) I* |yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel( t' J, `7 g1 F/ t
modsecurty依赖的包:pcre httpd-devel libxml2 apr
/ P; L' q/ c8 p* @; }' i b; f5 p* D5 V
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel- h/ T G8 s: l
二.启用standalone模块并编译
/ _, g8 `/ x6 h1 p# q- B" S4 Y& r/ { x5 X9 Y) V
下载modsecurity for nginx 解压,进入解压后目录执行:
2 g1 F. K, \2 E4 M
2 x. ~ u1 b6 B' a- b./autogen.sh" B& o$ `1 j0 U. B9 F+ K' l
./configure --enable-standalone-module --disable-mlogc
5 ?1 F: o1 E* m. amake , k9 ^' L# M; b. R; V7 K1 C$ V
三.nginx添加modsecurity模块; ~; @0 L% C( n7 g% I
8 k: r' t; c( U( E) `! b
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:! {* Q( Q H6 y: x4 l; I
4 f1 s0 V' c1 [+ x& b
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
1 ?( I# N# p7 i5 S6 q9 E. \* xmake && make install
+ s9 s% r2 r$ v0 X, n. E四.添加规则
2 f) L; a, Q6 G6 W! z2 I [4 R$ u
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
2 X' x, F+ V( G; t+ u* G# I
( _% w8 T* z5 u8 ?* S1.下载OWASP规则:! L, y/ e3 @+ F4 Z
+ ]. ]" M5 `# r3 U) E! Xgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs+ N) h% ^ L, h/ v, Y* U
. i( c* V, m ^, n8 I3 y3 kmv owasp-modsecurity-crs /opt/tengine/conf/6 M- T o, H( Y( c9 I/ Q' S( G
% c |5 }. L: n; o% E Y" F. Pcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
# E j( o9 w; L9 Y6 w$ k2.启用OWASP规则:# j. Q# j$ l1 h8 s! H
) v0 P3 ?% U* K e! |" {
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
" ]1 d8 C0 @) {( }! g0 I, U/ j) C3 y4 P
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on: O$ G* T6 a4 n+ z
3 `$ C; E- d6 b, x+ jowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
6 [8 Y+ _$ Q) k1 F6 K2 Q. c9 s4 R$ G6 b# J! _
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
% i8 `1 y/ P2 [+ H' @) a, bInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf) `3 x) P$ j+ P D+ r; Y
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
& d/ d( e" `6 H6 u) t; {: {Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf6 c9 E& c- H2 B: t* b0 A
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
3 n2 g" ~! h/ k# L3 IInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
5 \6 C2 P Z# y( h% n3 r: uInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
' F7 a9 }9 N# I* x [& ^0 b五.配置nginx! f8 w4 t7 e5 v4 D# f) N
/ \0 w/ m9 n* S% W
在需要启用modsecurity的主机的location下面加入下面两行即可:
. F) U4 r- C, Y1 X' W7 [" G
1 s0 b! N8 S) u( yModSecurityEnabled on;
' T' J2 V% W& s4 J* H- ~5 M1 T2 xModSecurityConfig modsecurity.conf;
8 A2 H5 Y$ \- k7 \下面是两个示例配置,php虚拟主机:2 t8 @2 x' m. i* O M
% S$ Z0 \: M0 X. s5 @% Y6 b
server {
: Z+ i/ ?2 {' a; i9 x+ S listen 80;9 n5 h$ w* d' P, a- d8 n8 H+ g
server_name 52os.net www.52os.net;. e% x# X4 L" A( h# R2 T; N
. _* t2 r1 i- V1 T V location ~ \.php$ {
1 I1 y% c0 |* ^" s4 v ModSecurityEnabled on; $ g; y% d3 F% M& r1 @0 y/ ?2 e
ModSecurityConfig modsecurity.conf;4 Q8 P; H# i9 S6 @7 s6 ]
! r# u6 ?: _, j) j1 E
root /web/wordpress;
* E u- {* J+ q) } index index.php index.html index.htm;
8 L: M. G# P( ? r, J( Y ; |- q5 R/ D& Q. }# O
fastcgi_pass 127.0.0.1:9000;# }, o% ?9 `- h; D$ O9 \' V, s
fastcgi_index index.php;
5 S1 b g. J( w' ~! K fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;! ~' g' S! G5 h# H. o5 ?* Z) T
include fastcgi_params;
8 B6 _; F+ A0 U6 y5 h# N }
( N, q2 Z- o: ~' u9 d }7 \+ Q. O4 L2 W5 M/ D0 w" V8 J; H
upstream负载均衡:
8 l, ^9 | x7 A8 ?# s0 p' U; P+ [/ m1 D0 ^! A! G' k) s
upstream 52os.net {+ E P% y. H% f) o! j3 W3 \
server 192.168.1.100:8080;
( _5 {& s/ d1 |2 a6 s server 192.168.1.101:8080 backup;. n1 m9 K6 A+ {/ j; C* {, B% [
}8 C4 z4 v4 Z; E8 D2 [8 \
3 L4 G" {% L* o5 O9 [server {, G( a6 E( @% S& V8 _
listen 80;
% F( F* I% V9 s8 e Wserver_name 52os.net www.52os.net;8 s7 N }/ A3 L
) F+ C# B7 Z$ H& m
location / {
8 G" |. d3 o! Y( q8 y7 u ModSecurityEnabled on; : c+ F% |& l- b& M4 k: e
ModSecurityConfig modsecurity.conf; k/ G! c& \/ k. D9 o
0 f2 f9 v2 s+ P8 R7 o, T- D+ h
proxy_pass http://online;
5 H6 y, R, l, O proxy_redirect off;
7 X* p( A8 G# ^5 _8 n: E: X proxy_set_header Host $host;9 y! }3 M+ X1 P1 G. T6 T# s
proxy_set_header X-Real-IP $remote_addr;
" ]: a1 F! N4 ~) H proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
. h x! r6 B1 m4 }* b% x- f }0 g) R9 v2 L/ j% A* X
}! o& K1 C/ _: k; H5 q5 I8 d7 W; S
六.测试' {( k' q+ _. ?
' h5 j) Z; _- E3 W9 B* q/ Q! u
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
9 o3 Y9 D& W' o0 T0 h$ s! K6 h, i7 L2 @4 H
<?php- N, a: o3 y4 C! E* F3 B
phpinfo(); ]& x l" o/ o8 d" s
?>
3 w5 C& ^5 P( O! X$ U7 T6 E在浏览器中访问:) M! @4 H2 ^# j- M& U8 Z) C
" A, j/ S) f3 j# z( y `$ N( \, h
http://www.52os.net/phpinfo.php?id=1 正常显示。
5 u( p" w$ v+ l S+ \" ghttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。+ s% @! w& [5 _2 J% r
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。6 c$ v7 r: _5 z7 D2 J4 }) T, M
说明sql注入和xss已经被过滤了
9 r; B ]. q! [4 r6 e7 v* i2 i Z* E5 P3 ]
七、安装过程中排错: c/ @9 a6 I6 k" |- e0 h' X0 D, O1 v
s. y- V$ d( E! n
1.缺少APXS会报错; x: ^- `% r5 ]9 e
! U+ F. [! h Rconfigure: looking for Apache module support via DSO through APXS
, t3 Y7 L8 p; g9 S& Mconfigure: error: couldn't find APXS( P- p7 U! c+ z" O$ `
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
; Q d$ m" n/ Z k; Q @解决方法:
/ @. E* I1 e1 }, a9 r! Q- D O5 ?1 I1 Q0 g3 _) @2 V; h& d
yum install httpd-devel6 \0 c1 x. B4 W* j
2.没有pcre+ `& Y9 o9 G4 K( q4 C
: D- n! I8 a9 O1 P/ m& s: D$ J \
configure: *** pcre library not found.
( X5 }/ g. ~( V6 h1 }configure: error: pcre library is required
* \6 V% T* r/ d9 @' g解决方法:* z( p/ p [$ ~8 E6 u: E4 V
0 _1 D( m$ g" H
yum install pcre pcre-devel4 U0 w+ ^2 D; T( ]
3.没有libxml26 H$ W3 X/ p2 C0 O+ Z
8 m/ @! I, ]. O0 s' }8 [
5 X! \" G: `" x- t! k! @
configure: *** xml library not found.+ \- @4 t; M& x1 S' y% y
configure: error: libxml2 is required0 O8 ^: L# E2 }; _- _! i
解决方法:4 z6 F$ J W' y# ~
9 Z; p9 g( p2 m# v$ c) |- C
yum install libxml2 libxml2-devel
A0 ~5 `) U. R/ v/ c6 ]9 V4.执行 /opt/tengine/sbin/nginx -m 时有警告
) Y$ ~- q& c4 K3 k, R. V8 J3 X+ Q D) l1 q& u- g
Tengine version: Tengine/2.1.0 (nginx/1.6.2)7 S6 R- ?0 \2 ^0 |6 p& R
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
2 i1 k1 ?9 _& B2 S+ m. f6 A! g原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
1 I( c# u- Q6 ?6 e
0 H1 @" a; H! `$ |2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.3 C" R5 m8 I, l' e9 B, B
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
F! ]8 ]& y- p2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!( h8 C- o w7 |& n' M% U5 M
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
q( y) m8 }+ a: y* Z2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"8 e8 N2 D% V, t, c8 v, ^0 c- P
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.- c: _6 u% |4 [* ]8 T! L; E: v
解决方法,移除低版本的APR (1.3.9)
* s1 {9 ^& w3 S+ r# ]# x4 S% o$ I" q' Y5 h4 W. J
yum remove apr
: n% \5 ^' U& j) }4 n8 s5.Error.log中有: Audit log: Failed to lock global mutex) h' q9 Z+ T. h3 `1 p: s
: P9 X7 ~8 F% n _2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
' Z+ L5 o& a. ]) i4 |) q- C. r% S* ~global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]$ ` t* C0 x5 e. U: g7 D' e/ q
解决方法:+ E, S6 t# g2 B W" W- i
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:. t0 c( V6 I) T& K) x0 g# X
# C2 w! s6 F8 y+ SSecAuditLogDirMode 07771 i& J P0 ~6 L+ p" W( _1 z6 ]
SecAuditLogFileMode 0550) }# f+ s& ], Y9 Z7 ^* r4 d2 O
SecAuditLogStorageDir /var/log/modsecurity
8 X5 P; a: K6 ]$ o" Y, s6 M- KSecAuditLogType Concurrent# ^ \% k9 o2 H# H7 f
参考文章:* ^6 ]6 G& Y" O, \# w4 s$ H
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
7 l3 ^+ h H' h: yhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡