|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。5 h& B7 M d. J: b: M0 C
. P3 `- _, f& y g' i% y* s- U
一.准备工作2 h' t; `0 U. @2 F4 N6 n. \. f
1 E+ ~, I m2 s0 ?
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
% j3 E& C( l# M. K! L8 Q9 u% `
7 L) M2 a. l; S! h8 j4 `tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz8 X! f7 A5 g8 l, v+ z, H7 h
' w, u$ f% @& k l( `" A0 |
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
p+ ~2 i7 J# L1 |
: N6 ?/ w2 q. Q6 r6 hOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs" f7 a* u( N# L$ ]. J2 s
$ `. p) m0 c2 y- d, G
依赖关系:, @7 ?+ t/ K4 g8 o5 Q
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:/ j0 V, }' k3 ]' S1 X
( a3 d2 f9 p* @6 L4 }yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel1 g7 ]( z; S1 b6 b2 z
modsecurty依赖的包:pcre httpd-devel libxml2 apr
7 E3 z6 a9 Q4 ~- S0 N
- \! Y5 ]. Q- V4 iyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel( j& u+ ~8 b* e8 m- G3 w( p0 d4 a Q
二.启用standalone模块并编译
5 p8 q4 U; S* m/ O- y e' i$ p( C; C5 _" z# t1 Z
下载modsecurity for nginx 解压,进入解压后目录执行:. U |& c; l" [; F+ s* N
- s: A4 o3 Z9 h8 c& i8 O% C# n4 G./autogen.sh
0 L. {( u% |( f# D5 k" j./configure --enable-standalone-module --disable-mlogc
( M& ?( b6 F, F4 k6 g) |make ' S: q$ W9 T9 i# }- {0 e+ ~
三.nginx添加modsecurity模块
* i4 z% u3 W2 U1 D; x8 C+ P# ?& x# o& |1 t7 y" L# E# ~- a, ?
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:. @' u8 H( N9 k4 c
/ f1 K- a$ g! g4 X' {
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
$ g; @8 V; B1 Y- X% g. Amake && make install, J6 H6 }5 n; o o. y; U
四.添加规则
6 h1 R9 p' v3 v, T, _9 Y( p Z5 n0 H' f
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
_/ d+ g S3 h' r2 a& W( c& v1 B# U M: m5 l0 K7 y
1.下载OWASP规则:6 C2 ~/ Q. a2 ?+ b0 |! j
P6 h5 z3 v! s/ }. ?3 m7 wgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
9 E* t# X# h1 C% B2 [* u4 R& Z4 M; E1 I
mv owasp-modsecurity-crs /opt/tengine/conf/
! C+ |/ {9 O; h7 D
0 L3 z, d- E, ?1 q5 J( _cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf w6 ?- r. Z' j) @
2.启用OWASP规则:0 W( \, H1 w) V! O2 F
4 ]2 ^# F1 }+ @0 @8 y" Y复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
; [6 h; i g& j
# _# b& o" D9 I% G) W- |, A- j! C e编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
& o# }/ _2 _: }1 i/ d9 J
0 B: Y* `# t8 L$ F, o9 J0 @6 A8 Oowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
0 M- @/ B: y8 V, {# X/ ]$ K' [. N- K5 @( c2 v! {1 B2 b
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
" u+ p) X5 v8 r6 S4 Y/ sInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf5 L3 T: n1 n: a- U
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
: c1 h( g* K1 T: u( QInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf9 a; l2 m( y1 s: |0 e7 [
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf2 o2 I. {$ {6 B6 v' S/ B
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf4 u+ Z" }( }% p& r
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
$ T4 T- Y, y; k G7 M# x. n五.配置nginx
2 s9 h B+ h' G% \1 K! L2 D3 d9 @- M$ I2 J1 s$ r5 @2 l
在需要启用modsecurity的主机的location下面加入下面两行即可:. d' ~2 e4 O" [
5 F: [4 z; E1 YModSecurityEnabled on; 8 J G" @/ }& V! x1 K& R5 m
ModSecurityConfig modsecurity.conf;
. i$ J. S- U& P+ g4 o% Q下面是两个示例配置,php虚拟主机:
0 g+ \; X/ O8 A# l7 C) }& J6 j d# c- f; o
server {* \/ o& J' L0 l# h; Y6 L# i% a
listen 80;2 i( n( t7 a# N o: u
server_name 52os.net www.52os.net;% k/ z6 K* g9 ~- O
" x% {. X0 T0 b; Y3 S- u location ~ \.php$ {+ w" A' G4 ] N
ModSecurityEnabled on;
$ W1 a0 g3 o) G9 N ModSecurityConfig modsecurity.conf;
$ g% |0 b0 z! ]/ C+ c: g# @9 R- r6 U1 k
root /web/wordpress;( N' h! `3 l6 }1 Y9 L
index index.php index.html index.htm;6 l* \: ~ |1 r: E% k, q( t
+ Z4 P; W2 X- `$ r/ K
fastcgi_pass 127.0.0.1:9000;0 q. @% e" M* @7 {$ W7 h
fastcgi_index index.php;4 M1 p& |/ @/ I4 l ^9 l( I' ^
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;5 @8 O( `- L, q3 ^% _8 v# n
include fastcgi_params;
8 P! H) M* v& t. c4 f8 Q6 z% V }+ Q# Y1 J2 O6 \4 I4 a
}
" e7 W7 a) x9 D/ y$ n! Mupstream负载均衡:( M; D8 W$ w3 o# @
( H6 g+ L# q( _; \1 ?
upstream 52os.net {
l- R$ n- ]2 o9 p' K: J: L" ~( ~ server 192.168.1.100:8080;
+ b7 c" J4 ]5 g. } server 192.168.1.101:8080 backup;
5 F2 { d( [/ P+ g% v/ p" Z$ [! N}
- [, v: L2 D. R, w' f V$ _3 h! u1 b; p
server {
2 w) y- J& _8 @3 Y0 g% s& G( tlisten 80;
; {' _7 ]0 ?0 nserver_name 52os.net www.52os.net;2 y+ A. }" o. }" M8 w6 X
& Q8 O: z5 x N. Z% o1 d
location / {1 P' Z$ ~6 T8 P2 t% l
ModSecurityEnabled on; $ e! v, c/ m) G9 [! l* ~ J
ModSecurityConfig modsecurity.conf; ) F- i D8 m0 y1 e+ p
; D: @$ w H3 [. Q# m* J/ w proxy_pass http://online;7 {8 {" s! O/ Y; Y( ]+ l: j" h
proxy_redirect off;/ o% J: G0 e5 o& y Q6 ~
proxy_set_header Host $host;
) ~3 x# M+ V i1 K7 g$ ]( {4 W proxy_set_header X-Real-IP $remote_addr;9 x" c; d8 H; V' V
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;6 M1 v- s2 ~1 D5 Q+ y
}- l0 t# R2 Q$ p6 ~
}. X% ]/ A% F" G3 c
六.测试% ]5 _8 e7 w& D
* j; e; ~$ B7 \
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
- N- j: @) d! R4 ^8 w1 V" D! p. Z, I" x$ s& @) a
<?php
( B. z! h4 d* v( N# n `9 l! ^' f phpinfo();
* g7 `0 t3 o9 t' X& m) q0 t7 E?>/ O+ [9 V: \: Q2 P/ e8 \
在浏览器中访问:' H6 ] b2 h$ {$ {6 \# ~) A; B \
" R9 A( ^( Q9 D4 c! Rhttp://www.52os.net/phpinfo.php?id=1 正常显示。: I9 U$ A( r; [
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。. \! d B; \2 z7 ]& e
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
2 k) E7 p" z; u5 Y9 Q6 y' G说明sql注入和xss已经被过滤了
' e9 r" W$ H: n* d; D3 G+ s; B& E9 b, R p s3 b% `1 g
七、安装过程中排错) G5 K5 h! d! A
# S) D( J. R0 v5 Y
1.缺少APXS会报错
v; X1 |2 C% h6 C( O2 u
4 t8 b% N- U4 m' ^# Lconfigure: looking for Apache module support via DSO through APXS( K. D: Z) t; p; o9 C( k
configure: error: couldn't find APXS* z9 h& x# Y, E1 }
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
H7 U/ B# X8 \2 r- O; C1 t3 p0 z解决方法:8 D- {/ L$ k2 d
6 P$ @ j; g6 b3 X) V8 ?9 v. {
yum install httpd-devel& t) ]% M3 y5 ?1 W
2.没有pcre
6 \0 a; r4 m9 |; _" A) N0 K3 k7 y, P
configure: *** pcre library not found.
$ ^9 _/ I4 e: ?3 Y/ q# Xconfigure: error: pcre library is required
# x0 S8 T7 ]1 z/ N' [' a! W解决方法:
6 Y9 M' s, z2 d% P6 x) f6 C
, O( I- T' e2 w" F1 m/ b! I' }) kyum install pcre pcre-devel% ^5 d* d9 G: K4 {
3.没有libxml21 f F7 g2 B( o) m- |" H
" V9 p3 k# H1 C8 ?) Q+ k
; V) P7 ?5 F6 b; X+ n
configure: *** xml library not found.
) C p8 u+ G% }( aconfigure: error: libxml2 is required
. l4 X$ S5 z5 ]& T4 J t解决方法:
" o" o7 O) ^/ V8 o- M3 A- k+ |2 R( w( C. u; E
yum install libxml2 libxml2-devel$ C& w7 u& X/ g7 P4 ?) ]
4.执行 /opt/tengine/sbin/nginx -m 时有警告 p% X A9 t2 K7 K3 R
9 N3 r u5 d1 n5 jTengine version: Tengine/2.1.0 (nginx/1.6.2)3 y- P3 [9 s' \. H
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!0 a5 r5 m- }4 Y* f9 K9 E
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log2 f8 a7 K0 I6 X" A
$ D( t6 z* I& L% c2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
9 R& M# Y4 R2 v2 f; ^6 g2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"" k3 W2 r1 `4 W- Y0 L
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!3 C) }5 Y l% A& f9 X
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
* U5 f4 [: t$ Q* R& ]5 G% a) M0 I3 x2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"$ I$ k2 p! I8 W7 q, Q5 w/ q
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.* q$ ^* z- x/ b/ V+ j- R% t' k
解决方法,移除低版本的APR (1.3.9)5 Q3 p" p6 Q) D# B8 A4 W1 e' @
! w% d4 n; _. G4 S+ f
yum remove apr t0 }8 I$ O- u& F: f/ N
5.Error.log中有: Audit log: Failed to lock global mutex1 c( P. D! ~4 q: Q5 K9 a- e
1 S, X( V7 `- S3 J- @, o! ~: k2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 2 F* s1 k; {# f
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
- k1 X# w( y8 u* f+ V: L解决方法:
% l0 N( q$ B# Q3 e2 `/ l编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:6 Y, q$ S. `& q: A% E; l" e/ s
; \" V+ Y3 D) b V" tSecAuditLogDirMode 0777
3 c; k4 _4 X) {* q/ `SecAuditLogFileMode 0550- S5 j' v$ r* ^; @1 f* u7 [6 U
SecAuditLogStorageDir /var/log/modsecurity& K, o; w" e! R' B% t
SecAuditLogType Concurrent8 `( j4 i1 J T/ Q0 t
参考文章:
$ u1 s) G X5 M& Y2 W8 Shttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX% |% N7 [* z. v4 w* D! J
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡