ModSecurity started life as an open-source WAF for Apache. It now also supports nginx and IIS, and combined with the flexibility and performance of Tengine (nginx) it can be built into a production-grade WAF for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Verify each downloaded tarball against the checksum or signature published by its project before building; a WAF built from a tampered source tree protects nothing.

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (for apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Build ModSecurity as a standalone module

Download and extract ModSecurity for nginx, then run the following in the extracted directory (--disable-mlogc leaves out the mlogc audit-log collector, which is not needed here):

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build has finished, pass the module to the nginx build with "--add-module"; the path is the nginx/modsecurity subdirectory of the ModSecurity source tree:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Afterwards, /opt/tengine/sbin/nginx -V prints the configure arguments; confirm the --add-module line is among them before going any further.
IV. Add rules

ModSecurity is geared toward filtering and blocking web attacks, and its strength lies entirely in its rules. The OWASP rule set, maintained by community volunteers and known as the Core Rule Set (CRS), is reliable and comprehensive; you can also write your own rules for site-specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory (/opt/tengine/conf) and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. Running with SecRuleEngine DetectionOnly first, and reading error.log for a while, is the usual way to find false positives before anything is actually blocked.

owasp-modsecurity-crs contains several rule directories, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines to modsecurity.conf. modsecurity_crs_10_setup.conf must be included first, because the rule files depend on the variables it sets; if you switch that file to anomaly-scoring mode, also include base_rules/modsecurity_crs_49_inbound_blocking.conf, otherwise nothing is blocked. Paths are relative to the conf directory:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
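The paragraph above mentions writing your own rules; the file below is an added example (not from the original article and not part of the CRS) of what a local rules file for this setup would look like, covering both tuning the CRS and adding site-specific rules. It assumes it is saved as /opt/tengine/conf/modsecurity_local.conf and included from modsecurity.conf after the CRS Include lines. The rule ids 10001 and 10002, the WordPress paths, the internal network 192.168.1.0/24 and the CRS rule id 973300 are assumptions for illustration; confirm the CRS id in your own copy of modsecurity_crs_41_xss_attacks.conf.

```apache
# /opt/tengine/conf/modsecurity_local.conf  (added example; not from the original page or the CRS)
#
# Include this file from modsecurity.conf AFTER the CRS Include lines:
#     Include modsecurity_local.conf
# SecRuleRemoveById and SecRuleUpdateTargetById only affect rules that have already been
# loaded. Rule ids 1-99999 are the range ModSecurity reserves for local rules, hence 1xxxx below.

# --- Tuning the CRS ---------------------------------------------------------------------

# WordPress post bodies (ARGS:content) legitimately contain HTML, which trips the XSS rules.
# Exclude that one parameter from the offending rule instead of disabling the rule for every
# request. 973300 is assumed here to be the CRS 2.x XSS "HTML Tag Handler" rule; confirm the
# id in base_rules/modsecurity_crs_41_xss_attacks.conf before relying on it.
SecRuleUpdateTargetById 973300 "!ARGS:content"

# Removing a rule outright is the blunt alternative. Every removal is a hole in the CRS, so
# prefer the target exclusion above and leave a comment saying why the rule was removed.
# SecRuleRemoveById 950901

# --- Site-specific rules ---------------------------------------------------------------

# Positive model: the WordPress admin area is only reachable from the internal network
# (192.168.1.0/24 is an assumption). Chained rule: the second SecRule is evaluated only if the
# first matched, and only the first rule carries the id and the disruptive action.
SecRule REQUEST_URI "@beginsWith /wp-admin" \
    "id:10001,phase:1,deny,status:403,log,msg:'wp-admin request from outside the internal network',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24,127.0.0.1"

# Negative model: this site never accepts PHP uploads, whatever the CRS thinks of the body.
# FILES holds the original filenames of multipart uploads, so this needs phase:2 (request body)
# and SecRequestBodyAccess On, which modsecurity.conf-recommended already sets.
SecRule FILES "@rx \.ph(p[3457]?|tml)$" \
    "id:10002,phase:2,t:none,t:lowercase,deny,status:403,log,msg:'PHP file upload attempt'"

# The brute_force and dos_protection rules enabled above keep their counters in persistent
# collections; SecDataDir in modsecurity.conf must point at a directory writable by the user
# the nginx worker processes run as.
```

After editing any rules file, run /opt/tengine/sbin/nginx -t before reloading: ModSecurity parses modsecurity.conf and everything it includes at that point, so a syntax error surfaces there rather than at the first request.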
V. Configure nginx

In each location block that should be protected, add the following two lines. The relative path in ModSecurityConfig resolves to the modsecurity.conf placed in /opt/tengine/conf in step IV:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host; note that only requests matching the PHP location are inspected, so anything served by other locations bypasses ModSecurity:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Second, load balancing through an upstream (the upstream name must match the one used in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests get a 403 straight from nginx. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then request, in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

That confirms SQL injection and XSS are being filtered. Each block is also written to nginx's error.log with the id and message of the rule that fired, which is the first place to look when a legitimate request gets a 403. Remove phpinfo.php once you are done; it discloses the server configuration.
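Manual browser checks are fine once, but every rule change deserves a repeatable test. The script below is an added example, not part of the original article: it replays the three requests above with curl (percent-encoding the payloads the way a browser would) and checks the status codes, then summarizes the ModSecurity messages in error.log so you can see which rule fired and whether a request was merely flagged or actually denied. It assumes the vhost from section V answers at BASE (default http://www.52os.net) and that error.log lives at /opt/tengine/logs/error.log, the default for this --prefix. The lines embedded in sample_log are constructed to match the ModSecurity 2.x message format; their rule ids, file paths and client addresses are placeholders, not lines taken from a real log.

```shell
#!/bin/sh
# Added example, not from the original article. Two halves:
#   1. waf_smoke_test   - sends the requests from section VI and checks the status codes
#   2. modsec_* helpers - summarize ModSecurity messages from nginx error.log (read from stdin)
# Assumptions: the vhost from section V is reachable at $BASE; $CURL can be pointed at a
# stand-in command for dry runs without a live server.

BASE=${BASE:-http://www.52os.net}
CURL=${CURL:-curl}

# http_status URL QUERY -> prints the HTTP status code. -G plus --data-urlencode sends the
# query percent-encoded exactly as a browser would ("id=1 and 1=1" -> id=1%20and%201%3D1).
http_status() {
    "$CURL" -s -o /dev/null -w '%{http_code}' -G "$1" --data-urlencode "$2"
}

# check_status NAME QUERY CODE -> prints PASS/FAIL, returns 0 on PASS
check_status() {
    got=$(http_status "$BASE/phpinfo.php" "$2")
    if [ "$got" = "$3" ]; then
        echo "PASS $1 (HTTP $got)"
    else
        echo "FAIL $1 (expected $3, got $got)"
        return 1
    fi
}

# waf_smoke_test -> exit status is the number of failed checks (0 = WAF behaves as expected)
waf_smoke_test() {
    fails=0
    check_status benign "id=1" 200 || fails=$((fails + 1))
    check_status sqli "id=1 and 1=1" 403 || fails=$((fails + 1))
    check_status xss "search=<script>alert('xss');</script>" 403 || fails=$((fails + 1))
    return $fails
}

# modsec_hits -> "<count> <rule id> <msg>" per rule, most frequent first
# (blocked and detection-only matches alike)
modsec_hits() {
    sed -n 's/.*ModSecurity: .*\[id "\([0-9][0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# modsec_blocked -> "<client> <rule id> <uri>" for requests that were actually denied. With
# SecRuleEngine DetectionOnly the same matches read "ModSecurity: Warning." and nothing is blocked.
modsec_blocked() {
    grep 'ModSecurity: Access denied with code' \
        | sed -n 's/.*\[client \([^]]*\)\].*\[id "\([0-9][0-9]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \2 \3/p'
}

# modsec_errors -> engine problems rather than rule matches (the APR mismatch and the
# audit-log mutex failure from section VII show up here)
modsec_errors() {
    grep -E '\[(error|warn)\] .*ModSecurity: ' | grep -v -e 'Access denied with code' -e 'ModSecurity: Warning\.'
}

# sample_log: constructed error.log lines in the ModSecurity 2.x format (placeholder rule ids,
# paths and addresses) so the helpers can be exercised without a live server
sample_log() {
cat <<'EOF'
2015/01/26 02:10:01 [error] 29036#0: *12 [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\b(\d+)\s*=\s*\1\b)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAa"], client: 10.11.15.161, server: 52os.net, request: "GET /phpinfo.php?id=1%20and%201%3D1 HTTP/1.1", host: "www.52os.net"
2015/01/26 02:10:07 [error] 29036#0: *13 [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "40"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "Matched Data: <script> found within ARGS:search"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAb"], client: 10.11.15.161, server: 52os.net, request: "GET /phpinfo.php?search=%3Cscript%3Ealert('xss')%3B%3C/script%3E HTTP/1.1", host: "www.52os.net"
2015/01/26 02:11:30 [error] 29036#0: *14 [client 10.11.15.162] ModSecurity: Warning. Pattern match "(?i:\b(\d+)\s*=\s*\1\b)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"], client: 10.11.15.162, server: 52os.net, request: "GET /phpinfo.php?id=2%20and%202%3D2 HTTP/1.1", host: "www.52os.net"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
EOF
}

if [ "${1:-}" = run ]; then
    waf_smoke_test
    echo "--- rule hits ---"; modsec_hits < /opt/tengine/logs/error.log
    echo "--- blocked ---";   modsec_blocked < /opt/tengine/logs/error.log
    echo "--- errors ---";    modsec_errors < /opt/tengine/logs/error.log
elif [ "${1:-}" = demo ]; then
    sample_log | modsec_hits
    sample_log | modsec_blocked
fi
```

Run it as "sh waf_check.sh run" against the live host after every rule change, or "sh waf_check.sh demo" to see the log helpers on the constructed sample. The helpers also work on a pipe, e.g. "tail -f /opt/tengine/logs/error.log | modsec_blocked" while you tune rules in DetectionOnly mode.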

VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP Server, turning one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when building the standalone module.

Fix:

yum install httpd-devel
2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
" c: r, }% a, t2 H9 Z! Q4.执行 /opt/tengine/sbin/nginx -m 时有警告
. z# V$ @; O* _( G- K, |3 Q# l9 R4 y3 q' ~ V- r: A0 }0 ?
Tengine version: Tengine/2.1.0 (nginx/1.6.2)* {; I( G) A- [2 ^7 Y: t
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
6 P0 S& b8 [- A! Y- Z$ S- U) a) M4 Q; m原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
0 R5 M/ ]' X9 n% J, A% w4 ?) X0 z$ d# x9 t
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.# e/ Y h9 w1 @" K
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
. Y0 g/ p- B; @2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!4 u2 O2 G4 d1 I% \5 A# B1 \
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05". D _0 m2 K# l5 |- N: C
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
( \$ x8 _ f3 q2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
' V4 W+ _0 n B+ U3 b. x" @解决方法,移除低版本的APR (1.3.9)
: d' { M! u, f* y. J* }; z0 A+ u; ^' l! b L, \7 t
yum remove apr9 y# Q7 E. p' J, b- W
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent mode writes one file per transaction under SecAuditLogStorageDir instead of serializing every worker through a single log file and its mutex, which is what fails here because the workers do not run as the user that created the mutex. The storage directory must exist and be writable by the user the nginx worker processes run as. 0777 makes the directories ModSecurity creates world-writable; on anything but a single-purpose host, prefer a storage directory owned by the worker user with SecAuditLogDirMode 0750.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614