ModSecurity started out as an open-source WAF for Apache and is an effective way to harden web applications. It now supports Nginx and IIS as well, and combined with Nginx's flexibility and efficiency it can be turned into a production-grade WAF, a powerful tool for protecting and auditing web security.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (Nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for Nginx, unpack it, enter the unpacked directory and run:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make
III. Add the ModSecurity module to Nginx

Once the standalone module is built, pass it to the Nginx build with "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules for your own needs.

1. Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into Nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several rule directories, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need by pulling each file in with Include, for example:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure Nginx

In the location block of every virtual host that should be protected by ModSecurity, add these two lines:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # nginx variable names are lowercase: $document_root, not $Document_root
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

Upstream load balancing:

    # the upstream name must match the one used in proxy_pass below
    upstream online {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            proxy_pass http://online;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
VI. Testing

With the XSS and SQL injection rules enabled, suspicious requests are answered with a 403 straight away. Taking the PHP setup as an example, create a phpinfo.php containing:

    <?php
    phpinfo();
    ?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
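An added verification script (not part of the original post) that repeats the checks above with curl and summarises what ModSecurity denied in error.log, so a blocked test is tied to the rule that fired. It assumes the vhost URL from section V and Tengine's default error log path; the sample log it writes for offline use is constructed, and its rule ids and messages are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post: check that the WAF built above
# blocks the section VI requests, and summarise denials found in error.log.
# Assumptions: BASE_URL is the vhost from section V, ERROR_LOG is Tengine's log,
# and denial lines follow ModSecurity 2.x's "[client IP] ... [id "N"] ... [uri "/p"]" form.

BASE_URL="${BASE_URL:-http://www.52os.net}"
ERROR_LOG="${ERROR_LOG:-/opt/tengine/logs/error.log}"

# HTTP status curl receives for a URL (000 when the host is unreachable).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1"
}
# expect_status URL CODE: print PASS/FAIL, return 0 on match, 1 otherwise.
expect_status() {
    got=$(http_status "$1")
    if [ "$got" = "$2" ]; then echo "PASS $got $1"; return 0; fi
    echo "FAIL got $got, expected $2: $1"; return 1
}
# Number of requests ModSecurity denied according to a log file.
count_denied() {
    grep -c 'ModSecurity: Access denied' "$1" || true
}
# One "RULE_ID CLIENT URI" line per denial: which rule fired, for whom, where.
denied_summary() {
    grep 'ModSecurity: Access denied' "$1" |
    sed -n 's/.*\[client \([^]]*\)\].*\[id "\([0-9]*\)"\].*\[uri "\([^"]*\)"\].*/\2 \1 \3/p'
}
# Constructed sample error.log (rule ids and messages are illustrative, not real CRS entries).
write_sample_log() {
    cat > "$1" <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 04:20:01 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). [id "900001"] [msg "SQL Injection Attack"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "sample1"]
2015/01/26 04:20:05 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). [id "900002"] [msg "XSS Attack Detected"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "sample2"]
2015/01/26 04:20:09 [error] 29036#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "sample3"]
EOF
}
# The three section VI requests; the two attack-shaped ones must get a 403.
run_live_checks() {
    fails=0
    expect_status "$BASE_URL/phpinfo.php?id=1" 200 || fails=$((fails + 1))
    expect_status "$BASE_URL/phpinfo.php?id=1%20and%201=1" 403 || fails=$((fails + 1))
    expect_status "$BASE_URL/phpinfo.php?search=%3Cscript%3Ealert('xss')%3C/script%3E" 403 || fails=$((fails + 1))
    echo "denied so far: $(count_denied "$ERROR_LOG")"; denied_summary "$ERROR_LOG"
    return "$fails"
}

# Only touch the network when explicitly asked: sh waf_check.sh --live
if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

Without --live the script only defines the functions; point ERROR_LOG at the file written by write_sample_log to try the log summary offline.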
VII. Troubleshooting the installation

1. Missing APXS causes an error:

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

    yum install httpd-devel

2. pcre is missing:

    configure: *** pcre library not found.
    configure: error: pcre library is required

Fix:

    yum install pcre pcre-devel

3. libxml2 is missing:

    configure: *** xml library not found.
    configure: error: libxml2 is required

Fix:

    yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same mismatch:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

    yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex":

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following (the storage directory must exist and be writable by the user the Tengine worker processes run as):

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614