ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now supports Nginx and IIS as well, and combined with the flexibility and efficiency of Nginx it can be turned into a production-grade WAF, a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (Nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for Nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to Nginx

Once the standalone module has been built, ModSecurity can be added when compiling Nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
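Before running the two configure steps it is worth checking that the helper programs ModSecurity's configure script probes for are present, since each missing one produces one of the errors listed in the troubleshooting section at the end of this post. The script below is an added example, not code from the original post or from the ModSecurity project: it checks for apxs, pcre-config, xml2-config, apr-1-config and apu-1-config, maps each missing helper back to the yum package named in this post, and only then runs the build commands above. The MODSEC_SRC and TENGINE_SRC variables and the default /root/tengine-2.1.0 path are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# *-config helpers that ModSecurity's ./configure looks for, followed by
# the build steps from the post.
set -eu

# Print the names of the missing helpers, one per line; return 1 if any
# is missing. Each one corresponds to a configure error in the post.
preflight_build_deps() {
    rc=0
    for tool in apxs pcre-config xml2-config apr-1-config apu-1-config; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf '%s\n' "$tool"
            rc=1
        fi
    done
    return $rc
}

# Map a missing helper back to the yum package that provides it (CentOS 6).
package_for_tool() {
    case "$1" in
        apxs)         echo httpd-devel ;;
        pcre-config)  echo pcre-devel ;;
        xml2-config)  echo libxml2-devel ;;
        apr-1-config) echo apr-devel ;;
        apu-1-config) echo apr-util-devel ;;
        *)            return 1 ;;
    esac
}

# Build ModSecurity (standalone module) and then Tengine with the module.
# Source directories are assumptions; override them in the environment.
build_modsecurity_and_tengine() {
    modsec_src=${MODSEC_SRC:-/root/modsecurity-2.8.0}   # path used in the post
    tengine_src=${TENGINE_SRC:-/root/tengine-2.1.0}     # assumed location
    if ! missing=$(preflight_build_deps); then
        printf 'missing build tools:\n%s\n' "$missing" >&2
        printf 'install with: yum install' >&2
        for t in $missing; do printf ' %s' "$(package_for_tool "$t")" >&2; done
        printf '\n' >&2
        return 1
    fi
    (cd "$modsec_src" && ./autogen.sh \
        && ./configure --enable-standalone-module --disable-mlogc && make)
    (cd "$tengine_src" \
        && ./configure --add-module="$modsec_src/nginx/modsecurity/" --prefix=/opt/tengine \
        && make && make install)
}

# Only build when invoked as: sh build.sh build
if [ "${1:-}" = "build" ]; then
    build_modsecurity_and_tengine
fi
```

Run it as `sh build.sh build` after the yum commands above; with no argument it only defines the functions, so it can be sourced and `preflight_build_deps` called on its own.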
4. Add rules

ModSecurity is about filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet your own needs.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the Nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling in the corresponding files with Include directives:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure Nginx

In the location blocks of the virtual hosts where ModSecurity should be enabled, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing (the upstream name must match the one used in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests get a 403 straight away. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
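The same three checks can be scripted so they are easy to re-run after every rule change. The script below is an added example and not part of the original post: it passes each query parameter through curl's --data-urlencode so that the space in "1 and 1=1" and the angle brackets of the script tag are percent-encoded the way a browser sends them (the CRS inspects the decoded arguments, so the verdict is the same), and compares the status code with the expected 200/403/403. The default target URL is the one used in the post; the `judge` and `status_for` helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): smoke test for the WAF using
# the three requests from the testing section. Requires curl.
set -eu

# Compare an observed status with the expected one and print a verdict.
# Pure function: it can be exercised without a running server.
judge() {  # judge <label> <expected> <observed>
    if [ "$3" = "$2" ]; then
        printf 'PASS %s: got %s\n' "$1" "$3"
        return 0
    fi
    printf 'FAIL %s: expected %s, got %s\n' "$1" "$2" "$3"
    return 1
}

# Fetch only the HTTP status code of a GET with one URL-encoded parameter.
status_for() {  # status_for <url> <name=value>
    curl -s -o /dev/null -w '%{http_code}' --get --data-urlencode "$2" "$1"
}

# Run the checks from the post against BASE (default: the host in the post).
# Returns 1 if any check fails, so it can gate a deployment pipeline.
waf_smoke_test() {
    base=${1:-http://www.52os.net/phpinfo.php}
    failed=0
    judge benign 200 "$(status_for "$base" 'id=1')" || failed=1
    judge sqli   403 "$(status_for "$base" 'id=1 and 1=1')" || failed=1
    judge xss    403 "$(status_for "$base" "search=<script>alert('xss');</script>")" || failed=1
    return $failed
}

# Only send requests when invoked as: sh waf_smoke.sh run [base_url]
if [ "${1:-}" = "run" ]; then
    waf_smoke_test "${2:-}"
fi
```

A benign request that unexpectedly returns 403 is as important a failure as an attack request that returns 200: it means a rule is too broad for this application and should be tuned before the engine is left in blocking mode.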
7. Troubleshooting the installation

1) Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2) pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4) A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log will also contain:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr
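Because the compiled and loaded library versions are only visible in those start-up notices, a small log check makes this kind of mismatch easy to spot after any later upgrade of apr, pcre or libxml2 as well. The script below is an added example, not from the original post: it extracts every "compiled version=...; loaded version=..." pair from an error.log and reports each library whose loaded version does not start with the compiled one. The sample log embedded in it is the one printed above, so with no argument it runs against that sample; `check_error_log` and `report_version_mismatches` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): detect compiled-vs-loaded
# library version mismatches in ModSecurity's start-up notices.
set -eu

# The error.log excerpt from the post, embedded so the script runs offline.
SAMPLE_LOG='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"'

# Read a log on stdin; print "LIB compiled loaded" for every library whose
# loaded version does not begin with the compiled one; exit 1 if any.
# PCRE's "7.8 " vs "7.8 2008-09-05" is a match once padding is trimmed,
# so only genuine mismatches such as the APR line are reported.
report_version_mismatches() {
    sed -n 's/.*ModSecurity: \([A-Z]*\) compiled version="\([^"]*\)"; loaded version="\([^"]*\)".*/\1|\2|\3/p' |
    awk -F'|' '
        {
            gsub(/^ +| +$/, "", $2); gsub(/^ +| +$/, "", $3)
            if (index($3, $2) != 1) { print $1, $2, $3; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# check_error_log [path]: scan a real error.log, or the sample when no path.
check_error_log() {
    if [ $# -gt 0 ]; then
        report_version_mismatches < "$1"
    else
        printf '%s\n' "$SAMPLE_LOG" | report_version_mismatches
    fi
}
```

Run `check_error_log /opt/tengine/logs/error.log` after a restart: it prints nothing and exits 0 when the runtime libraries match the build, and prints the offending library with both versions otherwise.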
5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
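The mutex error above is a permissions problem, so the directory named by SecAuditLogStorageDir must exist and be writable by the user the Nginx workers run as before the first request arrives. The helper below is an added example, not from the original post: it creates the storage directory with a given mode and owner and checks that it is usable. The defaults are the post's values; if the directory is owned by the worker user, a tighter mode such as 0750 is enough and avoids a world-writable log directory. The worker user name "nobody" in the usage line is an assumption; use whatever the user directive in your nginx.conf names.

```shell
#!/bin/sh
# Added example (not from the original post): prepare the concurrent audit
# log storage directory so ModSecurity can create per-request files in it.
set -eu

# prepare_audit_dir <dir> [mode] [owner]
# Creates <dir> with the octal <mode> and, when running as root and an
# owner is given, hands it to that user. Prints the resulting octal mode.
prepare_audit_dir() {
    dir=$1
    mode=${2:-0777}     # value from the post; 0750 suffices if owned by the worker user
    owner=${3:-}
    mkdir -p "$dir"
    chmod "$mode" "$dir"
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dir"
    fi
    stat -c '%a' "$dir"
}

# Return 0 if <dir> exists and is writable and searchable by the current
# user; run this as the worker user to reproduce what ModSecurity sees.
audit_dir_usable() {
    [ -d "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

# Only touch /var/log when invoked as: sh audit_dir.sh prepare
if [ "${1:-}" = "prepare" ]; then
    prepare_audit_dir /var/log/modsecurity 0777 nobody   # "nobody" is an assumed worker user
    audit_dir_usable /var/log/modsecurity
fi
```

After preparing the directory, reload Nginx and confirm that a request produces a file under /var/log/modsecurity and that the mutex error no longer appears in error.log.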
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614