|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
# O" I" W# j5 s. O0 @6 ?6 P
7 C. a5 ^2 t$ {' v& g* K' m9 p: s! @一.准备工作
9 ]; a6 p: f3 O6 h Q7 N: E' K& x; M% X
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.06 z5 T. S; `2 T/ V
1 A: g) w, B5 ^- Y: j* h: Ftengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz( c& @, o" a! [
" P& s: H* @8 J5 o3 Bmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz, V' {0 h$ }' n0 U. s {
; H1 l+ e9 i8 u% m9 g7 \1 P! w& IOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs3 @6 ^6 x$ b. P" d$ G
. j! u# y) X T# z+ S
依赖关系:5 }# n( U7 K4 P9 f. Z/ `
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
4 k9 U3 y, M% d0 ^7 k" u3 u+ H2 J' S0 |. u* W
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
, D' n& |- h; w1 v1 w( Amodsecurty依赖的包:pcre httpd-devel libxml2 apr
8 A# @ o0 }. c& Y8 o* B
, Z- }! v S, H3 \; V4 `7 iyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel+ G) [, y: a7 w$ W, T# k/ A. Y- p
二.启用standalone模块并编译7 l& ?/ \) Y1 U9 S6 Z, O! o
: k- F6 O7 Z, P Z( ^6 R
下载modsecurity for nginx 解压,进入解压后目录执行:+ Y0 F, d0 v0 z$ I' @+ Z/ F& E: E
0 Z% ?# o0 [5 e0 b/ _! g' W./autogen.sh
* ~! T: C9 T) Q2 O6 J/ M$ a8 k./configure --enable-standalone-module --disable-mlogc
! B; x5 X5 p' n! Wmake
6 K& b! T$ |; c+ m/ h0 P: e! E三.nginx添加modsecurity模块
9 U- ^- Z0 J& g$ ^, x0 ^
3 O: {8 B. g& ?' s5 `) \/ s3 g在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
2 y$ {2 P5 C4 d! o0 P1 D. u6 C1 \
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
( ?7 r1 d/ u2 D" E+ q) zmake && make install
4 l* I U# C2 n四.添加规则
& }) c. N) V, z
7 o6 k) {% r; j5 k8 R2 v( Z4 _modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
8 u4 K) O+ a# Y$ N
* Y5 v9 ~% V# u- d2 p1.下载OWASP规则:
9 r5 u1 V$ ^0 X$ H$ `- l; O3 C( g' _, J ?1 O7 F7 F ?. w3 y0 _
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs) y o+ q: R% D
8 a- l, ?3 |1 q' P. |; ?
mv owasp-modsecurity-crs /opt/tengine/conf/; h8 H- M4 P+ S1 u9 ~. ?
% C3 v- C2 }6 k) K' _* ^
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf6 G+ j: ~. k/ w0 D+ C
2.启用OWASP规则:
' K1 T; _4 T2 m# j7 h8 [: {
4 g# ^, h. I6 @+ y* o复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。- R0 ] {% x! i) M i9 a
0 ~( s! Y% I0 P编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
, [9 _: _! F! y, @0 |3 e" U6 l) M
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。; g) z8 D+ s0 G; j
" ?# O1 W* W+ u0 Q$ RInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf3 }; \) t$ i5 {( A: u
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf2 K8 @- }! U- M C0 Q% T
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf6 \9 w6 f8 o) H4 B6 n/ Q
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
! ^7 E, R( _5 r, |Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
4 u) a' U- q. I3 ]Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf1 K6 H; Q3 {9 B0 p! d$ B! v G
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5 b6 T e5 l5 }1 B" v7 w' Q五.配置nginx: V' B8 X& R! k# b2 z
( A# |2 y- v2 T5 o4 h. [
在需要启用modsecurity的主机的location下面加入下面两行即可:
4 }' n3 ~/ I6 D# E
# y! j& ] ~' PModSecurityEnabled on; * X3 ~* I t) b8 A1 N( }) S
ModSecurityConfig modsecurity.conf;4 m3 g" Z: n7 L0 \
下面是两个示例配置,php虚拟主机:
+ e, I( K) H# |6 `3 @ s& ]4 y2 Z7 i/ ~1 l" D
server {
4 S F' b! a. ]" A _6 Y listen 80;! j/ g* c: m3 n" j9 V3 P, Z& ~7 i
server_name 52os.net www.52os.net;
8 h0 x a6 Z8 W( s3 P. }! \6 N
1 p! J# Z0 u- ^3 t! C/ h5 m location ~ \.php$ {3 q8 O, v$ U* _+ H7 @% Z1 ]
ModSecurityEnabled on; / U4 `' `! Q% E
ModSecurityConfig modsecurity.conf;
) F E' m n4 h1 M! s
9 [" k; E; c% _/ x8 J# Z4 ^6 _# Y+ H root /web/wordpress;( ^1 i$ z8 m& J0 h. W @
index index.php index.html index.htm;
% y3 E% k0 P* Y$ L+ m& ]
' d/ v6 [5 Z4 }' ]- O2 e" x% j' P fastcgi_pass 127.0.0.1:9000;
0 H5 a @, a$ U2 m. o5 | fastcgi_index index.php;% b+ ?- b3 c _2 H; M7 D
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;9 S5 U% j. r. E( D2 a
include fastcgi_params;9 n- l* q* w, L& o: r" Y3 Y/ V
}' J3 [# v! _* |" H2 |2 f1 q
}5 n: H" d* Y4 g* i+ ~0 B2 {
upstream负载均衡:. j! B; }, x7 i/ x' V" G5 Z
# ?" V' Z7 k; C8 P6 y3 Yupstream 52os.net {5 K: ?+ e( I) \7 g
server 192.168.1.100:8080;: ?2 K9 b- @! q; M6 e y% U
server 192.168.1.101:8080 backup;# E& G* q4 r8 q3 `
}
, v# v! v& |6 O* j* M: u( ^& K! l' D) s) S
server {
: R7 T/ j9 Y0 t9 |, k0 v) v% blisten 80;
9 w; s3 z# M% E- p( Y; Q7 N0 ~server_name 52os.net www.52os.net;7 }; e( X; O2 ], t8 G
( r; ?; Q$ N+ E8 olocation / {
$ e1 }, C: c/ Y ModSecurityEnabled on; , ~1 N$ B. k" O& N4 R( f3 m, f
ModSecurityConfig modsecurity.conf; / l' [% r7 ?$ _3 `, I& t5 c8 E
+ ~! q. y8 V9 P% |! f8 |: Q0 x proxy_pass http://online;
6 p$ S) P0 e$ I# s; w" g proxy_redirect off;
4 M6 g8 |+ N- H8 _9 }# P proxy_set_header Host $host;
+ Q G5 k9 z4 u8 e% \, G2 P6 u proxy_set_header X-Real-IP $remote_addr;8 Y1 e0 w$ A" U1 j/ O( |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;% x4 r" o4 u, T: Q
}
4 B. T) J: v% A! Z' b}0 \5 H+ ^/ W6 E
六.测试
" r, o, u) C% V6 B& o4 V
o4 K0 S4 }; `: c+ S我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
' H' j2 L, l' ~' L8 k2 p
# f0 a. Y! P! f7 k' G" M<?php+ W3 x/ s0 L) r- V
phpinfo();
. R( b& ~5 z( i, G- A0 j?>
9 B8 a6 S9 u4 x8 i% f在浏览器中访问:
7 k' } i( E* @; A# e4 b
) c- |' C b& O. B) e3 ~4 c6 ~http://www.52os.net/phpinfo.php?id=1 正常显示。4 E' e9 W$ w. a, O# e
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。4 Z" y4 g% m) i' Y/ ]4 v
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
2 Z' X3 w6 ]! D9 _3 x/ t说明sql注入和xss已经被过滤了1 X# A7 }4 P# Z4 a
4 s3 t8 \ B3 A& _" a2 N七、安装过程中排错5 i# x6 R6 w+ f1 v4 X0 x9 t
2 c- D) I; [( z: v: |) ], D
1.缺少APXS会报错
) T: C8 Q) g4 i
/ l% P* K( X' t, {* a3 S+ b/ B& Pconfigure: looking for Apache module support via DSO through APXS
! o8 x+ K. k8 \, rconfigure: error: couldn't find APXS
/ T7 _ q+ Q) i/ fapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
) Y1 U8 {, }. r# u2 E& J& I$ z) Z解决方法:: s4 [8 t1 M# b y2 U! _1 v' ]
* h6 a e0 ]- e2 @ m" q: x0 tyum install httpd-devel
; o5 u8 ]2 z6 o1 I7 P5 s2.没有pcre
" {6 d3 F% g# w2 H' C
! d/ j4 f1 N( U7 cconfigure: *** pcre library not found.9 W3 ]3 }. h# k$ j) T
configure: error: pcre library is required+ F: m: m$ |8 X# `& d
解决方法:
/ c/ k' f. W$ h: ]" {7 O+ ]4 g% }) g2 o, }- D* L8 I
yum install pcre pcre-devel* x3 y$ Q% H( ~/ Z2 y& z
3.没有libxml2
) b# e) Y% {) t2 Q: B( b- a6 p" [4 T" Q3 V$ u
: F" n) `7 ^* K: {9 r p# O hconfigure: *** xml library not found.# l$ X( O' R0 d$ l0 ^5 `
configure: error: libxml2 is required3 s1 m9 j' M( U9 M! x7 [
解决方法:
! Z6 _ _+ S* C# b+ Z, _7 A
9 N! P* @1 T$ d- K" E$ i+ Cyum install libxml2 libxml2-devel4 _+ W5 C; d9 v& @5 }0 h
4.执行 /opt/tengine/sbin/nginx -m 时有警告
2 O+ \+ X* L+ \" Q. B& c U8 V9 M+ W; J' k6 B& ~& j
Tengine version: Tengine/2.1.0 (nginx/1.6.2)8 Q4 D- C; I1 o* B, m5 V* o
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
; w r' C6 Y3 U2 Q5 W% |& u原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log/ o& q5 I( ] u- ^: D; V8 m4 u
) T# o* E, u5 T
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.3 a0 f' {4 m1 r' y6 V- W' G M
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
3 O ~1 t% C4 n3 o3 O2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
V$ W5 V/ r* Z# M) `' S0 O+ Y0 }2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"% C' }0 s- J0 f/ u2 Z% i
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6") ^7 C$ ^; {/ o& a+ ^% G! N) w& ~) M
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
7 m |5 s+ w7 t4 ?' h解决方法,移除低版本的APR (1.3.9)! B5 U$ @' h& ^/ S* I
- @' C* J3 n5 _7 h( @
yum remove apr
* P A* A1 @. |5 a1 P/ Y; m5.Error.log中有: Audit log: Failed to lock global mutex
* E' ]+ u! ~9 B* u7 x- D t
; o D) P9 [3 F/ i6 R5 `; R2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
# u, e2 o# G8 M3 A1 c$ ^6 f. Dglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]) _, F6 y0 _& A3 r
解决方法:
}9 N% s4 r( s# W" s, v( \* H编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
" ?; j3 P$ P8 S6 o3 j" ]
; ~; t8 R0 S2 M: ?! L0 I( NSecAuditLogDirMode 0777
3 t z& g# n8 _- t, j: y: H4 hSecAuditLogFileMode 0550; x5 U$ j+ G5 S: D K
SecAuditLogStorageDir /var/log/modsecurity
) X8 V# y: b8 i: s7 O* s- o7 ?SecAuditLogType Concurrent
9 L- X: c8 c, B) K! T$ ]6 Q" V参考文章:& U( o- H! [6 q' Y# C0 E+ E
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX7 N5 k. x4 N" }7 N9 T+ k
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡