|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。 G% K" v3 a3 W C' _/ ~# X* f, m
" t% _9 }& }) J/ G一.准备工作5 J/ @# E+ i. I3 m: Y }
6 q# R6 b6 g7 Z* A$ o K
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
" u' [, U. z6 n
# z1 h# C; l4 Q; W# R& ytengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz# S9 P# H) M* p! o6 }
) ~8 o8 ~( \4 G% }. t% _
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
% s/ I- Y0 Q7 w) X9 {; P* s! F0 V% _7 ]
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs! q. W% J# `$ L3 H; n( D7 T
" w) n% D1 k5 F0 _+ {依赖关系:
( c/ {( N7 v1 ?3 `0 Q& F& P2 l" dtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
0 {3 V6 q7 r% W9 E+ u$ ^4 }- m7 U$ J, f9 b$ J A3 E
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
% R. e& l9 T" a1 lmodsecurty依赖的包:pcre httpd-devel libxml2 apr
( v# N0 |! x: X, X; w' ^
7 V* N$ r) H# k* qyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
, v) H6 m8 E/ j/ o% v二.启用standalone模块并编译! W5 c) i9 E) y* m- u
, n4 q @2 `, S" Q8 t" ]$ I J
下载modsecurity for nginx 解压,进入解压后目录执行:) C# m. A: d3 G) f% N% c$ {" p; J. \
/ _6 I/ L+ g8 ~
./autogen.sh2 X/ b5 C& Y- d; J
./configure --enable-standalone-module --disable-mlogc
7 H6 f8 J5 ^1 P8 i! omake
; S/ u! ?6 [+ X; N0 f/ v三.nginx添加modsecurity模块
- C! ~8 h9 x. M
, z) S/ @- z' i* r3 A: `在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:7 B; r( I- b- `! W
4 E a% X) f [3 X./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
8 j1 D1 L# q9 ~6 `* ]make && make install1 [9 \* W+ v2 \1 [9 X
四.添加规则
7 |% n5 V6 p: ^9 E& m( P9 ?
2 z5 n3 E! U T/ G' e6 N: wmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。) R( D6 ?& s5 x; z2 M9 ~) C1 A
$ b+ K: [! s* P. B
1.下载OWASP规则:
1 u) S5 _) ]5 X; k# M4 P; {: V& [+ I4 Z+ z# A
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs% z& T$ O2 w7 \. D' q
0 P6 h1 c* v" `3 a# h7 P$ y8 wmv owasp-modsecurity-crs /opt/tengine/conf/
, p3 J5 l1 ]7 @: S" @6 t$ t
3 R0 H7 K1 p7 Ocd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
" ~8 I( U" f4 f K* \- r2.启用OWASP规则:
! n S6 n% u* }% v1 s; p E, S) X ?* T
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
$ r/ }) Q/ w/ v. q# z5 h! S4 d1 y+ N# _
9 T7 O& ^* D H) ?编辑modsecurity.conf 文件,将SecRuleEngine设置为 on1 v; e( z; j, H D' L1 v' d3 o; b
8 X( W7 T5 W6 @8 E- lowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。' ^1 v3 b' o/ I- i( u. ?# \
8 X5 c, s2 Y; H6 ZInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
5 Y/ e1 F6 v) _5 e H8 h( nInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf9 n6 l K7 [) K2 k5 b
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
' |6 V, W ]' z- W1 b7 wInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
! ?* O# [3 R, C, k8 p, eInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf: U6 W$ L) `& N6 y! J9 K
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
: t- F2 v: |6 J* ], pInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
/ v& A' y$ I! D; M. U五.配置nginx- k7 n/ u$ X! k0 R+ B
) v! r3 W7 H) u8 F* \& t. V
在需要启用modsecurity的主机的location下面加入下面两行即可:# q" w; {7 c1 k g* ]+ {
( B4 l* |' `! t& A$ t# I* B" `6 i2 s0 i4 I
ModSecurityEnabled on; 4 G. C% y- }6 Y( T. ?
ModSecurityConfig modsecurity.conf;
1 c2 s0 Y) h1 B; y# |下面是两个示例配置,php虚拟主机:% D/ @5 H- Y, l8 B0 P* L# G* Z
% o3 \, T) C; @) Z2 Z( g- dserver {
1 a" ]7 @. P. h listen 80;9 P: C, r* Y0 ?& \8 }4 L
server_name 52os.net www.52os.net;
. ~! ^- I/ w4 t4 B3 J( d + W% {" T8 \) M; L7 T) T4 r$ T
location ~ \.php$ {
! m& p, p: N/ T ModSecurityEnabled on; ! \! y; J2 H. V7 X8 e. K( R0 s7 v
ModSecurityConfig modsecurity.conf;
+ a* g* ~7 o6 K& L6 u q% C* h2 _1 z6 `5 _
root /web/wordpress;+ |2 d% d, Y1 m) Z( D& o
index index.php index.html index.htm;+ A" r* v* q9 S$ N5 U, V; S: P
6 E: {, i$ E. ? fastcgi_pass 127.0.0.1:9000;7 L# C: m6 B/ W; r
fastcgi_index index.php;
0 D3 G& ?8 n' d | fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
?8 [; w3 S/ |6 t3 i include fastcgi_params;
" F9 ~2 J8 {1 ?# F! Z! @% J P }
! J0 f. J/ j+ t. P }9 |; o9 T: I6 d1 P# z5 h
upstream负载均衡:- i4 }2 ?, h, s) j
# @9 D* o4 e- }; ~9 Y
upstream 52os.net {1 }5 q+ C, A" d4 `) a
server 192.168.1.100:8080;
# c3 ^% @: ?+ l server 192.168.1.101:8080 backup;3 v O4 g8 A/ ~; _ R4 z
}
2 f# g6 [# x1 J e q2 d/ v8 G8 a- G6 \$ U8 L
server {8 k7 l2 \$ V. R8 d" D/ u
listen 80;
/ o7 W( r; w% g( j! L* qserver_name 52os.net www.52os.net;. g1 c3 \: e& T; O; S7 g
* S* R6 q p& Z: a/ |& b
location / {# Q8 i9 ?% E% [: A2 w
ModSecurityEnabled on;
$ y9 j/ a& C- c2 P6 Q ModSecurityConfig modsecurity.conf;
. f$ k* q! w7 l+ }: Q' b% i, i# m( Z) ]/ d3 C+ h* q1 X6 m
proxy_pass http://online;) E {. S9 T; f& H% L z P. C! M
proxy_redirect off; b7 j( _2 P& s7 Q: f
proxy_set_header Host $host;
( I" ~/ {' u0 j. l proxy_set_header X-Real-IP $remote_addr;$ C- H- ~5 E. H3 v- G) n$ z
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
! {3 h& ?! u+ m }" f$ r0 m$ p3 {5 M8 S4 T- m
}
+ ? C1 M, J& S9 p六.测试) R& m, a, A' j8 _: V& E, K- {
3 l/ J- I: i; }( U) O4 p7 G z
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
- N1 u( ?, e# [; c
( C" R% F9 d. y: q<?php; o; c1 p% a+ q) i( u4 n* I0 z
phpinfo();
, Y' W) b' D |?>& E/ Q3 F* g, S
在浏览器中访问:" b$ G4 E' ~, H: ]( m8 p
9 [, u6 q+ N2 O; \5 O
http://www.52os.net/phpinfo.php?id=1 正常显示。
) |/ B Y. t. B$ I W' A4 thttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。3 `' Y, @ H3 M0 O% M o4 f: N
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。% o3 G1 x1 [; G% A. H! e6 c" W) c
说明sql注入和xss已经被过滤了
M" |$ S7 {) Z; {# v/ w3 `# G3 M+ d
七、安装过程中排错
: Q$ N, d1 R3 X/ S: z5 s( M6 ?* s7 L0 \ F6 g1 ^
1.缺少APXS会报错% z: \- d) |3 T) B/ r2 D1 d
! X1 B- X7 S9 U3 Z
configure: looking for Apache module support via DSO through APXS0 ]( U h+ N* z% q5 T$ r/ e
configure: error: couldn't find APXS
+ o" ~* s+ Q2 k# Xapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
. p0 E2 V9 t% ?2 A+ F, s8 ]. U解决方法:) n* G' z4 Y2 E
8 I5 f, l [) l: {yum install httpd-devel
7 o5 S' z( }4 H& ^( ^5 {5 D9 S2.没有pcre( D/ P8 W; I2 R/ |8 X0 X3 p
; a/ r; y' ]5 X. l) `8 R2 C
configure: *** pcre library not found.8 c. G) W* s, n! o) z' K% K1 `8 Z
configure: error: pcre library is required
$ T+ \+ h: {$ h1 y/ R; k, U( {解决方法:/ e" {& k8 `* U) H& [- }& a
K' ~% H, v" u3 I* }
yum install pcre pcre-devel
" p3 A! `4 U1 l+ t3.没有libxml2
) b. X- V0 t: d3 @6 M3 P8 q$ U1 M5 K& I; a& x
]$ v; f) h- ]3 ~& }6 Kconfigure: *** xml library not found.
: C! }2 c2 }' H2 y; tconfigure: error: libxml2 is required7 Q$ ~$ B" w/ n% s$ z! I
解决方法:
; T3 S' J @# T! d) j* ?
! {' e, ]" B, M1 Lyum install libxml2 libxml2-devel
6 D5 c: I3 u) h) ` Z6 b4.执行 /opt/tengine/sbin/nginx -m 时有警告) X6 D1 b" k2 K& M: U' S; W$ ]
8 z+ C/ q' o0 ]: z# a
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
, i! P2 Q9 s9 z! O0 `nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
( i {% f% G2 O原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log& ~; g) z& J- H+ N" H2 q0 ^
0 X7 p5 Q8 N* N9 L0 V
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2 @9 ~2 U/ r5 |# G2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
& t# L9 x9 |- i9 C2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!5 x8 H1 T9 }' ~+ ^
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"$ g: A- ^6 B5 C5 i; H9 D
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"8 v. s' {2 m$ A5 g) X
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
1 [9 o" y6 E" O9 U# [1 t解决方法,移除低版本的APR (1.3.9)# ^2 M c. P F& A% Y5 i7 X
4 |: X) u# C+ j0 C
yum remove apr5 }& x S- Y2 F" ^- V. ] X0 ^! z7 N
5.Error.log中有: Audit log: Failed to lock global mutex# l" f. V. Z. Q& l* j2 `
9 w" f/ j. \% m! c2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock $ o( B. X: C& |& V3 w
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
* F6 p3 T# j# Q+ ?9 R解决方法:+ e; B2 E7 B3 {5 T
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:( r5 f) l" E; j' I
2 Z% g% n& \5 H# [4 u1 D
SecAuditLogDirMode 0777
- V8 K7 b( `( p4 E: X0 SSecAuditLogFileMode 0550, t% |0 z" e$ D- C) _
SecAuditLogStorageDir /var/log/modsecurity
2 }# ^# q3 W f! s) z8 WSecAuditLogType Concurrent- z# E4 q( s: y! U; M
参考文章:
v9 B. K$ n9 h) }/ H* o V3 whttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
8 |* {# L7 c) T6 nhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡