Building a WAF with nginx and ModSecurity

Posted 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache httpd and now also supports nginx and IIS. Paired with nginx's flexibility and speed it can be turned into a production-grade WAF, and it is a strong tool for both protecting and auditing web traffic. (The nginx build used here is the ModSecurity 2.x "standalone" module; that approach has since been superseded by libmodsecurity 3.x with the separate ModSecurity-nginx connector, but the 2.x steps below are what this post covers.)

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel (for apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Build ModSecurity with the standalone module

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

With the standalone module built, unpack Tengine and pass the module directory to its configure with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Adding rules

ModSecurity's job is to filter and block dangerous web traffic, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course write custom rules for your own needs.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

(The layout used below, modsecurity_crs_10_setup.conf.example plus base_rules/, experimental_rules/ and so on, belongs to the CRS 2.2.x line. The repository's default branch has since moved to CRS 3.x, which uses crs-setup.conf.example and a single rules/ directory, so use a 2.2.x checkout if you want to follow these paths exactly.)

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. (For a production site it is safer to start with SecRuleEngine DetectionOnly, which logs matches without blocking, tune away the false positives, and only then switch to On.)

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need by adding Include lines for them to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add these two lines to each location that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. The first is a PHP virtual host. Note that it only inspects requests matched by the "location ~ \.php$" block; requests handled by any other location (static files, for instance) bypass ModSecurity unless the two directives are added there as well. Also note that nginx variable names are case-sensitive, so it must be $document_root, not $Document_root.

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

The second is an upstream load balancer; proxy_pass must reference the name given in the upstream block:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://52os.net;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with 403 directly. Using the PHP host as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then request in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that the SQL injection and XSS attempts are being filtered. Remove phpinfo.php again once you are done: it discloses the PHP build, loaded extensions and environment to anyone who can reach it.
: M. J3 y6 b$ @7 M2 D! d1 y
7. Troubleshooting the installation

1) Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure looks for it even for the standalone build.
Fix:

yum install httpd-devel

2) pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4) Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

(yum will also remove everything that depends on that package, httpd and httpd-devel among them, so read the list it shows before confirming.)

5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The underlying problem is that the unprivileged nginx worker processes cannot write to the audit log location. Making the directory world-writable (0777) works around that, but it also lets any local user plant or tamper with files under /var/log/modsecurity; the cleaner fix is to create the directory owned by the worker user with a mode such as 0750 and set SecAuditLogDirMode to match.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614
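The audit-log stanza in troubleshooting step 5 relies on a world-writable directory. Below is the same Concurrent setup with tighter modes, as an added example rather than the post's own configuration. It assumes nginx's workers run as the user nginx (adjust to whatever the "user" directive in nginx.conf says); SecAuditLog, which the post comments out, stays out here too.

```apache
# modsecurity.conf, audit-log section (added example; the post's stanza with safer modes).
# Create the directory tree once, owned by the worker user, before reloading nginx:
#   mkdir -p /var/log/modsecurity/audit
#   chown -R nginx:nginx /var/log/modsecurity
#   chmod 0750 /var/log/modsecurity /var/log/modsecurity/audit
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsecurity/audit
SecAuditLogDirMode 0750
SecAuditLogFileMode 0640
```

With Concurrent logging each transaction is written to its own file under the storage directory, so the worker only needs to own that tree; SecAuditEngine RelevantOnly together with the status pattern keeps the volume down to 5xx and non-404 4xx responses, which is what you want to review after a 403 from the rules in section 6.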
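Once the WAF is blocking (section 6) you need to read what it writes to error.log (the format in section 7). The script below is an added example, not code from the post or from ModSecurity: it parses ModSecurity 2.x entries out of nginx's error.log and separates blocked requests from rule warnings and from engine problems such as the audit-log mutex error, counting blocks per rule and per client. The lines in SAMPLE_LOG are constructed to match the error.log format the post shows, using the test requests from section 6; the rule ids and file line numbers in them are illustrative.

```python
"""Triage ModSecurity 2.x (nginx standalone module) entries in nginx's error.log.

Added example, not from the original post. SAMPLE_LOG is constructed.
"""
import re
from collections import Counter

# One [key "value"] pair. Values may contain \" escapes, which ModSecurity emits
# when the matched data itself contains a double quote.
KV_RE = re.compile(r'\[([A-Za-z_]+) "((?:[^"\\]|\\.)*)"\]')

# nginx error-log prefix, an optional "[client ip]" (absent on engine-level
# messages such as the APR/PCRE version notices), then the ModSecurity body.
HEAD_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \S+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<body>.*)$'
)

# Constructed sample: two blocks from the post's test URLs, a non-blocking
# warning, one unrelated nginx error, a second tautology block, and the
# audit-log mutex error from troubleshooting step 5.
SAMPLE_LOG = r'''
2017/10/19 16:53:31 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.5.0"
2017/10/19 16:54:02 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:and\s+\d+\s*=\s*\d+)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: and 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2017/10/19 16:54:09 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "31"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script found within ARGS:search: <script>alert(\"xss\");</script>"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2017/10/19 16:55:10 [error] 29036#0: *17 open() "/web/wordpress/favicon.ico" failed (2: No such file or directory), client: 10.11.15.161, server: 52os.net, request: "GET /favicon.ico HTTP/1.1"
2017/10/19 16:56:44 [error] 29036#0: [client 192.168.1.50] ModSecurity: Warning. Pattern match "..." at ARGS:q. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "www.52os.net"] [uri "/search.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2017/10/19 16:57:01 [error] 29036#0: [client 192.168.1.50] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:and\s+\d+\s*=\s*\d+)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: and 2=2 found within ARGS:id: 5 and 2=2"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]
2017/10/19 16:58:30 [error] 29036#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
'''


def parse_entry(line):
    """Parse one error.log line; return None for lines that are not ModSecurity's."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    fields = {k: v.replace('\\"', '"') for k, v in KV_RE.findall(body)}
    if body.startswith("Access denied"):
        action = "block"        # request was denied (SecRuleEngine On)
    elif body.startswith("Warning."):
        action = "warn"         # rule matched but did not block (DetectionOnly or pass)
    else:
        action = "engine"       # startup notices, audit-log failures and similar
    code = re.search(r"Access denied with code (\d+)", body)
    return {
        "time": m.group("ts"),
        "level": m.group("level"),
        "client": m.group("client") or "",
        "action": action,
        "status": int(code.group(1)) if code else None,
        "rule_id": fields.get("id", ""),
        # engine messages carry no [msg ...]; keep the body minus the bracketed fields
        "msg": fields.get("msg") or KV_RE.sub("", body).strip(),
        "data": fields.get("data", ""),
        "uri": fields.get("uri", ""),
        "unique_id": fields.get("unique_id", ""),
    }


def summarize(lines):
    """Split parsed entries into blocks, warnings and engine errors, with block counts."""
    events = [e for e in (parse_entry(l) for l in lines) if e]
    blocked = [e for e in events if e["action"] == "block"]
    return {
        "events": events,
        "blocked": blocked,
        "blocked_by_rule": Counter(e["rule_id"] for e in blocked),
        "blocked_by_client": Counter(e["client"] for e in blocked),
        "warnings": [e for e in events if e["action"] == "warn"],
        "engine_errors": [e for e in events
                          if e["action"] == "engine" and e["level"] == "error"],
    }


if __name__ == "__main__":
    # Real use: summarize(open("/opt/tengine/logs/error.log"))
    s = summarize(SAMPLE_LOG.strip().splitlines())
    print("blocked by rule:  ", dict(s["blocked_by_rule"]))
    print("blocked by client:", dict(s["blocked_by_client"]))
    for e in s["warnings"]:
        print("warn  ", e["client"], e["uri"], e["rule_id"], e["msg"])
    for e in s["engine_errors"]:
        print("engine", e["time"], e["msg"])
```

Warnings are what you read while tuning under DetectionOnly (they become blocks once the engine is switched to On), and error-level engine entries are what you read when the WAF itself is broken, as in troubleshooting step 5; keeping the three apart is the point of the script.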
Forum: 第一站论坛