ModSecurity started out as an open-source WAF for Apache that noticeably hardens a web deployment; it now also supports Nginx and IIS. Combined with Nginx's flexibility and efficiency it can be turned into a production-grade WAF, a strong tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module is added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and custom rules can of course be written on top of them to cover any specific need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need; a rule file is enabled by Including it from modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of every virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive and lowercase: $document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Load balancing with upstream:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # proxy_pass must name the upstream group defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so a malicious request is answered with 403 straight away. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.
This shows that SQL injection and XSS are being filtered.
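As an added example (not part of the original post), the following Python script replays the three requests from this section against a running instance and reports which ones the WAF blocked, so the check can be repeated after every rule or nginx change. The target URL, the injectable fetch helper and the expected status codes are assumptions; it expects 200 for the benign request and 403 for the two probes, matching the results described above.

```python
"""WAF smoke test for the ModSecurity + Tengine setup described above.

Added example, not part of the original post. It replays the three requests
from the test section against a base URL and checks that the benign request
is served while the SQL-injection and XSS probes are rejected with 403.
The base URL, the fetch helper and the expected status codes are assumptions.
"""
import urllib.error
import urllib.parse
import urllib.request

# (name, query parameters, expected HTTP status): the three requests from the
# test section; the benign request must pass, the two probes must be blocked.
CASES = [
    ("benign",     {"id": "1"},                                  200),
    ("sqli-probe", {"id": "1 and 1=1"},                          403),
    ("xss-probe",  {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base_url, params):
    """Build the test URL; urlencode so the probe reaches the server intact."""
    return base_url + "?" + urllib.parse.urlencode(params)


def http_status(url, timeout=5):
    """Return the HTTP status of a GET; a 4xx/5xx reply is a result, not a failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_smoke_tests(base_url, fetch=http_status):
    """Run every case and return a list of (name, url, got, expected, ok).

    `fetch` is injectable so the logic can be exercised without a live server.
    """
    results = []
    for name, params, expected in CASES:
        url = build_url(base_url, params)
        got = fetch(url)
        results.append((name, url, got, expected, got == expected))
    return results


def all_passed(results):
    """True when every case got the status the WAF is expected to return."""
    return all(r[4] for r in results)


if __name__ == "__main__":
    import sys
    # Hypothetical default target; pass your own base URL as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net/phpinfo.php"
    res = run_smoke_tests(base)
    for name, url, got, expected, ok in res:
        print(f"{'PASS' if ok else 'FAIL'} {name:<11} got={got} expected={expected} {url}")
    sys.exit(0 if all_passed(res) else 1)
```

Run it as `python3 waf_smoke.py http://www.52os.net/phpinfo.php`; a non-zero exit means at least one probe was served instead of blocked (or the benign request was blocked), which is the signal that SecRuleEngine is not On or the Include lines are missing.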
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Solution:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr
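As an added example that is not part of the original post, this Python snippet parses the ModSecurity startup notices quoted above and reports any library whose loaded version differs from the one it was compiled against, so the APR mismatch is caught from error.log right after a restart. The regular expression, the report format and the version-prefix comparison are assumptions; the sample lines are the ones from this section.

```python
"""Check the ModSecurity startup notices in nginx error.log for library
version mismatches (the "Loaded APR do not match with compiled!" case).

Added example, not part of the original post. The sample log lines are the
ones quoted in the troubleshooting section; the parser and its report
format are assumptions.
"""
import re

# Matches e.g.: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
# The "; loaded version=..." part is optional: LIBXML reports only the compiled one.
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>[A-Z]+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)


def version_key(text):
    """Reduce a version string to its leading dotted-numeric part.

    ModSecurity reports PCRE as compiled "7.8 " vs loaded "7.8 2008-09-05";
    those agree, so only the numeric prefix is compared.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return m.group(1) if m else text.strip()


def check_versions(log_lines):
    """Return {lib: (compiled, loaded, ok)} for every library notice found.

    ok is True when the loaded version matches the compiled one, or when the
    log reports no loaded version at all (as for LIBXML in the sample).
    """
    report = {}
    for line in log_lines:
        m = VERSION_RE.search(line)
        if not m:
            continue
        compiled, loaded = m.group("compiled"), m.group("loaded")
        ok = loaded is None or version_key(compiled) == version_key(loaded)
        report[m.group("lib")] = (
            compiled.strip(),
            None if loaded is None else loaded.strip(),
            ok,
        )
    return report


def mismatches(log_lines):
    """Names of libraries whose loaded version differs from the compiled one."""
    return sorted(lib for lib, (_, _, ok) in check_versions(log_lines).items() if not ok)


# Constructed sample: the error.log excerpt quoted in the troubleshooting section.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
""".splitlines()


if __name__ == "__main__":
    import sys
    # Pass the path of error.log as the first argument; otherwise use the sample.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for lib, (compiled, loaded, ok) in check_versions(lines).items():
        print(f"{lib:<7} compiled={compiled!r:<18} loaded={loaded!r:<18} {'OK' if ok else 'MISMATCH'}")
    sys.exit(1 if mismatches(lines) else 0)
```

Run it as `python3 check_versions.py /opt/tengine/logs/error.log` after restarting nginx; it exits non-zero while the APR mismatch is present and returns to zero once the older APR has been removed and the loaded version equals the compiled one.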
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614