ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre httpd-devel libxml2 apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download modsecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at compile time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover any particular need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; a rule file is enabled by pulling it in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
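Two things go wrong most often at this step: an Include that points at a file that does not exist (for example when the .example rename above was skipped), and a modsecurity.conf that still has the DetectionOnly engine mode shipped in modsecurity.conf-recommended, which logs but never blocks. The script below is an added example, not code from the post or from the ModSecurity project; it generates the Include lines for a chosen set of rule files, refuses to emit them if any file is missing, and checks the SecRuleEngine value. The CONF_DIR path is the one the post uses and is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Generates CRS Include lines only
# when every rule file exists, and checks that SecRuleEngine is set to On.
# CONF_DIR is the nginx conf directory the post uses (assumption).

# Print one "Include <crs_subdir>/<rule>" line per rule file.
# Returns the number of rule files that do not exist under <conf_dir>.
# Usage: gen_crs_includes <conf_dir> <crs_subdir> <rule_file>...
gen_crs_includes() {
    conf_dir=$1; crs_subdir=$2; shift 2
    missing=0
    for rule in "$@"; do
        if [ -f "$conf_dir/$crs_subdir/$rule" ]; then
            echo "Include $crs_subdir/$rule"
        else
            echo "MISSING: $conf_dir/$crs_subdir/$rule" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Print the value of a ModSecurity directive (first uncommented match).
# Usage: modsec_directive <conf_file> <DirectiveName>
modsec_directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Succeeds only when SecRuleEngine is On. modsecurity.conf-recommended ships
# with DetectionOnly, which logs matches but lets the request through.
rule_engine_blocking() {
    [ "$(modsec_directive "$1" SecRuleEngine)" = "On" ]
}

# Stand-alone usage: sh crs_includes.sh --apply
if [ "${1:-}" = "--apply" ]; then
    CONF_DIR=/opt/tengine/conf
    inc=$(gen_crs_includes "$CONF_DIR" owasp-modsecurity-crs \
        modsecurity_crs_10_setup.conf \
        base_rules/modsecurity_crs_41_sql_injection_attacks.conf \
        base_rules/modsecurity_crs_41_xss_attacks.conf \
        base_rules/modsecurity_crs_40_generic_attacks.conf) \
        || { echo "fix the missing rule files before reloading nginx" >&2; exit 1; }
    printf '%s\n' "$inc" >> "$CONF_DIR/modsecurity.conf"
    rule_engine_blocking "$CONF_DIR/modsecurity.conf" \
        || echo "warning: SecRuleEngine is not On; rules will only log" >&2
fi
```

Run it with --apply after the rename step; without the flag it only defines the functions, so it can be sourced from other scripts.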
V. Configure nginx

Add the following two lines to the location block of any virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so malformed requests are answered directly with a 403. Taking a PHP environment as the example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
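Checking those three URLs by hand once is fine, but the rule set silently stops blocking whenever someone flips SecRuleEngine back to DetectionOnly or drops an Include during a later edit. The script below is an added example (not from the post) that turns the post's manual check into a repeatable smoke test: it sends the same three requests with curl and compares the status codes. The benign request is part of the test on purpose, since a WAF that answers 403 to everything would otherwise look healthy. The base URL is an argument; curl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): repeatable WAF smoke test that
# replays the post's three manual requests and compares HTTP status codes.
# Assumes curl is installed; the base URL is passed as the first argument.

# Return the HTTP status code for a GET of $1 (body discarded).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# Compare the status of one URL with the expected code; prints PASS/FAIL
# and returns 1 on a mismatch.
expect_status() {
    url=$1; want=$2
    got=$(http_status "$url")
    if [ "$got" = "$want" ]; then
        echo "PASS $want $url"
    else
        echo "FAIL want=$want got=$got $url"
        return 1
    fi
}

# Run the three checks from the post against a base URL.
# Returns the number of failed checks (0 when the WAF behaves as expected).
waf_smoke_test() {
    base=$1; fails=0
    # the benign request must still succeed
    expect_status "$base/phpinfo.php?id=1" 200 || fails=$((fails + 1))
    # the two requests the post expects the CRS to block (percent-encoded)
    expect_status "$base/phpinfo.php?id=1%20and%201=1" 403 || fails=$((fails + 1))
    expect_status "$base/phpinfo.php?search=%3Cscript%3Ealert('xss')%3C/script%3E" 403 || fails=$((fails + 1))
    return "$fails"
}

# Stand-alone usage: sh waf_smoke.sh http://www.52os.net
if [ -n "${1:-}" ]; then
    waf_smoke_test "$1"
fi
```

Wire it into the deployment step that reloads nginx: a non-zero exit means the rules are not blocking and the reload should be investigated before traffic is trusted to it.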
VII. Troubleshooting during installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614