ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF, and it is a powerful tool both for protecting web applications and for auditing what they receive.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr (httpd-devel is needed for apxs even though we only build the standalone module):

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build has finished, the module is added to nginx at configure time with --add-module (the path is the nginx/modsecurity directory inside the ModSecurity source tree):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity's purpose is to filter and block dangerous web traffic, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and comprehensive, and you can of course write custom rules for anything they do not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches without blocking anything; with a freshly deployed rule set it is worth running in that mode first and reviewing the log for false positives before switching to On, otherwise legitimate traffic may start receiving 403s.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include for each file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
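As an added example (not from the original post), here is what a modsecurity.conf built along these lines can look like once the staged rollout and site-specific tuning are taken into account. The directives are standard ModSecurity 2.x ones; the file name local_exclusions.conf, the rule id 973300, the parameter ARGS:content and the monitoring address 192.168.1.250 are placeholders chosen for illustration and must be replaced with the rule id and parameter found in your own log.

```apacheconf
# ---- /opt/tengine/conf/modsecurity.conf (excerpt, added example) ----

# Stage 1: log only. Matches are written to the audit log, nothing is blocked.
SecRuleEngine DetectionOnly
# Stage 2: once the audit log has been reviewed and tuned, switch to blocking.
# SecRuleEngine On

# Inspect request bodies too, otherwise POST payloads are never seen.
SecRequestBodyAccess On

# Audit only transactions that were blocked or errored (from modsecurity.conf-recommended).
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# One file per transaction: no shared lock between nginx worker processes.
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsecurity

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf

# Site-specific tuning lives in its own file, included AFTER the CRS so that
# SecRuleRemoveById / SecRuleUpdateTargetById can find the rules they modify.
Include local_exclusions.conf

# ---- /opt/tengine/conf/local_exclusions.conf (added example) ----

# Hypothetical false positive: the CMS editor legitimately posts HTML in the
# "content" parameter, so exclude only that parameter from one XSS rule
# instead of disabling the rule for the whole site.
# (rule id and parameter name are placeholders; take the real ones from the log)
SecRuleUpdateTargetById 973300 "!ARGS:content"

# Let an internal health checker through without inspection.
# Every rule needs a unique id in ModSecurity 2.7+; 900001 is a local choice.
SecRule REMOTE_ADDR "@ipMatch 192.168.1.250" "id:900001,phase:1,nolog,allow,ctl:ruleEngine=Off"
```

Ordering matters: SecRuleUpdateTargetById and SecRuleRemoveById act on rules that must already have been loaded, which is why the exclusions file comes last. The same Include set is used in both stages, so moving from DetectionOnly to On is a one-line change once the log is clean.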
V. Configure nginx

Add the following two lines to the location block of every virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. Note that only requests handled by a location carrying these two directives are inspected: in the PHP example below that means requests routed to PHP-FPM, while static files served from elsewhere bypass the WAF. A PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    root /web/wordpress;
    index index.php index.html index.htm;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
A load-balancing upstream (the upstream name and the proxy_pass target must match):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so malicious requests are rejected with a 403. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This confirms that the SQL injection and XSS rules are active. Remove phpinfo.php once you are done: it discloses the PHP version, loaded modules, file paths and environment to anyone who can reach it.
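A browser check only tells you that a 403 came back; it does not tell you that ModSecurity produced it, or which rule fired. The script below is an added example, not part of the original post: it sends the three probes with curl using hand-encoded payloads so the bytes on the wire are reproducible, then summarises the "Access denied" entries in nginx's error.log by rule id. It assumes the host name and phpinfo.php from this article, the default Tengine error log under /opt/tengine/logs, and the ModSecurity 2.x error-log format; the log excerpt embedded in it is constructed for illustration and its rule ids are illustrative.

```shell
#!/bin/sh
# WAF smoke test for the Tengine + ModSecurity setup described above.
# Added example, not part of the original post. Assumes the host name and
# phpinfo.php from the article and the ModSecurity 2.x error-log format.
#
# Usage: sh waf-check.sh http://www.52os.net [/opt/tengine/logs/error.log]

# HTTP status code for one URL (200, 403, ... or 000 when the connection fails).
http_code() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# PASS when the observed status matches the expected one, otherwise FAIL.
verdict() {
    if [ "$1" = "$2" ]; then echo PASS; else echo FAIL; fi
}

# The three probes from the article. Payloads are URL-encoded by hand so the
# exact bytes are reproducible instead of depending on what a browser sends.
# Output, one line per probe: name expected actual verdict
run_probes() {
    base=${1%/}
    printf '%s\n' \
        "benign 200 phpinfo.php?id=1" \
        "sqli 403 phpinfo.php?id=1%20and%201%3D1" \
        "xss 403 phpinfo.php?search=%3Cscript%3Ealert(1)%3C%2Fscript%3E" |
    while read -r name expected path; do
        actual=$(http_code "$base/$path")
        echo "$name $expected $actual $(verdict "$expected" "$actual")"
    done
}

# Summarise ModSecurity denials in an nginx error.log read on stdin.
# Only "Access denied" entries count: in DetectionOnly mode the same match is
# logged as "ModSecurity: Warning." and nothing is blocked.
# Output: "<count> <rule id> <uri>", most frequent first.
summarize_denials() {
    grep 'ModSecurity: Access denied' |
    sed -n 's/.*\[id "\([0-9]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \2/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2, $3 }'
}

# Constructed error.log excerpt (not real captured output) showing two blocked
# probes, one DetectionOnly warning and a repeat; rule ids are illustrative.
sample_log() {
    printf '%s\n' \
        '2015/01/26 04:20:01 [notice] 61610#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.' \
        '2015/01/26 04:20:05 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "and 1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]' \
        '2015/01/26 04:20:06 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "31"] [id "973335"] [msg "IE XSS Filters - Attack Detected"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]' \
        '2015/01/26 04:20:09 [error] 61610#0: [client 10.11.15.162] ModSecurity: Warning. Pattern match "and 1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [hostname "www.52os.net"] [uri "/index.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]' \
        '2015/01/26 04:20:12 [error] 61610#0: [client 10.11.15.163] ModSecurity: Access denied with code 403 (phase 2). Pattern match "and 1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]'
}

# Only run against a live server when a base URL is given on the command line.
if [ $# -ge 1 ]; then
    run_probes "$1"
    log=${2:-/opt/tengine/logs/error.log}
    if [ -r "$log" ]; then
        echo "--- ModSecurity denials by rule id (from $log) ---"
        summarize_denials < "$log"
    fi
fi
```

A FAIL on the benign probe after switching SecRuleEngine to On is the false-positive case the DetectionOnly stage is meant to catch; the rule id in the summary is what goes into the exclusion (SecRuleRemoveById or SecRuleUpdateTargetById), so keep the log rather than just the status codes.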
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server, compiling one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when only the standalone module is being built.

Fix:

yum install httpd-devel
2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel
3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the two versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9). yum will also remove every package that depends on that apr, including httpd and httpd-devel, so review the transaction it proposes before confirming:

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

The serial audit log is protected by a global mutex, and the nginx worker processes, which run as the unprivileged user from the user directive, cannot lock it. Concurrent audit logging writes one file per transaction into a per-day directory tree and needs no shared lock.

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

/var/log/modsecurity must exist and be writable by the worker user. Audit logs contain full request headers and bodies (cookies, session tokens, submitted credentials), so SecAuditLogDirMode 0777 is wider than it needs to be: a directory owned by the worker user with a mode such as 0750 is sufficient and keeps other local users out of the logs.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614