ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF, a strong tool for both protecting and auditing web traffic.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone build has finished, pass the module to nginx's configure with "--add-module" (the path below is where modsecurity-2.8.0 was unpacked):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Adding rules

ModSecurity's job is to filter and block dangerous web requests, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and comprehensive, and you can of course write custom rules on top of them to cover your own needs.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. (The recommended file ships with DetectionOnly, which logs matches without blocking anything; it is worth leaving it that way on real traffic first and only switching to On once error.log shows no false positives.)

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by Include-ing the rule files in modsecurity.conf. The setup file comes first, because the other rule files depend on the settings it defines:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
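As an added example (not from the original article and not part of the CRS), here is a local rules file showing how a custom rule and a per-path exception sit alongside the CRS includes above. The file name, the rule ids (CRS convention leaves 1-99999 free for local rules), the "file" parameter name, the /wp-admin/post.php path and the tag name are assumptions made for this illustration; check the tag against the XSS rule file you actually included.

```apache
# /opt/tengine/conf/modsecurity_local.conf (assumed name). Pull it in from
# modsecurity.conf with:   Include modsecurity_local.conf
# placed AFTER the CRS Include lines, so it can override and tune them.

# Start in detection mode on real traffic: matches are written to error.log
# but nothing is blocked. Switch to On once the log is clean.
SecRuleEngine DetectionOnly

# Custom rule: reject directory traversal in a "file" parameter (assumed name).
# t:urlDecodeUni runs before the match, so %2e%2e%2f is caught as well as a
# literal ../ ; t:none first discards any default transformations.
SecRule ARGS:file "@contains ../" \
    "id:10001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,\
    msg:'Directory traversal attempt in file parameter'"

# Per-path exception: the WordPress post editor legitimately submits HTML,
# which trips the CRS XSS rules. Disable only those rules, only for this
# path, and only for the current request (ctl: is per transaction). The tag
# must match the one used in the XSS rule file you included (WEB_ATTACK/XSS
# in CRS 2.2.x).
SecRule REQUEST_URI "@beginsWith /wp-admin/post.php" \
    "id:10002,phase:1,t:none,pass,nolog,ctl:ruleRemoveByTag=WEB_ATTACK/XSS"
```

Run /opt/tengine/sbin/nginx -t after editing: ModSecurity parses its configuration when nginx loads it, so a syntax error in a rule should surface there rather than at the first request.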
5. Configure nginx

Add the following two lines inside the location of each host that should be protected:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Note that only requests routed to that location are inspected; anything served by another location bypasses the WAF, so put the directives where all application traffic passes through.

Below are two example configurations. First a PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
And a load-balancing upstream:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # the upstream block name must match what proxy_pass references
        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, a malicious request is answered directly with 403. Taking the PHP setup as the example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS rules are filtering requests. Delete phpinfo.php afterwards: it discloses the PHP configuration and server environment to anyone who can reach it.
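A 403 tells you that something blocked the request, not which rule did. The entry ModSecurity writes to nginx's error.log carries that detail as bracketed key/value fields. The parser below is an added example, not part of the article or of ModSecurity itself: it reads those entries, counts blocks per rule, client and URI, and keeps engine errors (such as the mutex error shown in the troubleshooting section) separate, which is what you want when deciding whether a rule needs tuning. The sample log text is constructed for this example: the first line is the mutex entry quoted in the article, the two "Access denied" lines are illustrative and their rule ids, file line numbers, unique_ids and client address are invented.

```python
import re
from collections import Counter

# Constructed sample in ModSecurity 2.x error-log format. Line 1 is the mutex
# entry quoted in the article; the two "Access denied" lines are illustrative
# (rule ids, line numbers, unique_ids and client address are invented). The
# last line is a plain nginx notice, to show non-ModSecurity lines are skipped.
SAMPLE_LOG = """\
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 05:01:10 [error] 61610#0: [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\band\\b ?\\d+ ?= ?\\d+)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "VMXXXXXXXXXXXXXXXXXXXXXX"]
2015/01/26 05:02:33 [error] 61610#0: [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "31"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "<script>alert('xss');</script>"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "VMYYYYYYYYYYYYYYYYYYYYYY"]
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
"""

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"], value may contain \" escapes
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')             # [client 1.2.3.4] has no quotes
DENIED_RE = re.compile(r'Access denied with code (\d+) \(phase (\d)\)')
HEAD_RE = re.compile(r'^(\S+ \S+) \[(\w+)\] ')             # "2015/01/26 04:15:42 [error] "


def parse_entry(line):
    """Parse one nginx error.log line written by ModSecurity.

    Returns a dict with the timestamp, log level, client address, the HTTP
    status used to deny the request (None for engine errors that did not deny
    anything), the free-text message and the bracketed fields; returns None
    for lines that did not come from ModSecurity."""
    if "ModSecurity:" not in line:
        return None
    head = HEAD_RE.match(line)
    client = CLIENT_RE.search(line)
    denied = DENIED_RE.search(line)
    msg_start = line.index("ModSecurity:") + len("ModSecurity:")
    # the free-text part ends where the trailing [key "value"] fields begin
    first_field = FIELD_RE.search(line, msg_start)
    msg_end = first_field.start() if first_field else len(line)
    return {
        "time": head.group(1) if head else None,
        "level": head.group(2) if head else None,
        "client": client.group(1) if client else None,
        "denied_code": int(denied.group(1)) if denied else None,
        "phase": int(denied.group(2)) if denied else None,
        "message": line[msg_start:msg_end].strip(),
        "fields": dict(FIELD_RE.findall(line)),
    }


def summarize(log_text):
    """Count denied requests per (rule id, msg), per client and per URI, and
    collect engine errors (ModSecurity entries that denied nothing) separately."""
    by_rule, by_client, by_uri = Counter(), Counter(), Counter()
    engine_errors = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        if entry["denied_code"] is None:
            engine_errors.append(entry)
            continue
        f = entry["fields"]
        by_rule[(f.get("id", "?"), f.get("msg", ""))] += 1
        by_client[entry["client"]] += 1
        by_uri[f.get("uri", "?")] += 1
    return {"by_rule": by_rule, "by_client": by_client,
            "by_uri": by_uri, "engine_errors": engine_errors}


def format_report(summary):
    """Render the summary as text; rules that fire most often on normal traffic
    are the first candidates for tuning."""
    lines = ["Denied requests by rule:"]
    for (rule_id, msg), n in summary["by_rule"].most_common():
        lines.append(f"  {n:4d}  id={rule_id}  {msg}")
    lines.append("Denied requests by client:")
    for client, n in summary["by_client"].most_common():
        lines.append(f"  {n:4d}  {client}")
    lines.append(f"Engine errors (not request blocks): {len(summary['engine_errors'])}")
    for e in summary["engine_errors"]:
        lines.append(f"  {e['time']}  {e['message']}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # usage: python modsec_log_report.py /opt/tengine/logs/error.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(format_report(summarize(text)))
```

Point it at the error.log of the Tengine instance after running the three test URLs above and you will see one line per rule that fired, plus the client and URI counts; the same report run over a day of normal traffic is the quickest way to spot a rule that needs an exception before switching SecRuleEngine from DetectionOnly to On.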
7. Troubleshooting the installation

1) APXS is missing:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. The standalone ModSecurity build needs it even though Apache itself will never run here. Fix:

yum install httpd-devel

2) pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4) /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against is not the one the dynamic loader picks up at runtime. error.log reports the same mismatch:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Be aware that yum removes every package that depends on apr as well (httpd among them), so check the list it prints before confirming. The alternative is to make sure the 1.5.0 library the module was linked against is the one the loader finds first, via ldconfig or LD_LIBRARY_PATH in the nginx start script.
5) error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Cause: the default serial audit log is guarded by a global mutex that the master process creates as root, and the unprivileged worker processes cannot lock it. Fix: switch to concurrent logging (one file per transaction, no shared lock) by editing modsecurity.conf, commenting out the default SecAuditLogType and SecAuditLog, and adding:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The storage directory has to be writable by the user the nginx workers run as. 0777 achieves that, but it also lets every local user write to and read the audit logs, which contain full requests and responses; a directory owned by the worker user with SecAuditLogDirMode 0750 and SecAuditLogFileMode 0640 is the safer choice.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614