ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs/

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module is added when nginx is compiled, via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover your own requirements.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling each in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines under the location of any virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the name used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, malformed requests get a 403 straight away. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
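As an added example (not part of the original post), here is a small Python parser for the ModSecurity lines nginx writes to error.log: it flags the compiled/loaded library mismatch behind the warning in item 4 and turns [error]-level entries like the one in item 5 into structured records. The sample log is constructed from the lines quoted above.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the error.log excerpts quoted above (one entry per line).
SAMPLE_ERROR_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# 'ModSecurity: <LIB> compiled version="x"; loaded version="y"' (the loaded part is optional)
VERSION_RE = re.compile(r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
                        r'(?:; loaded version="(?P<loaded>[^"]*)")?')
# nginx error.log prefix, optional [client ...], then the ModSecurity message
ENTRY_RE = re.compile(r'^(?P<time>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: '
                      r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<msg>.*)$')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # trailing [key "value"] pairs


def version_mismatches(log: str) -> List[Dict[str, str]]:
    """Libraries whose compiled and loaded versions differ (the cause of the APR warning)."""
    # PCRE's loaded string also carries a build date ("7.8 2008-09-05"); compare the leading token only.
    found = []
    for line in log.splitlines():
        m = VERSION_RE.search(line)
        if m and m.group("loaded") is not None:
            compiled = (m.group("compiled").split() or [""])[0]
            loaded = (m.group("loaded").split() or [""])[0]
            if compiled != loaded:
                found.append({"lib": m.group("lib"), "compiled": compiled, "loaded": loaded})
    return found


def parse_modsec_errors(log: str) -> List[Dict[str, str]]:
    """Flatten [error]-level ModSecurity entries into dicts for alerting or SIEM ingestion.
    Bracketed fields (hostname, uri, unique_id; for rule hits also id, msg, severity)
    become keys; what remains of the message is kept under "message"."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if not m or m.group("level") != "error":
            continue
        entry = {k: v for k, v in m.groupdict().items() if v is not None}
        msg = entry.pop("msg")
        entry.update(FIELD_RE.findall(msg))
        entry["message"] = FIELD_RE.sub("", msg).strip()
        entries.append(entry)
    return entries
```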