ModSecurity started out as an open-source WAF for Apache that noticeably hardens web applications; it now also supports Nginx and IIS. Combined with the flexibility and performance of Nginx it can be built into a production-grade WAF, and it is a strong tool for both protecting and auditing web traffic.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (Nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build it

Download ModSecurity for Nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to Nginx

Once the standalone module has been built, pass it to the Nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can of course write custom rules to cover any further needs.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the Nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by pulling them in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure Nginx

In the location block of each virtual host that should be protected, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

# the upstream name has to match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection filters enabled, malicious requests are rejected with a 403 straight away. Taking the PHP environment as an example, create phpinfo.php with this content:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
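The three browser checks above are worth scripting so they run after every rule change. The script below is an added example, not code from the tutorial or from ModSecurity: it builds the same three probe URLs against a base URL given on the command line (the tutorial's http://www.52os.net/phpinfo.php is only the default), percent-encodes the payloads the way a browser would, treats the 403 that urllib raises as an HTTPError as a normal observation, and compares each status with the expected one. The fetch function is a parameter so the decision logic can be exercised against a stand-in without a running server.

```python
"""WAF smoke test for the probes in the tutorial's testing section (added example)."""
import urllib.error
import urllib.parse
import urllib.request

# Probes from the testing section: (query parameters, expected status).
# These are the tutorial's own payloads used to confirm the CRS rules fire.
PROBES = [
    ({"id": "1"}, 200),
    ({"id": "1 and 1=1"}, 403),
    ({"search": "<script>alert('xss');</script>"}, 403),
]


def probe_urls(base_url):
    """Build the probe URLs with proper percent-encoding. A browser encodes the
    space and the angle brackets for you; a hand-written client must do it
    itself, otherwise the request line is malformed before the WAF sees it."""
    return [(base_url + "?" + urllib.parse.urlencode(params), expected)
            for params, expected in PROBES]


def http_status(url, timeout=5):
    """Return the HTTP status of a GET. urllib raises HTTPError on 4xx/5xx,
    and a 403 from ModSecurity is exactly the result we want to record."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_probes(base_url, fetch=http_status):
    """Run every probe; return (all_ok, report) where report holds
    (url, expected, got, ok) tuples."""
    report = []
    for url, expected in probe_urls(base_url):
        got = fetch(url)
        report.append((url, expected, got, got == expected))
    return all(entry[3] for entry in report), report


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net/phpinfo.php"
    all_ok, report = run_probes(base)
    for url, expected, got, ok in report:
        print("%s %s expected %d got %d" % ("PASS" if ok else "FAIL", url, expected, got))
    sys.exit(0 if all_ok else 1)
```

A non-zero exit code means at least one probe did not get the expected status, which is what you want from a check wired into a deployment pipeline: a benign request that is blocked is as much a failure as an attack that gets through.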
7. Troubleshooting the installation

1) Missing APXS gives this error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2) pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4) A warning when running /opt/tengine/sbin/nginx -m:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5) error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
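Two of the steps in this guide fail silently when they go wrong: forgetting to rename modsecurity_crs_10_setup.conf.example (section 4, adding rules) and the audit-log storage directory in this item. The preflight script below is an added example, not part of the tutorial or of ModSecurity. It reads modsecurity.conf, resolves each Include relative to the Nginx conf directory (the layout this tutorial uses; that resolution rule is an assumption of the script), reports Include targets that are missing or still carry the .example suffix, checks that SecRuleEngine is On, and, when SecAuditLogType is Concurrent, checks that SecAuditLogStorageDir exists and is writable by the user running the script. build_demo() creates a constructed conf directory that contains both mistakes so the check can be seen working offline.

```python
"""Preflight check for a ModSecurity-for-Nginx configuration (added example)."""
import glob
import os
import tempfile


def parse_directives(text):
    """Return (directive, argument) pairs from ModSecurity config text, skipping
    blank and '#' comment lines and joining backslash continuations (multi-line
    SecRules) so that each directive becomes a single pair."""
    pairs, pending = [], ""
    for raw in text.splitlines():
        line = (pending + " " + raw.strip()).strip() if pending else raw.strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        name, _, arg = line.partition(" ")
        pairs.append((name, arg.strip()))
    if pending:
        name, _, arg = pending.partition(" ")
        pairs.append((name, arg.strip()))
    return pairs


def check_config(conf_dir, conf_name="modsecurity.conf"):
    """Return a list of problem strings; an empty list means no problem found."""
    path = os.path.join(conf_dir, conf_name)
    if not os.path.isfile(path):
        return ["%s not found" % path]
    with open(path) as handle:
        directives = parse_directives(handle.read())
    problems, values = [], {}
    for name, arg in directives:
        if name != "Include":
            values[name] = arg          # last occurrence wins, as in ModSecurity
            continue
        # Assumption: relative Include paths resolve against the conf directory,
        # which is where this tutorial places owasp-modsecurity-crs.
        target = arg if os.path.isabs(arg) else os.path.join(conf_dir, arg)
        if any(ch in arg for ch in "*?"):
            if not glob.glob(target):
                problems.append("Include pattern matches nothing: %s" % arg)
        elif not os.path.exists(target):
            hint = " (only the .example file exists; rename it)" if os.path.exists(target + ".example") else ""
            problems.append("Include target missing: %s%s" % (arg, hint))
    engine = values.get("SecRuleEngine", "")
    if engine.lower() != "on":
        # Off and DetectionOnly both log at most; neither blocks anything.
        problems.append("SecRuleEngine is %r, rules will not block" % (engine or "unset"))
    if values.get("SecAuditLogType", "").lower() == "concurrent":
        audit_dir = values.get("SecAuditLogStorageDir")
        if not audit_dir:
            problems.append("SecAuditLogType Concurrent without SecAuditLogStorageDir")
        elif not os.path.isdir(audit_dir):
            problems.append("SecAuditLogStorageDir does not exist: %s" % audit_dir)
        elif not os.access(audit_dir, os.W_OK):
            problems.append("SecAuditLogStorageDir not writable by this user: %s" % audit_dir)
    return problems


def build_demo():
    """Create a constructed conf directory mirroring the tutorial layout with two
    deliberate mistakes (unrenamed .example file, SecRuleEngine DetectionOnly),
    run check_config on it and return the problems found."""
    conf_dir = tempfile.mkdtemp(prefix="modsec-demo-")
    crs_dir = os.path.join(conf_dir, "owasp-modsecurity-crs")
    os.makedirs(os.path.join(crs_dir, "base_rules"))
    open(os.path.join(crs_dir, "modsecurity_crs_10_setup.conf.example"), "w").close()
    open(os.path.join(crs_dir, "base_rules", "modsecurity_crs_41_sql_injection_attacks.conf"), "w").close()
    audit_dir = os.path.join(conf_dir, "auditlog")
    os.mkdir(audit_dir)
    with open(os.path.join(conf_dir, "modsecurity.conf"), "w") as handle:
        handle.write("SecRuleEngine DetectionOnly\n")
        handle.write("SecAuditLogType Concurrent\n")
        handle.write("SecAuditLogStorageDir %s\n" % audit_dir)
        handle.write("Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf\n")
        handle.write("Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf\n")
    return check_config(conf_dir)


if __name__ == "__main__":
    import sys
    found = check_config(sys.argv[1]) if len(sys.argv) > 1 else build_demo()
    for problem in found:
        print("PROBLEM:", problem)
    print("ok" if not found else "%d problem(s)" % len(found))
```

Run it as the Nginx worker user with the conf directory as the argument (for this tutorial, /opt/tengine/conf) so the writability test reflects the account that actually writes the audit log; with no argument it runs the constructed demo and reports the two planted mistakes. The script only tells you whether the directory can be written, not whether its mode is tighter than it needs to be; SecAuditLogDirMode 0777 as set above makes the directory world-writable, so the check passes for any local user.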
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614