ModSecurity started out as an open-source WAF for Apache. It materially improves web security, now also supports nginx and IIS, and combined with the flexibility and performance of nginx it can be built into a production-grade WAF that both protects and audits web traffic.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel (it provides apxs, which the ModSecurity build requires even though Apache itself will never run), libxml2 and apr. Install apr and apr-devel from the same repository, so that the headers used at build time match the shared library loaded at run time (see item 4 of the troubleshooting section):

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

There is no make install at this step: the standalone build only produces the objects that the nginx build picks up in the next section.
III. Add the ModSecurity module to nginx

Once the standalone module has been built, add it to the Tengine (nginx) build with "--add-module" (the path below assumes the ModSecurity tarball was extracted under /root; adjust it to wherever you unpacked it):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Adding rules

ModSecurity is built to filter and block web attacks, and its strength comes from its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and thorough. Custom rules can of course be written as well to cover local requirements.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. (The recommended file ships with DetectionOnly, which evaluates and logs the rules without blocking anything; that is the safer setting for a first rollout on live traffic, switching to On once the logs have been reviewed for false positives.)

owasp-modsecurity-crs contains several directories of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include directives to modsecurity.conf. modsecurity_crs_10_setup.conf must be included first, because it defines the default action and the transaction variables the other rule files rely on; the experimental DoS-protection and brute-force rules also read their thresholds from the (commented-out) SecAction blocks in that setup file, so set those before enabling them. If ModSecurity cannot find a file given by a relative path, use absolute paths (/opt/tengine/conf/owasp-modsecurity-crs/...).

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
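The Include list enables rules but says nothing about rolling them out safely or tuning them. Below is an added example, not from the original post or from the CRS project, of what the tail of modsecurity.conf looks like for a first rollout: detection-only mode, absolute Include paths, a targeted exclusion for a known false positive, and one custom rule. It assumes the /opt/tengine/conf layout used in this post. The ids 1000001 and 1000002 are arbitrary local rule ids (ModSecurity 2.7 and later require every rule to carry one); 973336 and 981173 are CRS 2.2.x rule ids used here for illustration, and /wp-admin/post.php with its "content" argument is an assumed WordPress path.

```apache
# --- added example: tail of /opt/tengine/conf/modsecurity.conf ---

# Evaluate and log every rule without blocking. Matches show up in error.log
# as "ModSecurity: Warning. ..." instead of "Access denied with code 403".
# Change to On once real traffic has produced no false positives.
SecRuleEngine DetectionOnly

# Absolute paths leave no doubt which directory a relative Include would be
# resolved against. The setup file must come first: it defines the
# SecDefaultAction and transaction variables the rule files depend on.
Include /opt/tengine/conf/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include /opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include /opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include /opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf

# Local exceptions come AFTER the CRS includes: they refer to rule ids that
# must already be loaded.

# (Assumed) WordPress editors legitimately submit HTML in the post body.
# Exclude only that one argument on that one path from the XSS script-tag
# rule, rather than switching the XSS rules off for the whole site.
SecRule REQUEST_URI "@beginsWith /wp-admin/post.php" \
    "id:1000001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=973336;ARGS:content"

# Remove a rule outright only when it cannot be scoped down, and record why.
# (981173, the restricted-SQL-character count, is a frequent offender on
# applications whose parameters are full of quotes and commas.)
SecRuleRemoveById 981173

# A custom rule: refuse the phpinfo.php page used for testing once testing is
# over. Deleting the file is the real fix; this is defence in depth.
SecRule REQUEST_FILENAME "@endsWith /phpinfo.php" \
    "id:1000002,phase:1,deny,status:403,log,msg:'phpinfo probe blocked'"
```

The order matters twice over: SecRuleEngine applies to everything after it, and SecRuleRemoveById / ctl:ruleRemoveTargetById silently do nothing if they appear before the rule they name has been included.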
V. Configuring nginx

Add the following two lines inside the location block of each host that should be protected:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Only requests that hit a location carrying these directives are inspected. In the PHP example below that means *.php requests alone, so every other location you expose (static files, uploads, the proxied application) needs the same two lines if it is to be covered. modsecurity.conf was copied into the same conf directory as nginx.conf in section IV, which is why it can be named here without a path.

Two example configurations follow. First, a PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
" V/ ]8 l+ k/ c7 W& x- hupstream负载均衡:- {- X8 n1 g, i
3 E. G3 d( U" ]6 i& s
upstream 52os.net {2 E1 x, m0 @$ G: C! d9 n3 m
server 192.168.1.100:8080;
! k L- k0 E- m9 } c server 192.168.1.101:8080 backup;( `+ h9 g3 _, f. u( k
}& B6 T. _3 a) u. U: D2 X0 c8 y p2 [; G
5 U$ ^* P% p+ J8 Z, Nserver {: N+ { P! l; l# D$ N+ v, N2 ~
listen 80;' L; {2 z( I7 F; I' K& k$ W/ q
server_name 52os.net www.52os.net;* i, @! g5 _& e! v9 P9 b
5 q9 W P" @* _- Dlocation / {$ b5 W' K1 a- n$ L4 V
ModSecurityEnabled on; # R7 |, a" B3 n# R5 z; e5 i
ModSecurityConfig modsecurity.conf;
1 D4 S; d$ Y; y( r) h
; m; U/ o# y4 k% @ proxy_pass http://online;
( ?3 w* G3 X$ s+ F9 i6 k; W proxy_redirect off;
. |9 v, v2 _" c- s0 _) O, [% ` proxy_set_header Host $host;
" D+ ?) a* P% m8 } proxy_set_header X-Real-IP $remote_addr;
2 w3 j: Q6 u( b proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
! D+ i7 B; A! `6 i' R4 P1 V }
0 }5 B" x# b: f3 Y& Y3 Y/ M}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with a 403 straight from nginx. Using the PHP host as the example, create phpinfo.php containing:

<?php
    phpinfo();
?>

Then request, in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS payloads are being filtered. (A browser URL-encodes the spaces and angle brackets for you; when testing from the command line, encode them yourself, otherwise the request is malformed before it ever reaches the rules.) Remove phpinfo.php once testing is done: it discloses the PHP build, loaded modules and filesystem paths to anyone who can reach it.
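A 403 tells you something fired, not what. The nginx module writes each match to error.log as free text followed by bracketed [key "value"] fields (the same format as the audit-log mutex error quoted in the troubleshooting section below). The following parser is an added example, not code from the original post or from the ModSecurity project: it turns those lines into records and counts denials by rule, client and URI, which is the first thing a responder wants when reviewing a new WAF deployment. The sample log lines are constructed for this example; their rule ids, messages, line numbers and addresses are illustrative only, and the error.log path is whatever your nginx prefix uses.

```python
"""Parse ModSecurity 2.x events out of nginx's error.log.

Added example, not code from the original post or from ModSecurity itself.
SAMPLE_LOG is constructed in the format the nginx module writes; its rule
ids, messages, line numbers and addresses are illustrative only.
"""
import re
import sys
from collections import Counter

# Constructed sample: the audit-log mutex error from the troubleshooting
# section, two blocked requests, one DetectionOnly warning, one startup
# notice, and an unrelated nginx error the parser must ignore.
SAMPLE_LOG = r"""
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\b(?:and|or)\\b\\s*?\\d+\\s*?=\\s*?\\d+)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: and 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 04:20:09 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script[^>]*>" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "41"] [id "973336"] [rev "1"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:search: <script>alert('xss');</script>"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2015/01/26 04:21:30 [error] 61611#0: [client 192.168.1.50] ModSecurity: Warning. Pattern match "(?i)<script[^>]*>" at ARGS:q. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "41"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/search.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]
2015/01/26 04:22:00 [notice] 61610#0: ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:22:05 [error] 61610#0: *12 open() "/web/wordpress/favicon.ico" failed (2: No such file or directory), client: 10.11.15.161, server: 52os.net, request: "GET /favicon.ico HTTP/1.1"
"""

# nginx prefix, then the ModSecurity marker. "[client a.b.c.d]" is absent on
# notices written outside a request (e.g. at startup); "*N" is the connection
# number nginx prefixes to some entries.
LINE_RE = re.compile(
    r"^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: (?:\*\d+ )?(?:\[client (?P<client>[^\]]+)\] )?"
    r"ModSecurity: (?P<message>.*)$"
)
# Trailing [key "value"] fields; values may contain escaped quotes.
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<value>(?:[^"\\]|\\.)*)"\]')
DENY_RE = re.compile(r"^Access denied with code (?P<status>\d+)")


def parse_line(line):
    """Return a dict for a ModSecurity line, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    message = m.group("message")
    fields, tags, first = {}, [], None
    for f in FIELD_RE.finditer(message):
        if first is None:
            first = f.start()          # where the free-text part ends
        value = f.group("value").replace('\\"', '"')
        if f.group("key") == "tag":    # "tag" repeats; keep all of them
            tags.append(value)
        else:
            fields[f.group("key")] = value
    summary = message[:first].rstrip() if first is not None else message
    deny = DENY_RE.match(summary)
    if deny:                           # SecRuleEngine On: request was blocked
        action, status = "denied", int(deny.group("status"))
    elif summary.startswith("Warning."):   # DetectionOnly: logged, not blocked
        action, status = "warning", None
    else:                              # engine notices, audit-log errors, ...
        action, status = "other", None
    return {
        "time": m.group("time"), "level": m.group("level"),
        "client": m.group("client"), "action": action, "status": status,
        "summary": summary, "id": fields.get("id"), "msg": fields.get("msg"),
        "uri": fields.get("uri"), "hostname": fields.get("hostname"),
        "unique_id": fields.get("unique_id"), "tags": tags,
    }


def parse_log(text):
    """Parse every ModSecurity line of an error.log body, in file order."""
    events = [parse_line(raw.strip()) for raw in text.splitlines()]
    return [e for e in events if e is not None]


def summarize(events):
    """The counts a responder wants first: what blocked, whom, and where."""
    denied = [e for e in events if e["action"] == "denied"]
    return {
        "total": len(events),
        "denied": len(denied),
        "warnings": sum(1 for e in events if e["action"] == "warning"),
        "denied_by_rule": dict(Counter(e["id"] for e in denied)),
        "denied_by_client": dict(Counter(e["client"] for e in denied)),
        "denied_by_uri": dict(Counter(e["uri"] for e in denied)),
    }


def main(argv):
    """Usage: python modsec_errlog.py [path/to/error.log]"""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG                # fall back to the constructed sample
    events = parse_log(text)
    for e in events:
        if e["action"] != "other":
            print(f'{e["time"]} {e["action"]:7} client={e["client"]} '
                  f'rule={e["id"]} uri={e["uri"]} msg={e["msg"]}')
    print(summarize(events))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the real error.log while SecRuleEngine is still DetectionOnly: every "warning" record is a request that would have been blocked, so a rule id that tops the list on ordinary traffic is a false positive to scope down before switching the engine to On.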
VII. Troubleshooting the installation

1. APXS missing

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server, turning one or more source or object files into a dynamic shared object. The ModSecurity build needs it even though Apache itself will not be run.

Fix:

yum install httpd-devel
2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required!

Fix:

yum install libxml2 libxml2-devel
4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Be careful with this: apr is a dependency of httpd, httpd-devel and other packages, and yum removes those along with it. Check what depends on it first (rpm -q --whatrequires apr) and which libapr-1 the binary actually loads (ldd /opt/tengine/sbin/nginx). The cleaner fix is to have exactly one apr/apr-devel pair installed before running configure, so that ModSecurity is built against the same APR that will be loaded at run time.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The serial audit log is a single file guarded by a global mutex, which the unprivileged nginx worker processes are unable to lock; the Concurrent type instead writes one file per transaction under SecAuditLogStorageDir. Create that directory yourself and give it to the user the workers run as (the user directive in nginx.conf). With correct ownership a directory mode of 0750 is sufficient; 0777 makes the log tree world-writable, which lets any local user plant or tamper with audit records, so avoid it on a production host.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614