|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
0 f9 X* Y5 n, D9 Z% I! l9 ]8 K% R
j' x, J+ V# Q1 q5 I' B一.准备工作
6 y k! T4 W g$ C7 Y
- _9 R5 S# B2 N+ Y% F3 s: T系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.03 @- P/ i2 ?. ^6 W9 t0 ?& _
, c9 h1 B2 b& x" p$ i. X& H
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
7 Q7 N: s p6 `# H
; Y9 d9 @# a+ zmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz% D7 ?7 ~1 T, A; q; h# d8 ~4 c
& R3 I& k9 c7 l# S- Z+ dOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs0 a8 h3 n3 P/ b: t& M
6 n! K+ }% b+ p3 ~依赖关系:8 R# k; P1 }4 U8 d* @
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:* M' h5 C# b2 o$ h* H
* B5 ?2 A! `- a' l6 K# x( u, C' jyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel* P2 O% J* t* X2 X* ^* {
modsecurty依赖的包:pcre httpd-devel libxml2 apr) R- k2 \ Q5 c/ H
7 T: Q/ ~* S% C1 i: J
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel1 y4 u/ t$ u% d4 Q S3 t
二.启用standalone模块并编译
1 w1 z( d" K- ~: c
+ ]2 T4 T! W3 ?下载modsecurity for nginx 解压,进入解压后目录执行:
2 y5 z; [( M" i% D+ h- F+ G. X: m1 @6 T" J! w
./autogen.sh5 ?& f9 e5 w0 X+ z$ X
./configure --enable-standalone-module --disable-mlogc! x, ?$ N: d. w
make % b( R, g. C6 H- G' q
三.nginx添加modsecurity模块
l6 i0 V& c/ o9 T: Q$ S2 A$ z) Q
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
, _+ X; o) }9 D, l
' ^) z$ P* q( {6 T6 Q, i./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine: F$ o$ K7 g7 a U5 l
make && make install' H1 V: x' d+ `, s6 N- B
四.添加规则
' i6 _$ S# X% U5 F
. j5 T: q3 d% ~. ~modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。+ I5 F ^. z, a. R
2 M" ?6 M2 @0 _( O1 J
1.下载OWASP规则:" V4 O, g- K; j) I
2 V; T+ k; H5 x; l: f
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
9 l! h% _- c6 t* s. q- f( h' {! p& ~: m% x
mv owasp-modsecurity-crs /opt/tengine/conf/
5 i' A2 f# E. |7 e- l# U8 c \3 u8 J/ g# D* U
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
: B$ L0 u/ k' i& t1 y2 W. k" k. H- Q2.启用OWASP规则:2 ^- F3 g! B6 f* t, J! q7 N
+ H, i3 v4 |% b I$ L% \) _" v2 R
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
_, I v$ ^$ n% l" i, `
- E2 U" D& u2 d- M3 L编辑modsecurity.conf 文件,将SecRuleEngine设置为 on$ f u2 Y* F4 p3 b* f& b
, c8 U a! W; L7 h1 I
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。" G0 l& D* |# E& b" A( Z7 {
& |1 P5 k# ~6 r" g; I% O- N: V. l7 }
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
" }0 s( v1 O o+ k2 D4 C( LInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
$ \0 Y- E8 w7 Z/ A* cInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
+ @3 L* K6 @* y3 zInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
" T6 O6 q& o. Z, |8 ]/ bInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
0 `1 N7 V4 k4 p uInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf; `' q3 _ O E8 g
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
' }: z, p, O+ T9 t: \五.配置nginx7 }' ]8 i* W5 c. R) Q) n
& K r; T( g8 N- g6 X/ P, L在需要启用modsecurity的主机的location下面加入下面两行即可:
/ c) g! {3 c3 c& W8 Z
# f" R; p/ ^, M7 }) U% ^6 z: }( EModSecurityEnabled on;
5 M9 ?. e/ X. v- K8 J9 T# FModSecurityConfig modsecurity.conf;* p7 `& N# S& D& s, D
下面是两个示例配置,php虚拟主机:6 n9 a) K, h$ ?+ ~# P ~. t! m
( {/ c) Z8 ` Fserver {& v% t/ _( {% ?5 h2 e$ n0 X
listen 80;
" ]8 i) x8 x7 M" @ server_name 52os.net www.52os.net;
8 q9 t R$ _1 B- w8 U, M7 M/ ? + m1 n P6 [, I. i7 {. H
location ~ \.php$ {
, f; a% V) L2 q' L9 J4 S; G+ w9 s ModSecurityEnabled on; & _' n. }) r# a7 a$ t# l
ModSecurityConfig modsecurity.conf;
% _) o4 s1 ~5 U
9 W1 e5 W* I, ? root /web/wordpress;" g3 u z3 W# I; N
index index.php index.html index.htm;" D1 [% P) }+ A5 \2 f
4 u6 F! L+ x9 @2 Y; O fastcgi_pass 127.0.0.1:9000;
+ T: ?$ U6 P, _- ?' b: C fastcgi_index index.php;; u/ b" D$ i7 J6 O) a2 S
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;6 S% D5 N: o& @# l4 k' E* ~: K% }
include fastcgi_params;
8 X, S6 `+ w) Z: ~( i) M2 W! N }
) J1 j- r$ H7 {. U }8 M# r. q& t( Q
upstream负载均衡:
0 g5 L' V2 f% I" x, s. r$ W9 k! y- u# A( z# J- w9 U: {
upstream 52os.net {
4 }- n d/ K' K. F server 192.168.1.100:8080;1 {$ J0 r5 K+ X# h& X" I2 S: ?
server 192.168.1.101:8080 backup;6 f; ~! G9 U+ J% v4 \
}
. r- F9 i; B& L. N& Z; B& F; c1 Y1 R# `( F9 [5 g2 u ?
server {% u+ y5 d+ y, N% C
listen 80;. P9 O/ j- i. E7 _
server_name 52os.net www.52os.net;+ G" x( ^' _( u& s- z; M8 s
2 r$ E) s8 j. u% k. V+ r/ T7 @. [, q
location / {
5 f9 G o, S. d2 y ModSecurityEnabled on; 8 n! |: ^; L5 C3 d
ModSecurityConfig modsecurity.conf; : e/ m' L5 J7 E, L3 c% [
* B+ m8 Y Q+ }6 s proxy_pass http://online;- K3 K) C4 v, n3 B7 A
proxy_redirect off;4 V+ D; _: ^$ i8 U% J u
proxy_set_header Host $host;; l. P) @, I- R( g4 J
proxy_set_header X-Real-IP $remote_addr;
# i) I8 ]7 K* o/ R proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;4 C% n3 Q3 b. }4 b* p N
}# P0 U2 @6 `3 _. H; H
}* ~* C: ~0 C2 S9 j, t7 o8 o
六.测试" ~1 H6 Z: Z7 g0 w' V
+ _6 E: c8 s$ R; D2 P* L8 T% H我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:* n; s2 ?- k8 T; r
+ n% a5 U* R1 v6 N5 w<?php
L* `6 r* M% `; {* I L phpinfo(); . b Z+ k2 y/ |; e* A9 k
?>
7 i8 g% P9 H* S- I. I7 p/ Z' v在浏览器中访问:0 @% G, |, g( x7 T* n3 T
7 E) V+ ]' s! l0 D' |3 Z9 ^1 J& H
http://www.52os.net/phpinfo.php?id=1 正常显示。
. y& O9 h: G6 H; h' C! G3 Ghttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。6 q! C* c4 t- t' ?7 I% ` a
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。2 p9 {& n' e" [* `5 L' y# N
说明sql注入和xss已经被过滤了
: a" E% v {6 g: V+ W% b3 O/ H# ^5 ^6 y/ r
七、安装过程中排错/ }% v% a% }& r0 l; g, d4 E0 P! a5 i
) K; x. d% o- d$ ]2 {
1.缺少APXS会报错
" A2 W: M% X0 G8 A1 m6 g& U- Y+ H* L* u$ P' {3 W+ z
configure: looking for Apache module support via DSO through APXS
: K/ s# l3 o" b4 E% D) Jconfigure: error: couldn't find APXS
9 I; I2 P8 y$ }2 k: f) D5 O( s; bapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
- P1 x1 e9 q7 Z: v0 o5 _解决方法:
$ Q/ ^8 p3 [' g: s% Q7 O3 K
, d+ r, c6 F1 Y9 Dyum install httpd-devel
' `- L6 U4 G7 U0 _7 f& Q2.没有pcre" H: }7 x x% {9 B& R# F& u
- L3 v8 f1 G9 b" I4 W
configure: *** pcre library not found.! x9 F' t b/ o# j' F
configure: error: pcre library is required6 v; h$ Z& {: z( k
解决方法:- S+ w* m, D8 ^/ ]
9 t+ _: X7 `% D6 c S9 N8 ~0 l( Vyum install pcre pcre-devel8 e! P. d! A: A9 X3 U
3.没有libxml2
$ }+ W! U% B/ n9 k: \: U9 S) U, z, a7 ]# k2 I2 t0 K0 t) o
( ?) C+ _3 M8 W0 p5 Aconfigure: *** xml library not found.
5 l, N3 B0 E7 h4 C% P3 V+ F& Nconfigure: error: libxml2 is required5 v. \, k: O% A
解决方法:6 M- B- B/ f2 M% `' G- Q; U+ v
: V/ d7 H Y6 t/ y
yum install libxml2 libxml2-devel
! e: w' L) x0 y7 i) l/ G7 }* ~4.执行 /opt/tengine/sbin/nginx -m 时有警告
. H6 N/ C5 Z' H1 G9 B: {7 I9 G* J* |, E4 i. j, |
Tengine version: Tengine/2.1.0 (nginx/1.6.2)( G q4 ^( @2 p6 [0 e3 _7 b0 {* |
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
' z/ p# G& v" ?$ R4 C2 F$ |( f原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
: ^: ~2 B* k+ D. R6 M X3 }4 T( [+ d* r/ g
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
1 D4 Y6 m% w+ f8 F2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"3 ^$ W' ^# S, C! ~
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
8 ] P ^. S( p' R) g4 d5 O2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
9 x+ i2 O$ `* i" H2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"4 D- c0 D) J* I& v
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
4 r0 C6 G) @; Q/ l' z解决方法,移除低版本的APR (1.3.9)# M& I9 T q6 @# e& C+ q1 I/ M
: e- \3 k# [+ o# V6 H, k1 zyum remove apr
0 Z( A9 Z/ O' e3 \- i2 I, `( R5.Error.log中有: Audit log: Failed to lock global mutex
0 V& [) X' o2 R+ F2 R( U- x7 @- m5 }0 ^) n& ]/ D. Y, ]
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock & }5 Z1 u9 D+ N( P' j/ d3 r
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
( D( h1 G8 F+ \, f7 z; s( o解决方法:1 B4 Q6 N) S) x8 Z/ W2 n& Z
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
- j% I8 ]) `4 U1 D$ s+ ~0 W% N& \3 Y% ?, V) O& g" W5 C" A
SecAuditLogDirMode 0777
: ~/ C% x1 u W. eSecAuditLogFileMode 0550
+ H1 G: g' I% u3 j: t5 VSecAuditLogStorageDir /var/log/modsecurity
/ `) F' c& u8 ?2 A7 H* Y+ R3 o9 _SecAuditLogType Concurrent
! `# v. H; A5 o4 f$ X参考文章:1 v0 `7 x3 t ]$ K' i
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
. m+ k3 n' e3 {, M" g% zhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡