|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。; J0 ?" W! g0 X4 r; g
+ `+ F# x% x& G3 Z. o一.准备工作0 g* O2 l; O- l( ~, k1 X
. N1 Q( t; e9 z) F' d- B
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
q' I3 G; N. G* \6 U( P1 _' E1 M9 |! r) [6 e
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz8 T' y/ C- _7 x- ?" K
( k9 z5 c2 u. |7 G9 K* G9 l! ymodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz9 Y6 V- y. s" J, ^3 d2 z7 N$ P
) i0 V- j5 Y! b( p5 g: c
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
- q# p' p4 t' i8 [- `, z! i! M0 X; N9 c" Z* t! H0 b' }
依赖关系:
+ o9 Y+ X- o, Z& @6 W _/ s8 Gtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
3 q# y% I% n* H! F- m* O) z( R8 l! d% w( W/ }, ^! P3 P
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel2 q' P7 H1 V* u% S
modsecurty依赖的包:pcre httpd-devel libxml2 apr+ |% s1 {( w5 h, g8 Y0 `
. w( p- C2 X% V1 U
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel: v/ K2 K1 a R
二.启用standalone模块并编译1 \% ]. M9 M* v0 \9 t
$ z# S" f) g3 k) F. |2 s) ~下载modsecurity for nginx 解压,进入解压后目录执行:# _8 j; R" L# _; H1 P+ g. j
( H# B' A/ M5 i* i; [7 G
./autogen.sh# Y2 \% D; T/ j F: U4 q; Y
./configure --enable-standalone-module --disable-mlogc" b- i( ~3 H, x. f
make
' z: A4 |* w$ G7 i! c2 l三.nginx添加modsecurity模块3 Y/ r: k2 W) m; b8 d1 A3 {
% n+ T. \8 C' c1 C" K: A在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:6 Y7 o1 [4 ]" V" {) u
; s5 r7 C4 \" ^8 X1 x- _) W0 S
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
. [" m8 f# {0 x# y# J0 j& \/ xmake && make install7 Z! F3 I( X8 e$ i/ r
四.添加规则
4 @: \; P4 U4 a* _: z' `7 ?3 O3 F S& E0 c4 ~; ?0 J) ]& X
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。 a' Y, W" c6 p7 E& U# P
9 q" w/ Q4 l. a+ G
1.下载OWASP规则:% n' G: Z# J' Z7 ]8 Y+ o( r
; _# ]$ h1 d, I0 h+ h5 Y2 T
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs0 b( Z* m, G) K6 Y! s7 \$ M7 v
, [# u6 `, H d( }: I
mv owasp-modsecurity-crs /opt/tengine/conf/$ o. m& `! f" c4 i, B6 Q$ l2 P
$ ~0 \# o" h$ @% z6 s+ k
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
4 Z+ k3 A/ t' H9 H2.启用OWASP规则:
5 @' i& ]0 A$ L7 \: f. p" I4 f9 |! L3 D/ o6 m( `& W1 f
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。2 n3 N2 J- a$ P1 C
. N7 s" B& | Z/ |- y* h/ |编辑modsecurity.conf 文件,将SecRuleEngine设置为 on& q0 d) V! d7 [
0 |' U# S% @4 P8 O- j
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
5 B6 s0 S! h4 G. y. ?" R8 e
7 e& y: R. O1 X' L$ @Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
% P# N; R( [0 p9 Q* K* l0 @ PInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
0 T. U: P5 u0 ^& K3 r( M- @Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
" @) A* R) y; EInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
+ q( o9 D" C ?Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
8 C! b: \4 g6 t$ T6 CInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf) y; N5 A! B6 i: {2 C0 e
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
$ K! Z) ~* C; T% }# a# ^五.配置nginx$ b* v) z J/ T/ z9 ~& y" K' e
( a, q. J$ e! ^& k. ^
在需要启用modsecurity的主机的location下面加入下面两行即可:
z3 `3 m% U$ c) Z
6 o! Y. H' M. XModSecurityEnabled on; # K" v0 {8 L0 t7 m$ H& l! ?
ModSecurityConfig modsecurity.conf;0 m4 T+ c+ M# j0 }& s
下面是两个示例配置,php虚拟主机:
4 L* `# p/ d/ M) W0 a) }( W3 L4 Y! O% G3 h, }% R1 S- |# @7 E
server {9 n% U$ y" H8 P% }0 x$ [
listen 80;; W4 ~& f" e5 q- N: C/ [
server_name 52os.net www.52os.net;9 P" [' ?. [! e5 J% g
. T1 K! Z+ P/ ?: m3 u# j! z
location ~ \.php$ {
4 ]& ]6 b7 I. S0 ]0 \1 }, Q0 Z ModSecurityEnabled on;
, ^* a% c# T* i9 M U; @( N ModSecurityConfig modsecurity.conf;
* Q. }( f! E1 O/ ^# C D
% [: e- h3 ?$ M( h) A; E root /web/wordpress;
5 L; }1 H/ {. k" S0 J+ H' V index index.php index.html index.htm;
1 y. x0 b* U( _% Q7 J; x 3 `2 X$ J" A, W$ w; g: I8 T
fastcgi_pass 127.0.0.1:9000;
# O6 E7 D6 D2 ^ fastcgi_index index.php; G; y! `4 [. @0 k, U" g" ]$ `
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;' T2 ~* B1 S/ X1 q) k- y
include fastcgi_params; x, k9 {0 x1 p4 }, q& Y3 V
}
0 v) D6 }- l4 ` }- o: ~( |9 R2 H9 ?7 m+ \- N3 a
upstream负载均衡:6 ?3 e3 A c) t5 |, w' R6 @
& a3 u: r6 R8 I- I# G9 S; Cupstream 52os.net {
1 W! R" b1 P& f4 P* Y server 192.168.1.100:8080;
2 `: q" O6 n* e server 192.168.1.101:8080 backup;( \4 F7 B J- t7 q; [4 ? M7 M& X: I
}
' c7 n, w4 u+ Q8 n n, O% c3 P; H- }3 Q n0 {' ?" \3 |! m' ~
server {. W# b' e" v) T1 [
listen 80;
8 t$ r/ q* p R# M: ?server_name 52os.net www.52os.net;
5 [& S( F" u: Z5 O2 [- P% \, K$ B, m
location / {
+ @. Z7 v* h) X0 b ModSecurityEnabled on; 3 {5 B! o- w! B% V! W
ModSecurityConfig modsecurity.conf; # r* u' P. [" C/ D# j# G
1 @0 [% O: N7 F1 w2 h( j
proxy_pass http://online;& |2 q9 |0 [* p
proxy_redirect off;
# b( c* k8 @ I+ _0 L* u& r proxy_set_header Host $host;" a8 Y* L( F1 J) X( w
proxy_set_header X-Real-IP $remote_addr;
# ]5 k; h4 R) Z9 `: f% B- |! j proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;( y: }/ M; R; R6 ^. k
}0 f1 @2 i6 s5 v( {9 k6 I: l
}
4 s. D4 L& [+ {; N) i* b. n* I六.测试" F5 D7 }0 c, r% X+ F D
& _" j" i p- P我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:, Z; {1 f M( I& h9 t0 Y" Q
1 @1 f) C& z- M% }<?php
; u+ Y! n# L7 _; J phpinfo();
9 v" Z# X8 O H: H6 C?>) U8 y' r) x( ]
在浏览器中访问:5 B$ g/ l! `) u, Y' B
6 @* D+ K" F. D, Yhttp://www.52os.net/phpinfo.php?id=1 正常显示。/ U6 `7 O; v# y L" K, z
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
, {. t: Q* O5 ]6 {& shttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。8 N; H9 |2 N9 W# x- _# p- C/ S# b
说明sql注入和xss已经被过滤了
# w0 V1 w$ |' G( D5 k( R! ^- w) [6 e- L8 C, }& C# `
七、安装过程中排错
, z2 Q: w9 ^) p! T L! u/ `0 F3 O- e D
1.缺少APXS会报错8 r; F( v* m) u9 ?- x) ]; |! y
: M9 N" p1 e" P8 p
configure: looking for Apache module support via DSO through APXS
1 A! U- O/ O8 j' b" R6 s) p9 i3 Nconfigure: error: couldn't find APXS$ s k0 B6 M2 p, E7 t6 I* `2 v
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
1 b! d: v& i& K2 S: @, G解决方法:
" ^8 k% ^6 W( k+ J
% n9 Y0 x" F+ u; M. `yum install httpd-devel
- o' x% Q1 a" q- T2 l5 T N/ b- X2.没有pcre$ d# h" p6 Z3 p# ^5 ]" D- |5 h
& ?* j& [+ |( o/ T
configure: *** pcre library not found.! v* G' I6 D7 K; _' O( O
configure: error: pcre library is required+ q: a6 u1 b4 K
解决方法:6 L, R s4 t& U, s8 U6 a' w. a* s
' B( q7 k2 B+ r4 @/ wyum install pcre pcre-devel
5 H, B5 ]5 Y) m7 N5 [" H, _3.没有libxml2
( K! H. M) c% x$ q
. { l0 r* \/ F/ v; b3 ?; m' I- x4 x& x% O/ Y0 M* A9 \3 m
configure: *** xml library not found.
% _/ V# _& _! }configure: error: libxml2 is required
7 A3 K0 M+ ?" z! G* P解决方法:, I% Q8 }) |! r& t4 g: z
& T, \% L& C3 V5 U% K+ g
yum install libxml2 libxml2-devel2 B7 N+ N) q" N+ ]
4.执行 /opt/tengine/sbin/nginx -m 时有警告; {8 a, ]9 s b" l) D6 `
% l3 Z8 f# N7 x( u( x- @' X
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
) `% D0 o( Z# l5 b: X- y' [nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
& `! s+ \% z! j/ i4 _3 k- G4 h原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
7 {* l! h" F+ N$ y/ C' C! y6 c) h* V2 v2 t" n5 r
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2 M) W) w6 v- d2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
8 y% E4 G$ f' H7 [% Y" x" R( m2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!1 k6 E1 F6 y: x* X$ j6 [
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05". X% ], r( x" B z
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"6 {8 K/ { T0 U# s; i
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
, C% [" M$ l9 R解决方法,移除低版本的APR (1.3.9): u+ r Q# y* }0 {% W: \
3 G# e- v, f( M: Uyum remove apr
" s2 ~* n, V4 k- a5.Error.log中有: Audit log: Failed to lock global mutex
5 G& W4 F$ Y9 N& }0 Y0 u; L
1 }# R" A6 H& D- T+ _) u2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 7 ^( b3 l) J% {! k$ |4 \' t6 r# s! l
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]; D( H* l2 R9 f5 t* s: M3 R
解决方法:
+ O/ f W+ T( X' y编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:5 D8 W( D6 ?! G+ Z/ y
" O: W7 W( }+ G! e( E8 g' |# S
SecAuditLogDirMode 0777
. C$ b7 X E6 N+ S1 USecAuditLogFileMode 0550; u& E8 c5 L4 u) G& _
SecAuditLogStorageDir /var/log/modsecurity
! r ^& L W+ X9 K. JSecAuditLogType Concurrent/ Y5 Q8 B: \$ A0 g2 a
参考文章:
/ `: ?: ?5 m7 x- W- G# Shttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
" y% o/ ~% \4 t* Y7 I. ohttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡