ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is all about filtering and blocking dangerous web traffic, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules for anything they do not cover.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines to the location of each virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing proxy:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection filters enabled, abnormal requests get a 403 straight back. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 is served normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

So the SQL injection and XSS attempts are being filtered.
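A script that runs the three checks above against a deployed host, added here as an example and not part of the original post; BASE_URL is an assumed placeholder, and the fetcher is injectable so the checks can also be exercised offline.

```python
import urllib.error
import urllib.parse
import urllib.request

# Assumed placeholder: point this at the Tengine host you are testing.
BASE_URL = "http://www.52os.net"

# Same three requests the post tests by hand, with the status each should get.
CASES = [
    ({"id": "1"}, 200),                                    # benign request
    ({"id": "1 and 1=1"}, 403),                            # SQLi probe (CRS 41)
    ({"search": "<script>alert('xss');</script>"}, 403),   # XSS probe (CRS 41)
]


def build_url(base, params):
    """Percent-encode the query so the payload survives transport unchanged;
    ModSecurity decodes ARGS before the CRS rules inspect them."""
    return f"{base}/phpinfo.php?{urllib.parse.urlencode(params)}"


def http_status(url, timeout=5):
    """Return the HTTP status of a GET.  urllib raises on 4xx/5xx, so the
    403 the WAF sends back has to be read from the HTTPError."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(base=BASE_URL, fetch=http_status):
    """Run every case and return [(url, got, expected, passed)].
    fetch is injectable so the logic can be exercised without a network."""
    results = []
    for params, expected in CASES:
        url = build_url(base, params)
        got = fetch(url)
        results.append((url, got, expected, got == expected))
    return results


if __name__ == "__main__":
    for url, got, expected, ok in run_checks():
        print(f"{'PASS' if ok else 'FAIL'} got {got} want {expected}  {url}")
```

A 200 on either probe usually means SecRuleEngine is not On or the CRS Include lines are not loaded; a 403 on the benign request is a false positive to tune.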
7. Troubleshooting the installation

1) Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2) pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4) A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 leaves the audit directories world-writable; they only need to be writable by the nginx worker user, so a mode such as 0750 on a storage directory owned by that user is enough.
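A small checker for the two error.log symptoms in items 4 and 5, added here as an example and not part of the original post; it embeds the log lines quoted above and flags any library whose loaded version differs from the compiled one, plus any audit-log mutex errors.

```python
import re

# Log lines quoted in the post (section 7, items 4 and 5), joined into one string.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>[A-Z]+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)
MUTEX_RE = re.compile(r"Audit log: Failed to lock\s+global mutex: (?P<reason>[^\[]+)")


def base_version(text):
    """Compare only the leading version token: PCRE logs '7.8 ' against
    '7.8 2008-09-05' and ModSecurity raises no warning for that pair."""
    parts = text.split()
    return parts[0] if parts else ""


def check_versions(log_text):
    """Return {lib: (compiled, loaded, mismatch)} for each library line.
    loaded is None when only the compiled version is logged (LIBXML)."""
    found = {}
    for m in VERSION_RE.finditer(log_text):
        compiled, loaded = m.group("compiled"), m.group("loaded")
        mismatch = loaded is not None and base_version(compiled) != base_version(loaded)
        found[m.group("lib")] = (compiled, loaded, mismatch)
    return found


def audit_mutex_errors(log_text):
    """Return the reason of every 'Failed to lock global mutex' error; 'Permission
    denied' means the worker cannot take the serial audit log's lock (item 5)."""
    return [m.group("reason").strip() for m in MUTEX_RE.finditer(log_text)]


if __name__ == "__main__":
    for lib, (compiled, loaded, bad) in check_versions(SAMPLE_LOG).items():
        print(f"{lib}: compiled={compiled!r} loaded={loaded!r} {'MISMATCH' if bad else 'ok'}")
    for reason in audit_mutex_errors(SAMPLE_LOG):
        print(f"audit log mutex error: {reason}")
```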
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614