ModSecurity started out as an open-source WAF for Apache and noticeably strengthens web security. It now supports nginx and IIS as well; combined with the flexibility and efficiency of nginx it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Check the downloaded tarballs against the checksums or signatures each project publishes before building them.

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module has been built, nginx can pick it up at build time through "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine/
make && make install

Afterwards, /opt/tengine/sbin/nginx -V prints the configure arguments, including the --add-module path, which confirms the module was compiled in.
4. Add rules

ModSecurity is built around filtering and blocking web attacks, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course write your own rules for specific needs.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

The layout used below (modsecurity_crs_10_setup.conf plus the base_rules, experimental_rules, optional_rules and slr_rules directories) is that of CRS 2.x. Later CRS releases reorganised the repository, so if a fresh clone does not contain these paths, check out a 2.2.x tag.

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. On a production site it is safer to run with SecRuleEngine DetectionOnly first and review error.log for false positives before switching to On, since every hit is a blocked request once blocking is enabled.

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding Include lines for them to modsecurity.conf; the setup file must come first:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines to the location blocks of each virtual host that should be protected. Only requests handled by a location carrying these directives are inspected; traffic served by other locations bypasses ModSecurity.

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are lowercase; $Document_root would be undefined
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered directly with 403. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then request the following in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. The browser percent-encodes the spaces and angle brackets before sending the request; ModSecurity inspects the decoded argument values, so the encoding does not hide the payload. Remove phpinfo.php once testing is done, since it discloses server configuration details to anyone who can reach it.
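The three browser requests above can be scripted so the check is repeatable after every rule change. The following is an added example written for this article, not code from the page or from the ModSecurity project. It reuses the article's host and page (www.52os.net/phpinfo.php) as the default target; the two extra probes (a UNION-based injection and an event-handler XSS) are additions for coverage, and the fetch function is injectable so the verdict logic can be exercised without a running server. A benign probe must come back 200 (false-positive check) and every attack probe must come back 403 (false-negative check).

```python
"""Smoke-test a ModSecurity-protected virtual host with benign and attack probes.

Added example for this article; not part of the original page or of ModSecurity.
Target host/page default to the article's (www.52os.net/phpinfo.php); the
probe list extends the article's three requests.
"""
import urllib.error
import urllib.request
from urllib.parse import urlencode

# (name, query parameters, status the WAF is expected to return)
# expected 200: must pass through (false-positive check)
# expected 403: must be blocked   (false-negative check)
PROBES = [
    ("benign", {"id": "1"}, 200),
    ("sqli-tautology", {"id": "1 and 1=1"}, 403),
    ("sqli-union", {"id": "1 union select 1,2,3"}, 403),  # added probe
    ("xss-script", {"search": "<script>alert('xss');</script>"}, 403),
    ("xss-event-handler", {"search": "<img src=x onerror=alert(1)>"}, 403),  # added probe
]


def build_url(base, params):
    """Percent-encode the query, as a browser would, so spaces, quotes and
    angle brackets arrive intact and the WAF sees the decoded payload."""
    return base + "?" + urlencode(params)


def http_status(url, timeout=5):
    """Return the HTTP status of a GET; urllib raises on 4xx/5xx, so catch it."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_probes(base, probes=PROBES, fetch=http_status):
    """Send every probe and return (name, url, expected, got, verdict) tuples.

    verdict: "ok" when the status matches, "false-negative" when an attack
    got through, "false-positive" when a benign request was blocked.
    """
    results = []
    for name, params, expected in probes:
        url = build_url(base, params)
        got = fetch(url)
        if got == expected:
            verdict = "ok"
        elif expected == 403:
            verdict = "false-negative"
        else:
            verdict = "false-positive"
        results.append((name, url, expected, got, verdict))
    return results


def problems(results):
    """Names of the probes whose verdict is not 'ok'."""
    return [r[0] for r in results if r[4] != "ok"]


if __name__ == "__main__":
    for name, url, expected, got, verdict in run_probes("http://www.52os.net/phpinfo.php"):
        print(f"{verdict:15} {name:18} expected={expected} got={got}  {url}")
```

Run it after switching SecRuleEngine from DetectionOnly to On; any "false-negative" line means a rule file that should catch that class of attack is not included, and any "false-positive" line means legitimate traffic is being blocked.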
7. Troubleshooting the installation

1) APXS missing

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even for the standalone build. Fix:

yum install httpd-devel

2) pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4) Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same mismatch:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Read the list of dependent packages yum offers to remove before confirming: the distribution's httpd and httpd-devel packages depend on apr, and the 1.5.0 build that ModSecurity was compiled against must stay on the system.
5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The serial audit log writes to a single file guarded by a global mutex that the unprivileged nginx worker processes cannot lock; the concurrent log writes one file per transaction under SecAuditLogStorageDir and needs no mutex. That directory must be writable by the user the workers run as. Giving it to that user with a restrictive mode is tighter than 0777, which lets any local account write into the audit log tree.
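Once blocking is on, a 403 from the test page in section 6 only tells you that something fired; error.log tells you which rule, on which argument, for which URI, and it is also where the audit-log failure above surfaces. The following parser is an added example written for this article, not code from the page or from ModSecurity. It handles the `[key "value"]` tag format that the page's error.log excerpts use, and the sample log is constructed: the first line is the one from the page, the other two are modelled on the "Access denied" lines the CRS emits, with illustrative rule ids, file paths and messages.

```python
"""Parse ModSecurity 2.x (nginx build) error.log lines and summarise hits.

Added example for this article; not code from ModSecurity or from the page.
SAMPLE_LOG is constructed: line 1 is copied from the article, lines 2 and 3
are modelled on CRS "Access denied" entries with illustrative ids/messages.
"""
import re
from collections import Counter

# nginx error.log prefix, optional [client ...] part, then the ModSecurity body
LINE_RE = re.compile(
    r'^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#\d+: (?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<body>.*)$'
)
# [key "value"] tags; ModSecurity escapes embedded quotes as \"
TAG_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>(?:[^"\\]|\\.)*)"\]')
DENIED_RE = re.compile(r'Access denied with code (?P<code>\d+) \(phase (?P<phase>\d)\)')

SAMPLE_LOG = """\
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 05:01:10 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\band\\s+\\d+\\s*=\\s*\\d+)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "1 and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 05:01:12 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "30"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "<script>alert('xss');</script>"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
"""


def parse_line(line):
    """Return a dict for one ModSecurity error.log line, or None for other lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {k: m.group(k) for k in ("time", "level", "pid", "client")}
    body = m.group("body")
    rec["tags"] = {t.group("key"): t.group("val").replace('\\"', '"')
                   for t in TAG_RE.finditer(body)}
    denied = DENIED_RE.search(body)
    rec["denied"] = denied is not None
    rec["code"] = int(denied.group("code")) if denied else None
    rec["phase"] = int(denied.group("phase")) if denied else None
    # everything before the first tag is the human-readable message
    first_tag = TAG_RE.search(body)
    rec["message"] = body[: first_tag.start()].strip() if first_tag else body.strip()
    return rec


def parse_log(text):
    """Parse every ModSecurity line in a chunk of error.log text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def triage(records):
    """Blocked requests counted per (rule id, uri): the starting point for
    deciding which hits are attacks and which are false positives to tune out."""
    return Counter((r["tags"].get("id"), r["tags"].get("uri"))
                   for r in records if r["denied"])


def audit_errors(records):
    """Lines where the audit logger itself failed (the mutex problem in 7.5)."""
    return [r for r in records if r["message"].startswith("Audit log:")]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (rule_id, uri), n in triage(recs).most_common():
        print(f"{n:5}  id={rule_id}  uri={uri}")
    for r in audit_errors(recs):
        print("audit log failure:", r["time"], r["message"])
```

Feed it the real error.log (for example `parse_log(open("/opt/tengine/logs/error.log").read())`) after a DetectionOnly run; rule ids that keep appearing on legitimate URIs are the ones to exclude or tune before turning the engine on.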