|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。' a; T* {- M) `) V
$ S W, K; @% G: o% H
一.准备工作
8 \% F1 w, X% k3 t4 b, k& d. w/ N9 Z! A4 C' R u H" v q
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
, t1 Z6 a# U8 _# l \0 e2 e- j9 t
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz7 y% g7 H1 H$ P" `) U1 S- ^
& L. ?9 V+ A) g# p; Rmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz% p0 {7 M; j, f9 x5 ^( Y, W
3 d& l, ~ ~% Z& y4 v% J0 {) b
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs. i0 q# T1 l- r( l- ]% m4 }/ v' U
( W- D/ U0 s( A8 |2 O* h
依赖关系:
! H: n) m% {, j, ]8 Ftengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:3 `! d8 d: @, B3 v; }9 f
- {7 m9 p: {. h! U6 _* W4 p1 S' Jyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
7 y5 e& _' a1 |2 g! Pmodsecurty依赖的包:pcre httpd-devel libxml2 apr0 A7 s8 b0 i/ v4 h0 P* A6 O% U$ @% q
4 C' N+ n) [* W" x9 ]5 ?3 `% F
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
4 b% d. `( r- M8 {3 E Q$ e4 o二.启用standalone模块并编译0 Q8 r2 K# s3 i }4 p2 A' [. G
% Y; u. Q l: x7 O
下载modsecurity for nginx 解压,进入解压后目录执行:
- }9 w Y7 M" F0 @, [$ t% O9 b# u3 f1 G `7 ]5 v
./autogen.sh
- c O* P O- T; ^% ^./configure --enable-standalone-module --disable-mlogc
: t, p a, z8 R& C! bmake
/ p5 B! G: t2 b3 b$ e) K三.nginx添加modsecurity模块
: d. d3 k9 R, ^4 X: F
. f' k0 V' S- s* N F3 s在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:( a# Z- j6 V4 m( c2 {: V. C
9 ~2 U5 i9 D: W4 H, ~. ?./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
; @) D& ~3 v8 m' g v% g# w$ jmake && make install
6 ~8 E1 O8 ]) j3 D. n- d四.添加规则, l3 L: C6 R3 F. @/ Q) N# U2 F
+ f, q7 M( _# c1 n) ], q
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
. K: o# D& H* k& r. E1 j
6 J+ M) t8 a0 p7 Z3 ]( L6 f6 n1.下载OWASP规则:
5 e; K9 m2 o" y. I7 |- F' \2 W; I! c$ s$ X+ c5 T8 ^
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs# Z, ]* K G) d0 [: `. j
9 i) Z" d! i% Z
mv owasp-modsecurity-crs /opt/tengine/conf/
: M8 I& V2 F) [! V" a. j
4 l3 q5 T5 V( N4 G- t$ lcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf; W8 s# p0 m: Q2 m8 q5 \2 }
2.启用OWASP规则:; ?: l' ?2 L2 y$ w* s3 B( \
. J* u' O" p/ o+ F
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
1 v7 }* E2 u( }6 v" s% y: r- ?# T& i y, c0 r! z& P
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
- v: L/ K( J& s9 o5 a, c1 L9 x* d0 M# ? c. O: _! n- W
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。, J8 @7 M W4 o: h% ^( ]# Q1 ?
4 I( }# O2 r, O5 k) U1 K+ c
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf* B* a& y$ [. F, b$ X
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf2 X" [2 A$ y" b) E! t
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf* j) j$ q, f( Z, L/ w; ~& W. {
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
/ t6 A7 [& L7 RInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf) @6 A8 s$ D* M$ T: Z; ?( l
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf: r: c+ O' g' x5 B0 E
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
) I5 H2 D, N1 W/ q" T五.配置nginx7 h6 v$ U( D- f4 _) n
( p6 l6 F" N* i7 T7 z
在需要启用modsecurity的主机的location下面加入下面两行即可:
& a0 a S) R" W8 a9 ?0 w! a. A' A3 ^8 t
ModSecurityEnabled on; J# H3 O% W. ]5 ]# ^: t
ModSecurityConfig modsecurity.conf;
2 R* ?& }! I; k: W. z+ h下面是两个示例配置,php虚拟主机:
5 K7 ]# `2 I p5 d1 x# H) C* |7 z# y0 K, W5 G D% o
server {
. z$ N9 O6 R. U) |# W# D listen 80;! }5 L* m. c; K/ O# C( p
server_name 52os.net www.52os.net;5 q I. d3 k8 _; l5 W
0 T" J! q* Y1 |' ^ location ~ \.php$ {7 h( q! l) U6 X0 ]
ModSecurityEnabled on;
' i6 C- i( R; y& u ModSecurityConfig modsecurity.conf;
9 F8 M: y9 F/ X$ A0 W) D+ F7 U# x
root /web/wordpress;
& w6 B: w$ C7 ^ index index.php index.html index.htm;
. a% \0 p1 [ E0 H9 C; M . k1 `6 K+ [0 t
fastcgi_pass 127.0.0.1:9000;9 {: H A$ l5 @7 [0 C' v
fastcgi_index index.php;/ B' D; V7 w: p" k% n( {, o: m
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;' c) ^, ]2 }8 H0 C+ a1 e8 D
include fastcgi_params;
# |5 V8 a+ b" r: \8 w4 ]! ?; i$ @; t }$ ?, F; [8 G( G% f
}% @% j( `5 p1 h: t
upstream负载均衡:. D- s" `. |9 l6 b2 T( `; ^
' H: k& V7 x7 d" W0 D. t
upstream 52os.net {
! h! W& E" k( c# p% g$ W- Z3 K& L server 192.168.1.100:8080;1 D6 d r4 U, D; i
server 192.168.1.101:8080 backup;
( r* A9 b' s- f/ E$ |/ d; ~7 Y5 N}
: B4 m5 ] G' V/ @& j$ y+ t5 h2 C5 g
server {
. C4 i) m$ X% ^, y8 mlisten 80;
. U) f3 g: A8 j& I# Eserver_name 52os.net www.52os.net;* D$ b) x7 ~! \( |
$ V. o; g1 u: d* [% \! E* @. w, q
location / {2 v. v6 V: t1 ?) e
ModSecurityEnabled on; : z) g- g6 Y M1 i! y
ModSecurityConfig modsecurity.conf; z+ G& L2 N1 h1 G: {1 ~- q
7 B2 @% s p @! q- Z/ Z6 @9 Y& w) b X# i proxy_pass http://online;
3 m. Y8 J% G5 o) G7 s proxy_redirect off;
1 ? N$ J1 n! M- V: J& m proxy_set_header Host $host;
' a# A4 I& [1 \2 C9 o; V proxy_set_header X-Real-IP $remote_addr;
- j* @8 ^( b4 P9 o. ? proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
) h, Q: i* @; J7 w }' V9 u3 |3 i \0 X- g
}! P8 e4 a! C4 V- ^0 w
六.测试" F. N5 { Y' q& A. {5 ~
0 z$ r/ p" N. o n y* Z我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:- I' |; j- [1 C
2 l+ n$ t& K6 O, G# Y f7 p
<?php/ c1 f1 K% t6 k9 E
phpinfo();
+ @+ X, h& C9 n% Z?>9 z+ Q& y- `) H# l# y6 L: @3 k
在浏览器中访问:
+ ^' O# k3 {; ^5 c6 f2 Y* U
2 O% \8 A/ U. z4 Y: Fhttp://www.52os.net/phpinfo.php?id=1 正常显示。 o1 T8 ]- I5 i
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
: a! Q2 w! }3 K+ g8 Z8 `' Rhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。% l5 |( j/ x1 }8 G$ d
说明sql注入和xss已经被过滤了' \# \" E% u! o, D1 O$ u0 V& @* R
$ ~6 O1 g4 L, ]: v* r& {& E七、安装过程中排错 Z$ W, ?! z, s x
$ H9 w' I$ B4 y3 O' f, C3 o1.缺少APXS会报错1 V$ H- o0 C: D8 v* F' Y
|$ E% Y1 H8 r1 W9 g8 E
configure: looking for Apache module support via DSO through APXS4 k N+ ^2 ?) s( Y
configure: error: couldn't find APXS
6 ?2 | d& g! Capxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
0 Q0 S2 W6 d' ^7 y1 h# z1 U2 C解决方法:, E; e' l9 p0 H4 B: R
+ S t9 c, s+ M, a% O9 zyum install httpd-devel( Z. F# D. b' a l6 [* T
2.没有pcre
# l/ J t; @4 o" d! U/ o; Z
$ Q2 V: z2 [1 z+ r, zconfigure: *** pcre library not found.4 W" z. d0 e9 W$ X1 X9 F9 u; @
configure: error: pcre library is required
& f4 b7 j1 W% l' z5 S& v$ [解决方法:' p" k' Q# Y8 }/ M1 ?( I
+ g+ y7 f- b2 L cyum install pcre pcre-devel
5 a+ f6 Y0 ?6 O8 V- _3.没有libxml2$ x1 F- p3 Q" O$ D! x( a
8 D. B2 Q2 s; A, r( q8 z5 y- B$ q+ O3 u0 a5 \5 E9 h
configure: *** xml library not found.1 ~! J$ }' D1 l: I( t
configure: error: libxml2 is required' T- w, R2 J' F) C6 d
解决方法:
* @- P7 |* c6 ?0 t/ B
6 R# G$ S' d# q( e% G. i9 Vyum install libxml2 libxml2-devel
8 }" P2 H/ `7 S, P M4.执行 /opt/tengine/sbin/nginx -m 时有警告
8 k3 B8 y3 x& h& J/ o0 f$ m/ b
G6 r! ^7 |4 B8 H1 } x. c' O& cTengine version: Tengine/2.1.0 (nginx/1.6.2)' }7 E5 J4 t% k/ F
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
2 H+ l* p/ d- U Z) \) ~原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
$ U7 i( u2 a- n: i S. o9 \# _& L+ \+ H: O
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.- ]9 k2 x% i. k
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
4 D9 e6 Q, K5 T% @; O$ G2 D2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!8 z) T$ ?9 u6 z4 u0 m! ^* B" q
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"+ O+ L, z$ e1 [" d- g
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"; y7 ~6 f4 J) \4 {" J8 p
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
% q* _( m& @* L解决方法,移除低版本的APR (1.3.9)
6 C3 d# C2 l, K) m5 Z- a' n7 f3 V! i' R. _) S T' \$ W3 G
yum remove apr% z$ |" X, a2 {9 `
5.Error.log中有: Audit log: Failed to lock global mutex1 W7 k& W$ }! s( g1 l, V& c
' o" C9 L* }$ F9 k0 {0 [
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
6 J1 T/ N/ T& O- H& j+ X6 A+ Oglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]3 z0 Q% y; d' j7 K
解决方法:
* E0 u$ D) ]' t3 ^编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:. d5 e( G; c' c( E, o! v+ O* H
* T7 ?. [% C4 O' ISecAuditLogDirMode 07776 y3 x! N$ V5 A4 I
SecAuditLogFileMode 0550
Q* }# I. ~0 _ Z% F9 h0 zSecAuditLogStorageDir /var/log/modsecurity
4 |" Z- S: P) ]. y& V8 T) V7 @SecAuditLogType Concurrent) M+ P3 h6 X, w! i& W0 v
参考文章:& u- B2 ^* B" D+ V! K
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX6 R+ s% j3 ~8 m4 j' b% c7 T
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡