ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports Nginx and IIS. Combined with the flexibility and performance of Nginx it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (Nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for Nginx, unpack it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to Nginx

Once the standalone module has been built, add it when configuring Nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web attacks, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for your own requirements.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the Nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling them in with Include. Keep modsecurity_crs_10_setup.conf first, since the rule files rely on the settings it defines:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure Nginx

In the location block of every host that should be protected by ModSecurity, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # the name here must match the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with a 403. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
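To make the check above repeatable after every rule change, here is an added example (not from the original post) that sends the same three probe requests with Python's standard library and reports any status code that differs from the expected 200/403/403. The base URL is an assumption; replace it with your own host.

```python
# Added example: replay the three smoke-test requests from the Testing section
# against a ModSecurity-enabled vhost and compare the HTTP status codes.
import urllib.error
import urllib.parse
import urllib.request

# The post's own harmless probes: (query parameters, expected status).
TEST_CASES = [
    ({"id": "1"}, 200),                                   # benign request passes
    ({"id": "1 and 1=1"}, 403),                           # SQLi rules should block
    ({"search": "<script>alert('xss');</script>"}, 403),  # XSS rules should block
]


def build_url(base, params):
    """Percent-encode the query so the probe is sent exactly as written."""
    return base + "?" + urllib.parse.urlencode(params)


def fetch_status(url, timeout=5):
    """Return the HTTP status code; a 403 is a result here, not an error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def evaluate(results):
    """results: list of (url, expected, actual). Returns a list of failure strings."""
    failures = []
    for url, expected, actual in results:
        if actual != expected:
            failures.append("%s: expected %d, got %d" % (url, expected, actual))
    return failures


def run_smoke_test(base="http://www.52os.net/phpinfo.php"):
    """Base URL is an assumption; point it at the vhost you configured."""
    results = []
    for params, expected in TEST_CASES:
        url = build_url(base, params)
        results.append((url, expected, fetch_status(url)))
    return evaluate(results)


if __name__ == "__main__":
    for line in run_smoke_test() or ["all probes behaved as expected"]:
        print(line)
```

An empty list from run_smoke_test() means the WAF answered every probe as the post describes; each entry in a non-empty list names a probe whose status was wrong.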
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. The error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The switch to Concurrent is what avoids the shared mutex that serial audit logging needs; the 0777 directory mode is wider than necessary, so on production hosts prefer a storage directory owned by the nginx worker user with a tighter mode.
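Since the last two problems only show up in error.log, here is an added example (not from the original post) that parses the ModSecurity entries out of nginx's error.log in the format quoted above, extracts the bracketed fields, and flags the APR mismatch and audit-log mutex conditions. The sample log lines are constructed to match the lines shown in items 4 and 5.

```python
# Added example: parse ModSecurity entries from nginx error.log and flag the
# two conditions described in troubleshooting items 4 and 5.
import re
from collections import Counter

# nginx error.log prefix followed by the "ModSecurity:" message; the
# "[client x.x.x.x]" part is only present for request-scoped entries.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<message>.*)$'
)
# ModSecurity appends request context as [key "value"] pairs.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# Constructed sample, in the format of the error.log lines quoted above.
SAMPLE_LOG = [
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"',
    '2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!',
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock '
    'global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
    '2015/01/26 04:16:00 [notice] 61610#0: signal process started',  # not a ModSecurity line
]


def parse_line(line):
    """Return ts/level/client/message/summary/fields for a ModSecurity line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["fields"] = dict(FIELD_RE.findall(entry["message"]))
    # Text before the first bracketed field is the human-readable summary.
    entry["summary"] = FIELD_RE.split(entry["message"], 1)[0].strip()
    return entry


def summarise(lines):
    """Count entries per log level and list the misconfigurations found."""
    entries = [e for e in map(parse_line, lines) if e]
    issues = []
    for e in entries:
        if "Loaded APR do not match" in e["summary"]:
            issues.append("APR version mismatch: rebuild ModSecurity against the loaded APR")
        if "Failed to lock global mutex" in e["summary"]:
            issues.append("audit log mutex failure on %s: switch to SecAuditLogType Concurrent"
                          % e["fields"].get("uri"))
    return {"count": len(entries), "levels": dict(Counter(e["level"] for e in entries)), "issues": issues}


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```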
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614