ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security; it now supports nginx and IIS as well. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs/

Dependencies:

tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download modsecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module has been built, it can be added to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rule files, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file in modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines under the location of any host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Load balancing with upstream:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
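As an added example that is not part of the original post, the three browser checks above can be scripted with curl so the WAF is re-verified after every rule change rather than only once after installation. The probe list reuses the post's own requests and expected status codes; the base URL, the function names and the --live switch are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: re-run the post's three test
# requests with curl and compare the observed HTTP status with the expected one.
# Assumptions: curl is installed; the default base URL is the host from the post.

# Probe matrix (constructed from the post's test section): name|path-and-query|expected status.
probes() {
    cat <<'EOF'
benign|/phpinfo.php?id=1|200
sqli|/phpinfo.php?id=1 and 1=1|403
xss|/phpinfo.php?search=<script>alert('xss');</script>|403
EOF
}

# Browsers send spaces as %20; curl does not, so encode them before sending
# (otherwise nginx answers 400 before the WAF ever sees the request).
encode_spaces() {
    printf '%s' "$1" | sed 's/ /%20/g'
}

# Fetch only the status code (no body); curl prints "000" when the connection fails.
status_of() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 --globoff "$1"
}

# Compare observed with expected status; prints PASS/FAIL and returns 0/1.
judge() {
    name=$1; expected=$2; observed=$3
    if [ "$observed" = "$expected" ]; then
        echo "PASS $name: got $observed"
        return 0
    fi
    echo "FAIL $name: expected $expected, got $observed"
    return 1
}

# Run every probe against the base URL; returns 1 if any probe fails.
run_probes() {
    base=${1:-http://www.52os.net}
    list=$(mktemp)
    probes > "$list"
    failed=0
    while IFS='|' read -r name query expected; do
        judge "$name" "$expected" "$(status_of "$base$(encode_spaces "$query")")" || failed=1
    done < "$list"
    rm -f "$list"
    return $failed
}

# Only contact a server when asked explicitly: sh waf_smoke.sh --live http://host
if [ "${1:-}" = "--live" ]; then
    run_probes "${2:-}"
fi
```

A FAIL on the benign probe usually means the rule set is too aggressive for the application (a false positive), while a FAIL on one of the attack probes means the corresponding Include line or SecRuleEngine On is missing.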
7. Troubleshooting the installation

1. Missing APXS produces an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr
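The mismatch above is easy to miss in a busy error.log, and the same "compiled version" / "loaded version" pair is printed for PCRE as well. As an added example that is not part of the original post, the script below pulls those pairs out of the log and reports any library whose loaded version differs from the one ModSecurity was built against. The sample log lines are copied from the post's excerpt; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: detect "compiled version" vs
# "loaded version" mismatches in ModSecurity's startup notices, so the APR
# problem described in the post (and the same failure for PCRE) is caught
# from error.log instead of by eye. Function names are this example's own.

# Writes a sample log to the given path; the lines are copied from the post's error.log excerpt.
write_sample_log() {
    cat > "$1" <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
EOF
}

# Prints "LIB|compiled|loaded" for every notice that reports both versions.
extract_versions() {
    sed -n 's/^.*ModSecurity: \([A-Z0-9]*\) compiled version="\([^"]*\)"; loaded version="\([^"]*\)".*$/\1|\2|\3/p' "$1"
}

# Compares the numeric part of each pair (PCRE's loaded version carries a build
# date after the number, which must be ignored). Prints every mismatch and
# returns 1 if there is one, 0 when all reported libraries match.
check_versions() {
    extract_versions "$1" | awk -F'|' '
        function num(v) { sub(/^[ \t]+/, "", v); sub(/[ \t].*$/, "", v); return v }
        num($2) != num($3) {
            printf "%s mismatch: compiled=%s loaded=%s\n", $1, num($2), num($3)
            bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Demo: check a real error.log given as $1, or the sample above when run without arguments.
demo() {
    log=${1:-}
    cleanup=""
    if [ -z "$log" ]; then
        log=$(mktemp)
        write_sample_log "$log"
        cleanup=$log
    fi
    if check_versions "$log"; then
        echo "all ModSecurity library versions match"
    else
        echo "rebuild ModSecurity against the installed libraries, or remove the stale package (yum remove apr in the post)"
    fi
    if [ -n "$cleanup" ]; then rm -f "$cleanup"; fi
}
demo "$@"
```

Run it as sh check_modsec_versions.sh /opt/tengine/logs/error.log after every nginx restart; a clean result confirms that the yum remove apr fix (or a rebuild) actually took effect.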
5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614