|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
% T* W% i8 d8 j
- r+ S& G8 r& C9 d一.准备工作0 x8 }0 f- p3 B' E
% h& C0 l# i/ z0 J1 e" a
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0! e2 e* ~# T! F3 L0 `& I. w
2 j. i( d# z8 X- c( H
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz$ O# }/ U/ G$ m/ k9 R% D# H0 X
6 R8 z' c Z4 f$ _7 {
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
3 B; K1 l; H: ]
$ M- C0 R5 i+ V6 ?. xOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
1 G6 H1 i6 f/ t
: F( l) W1 \; G& O$ Z: F依赖关系:
4 h; S7 t, t6 O1 qtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
0 [' P+ U ?* Z! e5 j! g1 ^1 h V6 ?" C# g
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
! p+ S5 U8 N0 I: m. Cmodsecurty依赖的包:pcre httpd-devel libxml2 apr
% ]! J3 r4 t$ B: p6 B5 M) v
/ q' c- p/ {4 D/ Y6 t( c( {+ S. \yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel9 Y) p2 g: P/ D* D8 V3 V2 E
二.启用standalone模块并编译( S& H1 M5 N- R; b; t+ L5 [
& J2 r( ]7 k2 G% L下载modsecurity for nginx 解压,进入解压后目录执行:% |% q3 |, X2 L/ s/ o! Z
" {, J/ z# m9 z3 `0 C' l./autogen.sh5 I* y. Q6 a4 p
./configure --enable-standalone-module --disable-mlogc
9 \" b) R% Z; V& H+ Q5 @( `( Nmake 4 o, o- G# b' Z- ^' m0 {: @8 H$ b
三.nginx添加modsecurity模块, {# F1 x6 U( l
9 {- i! w( s2 E( F' H- R在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:" q! S' B, p1 ?! W8 \
# \! s% k# y+ F& N* {9 r./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
9 H% f+ B; Z% U- ?. t9 Omake && make install
|7 u: ~, w! ^) d" b四.添加规则
+ ?+ Q* X. E& U+ D. g+ \1 r
$ g3 y( ~. O+ E7 q5 P: Pmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。% K! o ]5 A' }9 H# {& J% W1 s) u
8 c# |# i# c3 A) M& D
1.下载OWASP规则:
( A+ }9 d3 n- p- n& i1 V
" F- Y) K, J& m* [8 \6 `git clone https://github.com/SpiderLabs/owasp-modsecurity-crs! c; n6 U+ M) e( X; {
8 F' B9 E: x5 x; |7 }& f; M' Hmv owasp-modsecurity-crs /opt/tengine/conf/
) L3 C# N. c, J0 Z k
$ A9 l. Q* V+ N+ t# I! Ucd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf/ d$ {1 U7 D' w$ D# E" _% e
2.启用OWASP规则:
4 n, w7 [3 ^, L+ y* w2 m5 h2 O- @& Z# }7 h
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
2 a# c% ~9 m) s& g% t
/ V5 Y# b) o) @9 u9 |# V3 A编辑modsecurity.conf 文件,将SecRuleEngine设置为 on+ L# \9 {- E/ `/ Y) e6 M% |
: m0 P3 |7 ?) p. U) D F
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
. g! A( v" h6 B* z
; Y! ?6 }7 d/ B3 V) pInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
0 B' x& h2 }: n8 r M/ E8 g6 GInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf. a5 C2 |" H3 H- |2 t+ V J, s
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf5 v! R( Z# t5 R
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf$ p* I3 a* ^; m7 J
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf2 ]. {4 |) p: G8 A) }4 w
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
; o4 W5 a, O- B+ E* `& YInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
0 o. k# C2 e* M) p" y$ ]五.配置nginx
7 f# _4 s$ a# X2 |9 F2 N; r- d' M6 _( f+ n3 t3 w: `
在需要启用modsecurity的主机的location下面加入下面两行即可:
* [. l: p: g' H
4 B: o# Q: t# O( X5 B1 z- z M+ bModSecurityEnabled on;
5 R' x+ ~8 u' H# aModSecurityConfig modsecurity.conf;
, z- Y7 F( Q+ X3 w% \( |9 U下面是两个示例配置,php虚拟主机:: o/ c- b( X8 N- E: ?6 R
( ?6 P/ a' B1 Q, h( \/ ]
server {
; o/ @: i0 \/ y listen 80;
3 Z/ s- ]' _4 N0 \5 k; m server_name 52os.net www.52os.net;
3 v+ }- f; H/ I& W
% E, x& T% `; c5 K location ~ \.php$ {1 O1 s5 ]# o8 e& N
ModSecurityEnabled on;
0 G3 b: V8 I6 q0 D. o7 Y3 N ModSecurityConfig modsecurity.conf;
u5 g8 ^% x! |- O6 H! m$ F9 S1 V
1 M" I8 g' f: t+ P root /web/wordpress;
' C, z% V' o# w' _- \9 R index index.php index.html index.htm;& R0 m; j, _ Y; I
4 d) s, o3 F" g$ M7 w
fastcgi_pass 127.0.0.1:9000;
- m8 q2 D5 n5 ]+ \ fastcgi_index index.php;5 E+ _" Z' `/ o2 R& o" z
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
, X5 @. X1 N! p: M# f include fastcgi_params;$ s7 B1 D* l2 e/ e- d
}6 |& m& ^: v, s+ {
}
6 b* x* r% ^7 j6 g6 _* E! [" d# ^% ~upstream负载均衡:& ^8 H( ?" N8 ^
/ A& b @+ S' h6 [" n+ jupstream 52os.net {
, o4 o3 C# i7 g$ [ server 192.168.1.100:8080;. v2 N" p$ U- Y' L( q
server 192.168.1.101:8080 backup;
' {8 o- D7 L8 @( `}, V( `3 c0 z ^% w3 v: Q+ P
0 o, W# _- R1 m5 K% F' @2 o# Zserver {( Y1 ~% k5 H/ a
listen 80;
' h5 ^) g% R7 a' l# ~6 t% aserver_name 52os.net www.52os.net;: U* Z3 c( K) `# g5 f* K
1 k/ ~7 I& t Z) S7 Vlocation / {
; f: s- I0 p8 z3 d ModSecurityEnabled on;
- O3 @ P' L9 p/ X! G' c+ R9 h' v& U ModSecurityConfig modsecurity.conf;
1 y% o* C/ z; Y' w5 I8 g1 E4 @! z
+ K R. X$ {1 C0 C: M proxy_pass http://online; W& \) y7 L$ Z$ g( j
proxy_redirect off;7 Z' H, E3 D! q d4 M* w
proxy_set_header Host $host;# R% o. s+ J: x9 ]/ s* N& q' }
proxy_set_header X-Real-IP $remote_addr;2 Y8 r" B9 z- v- d9 j
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
4 X0 t+ R2 r& {2 t; x* y5 [! o }0 E6 ]+ [9 q, [- Y: c Z) W/ O4 m& X
}
' r) h$ a7 p/ u. {9 K7 p六.测试
0 C2 _! ^8 ?2 l! Q8 W
9 r a( B: K: X我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:/ P0 m6 S) X6 z" \5 u
+ I+ Z. ]( x" u/ b
<?php
/ b/ Y: Z) ]7 y" e4 J9 x8 ~ phpinfo();
; P5 r' {/ c. j3 U( d- i" p$ Y?>( g8 S; c7 {6 f% D6 v
在浏览器中访问:4 J& \) Z. J7 r) U- L- P
1 ~& ~, U4 S0 y8 d! P D6 d4 Y4 k9 ^http://www.52os.net/phpinfo.php?id=1 正常显示。
' z! T" o# a2 S/ N- jhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
3 ?* o; Z+ I" P) e+ H' jhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。1 Y1 l# [: n" Q, v
说明sql注入和xss已经被过滤了, g' g! C, M; m
) \0 M& p& E# M& u2 Q7 h+ `$ G七、安装过程中排错
$ v- t+ w# ^5 B( h. D( N
0 |0 b2 W2 @$ W, J) O1.缺少APXS会报错3 P( ~4 [& U u0 G
4 z4 L" A0 t' g2 q: k1 Y' q. M- f7 uconfigure: looking for Apache module support via DSO through APXS
9 Q& M, S% c* i5 ~$ a$ U4 `9 _configure: error: couldn't find APXS
7 J* j" W# C) q- s1 |" kapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。% U* ^6 [! i/ B; A9 f/ L
解决方法:
0 U% Q' ?' C7 C0 _& M1 Z! \$ b. x+ C6 c! ^( |! |. A& O3 c4 K3 l
yum install httpd-devel
2 A8 N* \9 d* X7 [4 Q. K+ G2.没有pcre
3 q# D1 A0 g" n% x1 r# e. P: A
5 u1 I1 S z: t* `configure: *** pcre library not found.6 b3 G' v( \$ _9 t1 x/ e+ Q3 S
configure: error: pcre library is required
9 b6 f1 V: `3 [5 q$ ^解决方法:
2 |0 z& c" w9 `, z: y
5 g5 p4 O r5 k$ f$ m2 V% Pyum install pcre pcre-devel
* J d6 S& c( o3.没有libxml25 x: z3 n$ {( M$ h( { c% s
$ F$ ]% e0 A3 |5 |) i
" E; ?" l3 \: u, q" i+ w
configure: *** xml library not found.- e' S: G* J, J( Y
configure: error: libxml2 is required
' k8 i$ j! o* Y0 V9 {) P解决方法:
- n- x) K( e4 i0 W( c4 z' O4 \2 M: e& v7 ?+ y
yum install libxml2 libxml2-devel
0 E5 M, t: i/ Y: B4.执行 /opt/tengine/sbin/nginx -m 时有警告$ y) j0 U5 O- H- R9 Y" f
- q" V! X2 o- c
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
3 u! w$ j' U6 i$ D% L" X# fnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
$ _" j3 I5 ~9 V. Z/ }原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
0 e) \9 s! I8 u% ?, f, j/ }3 y% S$ p! ?6 R( o Q
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.9 a. W1 {1 \6 r) L: P; n2 Z, M
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
7 R) N" V* ?$ E' u. ]: M: \2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!9 f3 g6 W& D& _" E& p/ v
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
: X, F- w8 U: R [( a2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
4 S% i* L/ j4 Y" {4 V& W5 ~. O+ P2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
, D P" d; h) p- e; ~" u解决方法,移除低版本的APR (1.3.9)1 a" q; W( h& h4 p" R
$ @' o2 `, a# ?% N( q$ W' u
yum remove apr
) H( v% W- R' ]( Q: v5.Error.log中有: Audit log: Failed to lock global mutex; K$ E( K; D; w
. N1 `/ H N" P8 C: _4 B5 ^
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
/ _$ D0 [* p! \+ a4 t6 Aglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
. L* p3 {, @& }! X解决方法:
# X1 Z, R( Y* X6 B( A7 M1 K/ n( ^编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:& j, s* G6 j) B9 m: y/ v
; Q: x' b' }0 n# X: O
SecAuditLogDirMode 0777
5 J5 ?" `3 e" S& X; w cSecAuditLogFileMode 0550- @0 i$ y7 t9 w/ h% r9 [4 G
SecAuditLogStorageDir /var/log/modsecurity
7 \# h& L1 I0 j) \* j9 d7 o% Z4 ASecAuditLogType Concurrent, ^& e1 u F6 g# Z
参考文章:
2 o3 L( z+ s- jhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX$ Z# h( O% G; a0 S: D3 G; n
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡