|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
) y8 E) g6 W1 a; |' H* q
: T3 k8 R, i w& k+ P一.准备工作
/ E1 i& C0 V" S0 n
: |$ r9 K* g$ a$ r系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
. Q1 B- ?, L6 [/ w, [6 e! F! X& [6 y8 L- X4 Q
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz1 {1 r8 T! y: V/ p) Q. I* F) q
6 D1 K7 Y9 y7 j$ E2 K' c
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
: }! I7 n, ^) c7 w% y2 q. S+ x6 D
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
, y# ]/ W( x0 Y( Y% E: D1 ~9 Y3 F8 K3 m6 u6 Z
& y/ f3 J1 z9 H$ k依赖关系:! q8 S; I( i/ z) V0 Q# _
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:& a% J; w* ]' m4 f% r
3 e0 x1 X( I' Z! D1 }* R6 Xyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
6 q( ?5 H4 \$ u% `modsecurty依赖的包:pcre httpd-devel libxml2 apr2 ?# Q/ G+ N- q. ?" k* p) ?) q8 K
" N' E2 t7 c5 k/ t2 \! Gyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
9 [- _8 w4 H; m8 n/ }, d二.启用standalone模块并编译" }, P% u$ L0 a' P% m
* _8 I7 C6 T" a. }% g/ E7 q
下载modsecurity for nginx 解压,进入解压后目录执行:
+ @2 x0 Y( C+ ~- Z
& ~. M' N8 O; ^3 W- _./autogen.sh' V4 V, e- F" W
./configure --enable-standalone-module --disable-mlogc4 m6 E; u8 I5 [# p5 Q
make 7 Y, t8 L+ U( M6 ]( D$ J) F
三.nginx添加modsecurity模块. ^8 B8 n3 H3 E3 d* l
: _/ D2 ~4 A5 h/ Z* X% b在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:& x' S2 g$ ?* g2 I1 \% C8 b7 a. c7 a
+ M- N, X) b. ]+ P" J; A
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine) ]& y- |. M0 Y1 g# D& z, A# e5 n4 k
make && make install5 v: v8 D0 @8 [3 L, ]
四.添加规则1 d U# v$ h2 Z2 S4 `( d' R
! }/ ?: C% {/ G+ |9 v: q
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。- O0 Z n% X9 N+ t( x5 A' e* H1 q
/ a7 @; l# e$ {7 J2 e1.下载OWASP规则:! j7 ?" H: p4 W( z8 H$ p
" }5 |% e7 O- c' Ygit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
) s7 ` Z- F3 q' L) ]- X5 E8 g9 |- F, K' P1 c; B- L; Z {
mv owasp-modsecurity-crs /opt/tengine/conf/
5 G( o2 W6 M6 v3 C! e4 X6 [5 Z3 T! l2 L4 ?, P
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf. I6 h( I5 o* [# b! d) q% O i
2.启用OWASP规则:
3 I3 b ~5 v! x: L, d* ^# @: A' N. T2 j. m2 X. A" C: V2 x6 ]4 }. Y
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。) G! v% Q; k. j5 A5 d5 d
1 c$ E: O; Y% a9 o5 C6 n( w" y
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on3 r5 o7 E& @4 [# c7 X% C l0 B
: ] C6 p" T1 C- k6 H" qowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
+ \' l: ]* B# j% a% {! r8 H6 F, G' a5 ], U8 G
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf6 P3 S6 @ U2 s* d
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
$ j/ q* w7 {4 b6 QInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
) j) v. R& u5 m3 ?) a! ^- f) KInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf9 G+ C# p% j' z' y' O W* F
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf/ G5 I2 \9 G R* H8 ?6 V
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
$ ~) i" x# o2 v4 f rInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
. W/ F$ B9 ]$ o+ n' F; E8 S |9 b五.配置nginx
, E% @! P3 U F6 ?& b; ^( T" J
, L7 \- r; O S% v/ \: `( j在需要启用modsecurity的主机的location下面加入下面两行即可:" z" t0 s* x7 M2 Z. G- k
. C0 e$ G3 }. s0 |, o
ModSecurityEnabled on;
8 F$ H2 K! F# Z$ h- n$ `: hModSecurityConfig modsecurity.conf;
+ |1 E2 Y, j8 P8 h下面是两个示例配置,php虚拟主机:
. ~; m: B/ N% b+ e6 ^ S; l6 H# i' K. M
server {
+ {0 d3 Z6 W' d- r. H listen 80;
, A$ I" b5 Z0 G7 }2 S, G server_name 52os.net www.52os.net;
9 k2 Q& A- P' N# h7 V+ f1 m/ t
5 z* J0 u6 M4 [3 l3 x" ^ location ~ \.php$ {/ h) ~" }8 M' U# l
ModSecurityEnabled on;
* g( _3 W# Z3 d! J- m ModSecurityConfig modsecurity.conf;' q7 A3 T/ T3 O( B! }6 f; M' R
$ ], X( @. G! q6 D9 a' s& C+ [
root /web/wordpress;7 q: V4 ^ p- p$ z' G6 n
index index.php index.html index.htm;
7 h) X6 Z5 ~4 W1 j' ~ o, K% Y# a/ G* }- ?& B; m
fastcgi_pass 127.0.0.1:9000;9 q/ @# {7 L, [! W6 q
fastcgi_index index.php;
7 @' `; w0 a1 r/ y: C fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;' Q' K! E$ B' r, H' V% j" B
include fastcgi_params;
* V- g! I4 ^5 P }
0 ?( G- i9 o$ c }5 m0 o1 y( Z& @, D! {' O9 j
upstream负载均衡:
) s2 v8 w! W' D1 u8 K* E! F
% a: Q0 p2 U0 F' Z5 [upstream 52os.net {8 O& j8 q% V% e6 J
server 192.168.1.100:8080;
, H& Y) [! @: k' P. `7 q3 y server 192.168.1.101:8080 backup;
+ b" c$ C2 t0 J$ S5 C}: j- T# I2 t3 j" ~) v S# M# Y
2 o4 {) h* E( a& j, P! C
server {- y1 I1 L/ N7 ?
listen 80;2 q& C8 F7 Q3 X1 ]
server_name 52os.net www.52os.net;/ D: x) y0 {3 o2 t& a( w
! N5 R8 \5 G5 u' ~( `7 Flocation / {
: y5 w7 l/ M2 r, y3 e% ?7 b9 V ModSecurityEnabled on; ' x+ _0 X, u6 }8 \+ ]
ModSecurityConfig modsecurity.conf; ( T! B& U1 N, o
V( `' L3 ?( g( E* y/ t n proxy_pass http://online;. w2 b3 x+ e: X) @1 ?1 I
proxy_redirect off;
0 Y$ U% M6 W6 O8 v proxy_set_header Host $host;) X# P- d; D G+ J, \
proxy_set_header X-Real-IP $remote_addr;
/ p( \$ c, V3 Y proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;, L. s4 f& \: B$ r. E. V
}
3 j; ]2 ~0 W* T( }4 t}
- H+ o. _5 x v- P m六.测试6 ?3 G3 i4 D! s. R: O: E; ?
+ ^ b$ c( F, ]我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:0 g' l' G( R& x% R' R
/ Y. g; T( i& q4 V# i. k% Z
<?php
: F( D$ u8 l/ C phpinfo(); 6 ?) x% O. k4 _7 u2 t
?>
; w5 Z$ E9 }" Z( Q0 @6 A在浏览器中访问:1 i7 s) L: w- ~+ w' m2 y6 I9 Q
9 t* F: H6 {# V- x t( {
http://www.52os.net/phpinfo.php?id=1 正常显示。1 m8 N, N9 A3 s) T
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。, P1 u& `# p1 e, V2 M& t6 K5 V# x( P
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。) e3 r3 f. J* `* o: \
说明sql注入和xss已经被过滤了
4 f0 G7 K; z" T- p9 l$ l8 o/ L. U! w) y
七、安装过程中排错
" q# h5 C1 J" M8 _7 }# `
" }. G4 |; z/ I& F; v" \9 o z1.缺少APXS会报错 }! Q, l6 y3 L
. `) Z$ u' J9 k! f4 F
configure: looking for Apache module support via DSO through APXS
+ N7 A+ k2 E: Cconfigure: error: couldn't find APXS1 X' }" \7 C# |, s. G. b% |
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。" b8 f' d- B* Q
解决方法:% v1 H2 w6 D* J2 p$ \" F& E8 M3 \
( y. S* j9 L2 x7 p, e3 r
yum install httpd-devel8 x/ m/ R4 a# h. a
2.没有pcre* j' O. d4 ~6 ~8 K0 F6 u0 a
1 `! e, T- h2 [* J
configure: *** pcre library not found.
4 {# B5 u: }9 U9 ?/ {) ~configure: error: pcre library is required1 H* T% g. g f: ?& L9 H1 t
解决方法:+ i3 U: c( E6 y5 j
( g1 _% \" P; o+ J9 ^# T6 }
yum install pcre pcre-devel
$ `: L. d ]3 o1 O3.没有libxml2) R7 H; \/ E9 k6 C+ [
+ D8 H! A" V. E* H% Q' Z% ?; M9 R, p# k' e6 I5 c8 e, w& z2 j
configure: *** xml library not found.
% n; F& _2 E5 }7 r$ N$ }! wconfigure: error: libxml2 is required' B4 o0 g( s% C7 T3 I& f
解决方法:
$ o( d2 F# H6 b5 r" J1 R3 i* M( e) a0 _ W! }7 L
yum install libxml2 libxml2-devel
9 E/ m) ~- S( N* I0 v) }6 ]5 ^ {4.执行 /opt/tengine/sbin/nginx -m 时有警告* U! A5 n" E6 n. T- c6 w
# T: L0 i5 S7 c( Z' }# K% X& t
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
! N8 i6 D2 X ~5 B1 a8 Nnginx: [warn] ModSecurity: Loaded APR do not match with compiled!/ p" ^- G, k* y6 M; h3 ~
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
) {; N2 z" m# o1 ], N
0 u$ R/ g1 ?7 a5 _* B9 ^' x2 y2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured./ j2 e# k Y8 p" ]. H4 ^4 N
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"; a3 y+ N2 r9 X" p
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
1 h4 m7 u* L8 F' K7 d2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"7 i, ]! [' m' O+ Q
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
6 J& V$ ^8 p) s6 ?2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On., e# O8 b$ i) g, d1 w/ K* p! J
解决方法,移除低版本的APR (1.3.9)) x9 L( t3 f: k
: C' ]5 r# o7 d4 A' yyum remove apr
, N* g* @/ v) n5.Error.log中有: Audit log: Failed to lock global mutex* r* V( g- F1 f# ]+ K, h' E
- p0 Q: u! p& d2 T( [, i2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock , B: u$ P" c6 e2 i) d) T
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
/ K/ Y: ?6 R% B1 h! s$ ^: X解决方法:
, b* m' E) N9 a- O* o6 K. ~编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
6 K0 ^- g- M8 ^ z8 v' w/ y2 J- u; P# N! s6 m- K3 v5 y! C
SecAuditLogDirMode 0777# m& p# R; ?1 V) `' e7 r9 ~$ R1 \) A2 j
SecAuditLogFileMode 0550
6 P r* Q% ]% E. O8 d5 p4 KSecAuditLogStorageDir /var/log/modsecurity% a9 K5 t3 g6 W7 m# q
SecAuditLogType Concurrent6 G8 O" z- G8 N: R2 _
参考文章:+ {1 b" O" T6 m+ z G' b W; Y
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
0 N% a5 l2 @# thttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡