ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS, and combined with nginx's flexibility and efficiency it can be built into a production-grade WAF: a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build it

Download ModSecurity for nginx, extract it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at build time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write your own rules to cover any other requirement.

4.1 Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

4.2 Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs and never blocks).

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need; a rule file is enabled by Include-ing it from modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

In the location block of each host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    # root and index belong at server level so that static files are served as well
    root /web/wordpress;
    index index.php index.html index.htm;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $Document_root is an unknown variable
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We enabled the XSS and SQL injection rules, so malformed requests are answered with a 403 directly. Taking the PHP environment as the example, create a phpinfo.php with the content:

<?php
phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
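To make the three browser checks above repeatable (for example after every rule change, so that a rule update that starts blocking ordinary traffic is caught immediately), here is a small Python smoke test. It is an added example, not code from the original post: it reuses the post's hostname and phpinfo.php path as the default target, adds the benign id=1 request as a false-positive check, and takes the fetch function as a parameter so the logic can be exercised against a fake transport.

```python
"""Smoke test for the ModSecurity/CRS setup described above.

Added example, not from the original post. It assumes the vhost from the
post (hostname and phpinfo.php path are taken from it) and that the WAF
answers a blocked request with 403; the `fetch` argument is injectable so
the comparison logic can be run without a live server.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed test cases: (query parameters, expected HTTP status).
# The two blocked cases are the ones the post uses; the benign first case
# checks that ordinary traffic is NOT blocked (false-positive check).
CASES = [
    ({"id": "1"}, 200),
    ({"id": "1 and 1=1"}, 403),
    ({"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base_url: str, params: dict) -> str:
    """Build the request URL; parameters are URL-encoded so the raw request is valid HTTP."""
    return base_url + "?" + urllib.parse.urlencode(params)


def http_status(url: str, timeout: float = 5.0) -> int:
    """Return the HTTP status of a GET; 4xx/5xx are results, not exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_smoke_test(base_url: str, fetch=http_status) -> list:
    """Run every case and return (url, expected, actual, passed) tuples."""
    results = []
    for params, expected in CASES:
        url = build_url(base_url, params)
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


def all_passed(results) -> bool:
    """True only if every case got the status it expected."""
    return all(passed for _, _, _, passed in results)


if __name__ == "__main__":
    # Default target is the vhost from the post; pass another URL as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net/phpinfo.php"
    res = run_smoke_test(target)
    for url, expected, actual, passed in res:
        print("PASS" if passed else "FAIL", expected, actual, url)
    sys.exit(0 if all_passed(res) else 1)
```

Run it as `python3 waf_smoke.py http://your-host/phpinfo.php`; a non-zero exit means either a bypass (a payload case got 200) or a false positive (the benign case got 403), which makes it usable as a post-deploy check.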
7. Troubleshooting the installation

7.1 Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server: it compiles one or more source or object files into a dynamic shared object. The ModSecurity configure script looks for it.

Solution:

yum install httpd-devel

7.2 pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

7.3 libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

7.4 A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log records the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr

7.5 error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following (Concurrent audit logging writes one file per transaction and so does not need the global mutex that the Serial format locks):

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
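Problems 7.4 and 7.5 both surface only in error.log, so a parser for nginx's ModSecurity log lines is handy when checking a deployment. The following Python is an added example, not part of the original post: it splits the nginx error-log line format, extracts the [client ...] and quoted [key "value"] fields that ModSecurity appends, compares compiled and loaded library versions (on the leading version number only, since the PCRE line above reports "7.8 " against "7.8 2008-09-05" and is not a mismatch), and lists audit-log failures. The embedded sample log is constructed from the lines quoted above.

```python
"""Parse ModSecurity entries from nginx error.log.

Added example, not from the original post. Assumes the standard nginx
error-log line format and the ModSecurity message formats shown in the
log excerpts above; the sample below is built from those excerpts.
"""
import re
import sys

# Constructed from the error.log lines quoted in sections 7.4 and 7.5.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# nginx error-log prefix: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#(?P<tid>\d+): (?P<msg>.*)$'
)
# "ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9""; the
# loaded part is optional (the LIBXML line has none).
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)
# Quoted key/value fields appended by ModSecurity: [uri "/i.php"], [hostname ""]
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')
# The client field is not quoted: [client 10.11.15.161]
CLIENT_RE = re.compile(r'\[client (?P<client>[^\]]+)\]')


def parse_line(line):
    """Split one error.log line into its prefix and ModSecurity fields; None if not an nginx line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    c = CLIENT_RE.search(rec["msg"])
    rec["client"] = c.group("client") if c else None
    rec["fields"] = {key: val for key, val in FIELD_RE.findall(rec["msg"])}
    return rec


def version_number(text):
    """Leading version token only: '7.8 2008-09-05' and '7.8 ' both mean 7.8."""
    stripped = text.strip()
    return stripped.split()[0] if stripped else ""


def library_versions(lines):
    """Map library name -> (compiled, loaded); loaded is None when not reported."""
    out = {}
    for line in lines:
        m = VERSION_RE.search(line)
        if m:
            out[m.group("lib")] = (m.group("compiled"), m.group("loaded"))
    return out


def mismatched_libraries(lines):
    """Libraries whose loaded version differs from the compiled one (cause of warning 7.4)."""
    return sorted(
        lib for lib, (compiled, loaded) in library_versions(lines).items()
        if loaded is not None and version_number(compiled) != version_number(loaded)
    )


def audit_log_failures(lines):
    """Error-level records about the audit log (problem 7.5), with client/uri/unique_id parsed."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["level"] == "error" and "Audit log:" in rec["msg"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    # Read a real error.log if a path is given, otherwise use the sample.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print("library mismatches:", mismatched_libraries(lines))
    for rec in audit_log_failures(lines):
        print(rec["ts"], rec["client"], rec["fields"].get("uri"), rec["fields"].get("unique_id"))
```

Point it at /opt/tengine/logs/error.log after a restart: a non-empty mismatch list means the APR/PCRE/libxml2 package changed underneath the binary and nginx should be rebuilt or the package reverted, and any audit-log failure means transactions are not being recorded even though blocking still works.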
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614