ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS; combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for Nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module can be added with "--add-module" when nginx is compiled:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity's job is to filter and block web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

Under owasp-modsecurity-crs there are several directories holding rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules in them as needed; a rule file is enabled simply by pulling it in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of every host where ModSecurity should be enabled, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a new phpinfo.php with the content:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
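The three browser checks above are worth keeping as a script, so that after every rule change you can confirm in one run that the benign request still passes and the two malicious ones are still blocked (a false positive or a false negative both show up as FAIL). This is an added example, not part of the original post: it uses curl, takes the host name from the post (override it with BASE=http://your-host), and URL-encodes the test strings so curl sends exactly what the browser would.

```shell
#!/bin/sh
# Added example (not from the original post): repeatable version of the three
# browser checks in the Testing section. A benign request must get 200 and the
# two malicious ones must get 403; anything else is a failure, including 000,
# which curl reports when the host cannot be reached.
# Host name from the post; run with  BASE=http://your-host sh waf_smoke.sh run
BASE="${BASE:-http://www.52os.net}"

# http_status URL -> prints the HTTP status code, or 000 if no response
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1"
}

# check LABEL EXPECTED URL -> prints a PASS/FAIL line; returns 0 only on a match
check() {
    label=$1; expected=$2; url=$3
    got=$(http_status "$url")
    if [ "$got" = "$expected" ]; then
        printf 'PASS %-6s %s -> %s\n' "$label" "$url" "$got"
        return 0
    fi
    printf 'FAIL %-6s %s -> got %s, expected %s\n' "$label" "$url" "$got" "$expected"
    return 1
}

# run_smoke -> runs all three checks and returns the number of failures,
# so exit status 0 means the WAF behaves as the post describes.
run_smoke() {
    fails=0
    check benign 200 "$BASE/phpinfo.php?id=1" || fails=$((fails + 1))
    check sqli   403 "$BASE/phpinfo.php?id=1%20and%201=1" || fails=$((fails + 1))
    check xss    403 "$BASE/phpinfo.php?search=%3Cscript%3Ealert('xss')%3B%3C/script%3E" || fails=$((fails + 1))
    return $fails
}

# Stand-alone use:  sh waf_smoke.sh run
if [ "${1:-}" = "run" ]; then
    run_smoke
fi
```

Because the HTTP call is isolated in http_status, the same script can be pointed at a staging host or wired into a cron job, and a non-zero exit status is all a monitoring system needs to raise an alert when a rule change silently stops blocking one of the payloads.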
VII. Troubleshooting during installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel
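The three configure failures above, and the dependency list in section I, all come down to a -devel package whose helper binary is not on PATH, so it is cheaper to check for those binaries before running ./configure than to fix one error at a time. The following pre-flight script is an added example, not part of the original post; it assumes the tool-to-package mapping of this post's yum lines (apxs from httpd-devel, pcre-config from pcre-devel, xml2-config from libxml2-devel, apr-1-config from apr-devel) and prints the single yum install command that supplies whatever is missing.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the build
# tools whose absence produces the three "configure: error" messages above.
# Tool -> package mapping follows the yum lines in this post:
#   apxs         -> httpd-devel    ("couldn't find APXS")
#   pcre-config  -> pcre-devel     ("pcre library is required")
#   xml2-config  -> libxml2-devel  ("libxml2 is required")
#   apr-1-config -> apr-devel      (needed by the standalone module build)

# missing_packages "tool:package" ... -> prints the package for every tool
# that is not on PATH, one per line; prints nothing when all are present.
missing_packages() {
    for pair in "$@"; do
        tool=${pair%%:*}
        pkg=${pair#*:}
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "$pkg"
        fi
    done
}

# preflight -> prints either an "ok" line or the yum command to run.
# Exit status 0 when every tool is present, 1 when something is missing.
preflight() {
    missing=$(missing_packages apxs:httpd-devel pcre-config:pcre-devel \
                               xml2-config:libxml2-devel apr-1-config:apr-devel)
    if [ -z "$missing" ]; then
        echo "ok: all build dependencies present"
        return 0
    fi
    # unquoted expansion joins the one-per-line list into a single command line
    echo "missing build dependencies, run: yum install" $missing
    return 1
}

# Stand-alone use:  sh preflight.sh run   (run it before ./autogen.sh)
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

Run it before ./autogen.sh in the ModSecurity source directory; a non-zero exit status stops an automated build early with the exact package names instead of the configure error.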
4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time, and error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614