|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。- L0 O3 C7 ~2 j! ]9 `
6 Q7 L$ E% L, p, u
一.准备工作
# T3 k& ^# [$ @3 ~5 j7 s) m4 G$ Z7 ]" v: P
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
8 C W. f7 v O2 |4 d# W0 t* z7 o+ R# w/ \! V6 A6 _( ~2 h
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
& P2 y/ {( P2 ~6 h
/ p, R0 q4 J+ H! o8 amodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
N) [- E. R( y/ `5 @+ N l
" B1 w! Q9 [4 y# i2 } F! b sOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs" C; `9 s; Z4 g* C
4 n* z z" h) [
依赖关系:
8 G/ |4 o0 X3 Rtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
( }# |" g& o' {3 t. J J* Q4 |, E8 A
% W J0 M9 k' M5 T. b- u% j# Eyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel4 \: W" g% ?" N- H9 W
modsecurty依赖的包:pcre httpd-devel libxml2 apr0 a s/ A" D- O( {. O
/ x( q F2 U" T
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel* Q# Y0 h, S( W' O6 O! v, E8 G
二.启用standalone模块并编译& s' V1 W& r, O4 f0 f: z* z* E! w# g! U
; y, U X+ j, |# A下载modsecurity for nginx 解压,进入解压后目录执行:1 G" u3 b& I+ N1 S V! z
0 D- e' Q' E) E
./autogen.sh( q/ p2 A5 \1 p+ P& b3 M* }
./configure --enable-standalone-module --disable-mlogc
0 l! @! A) r6 g5 ?make
5 s' b. f2 G( { o$ ?+ \三.nginx添加modsecurity模块
1 m3 S8 T8 H0 e; B7 k; N! B1 J! {
% t& o6 D1 e8 E3 F7 {" V d在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
0 y7 k3 i5 a" @, l5 {2 V4 j. U4 e+ f0 D
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine5 v* g! a) K! _# T
make && make install8 {; r) \- W @$ l# ^/ d
四.添加规则
# |' J2 |. M) z' q
7 d7 L2 i8 f1 Y3 f M8 I3 Mmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
/ A% x s6 P" H# D- T. G3 I3 t. J5 e0 T* a
1.下载OWASP规则:
! H5 A! L! g. {1 m4 n" x
: }6 _- u9 o' o0 s. U/ Kgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs1 Y6 X: C) n" u3 ]9 v
/ Y9 Q) S" u9 m9 O/ d. P: G. J6 z
mv owasp-modsecurity-crs /opt/tengine/conf/3 P" J& i( Y/ x. x( O- b7 C# T
5 F# F& v5 ]$ _) ^3 y/ Jcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf( T/ s/ Y& V6 X4 y9 v' D
2.启用OWASP规则:4 q, @" k# B' c
; o/ E- T7 ?. w$ d5 v' K0 T复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。2 t" N# { s' P: Z
5 J7 i2 Y7 V$ z# A5 }2 t9 b
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
, F2 |& ~6 g2 p9 D9 W& d$ D0 w) N( o5 U2 b9 d* h. B
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
3 T5 N6 I% q& T% V" x. O- W6 n7 |) ^
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
" Q- U& f( j! `$ s1 M- mInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
0 X+ R* S2 J3 H% |$ w$ D KInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf6 U2 }4 R- i9 ]5 h/ Y8 C/ g
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf- J" }* {& N- o
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf0 ?9 R! J- h! Y# h, B) K: @: \) F
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf# g0 C+ v n6 t4 V1 U
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5 n2 f. s' m. k' Q! e4 M5 a五.配置nginx! {5 i- t; E0 ?( n) F; \. V. p
6 {( z3 A9 ?! r1 ^4 S) ^& ]
在需要启用modsecurity的主机的location下面加入下面两行即可:# M* x6 g( ] u7 Z |# c& L8 {$ H+ L1 p
2 i" n3 D& a: B, X% u+ Q
ModSecurityEnabled on; 6 L% i7 C( h( l K
ModSecurityConfig modsecurity.conf;
# V, u4 C1 W, |7 f! `下面是两个示例配置,php虚拟主机:: K' O0 i$ V5 U# N
- q/ P( ^0 [5 g7 _6 D' |* t
server {
& w; g) } u* `2 o# I( g+ } listen 80;% \# d; u2 i: \* X z0 T, R
server_name 52os.net www.52os.net;
2 \4 O- H, @% u" j/ S$ b8 [+ P 3 D- J6 Y! V5 B3 p5 |2 F
location ~ \.php$ {
( m% o" U5 R5 M ModSecurityEnabled on;
% u8 t* }9 L+ X0 d! }7 o; k1 E ModSecurityConfig modsecurity.conf;
& O0 s1 R4 F& _ C" \9 T, ]8 X5 P
9 W( c# L, Y0 U: F4 r' } root /web/wordpress;6 ^2 w2 w2 u# f( I5 N
index index.php index.html index.htm;
+ r. g; s- X3 N3 L4 Y
9 O( j7 ~. Q$ R4 j) W1 g. r6 F% i0 I- J fastcgi_pass 127.0.0.1:9000;
4 _4 {/ E+ Z/ U$ C+ H fastcgi_index index.php;
" Y$ \/ o" h! N: y' X8 c fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
% R! x, x3 T& l* @% w include fastcgi_params;
$ ?; }! b1 d2 L7 m- G; @ }
9 N$ s' F# h0 K' _ }7 q* f2 p% M& x/ ]* @: g: p
upstream负载均衡:
- M: j% z- r# ?9 M+ e1 ~; v% W0 T3 u& W& x" v' p& P- r0 ?5 }
upstream 52os.net {
6 c1 X" x2 C ]. G9 g! d) Z server 192.168.1.100:8080;) V9 ]6 J* T) r
server 192.168.1.101:8080 backup;& [9 @7 e6 A7 }; p8 [1 _! g4 P
}
5 _* R& M0 v+ \; @$ w; ?: k4 U5 K G, o& A5 X) \
server {1 c; u o* i) h! X1 l6 M
listen 80;/ d3 S* I) i5 @) X5 Y
server_name 52os.net www.52os.net;
) w2 z) V) S# J9 a5 t4 w
9 u! O' l2 i/ H- j, U( j6 X" G: m$ ulocation / {
, ~- p+ n% h' p4 W7 _$ B) t ModSecurityEnabled on; 3 V( U$ I4 P: \9 k0 F
ModSecurityConfig modsecurity.conf;
) s0 ~7 C4 Q, n& X5 `
]8 v7 Y- C/ p) [ proxy_pass http://online;
$ D* a- {8 q* B# A, s- P- w* Z' H proxy_redirect off;, p" \0 e ~5 g) U5 ]8 F
proxy_set_header Host $host;8 }& @2 s* {2 T; R4 j
proxy_set_header X-Real-IP $remote_addr;
$ A1 l' T/ `, ^" h$ X proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;$ R# A# U7 a0 o, n: V& s
}
5 q T9 A2 ]) B V; B5 [- w}& M' e( O; ] m$ |/ m( ?
六.测试
- p" H8 c4 ~% ~: h( V* H+ X" Z# a3 X# v& _( `% [9 Y
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
8 t. u, T. H9 T0 i! z
4 w5 H" X: v7 W1 V<?php
, O- @; T& R4 p4 n2 c phpinfo();
( w- S1 H% D. q?>! K3 N) c5 S4 y; c
在浏览器中访问:
7 P1 y+ g9 O3 F7 _4 o3 }" n5 Z) s$ I
http://www.52os.net/phpinfo.php?id=1 正常显示。( h t# z/ W( q, B
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。6 c* B2 J2 a6 L
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。0 [7 z0 W! A0 \$ j4 m& y
说明sql注入和xss已经被过滤了4 `/ n' ~! a4 r8 T% b" ]
9 h" q1 c# k* E
七、安装过程中排错0 Q6 v/ u8 [8 q& H, ]% \, P& T& l
7 M! o+ T/ G! z, y7 a# }/ s1.缺少APXS会报错8 D1 q5 v8 n+ o4 M
5 O2 X9 E! J/ U6 X/ r% ]) T8 ]configure: looking for Apache module support via DSO through APXS
' O1 ~" I3 {; F! a% R+ }configure: error: couldn't find APXS0 _: t) P I- h& ^7 R. |
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。4 S4 ^+ N2 s+ H- q/ @% \
解决方法:
# E3 [( V% e# O$ o. J: {, ~, H' N
7 t2 D4 t+ c6 k+ b a2 X& Oyum install httpd-devel9 |- v; u. \) V' h! ]
2.没有pcre
) p2 P! P8 ]4 k. ^& O7 ^& V, s h8 h! s8 w7 ^ L* ` T. E
configure: *** pcre library not found.
7 [; k2 `+ H2 L) tconfigure: error: pcre library is required
% P& j8 Y/ M% f% q解决方法:% X" S+ ? T& t1 P3 I, h M5 y% [
0 v$ N) U( P, q2 q6 E; H$ P2 \
yum install pcre pcre-devel2 z$ V1 _' P( r' ?% j
3.没有libxml2( ]# u/ H2 T! D% L2 p* @! j
* }3 q) c: |: o/ {% U% H
* [# u: O+ s; O, X* I
configure: *** xml library not found.
p0 S4 I( w* r4 M ^; yconfigure: error: libxml2 is required
/ a/ F7 p2 p4 r p. q ?6 `2 M解决方法:
5 b/ T6 L' X* ]. y* T5 `1 P. K' d _1 v! p
yum install libxml2 libxml2-devel
S/ b0 {, @* U* y, a/ }' h4.执行 /opt/tengine/sbin/nginx -m 时有警告
2 e, _8 @( _# Z& i( u, [$ S: S# V. V$ P% u# u+ y
Tengine version: Tengine/2.1.0 (nginx/1.6.2). g, \! {$ T: N' b8 J
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
# a# |) l0 v: n# j" p原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
$ `5 C8 `1 S0 i1 r6 ~+ h6 L4 A- x. q8 r6 j
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.* M# o( s: p& S/ n: H
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
, R& E- {( e% N2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!: Q: \ ~( F) y$ j' v# |* I/ J X" |& e% P
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"9 O4 R, R) |/ _' g: x, e: ?
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6", \# a0 t: H5 i% f
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
! A$ i& a8 b5 Y8 G解决方法,移除低版本的APR (1.3.9). K0 u5 D5 E: U6 z, y- Q5 \
& @) P3 D, v! T/ u" t' X" z
yum remove apr
$ @- T' x) H. M5.Error.log中有: Audit log: Failed to lock global mutex
, R9 Q f, i& q" p1 K: b1 t' D5 v8 y. R8 ~3 q1 J+ d: L
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
9 I4 m4 T: ]3 K$ v" E3 @global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
& p. I& H, K5 g+ H解决方法:
i4 G0 {. `. Y% J# _3 n编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
! Q" u* {, k8 S
- ]: H" [/ M* V, n: }SecAuditLogDirMode 0777# f+ s, s) d, x* V) \* [2 A7 q
SecAuditLogFileMode 0550
" X, I% B5 f( f3 Q) wSecAuditLogStorageDir /var/log/modsecurity
. Y# Z+ G, l4 I2 p/ ?SecAuditLogType Concurrent9 C n8 @0 l4 s4 j* v
参考文章:
9 y& w% U \' ohttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX4 \8 E7 w& o6 S2 ?4 i
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡