ModSecurity started life as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx, it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to the nginx build with "--add-module" when configuring nginx:

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install

IV. Add rules

ModSecurity is about filtering and blocking web attacks, and its strength comes from its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for whatever else you need.

1. Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; a rule file is enabled simply by pulling it in with Include:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

In the location block of each host that should be protected by ModSecurity, add these two lines:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # nginx variable names are case-sensitive: $document_root, not $Document_root
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

An upstream load-balancing setup:

    upstream 52os.net {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            # must name the upstream block defined above
            proxy_pass http://52os.net;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

VI. Testing

With the XSS and SQL injection filters enabled, malformed requests get a 403 straight away. Using the PHP setup as the example, create a phpinfo.php containing:

    <?php
    phpinfo();
    ?>

Then open these URLs in a browser:

    http://www.52os.net/phpinfo.php?id=1 displays normally.
    http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
    http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

So the SQL injection and XSS attempts are being filtered.

VII. Troubleshooting the installation

1. Missing APXS

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

    yum install httpd-devel

2. pcre missing

    configure: *** pcre library not found.
    configure: error: pcre library is required

Fix:

    yum install pcre pcre-devel

3. libxml2 missing

    configure: *** xml library not found.
    configure: error: libxml2 is required

Fix:

    yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

    yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent

Note that 0777 makes the audit log directories world-writable; if /var/log/modsecurity is owned by the user the nginx workers run as, a tighter directory mode works just as well.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614