ModSecurity started out as an open-source WAF for Apache and is an effective way to harden web applications; it now also supports Nginx and IIS. Combined with Nginx's flexibility and efficiency it can be turned into a production-grade WAF, a powerful tool for protecting and auditing web security.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for Nginx, extract it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build has finished, the module is passed to nginx's configure with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its power comes from its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course also write custom rules for whatever you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by pulling each rule file in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
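A pre-flight check for the modsecurity.conf assembled above, added here as an example; it is not part of the post or of ModSecurity. It assumes the post's layout (relative Include paths resolved against the nginx conf directory, no whitespace in paths) and flags two things that silently leave the WAF toothless: a SecRuleEngine other than On (modsecurity.conf-recommended ships with DetectionOnly, which logs but never returns 403) and an Include that matches no readable file.

```shell
#!/bin/sh
# check_modsec_conf CONFDIR CONF: sanity-check a ModSecurity config before nginx loads it.
# Constructed helper, not from the post or ModSecurity. Returns 0 when SecRuleEngine is On
# and every Include resolves to at least one readable file; otherwise it prints the problems
# and returns 1. Relative Include paths are resolved against CONFDIR, matching the post's
# layout (assumed), and Include globs such as base_rules/*.conf are honoured.
check_modsec_conf() {
    confdir=$1
    conf=$2
    problems=0

    # The last SecRuleEngine directive wins; ModSecurity matches the value case-insensitively.
    # modsecurity.conf-recommended ships with DetectionOnly, which logs but never returns 403.
    engine=$(sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' \
                 "$confdir/$conf" | tail -n 1 | tr '[:upper:]' '[:lower:]')
    if [ "$engine" != "on" ]; then
        echo "WARN: SecRuleEngine is '${engine:-unset}' in $conf; requests are logged, not blocked"
        problems=$((problems + 1))
    fi

    # Collect Include targets into a temp file; reading the loop from a file (not a pipe)
    # keeps it in the current shell so the problems counter survives.
    includes=$(mktemp)
    sed -n 's/^[[:space:]]*Include[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$confdir/$conf" > "$includes"
    while read -r inc; do
        case $inc in
            /*) target=$inc ;;
            *)  target=$confdir/$inc ;;
        esac
        found=0
        for f in $target; do        # unquoted on purpose so a glob in the Include expands
            [ -r "$f" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "ERROR: Include '$inc' matches no readable file under $confdir"
            problems=$((problems + 1))
        fi
    done < "$includes"
    rm -f "$includes"

    [ "$problems" -eq 0 ]
}

# Command-line use after editing the file: sh check_modsec_conf.sh /opt/tengine/conf modsecurity.conf
if [ $# -eq 2 ]; then
    check_modsec_conf "$1" "$2"
fi
```

Run it before `nginx -t`, which only validates nginx syntax and does not read the ModSecurity includes.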
V. Configure nginx

Add the following two lines to the location block of every host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, a load-balancing host using an upstream group:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so malformed requests are answered directly with 403. Taking the PHP environment as an example, create phpinfo.php with the content:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
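A repeatable version of the three browser checks above, added as an example and not taken from the post: it asks curl for the status code of each request and fails if the benign request is not answered 200 or either probe is not blocked with 403. The host www.52os.net and phpinfo.php are the post's own; the probe strings are percent-encoded as a browser would send them, and WAF_FETCH can name another function so the logic runs without a live server.

```shell
#!/bin/sh
# WAF smoke test for the three browser checks in the post. Constructed helper, not from
# the post. Assumes the post's host (override with WAF_TARGET) and that phpinfo.php is
# served there; the probe strings are percent-encoded as a browser would send them.
WAF_TARGET="${WAF_TARGET:-http://www.52os.net}"

# Real fetcher: ask curl for the HTTP status code only ("000" if the connection fails).
# -g stops curl from treating {} and [] in the URL as globbing characters.
curl_status() {
    curl -s -g -o /dev/null -w '%{http_code}' "$1"
}

# fetch_status URL: indirection so WAF_FETCH=<function> can stand in for curl offline.
fetch_status() {
    "${WAF_FETCH:-curl_status}" "$1"
}

# run_waf_smoke_test: returns 0 only if every case gets the expected status.
# 200 on a probe usually means SecRuleEngine is still DetectionOnly or the rule file
# was not Included; 403 on the benign request is a false positive to investigate
# in the audit log before loosening anything.
run_waf_smoke_test() {
    fails=0
    while read -r expect url; do
        got=$(fetch_status "$url")
        if [ "$got" = "$expect" ]; then
            echo "ok   $expect $url"
        else
            echo "FAIL expected $expect got $got $url"
            fails=$((fails + 1))
        fi
    done <<EOF
200 $WAF_TARGET/phpinfo.php?id=1
403 $WAF_TARGET/phpinfo.php?id=1%20and%201=1
403 $WAF_TARGET/phpinfo.php?search=%3Cscript%3Ealert('xss');%3C/script%3E
EOF
    [ "$fails" -eq 0 ]
}

# Hit the live server only when asked, so the file can also be sourced for its functions.
if [ "$1" = "live" ]; then
    run_waf_smoke_test
fi
```

Re-run it (sh waf_smoke.sh live) after every rule change to catch a rule set that stopped blocking or started blocking legitimate traffic.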
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log also contains:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr
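A small checker for the version notices above, added as an example; it is not part of the post or of ModSecurity. It pulls every "compiled version ... loaded version" line out of error.log and reports any library whose two versions differ, so the APR problem can be caught from the log after a restart rather than by reading the startup warning. The PCRE notice on the post's box reads "7.8 " against "7.8 2008-09-05" (the loaded string carries a build date), so only the leading version token is compared. It assumes the error.log path is passed as the first argument; with no argument it runs on the two notices quoted above, embedded as a constructed sample.

```shell
#!/bin/sh
# check_modsec_versions LOGFILE: compare the compiled and loaded library versions that
# ModSecurity logs at startup. Constructed helper, not from the post or ModSecurity.
# Prints one line per mismatching library and returns 1; returns 0 when all match.
check_modsec_versions() {
    logfile=$1
    mismatches=0
    pairs=$(mktemp)
    # Reduce each "ModSecurity: LIB compiled version="X"; loaded version="Y"" notice to
    # "LIB X Y". Only the leading version token is kept, so PCRE's loaded string
    # "7.8 2008-09-05" (version plus build date) still compares equal to "7.8 ".
    sed -n 's/.*ModSecurity: \([A-Z]*\) compiled version="\([^" ]*\)[^"]*"; loaded version="\([^" ]*\)[^"]*".*/\1 \2 \3/p' \
        "$logfile" > "$pairs"
    while read -r lib compiled loaded; do
        if [ "$compiled" != "$loaded" ]; then
            echo "MISMATCH: $lib compiled=$compiled loaded=$loaded (built against $compiled, runtime loads $loaded)"
            mismatches=$((mismatches + 1))
        fi
    done < "$pairs"
    rm -f "$pairs"
    [ "$mismatches" -eq 0 ]
}

# With no argument, run on the two startup notices quoted in the post (constructed sample file).
if [ $# -eq 0 ]; then
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
EOF
    check_modsec_versions "$sample"
    rm -f "$sample"
else
    check_modsec_versions "$1"
fi
```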
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614