ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web front end; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx it can be turned into a production-grade WAF, a capable tool for both protecting and auditing web applications.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone build has finished, the ModSecurity module is added to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is there to filter and block web attacks, and its power comes from the rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and thorough, and you can write custom rules of your own for anything they do not cover.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which only logs matches; nothing is blocked until the engine is On.

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need with Include, keeping the setup file first, because it defines the variables and default actions the rule files depend on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
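The two steps above, copying the recommended config, switching the engine on and adding the Include lines, as one added script. This is an added example, not a script from the original post or from the ModSecurity project; the directory locations (MODSEC_SRC, NGINX_CONF, CRS_DIR, NGINX_BIN) are assumptions taken from the paths used earlier on this page and can be overridden in the environment.

```shell
#!/bin/sh
# Added example, not code from the original post: assemble modsecurity.conf for
# the Tengine build described above. Assumed locations (override in the
# environment): MODSEC_SRC = unpacked ModSecurity source, NGINX_CONF = Tengine
# conf directory, CRS_DIR = rule set directory relative to NGINX_CONF.
set -eu

MODSEC_SRC=${MODSEC_SRC:-/root/modsecurity-2.8.0}
NGINX_CONF=${NGINX_CONF:-/opt/tengine/conf}
CRS_DIR=${CRS_DIR:-owasp-modsecurity-crs}
NGINX_BIN=${NGINX_BIN:-/opt/tengine/sbin/nginx}

# modsecurity.conf-recommended ships with "SecRuleEngine DetectionOnly", which
# logs matches but blocks nothing. Switch it to On. Fails if the directive is
# missing, so a wrong file is noticed instead of silently staying log-only.
enable_rule_engine() {
    engine_conf=$1
    grep -q '^SecRuleEngine[[:space:]]' "$engine_conf" || return 1
    sed 's/^SecRuleEngine[[:space:]].*/SecRuleEngine On/' "$engine_conf" > "$engine_conf.tmp" \
        && mv "$engine_conf.tmp" "$engine_conf"
    grep -q '^SecRuleEngine On$' "$engine_conf"
}

# Append Include lines: the CRS setup file first (it defines the tx.* variables
# and default actions that every rule file relies on), then the selected rule
# files. Prints the total number of Include lines now in the file.
write_includes() {
    inc_conf=$1
    inc_crs=$2
    shift 2
    printf 'Include %s/modsecurity_crs_10_setup.conf\n' "$inc_crs" >> "$inc_conf"
    for rule in "$@"; do
        printf 'Include %s/%s\n' "$inc_crs" "$rule" >> "$inc_conf"
    done
    grep -c '^Include ' "$inc_conf"
}

install_config() {
    cp "$MODSEC_SRC/modsecurity.conf-recommended" "$NGINX_CONF/modsecurity.conf"
    cp "$MODSEC_SRC/unicode.mapping" "$NGINX_CONF/"
    enable_rule_engine "$NGINX_CONF/modsecurity.conf"
    write_includes "$NGINX_CONF/modsecurity.conf" "$CRS_DIR" \
        base_rules/modsecurity_crs_40_generic_attacks.conf \
        base_rules/modsecurity_crs_41_sql_injection_attacks.conf \
        base_rules/modsecurity_crs_41_xss_attacks.conf > /dev/null
    # Parse-check the nginx configuration before reloading the running server.
    "$NGINX_BIN" -t
}

# Run the installation only when asked, so the functions can also be sourced.
if [ "${1:-}" = "install" ]; then
    install_config
fi
```

Run it as root with `sh modsec-config.sh install`. The engine switch is done by rewriting the directive rather than appending a second SecRuleEngine line, so the file keeps a single, unambiguous setting; the setup file is always written before the rule files regardless of the order you list them in.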
5. Configure nginx

Add these two lines inside every location block that ModSecurity should protect:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Note that this location only matches URIs ending in .php, so only PHP requests are inspected; add the two directives to the locations serving the rest of the site if everything should go through the WAF.

Upstream load balancing (the name after proxy_pass must match the upstream block):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, malicious requests get a 403 straight from the WAF. Using the PHP host as the example, create phpinfo.php containing:

<?php
    phpinfo();
?>

Then request in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. Delete phpinfo.php when you are done; it discloses the full PHP configuration to anyone who can reach it.
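The same three checks driven from the shell with curl, as an added example that is not part of the original post. curl needs --data-urlencode here so the spaces and angle brackets in the payloads are percent-encoded instead of being rejected as a malformed URL. BASE_URL and the probe table are assumptions; the host name and phpinfo.php come from the page above.

```shell
#!/bin/sh
# Added example (not from the original post): smoke-test the WAF from the shell
# instead of the browser. Assumes phpinfo.php from the page is deployed and the
# host in BASE_URL is reachable; override BASE_URL in the environment if not.
set -eu

BASE_URL=${BASE_URL:-http://www.52os.net}

# Return the HTTP status for GET $1 with one query parameter "$2=$3".
# --data-urlencode percent-encodes the value, so a payload such as
# "1 and 1=1" or "<script>..." reaches the server intact.
http_code() {
    curl -s -o /dev/null -w '%{http_code}' -G "$1" --data-urlencode "$2=$3"
}

# Probe table: expected status | parameter name | parameter value.
# A benign request must pass (200); the injection and XSS payloads must be
# blocked (403). The function returns the number of probes that did not
# behave as expected, so 0 means the WAF is enforcing.
run_probes() {
    base=$1
    failures=0
    while IFS='|' read -r expected name value; do
        [ -n "$expected" ] || continue
        got=$(http_code "$base/phpinfo.php" "$name" "$value") || true
        if [ "$got" = "$expected" ]; then
            printf 'PASS %s %s=%s\n' "$expected" "$name" "$value"
        else
            printf 'FAIL expected %s got %s for %s=%s\n' "$expected" "$got" "$name" "$value"
            failures=$((failures + 1))
        fi
    done <<EOF
200|id|1
403|id|1 and 1=1
403|search|<script>alert('xss');</script>
EOF
    return "$failures"
}

if [ "${1:-}" = "run" ]; then
    run_probes "$BASE_URL"
fi
```

Run it as `sh waf-smoke.sh run`; the exit status is the number of probes that came back with the wrong status, so it can gate a deployment or a rule change. A benign probe is included on purpose: a WAF that returns 403 for everything would otherwise look like a pass.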

7. Troubleshooting the installation

1) Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even for the standalone build.

Solution:

yum install httpd-devel

2) pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3) libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4) Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9). yum also removes every package that depends on it (httpd among them), so review the list it proposes before confirming.

yum remove apr

5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following. The Concurrent type writes each transaction to its own file under SecAuditLogStorageDir, which avoids the contention on the single serial log file:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Bear in mind that 0777 makes every audit directory world-writable, so any local user can tamper with or delete the evidence. If /var/log/modsecurity is owned by the user the nginx workers run as, a mode such as 0750 is enough.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614