|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
9 x. {. U7 g$ ?4 G' Y/ x
$ F3 E5 `/ k( a一.准备工作& W0 Z! b Q/ I, ~) U8 A
( M1 d. I& O/ L! S. _
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
0 G+ W. t S9 k4 F2 g. I2 T# ~: I+ K% Q+ P: N& m0 D
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz( v: T9 n% z: Z$ Y9 W- i
- K7 \( T' ?) ]3 Ymodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz0 a0 n& [$ E, S' Q5 W% N
0 V) v0 I; U# Z `( N3 `, B9 Q
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
+ G9 A: ^/ S7 U9 i# C+ w( ~% x1 S8 [' S2 _7 u, h
依赖关系:, m1 j* L2 l# K! O! m: R0 z4 y) Y
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
3 u: S( i7 ?3 n7 L/ c5 i3 t0 l& z- Y
, L9 q6 p6 W; @5 ]9 ^9 J, F/ xyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
( L* z" R0 c! E* m) B8 R5 Vmodsecurty依赖的包:pcre httpd-devel libxml2 apr8 q" F0 u: Q$ e+ \# K7 o8 j' v' w
1 g- G6 t0 \) ` J3 s' M+ X- _
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
7 m% R: G1 a y0 i" U; j7 @0 w8 Z1 d二.启用standalone模块并编译
( z. H! S5 A4 M9 _* K7 B" V0 J8 i: e g" ]( R
下载modsecurity for nginx 解压,进入解压后目录执行:
/ l+ Y9 H' i; W3 U. _1 Y' L! j' j: G X; `. T0 L' Y# z
./autogen.sh
7 _& X+ `- U8 X0 [- ]5 f- j8 w./configure --enable-standalone-module --disable-mlogc
" z! h3 S0 i0 r5 U4 \/ e$ ~0 n% _' Lmake - r! D6 f0 ]' u$ K+ n' J/ L
三.nginx添加modsecurity模块
; G' {2 M; ?" Z2 o
8 @; n) z5 Z- L6 q6 i) Y在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:( B8 U/ y# v) n; h, c& `+ J a% H
. E5 o! x# H) }7 E' J) ]& B
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine2 n/ y- J/ a" ~! g+ l
make && make install1 @- ^$ d- _* n0 \& @) a$ p
四.添加规则
' ^/ \5 o$ W, f3 x, p
; t0 t$ R3 t3 H; O& \modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。% w: N: P* [% G' ` f, K) n
2 k) s2 w+ ~1 m. x( ^' s
1.下载OWASP规则:
5 d& }! U2 @- U- r/ F x( Y' I8 F! I. \0 R9 A: f
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
6 B8 A* Y% m v4 k# A# Y5 K# K8 d/ q2 E8 A
mv owasp-modsecurity-crs /opt/tengine/conf/9 I) \* n e& S
6 |4 D( m2 [1 z: s" l) |" F
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf; N) v" X; u- k
2.启用OWASP规则:3 y- M% k; }: u+ F5 t6 q- W
- ~9 V- D( P2 {3 i( S# h复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。) y$ N3 P4 q8 f% t+ k# x% J
; \& Y' R; ]" F. v/ c# y8 p: h! E编辑modsecurity.conf 文件,将SecRuleEngine设置为 on& @+ h6 W, O. x$ j
+ c! L l+ g) Bowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
- n% \! h) w; Y; N1 a) F) v, E: }1 S
4 |$ V7 v: t' m! gInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
! s! V5 K7 c8 z3 ~Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
% p5 ]6 e) M! C9 s R1 @. aInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
; j2 k; I; r4 GInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
2 o, @2 a; ]- j; R0 c3 f. _Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf& s6 x! B/ ?+ J! a3 T1 f
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf; `, f$ D9 q6 V) p& q
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
; e: ~6 U& t, M2 R- S' K五.配置nginx3 ^% x R. \9 M" N! r, p, L. O
5 L+ [# W, f( @ U在需要启用modsecurity的主机的location下面加入下面两行即可:9 b' B/ R0 C% a8 X6 @2 V `
) F/ t/ |( S! b+ y
ModSecurityEnabled on; ; v6 p. U) X9 F c; b, O7 ?% d
ModSecurityConfig modsecurity.conf;7 N# K! V! t* O) ^
下面是两个示例配置,php虚拟主机:
! w, _. t- I/ i7 k3 F9 V, ~8 `
: `8 V5 ?7 h+ o$ C3 P1 r3 kserver {
* n" o5 A% K# y) ~8 G5 Z listen 80;+ Y/ \! L5 N" I4 f4 K+ z
server_name 52os.net www.52os.net; [8 r7 T3 w, z U: V0 C
8 H4 r; }7 {3 I; Q0 |: o9 ^
location ~ \.php$ {! E' R4 K. R- L0 e" P
ModSecurityEnabled on; - }, `. A& S3 D: L* @, Z, N
ModSecurityConfig modsecurity.conf;
# U$ c- `: }) ^% w. U, J
! ?: M1 ?0 B" u: M root /web/wordpress;
. ~: }% I9 ]- {% A! U$ W index index.php index.html index.htm;- {. F3 v: R! q+ V+ s$ r% I/ E
# B& M) i) f3 I! q3 h fastcgi_pass 127.0.0.1:9000;
/ f2 k, o2 X3 ^" \0 ~/ ~- G2 L fastcgi_index index.php;" G3 F" o1 O9 w3 d/ h9 }, _8 O8 c
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
; s E4 o3 J5 Q5 w. c4 z8 N include fastcgi_params;
- n7 Y2 n. z' Z, r0 Q9 o }
3 W# @' ]/ g( J0 v+ B$ M0 g0 A# g }- @8 k- l. u, j% Y' f/ d
upstream负载均衡:
' m0 D7 ?9 D* q- ~% i0 ^* y6 l% R- c8 c; e9 ]3 @
upstream 52os.net {
, _ U) h. ~5 Z# k V, b4 x% z! i1 Z server 192.168.1.100:8080;* w% t3 l4 ]( \' \
server 192.168.1.101:8080 backup;9 U1 L! C, G( ~! p( H
}; K9 u& w7 X/ D* w+ _7 n1 g. e+ Y. W
7 Q) J7 N4 W1 U1 t( J R' e* \9 ? Sserver {( T; w1 v1 G$ J
listen 80;
5 ]7 g( b+ V' n& Nserver_name 52os.net www.52os.net; q% `* p @, _1 B0 ^, a! r$ o
( W+ p g$ t* e9 u6 jlocation / {( `) F, e# ~. z7 t/ m t9 t: I
ModSecurityEnabled on; + ?* |& ~' }, l
ModSecurityConfig modsecurity.conf;
% a/ Q0 S' x" ?! O2 N1 A1 q$ d9 R) a
2 i2 v. m# |7 s' \. E proxy_pass http://online;
" }1 P7 j& o. W' Q proxy_redirect off;* @. x! b# y# p1 h% ~+ F, B4 N, ~
proxy_set_header Host $host;
8 |. u# G( L* J6 Y, h6 w proxy_set_header X-Real-IP $remote_addr;# _* R, u7 d+ w/ B8 p
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;) K) k! `5 z5 ^) k" p" Y3 \" K
}
( E: ~' m' i2 q# C}7 h, n8 c$ i+ O5 m2 `5 x \
六.测试+ ]$ }- g5 q& r$ w
+ x* u( X5 r( y5 z6 {- u6 d: d
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:* ]% P9 p6 W) ^0 h
9 g6 ~2 h4 v$ i7 c) U6 `' B9 j
<?php' E/ S7 k: p1 x, \. D5 _0 a
phpinfo();
% R: p! T. Q% M6 r2 V* y: b?>
; U3 F# z4 f5 D3 L在浏览器中访问:0 z$ H1 [3 Y% `8 N9 q
$ n: d, [6 l: m6 @5 i* N+ d" A4 w& `$ @http://www.52os.net/phpinfo.php?id=1 正常显示。0 J% \+ g; _) }& w6 v/ U
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。, W/ L! z! L& v( x O
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。# e0 F( h) Z. S4 i$ N6 J
说明sql注入和xss已经被过滤了* X6 C. D" _0 M [9 d1 D
) }- q4 O s% L七、安装过程中排错
6 m% [2 q# R; R" J& @- I6 b9 V! X# `' _& C
1.缺少APXS会报错
% I- s7 o5 H3 v- D
- t2 S+ R( }- N6 |& \5 p) m, {configure: looking for Apache module support via DSO through APXS. K$ B) N$ i- v5 `! G; Y# s q
configure: error: couldn't find APXS3 `: ]+ y j% b! x
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
4 P/ x5 T$ j; ]3 ~$ Y; O解决方法: l* g3 q# p6 B$ b! ~
9 d4 g2 l2 i5 s9 S- l
yum install httpd-devel
4 E( y9 H( V# c( }4 y2.没有pcre
. z) t M1 v; X4 _4 g5 X0 |: e; O& T; t/ W$ Y# Q- |4 Z9 x0 D
configure: *** pcre library not found.
: E% z' Q6 o; e- K" Jconfigure: error: pcre library is required
3 D2 o* G- ~" I解决方法:
/ ?6 X3 b3 m& V$ ~5 l7 F/ G, L! D, i5 I( \4 ^' S
yum install pcre pcre-devel
9 s, B3 z7 [% D7 C6 ?+ L3.没有libxml2 y' }' j J) D* `( ^
Z% R7 ?' F$ i2 [, C' ?0 c* L0 Q6 ^2 r2 W: M) n: Q8 R
configure: *** xml library not found.
- R7 d# ~% ~2 V% R' J% g. t econfigure: error: libxml2 is required4 q0 t% H; p( A. F, n2 U; D
解决方法:6 G# `: i; O/ b' U
7 J! E9 [6 S x u( M- S1 K Vyum install libxml2 libxml2-devel
1 t, Z# u. p! V9 A4.执行 /opt/tengine/sbin/nginx -m 时有警告* M) Z- |) V& _6 B7 u
' y; U% {4 x) ~, q, L
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
# O( A( w4 G6 I v/ R* `+ Dnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
. Y4 q1 d% A$ A) [6 P9 {/ V原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
0 G9 W! T) t7 l2 i: n6 k* t' z8 y' k1 W& q, y( j
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
& h, I5 `1 t L7 E2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"$ N5 \4 y/ G0 A1 q& p
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!* O7 a7 g- O1 M4 e
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"9 Y8 U! r' ~: C/ f
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"9 V' l4 I" @( v9 h* E
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.# L7 G1 z: H* X" d. z
解决方法,移除低版本的APR (1.3.9)* p9 j* {% {* d, A! ]' c" ^, e& c1 z
. p" k9 z- a4 X/ |! E% I+ Jyum remove apr( o& V. p3 b( _ M" j
5.Error.log中有: Audit log: Failed to lock global mutex
$ y- Q$ D1 Y# t: y4 d: M, R' F0 N& K
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock # x* d) o- z6 f# z+ I% D
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]' S* W9 G; ]& C5 K; X
解决方法:
% p i+ k* @: O编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:9 v4 l) d# b# M
6 e0 @4 z, `! R \) n
SecAuditLogDirMode 0777+ @/ J/ r3 a* D( z Z7 X3 q& M4 `
SecAuditLogFileMode 0550
6 e$ z8 k0 a+ i; ~- C2 wSecAuditLogStorageDir /var/log/modsecurity
) ^/ z6 Q7 ?0 a6 F& ^SecAuditLogType Concurrent0 Q: f% W! M) I
参考文章:9 } H( ?8 N2 ^9 t3 K! w+ P& ~
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX2 c8 Q' U" W+ }! q, t
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡