|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。9 q( f( N8 ?' ^) B# j+ M( {
( f! @4 T7 w4 f* | Y; Y/ H7 `$ ^
一.准备工作* G. ~; Q+ N" p0 P6 ]
# q& s( U0 J- }# O系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.09 m. k! u# l9 k( M
$ u6 g0 }' e1 N
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
# B7 j4 |- c" p: O$ |
( [- h( g; f; a3 h/ o) E8 Tmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz3 `! d6 M. u( W/ J" E/ r
4 @- H1 E5 e# I6 u& H' x+ j
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
4 M) t6 r [' d9 D6 ^7 {. K, V; l5 x4 Q* y: ~8 _0 _# K& I8 _! x
依赖关系:
' Q& a$ N+ ~+ W5 s* X9 ytengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
- L4 Q/ n3 A0 u. o6 {$ E0 T5 @
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel" m6 Z, v& Y! i. P4 m
modsecurty依赖的包:pcre httpd-devel libxml2 apr5 |' X6 d7 ?3 u2 Z/ U8 W$ W9 o
: D; [7 V5 V' h
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel8 Y) y9 ], F* D9 y
二.启用standalone模块并编译" d7 i+ E) | ^% F! U7 {# U6 ~
$ @5 B+ N7 O4 J6 n
下载modsecurity for nginx 解压,进入解压后目录执行:
; h/ G! c. B `2 n' i6 m) y! U1 u! J) C
./autogen.sh
4 u6 Y9 h' N9 f4 S./configure --enable-standalone-module --disable-mlogc
3 }/ a4 I7 M0 C2 Wmake $ S8 M) N0 ~+ z7 }/ `
三.nginx添加modsecurity模块- E7 E: C/ T$ B) q" N
. m# p5 y( _6 O# ~& I% E
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
0 J) a! A9 L' c) {1 }7 V
3 X/ L4 d' o; H1 [2 C5 w0 ^./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine1 W* ]3 L) M/ n
make && make install
! v. ]; E) e7 f# f& S8 s. ?四.添加规则 F4 D1 ^6 Z' Z1 K
* Z5 N7 y% L8 |$ Y
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
& F$ u- d. W& b% ]4 C
# S0 B3 g. R( k+ |) D+ M& n+ A5 l1.下载OWASP规则:! [0 V& Z$ J$ t% |
6 E, f( D$ [2 k r* s5 h8 Igit clone https://github.com/SpiderLabs/owasp-modsecurity-crs# ~& z1 x1 c8 `5 y
. h% Q& }+ b& g7 ~( V
mv owasp-modsecurity-crs /opt/tengine/conf/0 M6 x3 k8 X! ?
2 f: x) A* t; gcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
' X. K& i' g! \0 ]2.启用OWASP规则:7 ?9 E( g1 v# p& E$ {6 p( b" `
; a# m* |1 a3 a; L# s
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。 c5 {/ Q; B/ f+ e
1 S# l, I k" Y( E: {6 {5 M& f编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
8 `9 d* B7 j6 J3 m6 X& m
% Q: w8 A5 N. k: c# Iowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。2 K3 y6 U0 k! I" i' J
" D5 |. D0 j/ y3 T1 o- b1 B2 {Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf8 v' P7 X; S+ \/ w* K1 B! T, l
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf# q* X8 ]' F d' }
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf& G* s5 }- y( `4 i5 H
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
8 ^$ r* E/ a' {* P3 {Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
8 E6 \9 C8 t' a$ R9 I7 L4 N% o" z" YInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf* _6 N: j/ ]4 {) P1 Q
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf1 o6 F$ s) L" ~7 G: p
五.配置nginx
1 X8 n: v2 A, G( Q" H: L# t7 T% z8 g O- ^* U
在需要启用modsecurity的主机的location下面加入下面两行即可:
& L+ Z1 H9 Y5 Z0 a$ T( Z
3 L0 _7 V" k t& n) aModSecurityEnabled on; - O' i: c/ ]; G1 I7 B; S
ModSecurityConfig modsecurity.conf;
V: h0 p3 u6 H T% [5 [下面是两个示例配置,php虚拟主机:
% W: w4 g! ^0 v$ @) b4 X0 Q. k2 B( }7 l7 G( f/ N t
server {) v1 F' V9 G* n/ f4 f8 J) `7 M
listen 80;0 T: S5 T% @1 c4 x3 a6 d7 m" Z
server_name 52os.net www.52os.net;
0 O- R# F$ n" \ `; l0 T' N1 g 9 W/ V4 e; q4 T N/ h
location ~ \.php$ {
$ k4 N* Q. ]" T* M u+ j, z ModSecurityEnabled on; * n1 `5 s% y! k4 g8 d
ModSecurityConfig modsecurity.conf;
4 O" P* b# E2 a( X( W$ c! A5 }- ]$ q/ E
root /web/wordpress;
2 c3 z0 U5 G$ e y* a A9 z index index.php index.html index.htm;$ o% {) |0 N6 t8 l9 M. o! [9 L5 o
$ p. z4 Q w# H- ]
fastcgi_pass 127.0.0.1:9000;1 S. ~. C. b' D- ~) b
fastcgi_index index.php;
' _. K" ^3 }# z6 A fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
. i* S; x* o4 |$ W4 J include fastcgi_params;) H P& D, v# U6 d0 B
}! Y+ S! L; Y' I y* I7 w7 p' h
}2 g! ~$ M, G* Q* c$ u; P/ J5 n3 a3 x
upstream负载均衡:/ w% b4 z, v( D; \% M( r) |
3 e5 t( z. T, N4 L e4 eupstream 52os.net {0 j6 I# d7 p$ y. n* c
server 192.168.1.100:8080;
' ~! g+ W' w0 z) g' }% C1 w; d server 192.168.1.101:8080 backup;) P' }% F* N! F9 S2 d
}( |9 s% M! L( r5 A% t& F# c
9 V* m7 ~3 \. v' bserver {0 {! K8 r4 ^3 ]2 s
listen 80;
0 ^; G* {5 V) F" A- ` {1 Vserver_name 52os.net www.52os.net;
# ~! t% A5 H) U3 f$ l9 V. A6 ?+ p5 M W# U! y
location / {
, P8 I; {3 j. g2 p; p ModSecurityEnabled on;
5 ]/ o; k9 H9 d( ?- b; U# A. ~ ModSecurityConfig modsecurity.conf; C- l' X' F7 Z0 W9 `8 N
0 v" I& I# o5 F; g7 L* E3 i
proxy_pass http://online;
" t( Q6 Z+ S" R3 l! T8 F1 c proxy_redirect off;
: u" G' H; W: s3 D( i6 M7 V* b proxy_set_header Host $host;& r6 ~$ I, O9 |) }0 j- S3 \6 |
proxy_set_header X-Real-IP $remote_addr; ?8 [7 b* X: e; w8 \" n
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
u' }/ O- V" T7 _, i; g }" ]7 N( C* H) C% j5 d3 j/ |+ V
}- {. e5 A* A' a" [7 f- T
六.测试% p$ v5 T' J: j- r$ b6 M
) M& ]3 N1 i4 a, N& Q) G. q
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
/ K9 p. t0 d0 d* }/ U( ] N, @: z. I) U! C( V$ O
<?php( ?4 O1 H% r6 \) X; N
phpinfo();
8 `6 L& K$ a3 J" S- _?>
1 P6 }$ q$ x7 j9 }0 ^在浏览器中访问:
. u, W3 L7 ?8 K6 u) Y* g# f! Q( \* U2 V
http://www.52os.net/phpinfo.php?id=1 正常显示。
" D; ~+ h) R% R, ihttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。4 {/ K2 E a3 \
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。8 g7 _0 z1 H, y! v! a! i* i& f
说明sql注入和xss已经被过滤了9 Q2 s6 i# C- d% Y5 B2 C3 s
3 S7 e8 F: V) i8 E+ t: J9 g6 z, ]( t七、安装过程中排错
. k$ r2 g. Z0 m
- G: [1 C& h9 y1 j1.缺少APXS会报错" N/ Q- b L, M/ e" ]
* z, I2 j( ^2 L, N4 V. l5 `
configure: looking for Apache module support via DSO through APXS
5 R; m: l w8 u% ?/ Jconfigure: error: couldn't find APXS
6 |( R5 o6 [+ y# a: |/ Rapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
7 ~% }5 }2 s- k解决方法:
9 D, n9 t9 Y- P- }) \0 D( Y* t. p4 ]
yum install httpd-devel
7 Y/ _! t+ |4 {6 t; Z& w! Y2.没有pcre. {: T7 ~- x% ]; _( B# F( e
/ N5 o, J+ v) i
configure: *** pcre library not found.
+ z" u2 \' t9 O+ Aconfigure: error: pcre library is required" N9 d. u4 s# d1 l, T ^7 L8 d
解决方法:
; [+ @8 f# u* N8 g
7 |4 T( x r G) T8 Oyum install pcre pcre-devel9 f% \$ e% h8 @8 \2 i* d# Q
3.没有libxml2
& J8 H4 e: O; \4 Q( W9 w/ n5 e) D+ {& ]) Z6 Q: d
! r/ U0 j( L$ o: n4 d7 l9 o' {8 j$ F$ iconfigure: *** xml library not found.
- M1 Y5 D8 e2 q( \* r; Y3 u8 Y1 n' V( Wconfigure: error: libxml2 is required6 ]2 P9 T4 U. \+ u' w) m* i1 D
解决方法:/ `; H$ x/ p) w3 J8 |
, P8 B( T( S+ E W" n' ]8 oyum install libxml2 libxml2-devel
+ t$ Z5 u p5 n+ k0 L4 a4.执行 /opt/tengine/sbin/nginx -m 时有警告/ F2 _* _; C( n9 C: A1 R; u3 P
2 k* c; o5 S% V3 u7 Q' ]( K
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
+ f+ s+ p/ z, }4 k6 w% G: A7 Ynginx: [warn] ModSecurity: Loaded APR do not match with compiled!
9 N8 z6 G% n- U; h原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
: k$ }; I% a! \( D; N# H6 h, q+ l& `4 A9 B5 l8 o) J2 {
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.9 N) D. b6 s0 @- h
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
+ ?; @' o+ B$ o2 h9 m1 E i2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
( K) B: L, A( M: {7 D/ ^2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05", L; p3 l& F* P8 |; o3 d
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
0 X1 k1 W$ ^: {2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
1 z6 z4 a, ?2 e解决方法,移除低版本的APR (1.3.9); g! d/ `8 R# C! d U
) k# Z# w0 F S# t+ h
yum remove apr
5 j8 P" K$ W7 x% M# K5.Error.log中有: Audit log: Failed to lock global mutex' O. p+ \( D3 i2 ]9 h; a: C
8 k! Y$ V) o4 |: M" d/ _' @2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
- @6 [* ~3 o" H8 U' a6 i# Pglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
' n2 f N: q, L, d& z解决方法:0 d1 z5 B% S# h, V+ W" v) Y6 L4 s
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
; g9 X5 L( J9 s) _) A# g1 Q4 X9 s3 [: l
SecAuditLogDirMode 0777+ ~: c, k8 H7 I# h# m A
SecAuditLogFileMode 0550+ h$ p% v- R% q. t1 e7 d
SecAuditLogStorageDir /var/log/modsecurity6 ^2 x* N0 g2 Z" e% s! x. s2 c1 {
SecAuditLogType Concurrent
) `1 F( _4 E7 s/ W6 ?4 i5 M! z1 \参考文章:
( K3 B( e* \% V8 u% W: vhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX# d7 W) q7 [9 k7 N' W9 \
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡