ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS, and combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module has been built, pass it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to cover any additional needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory to the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several rule directories, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of every host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, an upstream load-balancing setup:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered with a 403 straight away. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS attempts are being filtered.
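The same three checks as a repeatable smoke test, added here as an example (not code from the original post): it sends the three requests above, percent-encodes the query strings the way a browser would, and compares the HTTP status with the expected 200/403. The base URL is an assumption; pass the host you protect.

```python
# Added example (not from the original post): smoke test for the WAF setup above.
# Sends the post's three probe requests and checks the status codes.
import urllib.error
import urllib.parse
import urllib.request

# (label, query parameters, expected HTTP status) for the three probes in the post
PROBES = [
    ("benign", {"id": "1"}, 200),
    ("sqli", {"id": "1 and 1=1"}, 403),
    ("xss", {"search": "<script>alert('xss');</script>"}, 403),
]


def probe_url(base, params):
    """Build the probe URL; urlencode() percent-encodes the payload so the
    request goes out exactly as a browser would send it."""
    return base + "/phpinfo.php?" + urllib.parse.urlencode(params)


def fetch_status(url, opener=urllib.request.urlopen):
    """Return the HTTP status code. urllib raises HTTPError for 4xx/5xx,
    and the error object carries the code we want."""
    try:
        with opener(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_smoke_test(base, opener=urllib.request.urlopen):
    """Return {label: (expected, actual, passed)} for every probe."""
    results = {}
    for label, params, expected in PROBES:
        actual = fetch_status(probe_url(base, params), opener)
        results[label] = (expected, actual, actual == expected)
    return results


if __name__ == "__main__":
    # the host below is the one used in the post; replace it with your own
    for label, (want, got, ok) in run_smoke_test("http://www.52os.net").items():
        print(f"{label:7s} expected {want} got {got} -> {'OK' if ok else 'FAIL'}")
```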
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP Server; it builds one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
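A small parser for the error.log lines shown in items 4 and 5, added here as an example (not code from the original post): it flags a compiled/loaded library version mismatch and extracts the fields of an audit-log mutex error, so both conditions can be spotted automatically after a restart. The sample log text is constructed from the lines quoted above.

```python
# Added example (not from the original post): detect the two ModSecurity
# error.log conditions described in the troubleshooting section.
import re

VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)
MUTEX_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: Audit log: Failed to lock '
    r'global mutex: (?P<reason>[^\[]+?) (?P<fields>(?:\[\w+ "[^"]*"\] ?)+)'
)
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# constructed sample, copied from the log lines quoted in the post
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""


def version_mismatches(log_text):
    """Return {lib: (compiled, loaded)} for every library whose loaded version
    does not start with the compiled one. PCRE appends a build date to the
    loaded version, so a prefix comparison avoids a false alarm there."""
    found = {}
    for m in VERSION_RE.finditer(log_text):
        compiled, loaded = m["compiled"].strip(), (m["loaded"] or "").strip()
        if loaded and not loaded.startswith(compiled):
            found[m["lib"]] = (compiled, loaded)
    return found


def mutex_errors(log_text):
    """Return one dict per 'Failed to lock global mutex' line, holding the
    client address, the OS error text and the bracketed transaction fields."""
    errors = []
    for m in MUTEX_RE.finditer(log_text):
        entry = {"client": m["client"], "reason": m["reason"].strip()}
        entry.update(FIELD_RE.findall(m["fields"]))
        errors.append(entry)
    return errors


if __name__ == "__main__":
    print(version_mismatches(SAMPLE_LOG))  # {'APR': ('1.5.0', '1.3.9')}
    print(mutex_errors(SAMPLE_LOG))
```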
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614