Building a WAF with nginx and ModSecurity

Posted on 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module is added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity's job is to filter and block web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover your own requirements.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On:

SecRuleEngine On

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need; a rule file is enabled by pulling it in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
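Two things go wrong quietly with the setup just described: SecRuleEngine is left at the DetectionOnly value that modsecurity.conf-recommended ships with (rules then only log, nothing is blocked), or an Include line points at a rule file that is not where the path says. The following check is an added example, not code from the original post or from the ModSecurity project. It assumes, as the post does, that relative Include paths resolve against nginx's conf directory; the configuration text and directory layout built in demo() are constructed for the example.

```python
"""Sanity-check a modsecurity.conf before handing it to nginx.

Added example, not code from the original post. It confirms SecRuleEngine
is On (modsecurity.conf-recommended ships with DetectionOnly, which only
logs) and verifies that every Include points at a file that exists when
resolved against nginx's conf directory. The directory layout and
configuration text in demo() are constructed for this example.
"""
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^\s*Include\s+(\S+)", re.IGNORECASE)
ENGINE_RE = re.compile(r"^\s*SecRuleEngine\s+(\S+)", re.IGNORECASE)


def lint_modsecurity_conf(conf_text, conf_dir, exists=os.path.exists):
    """Return engine mode, Include targets, missing targets and a problem list.

    conf_text: contents of modsecurity.conf.
    conf_dir:  directory that relative Include paths are resolved against
               (assumed here to be nginx's conf directory, as in the post).
    exists:    injectable so the check can run against constructed data.
    """
    engine = None
    includes = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out directive is inactive
        m = ENGINE_RE.match(line)
        if m:
            engine = m.group(1)  # the last assignment in the file wins
        m = INCLUDE_RE.match(line)
        if m:
            includes.append(m.group(1))

    missing = []
    for path in includes:
        full = path if os.path.isabs(path) else os.path.join(conf_dir, path)
        if not exists(full):
            missing.append(path)

    problems = []
    if engine is None:
        problems.append("SecRuleEngine is not set")
    elif engine.lower() != "on":
        problems.append("SecRuleEngine is %s, not On: matches are logged but nothing is blocked" % engine)
    for path in missing:
        problems.append("Include target not found: %s" % path)
    return {"engine": engine, "includes": includes, "missing": missing, "problems": problems}


def demo():
    """Lint a constructed conf tree: DetectionOnly engine and one missing rule file."""
    with tempfile.TemporaryDirectory() as conf_dir:
        crs = os.path.join(conf_dir, "owasp-modsecurity-crs")
        os.makedirs(os.path.join(crs, "base_rules"))
        # Only two of the three referenced CRS files are created, on purpose.
        for name in ("modsecurity_crs_10_setup.conf",
                     "base_rules/modsecurity_crs_41_sql_injection_attacks.conf"):
            open(os.path.join(crs, name), "w").close()
        conf_text = (
            "SecRuleEngine DetectionOnly\n"  # value shipped in modsecurity.conf-recommended
            "#SecRuleEngine On\n"
            "Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf\n"
            "Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf\n"
            "Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf\n"
        )
        return lint_modsecurity_conf(conf_text, conf_dir)


if __name__ == "__main__":
    for problem in demo()["problems"]:
        print(problem)
```

To run it against a real installation, read /opt/tengine/conf/modsecurity.conf and pass "/opt/tengine/conf" as conf_dir; an empty problem list means the engine is blocking and every listed rule file was found.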
5. Configure nginx

In the location block of each host where ModSecurity should be enabled, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root  /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variables are lower-case; $Document_root would be rejected as unknown
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Load balancing with upstream:

# the upstream group name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass       http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection filters enabled, malformed requests receive a 403 directly. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Open these in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
7. Troubleshooting the installation

1) Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2) pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4) Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log also contains:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
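Both of the runtime problems in items 4 and 5 show up only in error.log, so it is worth having a check that reads the ModSecurity startup lines and the audit-log errors rather than eyeballing them after every restart. The script below is an added example, not code from the original post or from the ModSecurity project. It pulls the compiled/loaded version pairs ModSecurity prints for APR and PCRE and flags a mismatch, and counts "Failed to lock global mutex" errors. The matching rule for versions (loaded string starts with the compiled version, so PCRE's date suffix is accepted) is an assumption of this example; SAMPLE_LOG is constructed from the lines quoted above.

```python
"""Spot the ModSecurity startup problems from section 7 in nginx's error.log.

Added example, not code from the original post. check_modsecurity_log()
flags a compiled/loaded library version mismatch (item 4, the APR case)
and counts "Audit log: Failed to lock global mutex" errors (item 5).
SAMPLE_LOG is constructed from the error.log excerpts quoted in the post.
"""
import re

VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>APR|PCRE|LIBXML) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)
MUTEX_RE = re.compile(r"ModSecurity: Audit log: Failed to lock\s+global mutex: (?P<reason>[^\[]+)")

# Constructed from the post's error.log excerpts (timestamps and pids kept as quoted).
SAMPLE_LOG = [
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"',
    '2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"',
    '2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.',
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock '
    'global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
]


def versions_match(compiled, loaded):
    """Assumption used in this example: the loaded string matches when it starts
    with the compiled version. That accepts PCRE "7.8" against "7.8 2008-09-05"
    (the date suffix is informational) and rejects APR 1.5.0 against 1.3.9."""
    return loaded.strip().startswith(compiled.strip())


def check_modsecurity_log(lines):
    """Return library versions, mismatched libraries, mutex failures and findings."""
    versions = {}
    mismatches = []
    mutex_failures = 0
    findings = []
    for line in lines:
        m = VERSION_RE.search(line)
        if m:
            lib = m.group("lib")
            compiled = m.group("compiled").strip()
            loaded = (m.group("loaded") or "").strip()  # LIBXML prints no loaded version
            versions[lib] = (compiled, loaded)
            if loaded and not versions_match(compiled, loaded):
                mismatches.append(lib)
                findings.append("%s: compiled against %s but %s is loaded; remove or upgrade "
                                "the stray library (the post removed the old apr package)"
                                % (lib, compiled, loaded))
            continue
        m = MUTEX_RE.search(line)
        if m:
            mutex_failures += 1
            findings.append("audit log cannot lock its global mutex (%s); check the "
                            "SecAuditLogStorageDir permissions" % m.group("reason").strip())
    return {"versions": versions, "mismatches": mismatches,
            "mutex_failures": mutex_failures, "findings": findings}


def demo():
    """Run the check over the constructed sample log."""
    return check_modsecurity_log(SAMPLE_LOG)


if __name__ == "__main__":
    for finding in demo()["findings"]:
        print(finding)
```

On a live host, feed it the lines of /opt/tengine/logs/error.log (or wherever error_log points) after a restart; an empty findings list means the libraries ModSecurity loaded are the ones it was built against and the audit log is writable.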
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614