|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
2 f3 z) g) w" E' s8 K( _
4 M4 n6 u# n3 {一.准备工作* @: N0 M3 A4 g
8 }# k( j, @% N系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
$ v4 N, Y+ q0 p2 D8 I
% x/ n8 ]8 `% g( t1 itengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
% y5 F" ^ s3 C9 p" L0 Y7 ^) p1 L/ P% P7 O
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
4 h3 m0 M5 I, Y1 p3 i/ Q: X$ P( p: L c
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
N' v: u6 z; Q) q
$ b$ J. Q, b. T: j" L依赖关系:( c7 O7 K+ O* E( P4 u7 w! \
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:9 a2 N( B) A j) b
4 R( }' w& \# G/ V/ @" \
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel: z& {" u2 v1 y5 k! [* o7 B% c
modsecurty依赖的包:pcre httpd-devel libxml2 apr! R( e. i+ U4 b$ |$ y y$ o1 n
* t9 W, s7 o( c1 O) Lyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel1 r% C5 Z: j" _" s
二.启用standalone模块并编译
Y( k. M' v! G8 R- @
: G* X* W; l+ y# i下载modsecurity for nginx 解压,进入解压后目录执行:% ?# y5 w7 f! `. P
8 E, B* c0 J# X2 S# g./autogen.sh$ _* Y4 L/ T+ B* b, @! Z
./configure --enable-standalone-module --disable-mlogc, B" V/ K: o0 l+ l: F/ Q, f
make $ C" A0 ?1 N. j9 @+ ~/ Y: ~! Y- C
三.nginx添加modsecurity模块 ^) m6 j2 q5 C0 x8 S5 ^% E0 E
7 |$ o% r, \ x( h2 V6 {# e2 `6 a在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:8 }' C$ }4 N$ \# \' R' p' \0 L/ J
- Y) q) ^% w. P/ j( I" u; D& h./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
4 ~3 T" U l+ C+ C* V$ R! U/ c/ W/ umake && make install3 @+ a) N2 R+ c
四.添加规则( d2 k0 D8 ]" m* o
: y4 v/ }9 }9 T6 Jmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。' @0 ` U* I% ^9 u, {0 J: I
( e$ E, V/ [5 s: q2 |4 J1.下载OWASP规则:2 q. r: I6 Z6 |* M l& C9 w) w
) B t- r4 H* y9 V1 h6 S% G8 W
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs$ H& B- {( [* ~2 \% A
6 N; x. K' ~. dmv owasp-modsecurity-crs /opt/tengine/conf/
8 B& ^; n+ {3 O/ l4 S' c+ w \8 S6 [7 m* R
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
# ~$ M% ?, C) D8 J# w6 z6 }2.启用OWASP规则:
% q1 F9 t% h; D8 [1 J' Q; a; O# e8 D: z
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。9 D- e1 `8 I; s) Y* @' s
1 g7 c0 N- c6 F w$ V( I f$ b编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
" z1 d; X3 \! \; d: Q0 q+ d( {9 S3 b% _ b
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
" T! k4 S* q/ M3 A4 @% Y p$ K4 m% s$ l# f, c% b
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf& Y# t: P! k) m0 B; K; h; N
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf7 T4 ~% r/ D+ m' A# @
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
: r/ h5 ~& h. ]! S. q* x$ _. YInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf! u6 Z7 i' j) b- W
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
7 _9 w, q7 Q* F7 n6 V9 P5 h6 GInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
; g8 y5 {7 u0 [( z. fInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
+ c# m7 G8 F3 v五.配置nginx
8 y& S: {3 t7 U$ c, A; w: W- }8 ?9 u L; c& p
在需要启用modsecurity的主机的location下面加入下面两行即可:
( X u9 s) Z. f; Q5 C2 W9 x* T, E# @+ S* n' c
ModSecurityEnabled on;
* t# E5 U# V8 }2 R* nModSecurityConfig modsecurity.conf;
4 }9 A- e' O/ K) J0 h6 S下面是两个示例配置,php虚拟主机:4 \; q7 z1 h, Q6 h# r
, C% G8 s- P1 ]1 D' Vserver {6 K% L6 [3 I7 r2 V. p9 s
listen 80;
, W2 G% m* H0 ^4 z% M, U server_name 52os.net www.52os.net;
* k; ~" [+ v0 W: Q& l0 t J8 }. ?; F% `
1 s `2 s$ a) h6 D( Y location ~ \.php$ { ~( V5 E% x7 K d! ?% H) d
ModSecurityEnabled on;
8 O0 y4 L" }$ \6 c+ r- ]' [ ModSecurityConfig modsecurity.conf;
$ n3 ]0 \5 K. e( f5 a7 N6 x. D7 t5 U! M# i9 `9 D( h
root /web/wordpress;
; m, d6 j3 g$ _7 Y) I L" H index index.php index.html index.htm;0 c6 P7 c% ~9 g! V3 x$ ^0 J
/ n1 X* \5 B9 e/ b* t2 ]) R fastcgi_pass 127.0.0.1:9000;
/ R1 R5 s8 m, P8 g$ a: y7 v fastcgi_index index.php;
# K" F; \) M& o, `( G5 l7 ? fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;" H* g: D7 p# A% E/ d4 A8 y
include fastcgi_params;
. h& W& f" K+ E }) M& K6 o% H+ y& `. m
}% Q& B0 k- Y7 f
upstream负载均衡:
9 e. U& Z! C- h# `9 Y) d7 R( P0 i- a$ `- C6 ?
upstream 52os.net {
+ F6 H( D% I* [$ M server 192.168.1.100:8080;
$ S S' z7 |/ E, B server 192.168.1.101:8080 backup;
% L/ u1 H) g% H0 Z: X}$ S8 Z- `9 `9 d7 _+ ~5 P4 j9 U
. \8 E. {: g* I8 o4 d! e1 h9 r7 N
server {5 Q% n1 M/ C6 G% C7 A# b
listen 80;
! Z/ v1 e% _- H. h" l; J; Kserver_name 52os.net www.52os.net;, X; @0 X* ?( W* j. k' J8 x
6 B8 t! F; r& j, q" M
location / {3 p: g4 @* u$ r& [
ModSecurityEnabled on; 7 y- _6 a+ Y7 D3 J
ModSecurityConfig modsecurity.conf; & _7 e* o1 k9 N0 R, }- v, j
o4 v. P" {' a
proxy_pass http://online;; j: D4 i0 C* B. ] j5 s# V
proxy_redirect off;) K, l1 R' I; ^3 j$ s4 e a. W
proxy_set_header Host $host;' }5 y: i% M; X" L8 m( X j% c
proxy_set_header X-Real-IP $remote_addr;/ g- |9 A& {' _' t
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" b1 V1 b, p9 W3 Y8 B3 k
}2 Y7 U$ Z, H! } i$ g
}
- Q |. h" W! N0 B0 y a' p. f0 B六.测试# V1 g5 F; N2 q
) L; s) Q# x/ D/ k5 G; G1 P
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
5 X/ V# B U( |( e, [) s% V; p; v
<?php2 U4 Q, {/ B6 J. P
phpinfo();
& K& g. i+ i! Z( F8 ~! m1 j, A! I?>
' l1 u: I4 C) O- D9 q# f% f0 \在浏览器中访问:9 {9 G8 Y8 [ J; i( b& Y+ d5 N; v
2 }+ m# |0 |# c! ]6 h! F" Nhttp://www.52os.net/phpinfo.php?id=1 正常显示。& u+ `. a% L- G7 x3 N9 d: y( C
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。; [# C: \! y0 [/ p
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。: D- E6 V- u& _8 V" s
说明sql注入和xss已经被过滤了' B, t& H7 l% W9 c
: I4 Q2 F8 L! z七、安装过程中排错
, n$ ]9 o9 k" W N
! a \8 F" Q6 _* b. T& ~1.缺少APXS会报错
/ _9 F4 C5 g e# X; E: c/ y. q
8 z% G7 C9 R9 P5 T: {configure: looking for Apache module support via DSO through APXS* S5 l$ N# L9 I/ G& u& X
configure: error: couldn't find APXS/ i3 p+ }# V" ~( \6 f4 e
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。" H+ J% z4 v$ \4 D
解决方法:7 i9 |; }( z# Y& J+ U- x
/ |- I' w0 F# U5 T, Zyum install httpd-devel
, a4 C* z- c- L: l7 H2.没有pcre
8 C# K5 g6 Y" [! S( E3 Y4 K8 B/ a% M0 t& o+ Q' r
configure: *** pcre library not found.' n& t' i7 E0 z. _6 w
configure: error: pcre library is required
. g6 P2 z. d" P解决方法:2 Y7 h6 ?5 ]/ e/ {
[! F: M- ^; }! v
yum install pcre pcre-devel; g' o2 a# c8 U# u
3.没有libxml2
6 Y/ s( W4 F' k- @* u: @, y+ {9 n+ \- y
0 ~7 j1 w$ L2 ^) r8 Z+ s. V
configure: *** xml library not found.
0 l8 j0 {) I4 {, x& B' |0 \configure: error: libxml2 is required( ^) ?% ^( `/ [9 d& s9 @9 U6 m. z
解决方法:2 ]( I' c, E0 J& a2 n
7 `9 L/ y0 C* y9 Byum install libxml2 libxml2-devel
) e% t" H. z8 h' a6 `4.执行 /opt/tengine/sbin/nginx -m 时有警告/ }5 }. P- q7 q7 L: \* |
# |: ^. U9 t& g$ Z3 _0 j3 e# P sTengine version: Tengine/2.1.0 (nginx/1.6.2)1 @/ z) S1 E6 e( Y5 E8 ]
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!! r8 ^ f( R# Y+ O: y U
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
2 u2 @* H+ E. V& [- C& d
5 ] L; t1 ?9 ]5 [5 A8 C2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
, \9 b# l( p# ?& z: G" f; O1 u, N2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
5 D/ j% U3 m$ B, p& }6 `0 u2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!% a4 m, R3 ^& ^+ K8 W# [# Z) g7 A
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
. t: h8 v! P J, u/ X2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
5 R# G9 ^# i) w0 F4 L2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.$ J+ _. ?' G/ ^! J% O
解决方法,移除低版本的APR (1.3.9)
6 E, `3 \5 G& x+ S$ F: s) q4 `) z- @* i: Z6 `( x2 z
yum remove apr
x; b3 a% A) w& f1 ~+ P/ C5.Error.log中有: Audit log: Failed to lock global mutex
& D$ m* }- a4 i8 b* v
0 s. B% M i0 ]$ d- B2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock : L; f9 l8 T. ~7 b
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]2 T' G) I; h- C, E: V" y8 v
解决方法:. q5 G: ?3 J: s% |# @5 w6 K
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
. a* q* D3 b5 e" A/ z* Z2 E3 n7 y2 s k. L
SecAuditLogDirMode 0777
* n9 i6 ^2 B/ a. E$ S) O8 _5 D/ A: nSecAuditLogFileMode 0550
9 r/ p5 A1 M9 |+ {8 TSecAuditLogStorageDir /var/log/modsecurity
5 \' B" H$ |. }+ |2 h7 |SecAuditLogType Concurrent4 B; S/ [6 k# G; F* \* I9 Y
参考文章:
- T. c: I) o W& j4 v* v. qhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
) [- o, A6 u3 Phttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡