ModSecurity started out as an open-source WAF for Apache that noticeably hardens a web application. It now also supports nginx and IIS, and combined with the flexibility and performance of nginx it can be built into a production-grade WAF, a solid tool for both protecting and auditing web traffic.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been built, add it to nginx at compile time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write your own rules to cover any other need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need by adding an Include for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of each virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two sample configurations follow. First, a PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Second, upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered directly with 403. Taking the PHP environment as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
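The three browser checks above can be replayed from a shell so that the WAF can be re-verified after every rule change. The following script is an added example written for this page; it is not part of the original post or of ModSecurity. The default BASE_URL and the phpinfo.php file name are taken from the section above and are assumptions for your host.

```shell
#!/bin/sh
# Added example, not from the original post: replay the three test requests
# from the section above and check that ModSecurity answers as expected.
# BASE_URL is an assumption; override it for your own host.
BASE_URL="${BASE_URL:-http://www.52os.net}"

# http_status URL: print the HTTP status code curl received ("000" when the
# connection itself failed, which the checks below then report as a FAIL).
http_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# check_status URL WANT LABEL: one check; prints PASS/FAIL, returns 1 on mismatch.
check_status() {
  url=$1; want=$2; label=$3
  got=$(http_status "$url")
  if [ "$got" = "$want" ]; then
    echo "PASS  $label ($got)"
  else
    echo "FAIL  $label: expected $want, got $got"
    return 1
  fi
}

# run_smoke_test: the benign request must pass (200) and both requests that
# carry the attack patterns from the post must be blocked (403). Returns 0
# only when all three checks hold. A 200 on a "blocked" case usually means
# SecRuleEngine is not On or the rule file was never Included.
# The payloads are percent-encoded so that curl sends each as a single URL.
run_smoke_test() {
  fails=0
  check_status "$BASE_URL/phpinfo.php?id=1" 200 "benign request" || fails=$((fails + 1))
  check_status "$BASE_URL/phpinfo.php?id=1%20and%201=1" 403 "SQL injection pattern blocked" || fails=$((fails + 1))
  check_status "$BASE_URL/phpinfo.php?search=%3Cscript%3Ealert('xss');%3C/script%3E" 403 "XSS pattern blocked" || fails=$((fails + 1))
  [ "$fails" -eq 0 ]
}
```

Source the file and call run_smoke_test (for example: BASE_URL=http://127.0.0.1 . ./waf-smoke.sh; run_smoke_test). A non-zero exit status means at least one of the three checks failed; a "000" status means the host could not be reached at all.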
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel
2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel
3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
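The compiled-versus-loaded lines can be checked automatically rather than read by eye. The helper below is an added example written for this page (not part of the original post or of ModSecurity): it scans an nginx error.log for the version lines ModSecurity prints at startup and reports every library whose loaded version does not match the compiled one. The comparison mirrors the one ModSecurity itself uses, a substring test (strstr) of the compiled string inside the loaded string, which is why PCRE "7.8 " against "7.8 2008-09-05" is accepted while APR "1.5.0" against "1.3.9" is not. The sample log lines in the block are constructed from the excerpt above, and the error.log path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: scan an nginx error.log for the
# "compiled version ... loaded version" lines that ModSecurity logs at startup
# and report every library whose loaded version does not match the compiled one.

# check_modsec_versions: reads error.log text on stdin, prints one line per
# mismatched library and returns 1 if any mismatch was found, otherwise 0.
# Mismatch means the compiled string does not occur inside the loaded string,
# the same strstr-style test ModSecurity applies before printing its warning.
check_modsec_versions() {
  awk '
    /ModSecurity: [A-Z]+ compiled version="[^"]*"; loaded version="[^"]*"/ {
      lib = $0; sub(/.*ModSecurity: /, "", lib); sub(/ compiled.*/, "", lib)
      c = $0;   sub(/.*compiled version="/, "", c); sub(/".*/, "", c)
      l = $0;   sub(/.*loaded version="/, "", l);   sub(/".*/, "", l)
      if (index(l, c) == 0) {
        sub(/ +$/, "", c)                  # drop the trailing space PCRE carries
        print lib ": compiled " c ", loaded " l
        bad = 1
      }
    }
    END { if (bad) exit 1; exit 0 }'
}

# Constructed sample, modelled on the error.log excerpt above (not output
# captured from any real host).
SAMPLE_LOG='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"'

# On a real host (log path is an assumption):
#   check_modsec_versions < /opt/tengine/logs/error.log
printf '%s\n' "$SAMPLE_LOG" | check_modsec_versions || echo "library mismatch found: rebuild ModSecurity against the installed library, or replace the library"
```

Run against the sample the helper prints "APR: compiled 1.5.0, loaded 1.3.9" and exits 1, while the PCRE and LIBXML lines produce nothing (LIBXML has no loaded version to compare). A non-zero exit is the signal to rebuild ModSecurity against the library that is actually installed, or, as in the fix above, to remove the stale copy.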
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
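One caveat on the fix above: SecAuditLogDirMode 0777 makes every audit directory world-writable, so any local account can add to, truncate or delete the audit trail. In Concurrent mode the worker processes only need to create per-transaction files under SecAuditLogStorageDir, and that works with the directory owned by the user the workers run as and much tighter modes. The helper below is an added example written for this page (not from the original post or from ModSecurity): it creates the storage directory that way and prints the matching directives. The worker user name "nginx" and the /var/log/modsecurity path are assumptions; use the "user" directive from your nginx.conf.

```shell
#!/bin/sh
# Added example, not from the original post: create the concurrent audit-log
# directory owned by the nginx worker user with restrictive modes, and print
# the matching modsecurity.conf directives. The worker user "nginx" and the
# directory /var/log/modsecurity are assumptions; check the "user" directive
# in nginx.conf for the real value on your host.
WORKER_USER="${WORKER_USER:-nginx}"
AUDIT_DIR="${AUDIT_DIR:-/var/log/modsecurity}"

# setup_audit_dir DIR OWNER: create DIR owned by OWNER with mode 0750, so the
# worker processes can create per-transaction audit files while other local
# users can neither write into nor read the audit trail. Returns 1 on any
# failure, or if the directory still ends up writable by others.
setup_audit_dir() {
  dir=$1; owner=$2
  mkdir -p "$dir" || return 1
  chown "$owner" "$dir" || return 1
  chmod 0750 "$dir" || return 1
  # column 9 of "ls -ld" output is the other-write bit; it must not be set
  case $(ls -ld "$dir" | cut -c9) in
    w) echo "$dir is still world-writable" >&2; return 1 ;;
  esac
  return 0
}

# audit_conf_fragment DIR: print the audit-log directives for DIR. Compared
# with the fix above, new directories get 0750 and new files 0640 instead of
# 0777 and 0550. RelevantOnly logs only transactions that triggered a rule or
# whose response status matches SecAuditLogRelevantStatus, which keeps the
# per-transaction files to a manageable number.
audit_conf_fragment() {
  cat <<EOF
SecAuditEngine RelevantOnly
SecAuditLogType Concurrent
SecAuditLogStorageDir $1
SecAuditLogDirMode 0750
SecAuditLogFileMode 0640
EOF
}

# Example run (needs root to chown the directory to the worker user):
#   setup_audit_dir "$AUDIT_DIR" "$WORKER_USER" && audit_conf_fragment "$AUDIT_DIR"
```

After running it, paste the printed directives into modsecurity.conf in place of the four lines above and reload nginx; if the "Failed to lock global mutex" error persists, the directory owner does not match the worker user in nginx.conf.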
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614