|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
/ u5 g- O1 G6 S9 g6 ]: U* R2 S% |" k+ k! m9 } f; t) ^+ K: Z) O
一.准备工作
2 T0 |6 Y/ T& O P. E: {/ ~( i4 h" o2 b1 i' W8 ]& ]9 O) J
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0( l# [1 l5 h" f& [& [
" u! _: [( @8 r# G% S! b
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz) O) Q+ R, P, Q$ V2 ^
' l4 F5 V$ K& gmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
+ i$ u$ f. p8 P- D* E0 p
, f# |. @; \9 n* K( w3 ?OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs9 |8 I' J. R1 o ?+ I5 m
+ c1 p% p7 `! r6 Y! F依赖关系:" T$ j; _3 j, l& e1 Y+ P) {9 I( L
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:. Q) D6 _% y& q% h3 ~ Y' U
# O6 N7 @8 G: G/ Z& u3 f+ _; }
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
9 K) M) F0 ]8 x. @6 y' Vmodsecurty依赖的包:pcre httpd-devel libxml2 apr% i0 W/ K/ Y# h: }
+ i5 j! H: L0 }( cyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel3 A* y: J( X) ^8 ?; y! r! C
二.启用standalone模块并编译
. i% Z d9 k5 Q; `# T! z7 s( O1 N2 w U8 U, m
下载modsecurity for nginx 解压,进入解压后目录执行:
3 T( f" O, P9 U7 k" g h" X8 g6 d( k/ m
./autogen.sh
3 A. n- l$ ^, f# c& E1 C* P./configure --enable-standalone-module --disable-mlogc! h4 J3 v1 x$ n0 ]
make 4 N2 i1 V( t9 z. I3 n
三.nginx添加modsecurity模块
6 D, H+ `" {, ^' ]2 C
$ S) M8 k# e6 `. F' p( x8 H: l* k在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:4 r- \3 t% W& Y k4 y: j2 y+ W
6 _ O3 w- Z5 X+ `* E, Q./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
' L7 j( I' |- _. e2 l; Zmake && make install; A7 s2 A+ n0 ]$ \" m
四.添加规则% b: b$ `; ^2 G- O: Q, T, p
& h# q& ^0 Q3 f4 s! B! u+ V6 X
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。6 |% b0 p4 {8 M9 Z; I+ r' r7 N
% M, m: h5 o6 `" Y- M3 r/ m. p1.下载OWASP规则:
' ^2 r3 q2 l8 W# K: d3 i$ I) x- p* f: \
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
# z- i, h4 _7 D1 \
3 c. Z' A& T) e: s+ J: xmv owasp-modsecurity-crs /opt/tengine/conf/7 L# `2 e( I: I( E, A, h
* V( r" s- Y2 n2 j$ N6 xcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf. e* U1 w3 {& L/ X4 N' j* h
2.启用OWASP规则:
$ X" q( z" P1 {( T4 c$ e
3 n% `1 |9 G0 K7 n复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
m# R, u4 q- f! `* a/ M% c& V, P: @& H9 C2 n
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
6 d1 Q" Q8 V. `7 j) [/ C: K- t3 {3 R8 Y% q' {
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。8 m$ w5 {( Y/ ^& t( B7 k
5 A7 [( ?. U$ k% |/ {; h4 |6 a' a5 ~- kInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf( S O7 W; z, A; f& \
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
% y: b9 V8 M% U# zInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
; w5 P3 F( S* A" \7 W- ~ DInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf# _) q: a2 [, t0 o* L9 S" ~
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
6 f w" ^( p( X! Q6 mInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
) U$ v( {1 U7 TInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
2 \% V, g7 D0 S2 t4 I+ g1 l五.配置nginx( P# r- x v* ?7 a0 M
1 F% n) b- n2 U
在需要启用modsecurity的主机的location下面加入下面两行即可:
) Z9 c) F/ Y# M6 X( R
) ]9 G* d' b3 R1 u% qModSecurityEnabled on; ; ` ?$ s9 X7 Z# m6 o3 C5 u
ModSecurityConfig modsecurity.conf;2 _1 J; t1 g4 e: u7 ~
下面是两个示例配置,php虚拟主机:
# \* _ [. x: @% b5 I+ c6 V; Y- X" F( g+ u5 N
server {
9 o1 v E- f- C# w2 ? listen 80;, [2 X% d: B5 a7 a8 o: T2 Z
server_name 52os.net www.52os.net;* M3 H9 M0 R1 g( c7 T- `: ?! k& P
+ M3 X' [. [! ]& U( ]
location ~ \.php$ {6 n- E4 S& U! F8 O9 l$ U: Y
ModSecurityEnabled on;
6 ? @) t) b7 }" f$ I ModSecurityConfig modsecurity.conf;
1 }4 K6 s$ _( B' K: ~9 Q* e: {9 L3 v) V/ I& m8 w' X& O9 B' s
root /web/wordpress;
( `8 |- l% R- v- E( H4 a index index.php index.html index.htm;" ~2 a* n* n* g }* n; o, ?8 i
; ]* g% l5 t/ s4 ~ @
fastcgi_pass 127.0.0.1:9000;
( p# ~! u; m/ e9 _4 n2 b5 d8 J fastcgi_index index.php;
/ N/ F+ I/ \/ g& |) b% ~# [& H fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
" a6 d: q2 n. z- g( c- i3 M7 a include fastcgi_params;+ @% C* S# f; s
} q9 i- F" G( H$ R* L
}% ?0 @* i/ ?1 W
upstream负载均衡:( h8 G+ N5 I4 Z! f
8 }# i( _* x) K" o
upstream 52os.net {
9 }$ f9 E7 |0 W) _+ G% j( a% I9 _ server 192.168.1.100:8080;8 j0 l' x6 d7 B' s" d$ Z- N
server 192.168.1.101:8080 backup;
/ s* L% C0 o& U( H2 V$ x- p5 o& U}! Y. J& O" a7 j2 p3 C
* I" H8 u2 u2 V- w1 }) A, t
server {/ R' x- i( d8 G2 U
listen 80;+ V& Z( I1 q1 H* w1 ]
server_name 52os.net www.52os.net;7 R8 D- T, X3 ^& J3 P; A
1 u& P3 X! Z* d0 Ylocation / {
& P% w+ g' I, S$ T$ ]3 @ ModSecurityEnabled on; . e- Z* v1 U& P0 n" z
ModSecurityConfig modsecurity.conf; + W4 p2 S9 c/ o* S+ Y
+ E( v/ p3 C" d; R7 _1 |* V3 S1 M
proxy_pass http://online;- X9 b- y5 b" ^6 _7 r) b! X
proxy_redirect off;5 x: g7 [2 o' {. z7 D
proxy_set_header Host $host;8 l2 C8 U) u- ^5 E* j% b! y
proxy_set_header X-Real-IP $remote_addr;
/ Y/ ^( G# K9 I6 E- f! n2 p, @ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
' U1 G! }" Y( I4 {' H }/ Z' n% Y7 m5 v5 N
}
3 h" I* D$ [4 m六.测试' ` e8 Q+ Q: m9 y, R2 U
/ ?' h" b; y. ~5 E
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
4 Z3 p6 a- f- ~
. |9 }: [8 t# r, z- f<?php6 e: x2 o/ O$ d6 W0 |
phpinfo(); + ` L0 Y8 t5 O# I2 [$ M& @
?>, h8 ^0 G# C; z5 B1 E+ h( B# }7 x% S
在浏览器中访问:
# }% k7 q6 J: k3 c: n9 u, ^$ F3 z1 j
5 l* O: ~8 I! d& Phttp://www.52os.net/phpinfo.php?id=1 正常显示。0 E& i; O0 M" i" u% ^! T2 \
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
) E. J" d( l+ A2 Rhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。" e0 {0 y8 m; d
说明sql注入和xss已经被过滤了: {- u( d% A9 G+ i8 ~2 z6 P) r
/ b$ p. z `7 y9 H5 _8 g, U: N/ z# U七、安装过程中排错 @* \; L, P1 S4 ]9 x
* L9 z6 m. Q( i) @! I
1.缺少APXS会报错4 d0 W5 @% Y$ {& d: V
3 E4 U+ j1 I2 L G. {8 W" S2 V6 C1 e a
configure: looking for Apache module support via DSO through APXS9 t/ G+ w7 ^/ ^; P E, {' {
configure: error: couldn't find APXS
|5 ~2 W. Z2 E9 S& S9 G$ K0 t+ Kapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。. v9 f" H" A. G: k! @, R
解决方法:. _6 k& M/ A, r$ O1 e2 ~
4 D0 f3 k1 _; l5 q, P; t6 b
yum install httpd-devel
5 F# s$ [# x3 u' ?" B. |2.没有pcre0 O- g0 w/ _) H0 ]% [
. B# N' r8 u- ~( ^( R
configure: *** pcre library not found.( R& b: Q' q6 W6 \7 `; p
configure: error: pcre library is required$ M" t/ w6 k, F" ^0 Z1 r9 R; b
解决方法:7 C/ m% S( `# L. o i
9 k- v' B& U+ M3 o. | j- syum install pcre pcre-devel7 l1 V! p+ P+ n0 f' [+ a
3.没有libxml2
5 j5 s4 e1 {7 b8 H' D/ ]2 P9 r8 F" f# j! k2 b# d5 F
: J9 i& T# E: R5 Mconfigure: *** xml library not found.
6 T" @% K" i4 [) U0 i3 uconfigure: error: libxml2 is required
+ A9 S6 R% Z- ?/ X. R1 v& u解决方法:0 x2 _% N5 u$ V e: e; a4 K
& U- H8 O) ~% o& ~- `' t& p' _
yum install libxml2 libxml2-devel& A# G/ _& S6 h; n q
4.执行 /opt/tengine/sbin/nginx -m 时有警告
8 h$ T9 h9 z- I6 f) u" q W2 { ?% T) |
9 S( S) M! C5 E3 CTengine version: Tengine/2.1.0 (nginx/1.6.2)
) R% G2 T9 |, [; Onginx: [warn] ModSecurity: Loaded APR do not match with compiled!9 m( r/ B' R- x8 D
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
& g+ t! y5 ]* r+ Z+ j) g, ]
3 D1 Q3 G. r/ a& X& Q5 L7 @$ T& r5 c2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.8 P& v. |5 e+ Z& ?6 z/ W# x
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
7 ?3 h7 l! o4 e& p7 L1 Y1 g& p9 @2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!, p* |% S! s. o
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"1 _, }3 V8 C, ]5 {
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"/ L% n9 b) v2 [! u7 \
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.# k6 e0 ]/ G% `9 S v
解决方法,移除低版本的APR (1.3.9)
% W$ h4 z& T& L7 d, a& E7 F" b/ |, F7 A
yum remove apr- B# [# }8 t* t0 t1 j3 F
5.Error.log中有: Audit log: Failed to lock global mutex
: y/ f$ Z5 s* I! {7 n' m5 t( W
2 j; b# t7 n3 I2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock / N; Y3 d; @7 \5 J) E% f
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
+ c) W$ a# N [2 G. T1 B/ a4 k ~解决方法:5 Q0 D( Z/ v+ y" k
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
, R! D$ i, y8 K" K/ l- b" j& L2 P7 Y
SecAuditLogDirMode 07779 j' b5 i: J. x, G) H. X* W
SecAuditLogFileMode 05505 q: X/ q3 E V- I
SecAuditLogStorageDir /var/log/modsecurity
6 o" C5 O& ]' C' t7 e4 }* S* FSecAuditLogType Concurrent7 S; i1 i7 @ m: V# B* x
参考文章:+ n6 w% E5 M: \$ D* j/ |, T
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX7 y Z& H: W+ c0 ]( a5 h; u. Y4 w
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡