ModSecurity started out as an open-source WAF for Apache and is now also available for nginx and IIS. Combined with the flexibility and performance of nginx (here Tengine), it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set (CRS): https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs and the Apache headers), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

--enable-standalone-module builds the Apache-independent core that the nginx connector links against; --disable-mlogc leaves out the remote audit-log collector (mlogc), which is not needed for this setup.
III. Add the ModSecurity module to nginx

Once the standalone build has finished, add the module while configuring nginx with "--add-module", pointing at the nginx/modsecurity directory inside the ModSecurity source tree:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

You can confirm the module was linked in by running the installed binary with -V: the --add-module argument appears in the reported configure arguments.
IV. Add rules

ModSecurity is built to filter and block dangerous web traffic, and its strength comes from its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and comprehensive, and you can of course also write your own rules for specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which logs matches but never blocks, so without this change the 403 responses in the test section will not appear.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines for them to modsecurity.conf. Keep the setup file first: it defines the default action and the variables the other rule files rely on.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In each location of a virtual host where ModSecurity should be active, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Only requests that hit a location carrying these directives are inspected. In the PHP example below only requests matching \.php$ go through the WAF; static files served by other locations bypass it.
Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Second, load balancing through an upstream. The name of the upstream block and the host named in proxy_pass must agree; nginx resolves the proxy_pass host when it loads the configuration and refuses to start if it cannot:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are rejected with a 403. Using the PHP host as an example, create phpinfo.php with the content:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS probes are being filtered. For each blocked request ModSecurity writes the rule that fired to nginx's error.log, so look there when a request is blocked or passed unexpectedly. Remove phpinfo.php once the test is done; it discloses the server configuration to anyone who can reach it.

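The browser checks above can be scripted so they are repeated after every rule or configuration change. The following is an added example, not code from the original article: it replays the three requests (benign, SQL injection probe, XSS probe) and reports whether the WAF lets the first through with 200 and rejects the other two with 403. The target URL, the probe list and the pass/fail logic are this example's assumptions; the fetch function is injectable so the verdict logic can be exercised without a live server.

```python
"""Smoke test for the ModSecurity/CRS deployment described in the article.

Added example, not code from the original post. Replays the three test
requests from the test section and checks the WAF's verdict on each.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed probes for this example: (label, query parameters, status the WAF should return).
PROBES = [
    ("benign", {"id": "1"}, 200),
    ("sqli", {"id": "1 and 1=1"}, 403),
    ("xss", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base, params):
    """Append URL-encoded query parameters to base (CRS URL-decodes them before matching)."""
    return base + "?" + urllib.parse.urlencode(params)


def http_status(url, timeout=5):
    """Fetch url and return its HTTP status; a 4xx/5xx answer is a result, not an error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_probes(base, fetch=http_status, probes=PROBES):
    """Send every probe through fetch(url) -> status.

    Returns a list of (label, url, got, expected, passed) tuples.
    """
    results = []
    for label, params, expected in probes:
        url = build_url(base, params)
        got = fetch(url)
        results.append((label, url, got, expected, got == expected))
    return results


def waf_ok(results):
    """True only if the benign probe passed and every attack probe was blocked."""
    return all(passed for *_, passed in results)


if __name__ == "__main__":
    # Assumed default target: the article's PHP virtual host.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net/phpinfo.php"
    outcome = run_probes(target)
    for label, url, got, expected, passed in outcome:
        print("%s %-6s got %s, expected %s  %s"
              % ("PASS" if passed else "FAIL", label, got, expected, url))
    sys.exit(0 if waf_ok(outcome) else 1)
```

Run it as `python3 waf_smoke.py http://host/phpinfo.php`. A 200 on the sqli or xss probe almost always means SecRuleEngine is still DetectionOnly or the location lacks the ModSecurityEnabled directive; a connection failure raises URLError and aborts the script, which is the right outcome for a smoke test.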
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when building the standalone module.
Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that only the APR ModSecurity was compiled against (1.5.0) remains:

yum remove apr

Be aware that this removes the distribution's apr package together with everything that depends on it (yum lists the dependants before removing; httpd and httpd-devel are among them). If that is not acceptable, rebuild ModSecurity against the APR that is actually loaded instead, passing its location to configure with --with-apr and --with-apu.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The Serial audit log type funnels all writes through one global mutex, which the unprivileged nginx worker processes cannot lock here; Concurrent mode writes one file per transaction under SecAuditLogStorageDir and needs no such lock. The 0777 directory mode above is wider than necessary: it makes the audit directories world-writable, so any local user can add or delete entries in the audit trail. Create /var/log/modsecurity owned by the user the nginx workers run as and keep the directory and file modes owner-only (the defaults for both are 0600); that resolves the permission error without exposing the logs.
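The version notices and the mutex error quoted in this section share one format with the lines ModSecurity writes for every request it blocks: an nginx error.log prefix, "ModSecurity:", a free-text summary, then bracketed [key "value"] fields (file, id, msg, data, hostname, uri, unique_id). The script below is an added example, not code from the original article or the ModSecurity project: it parses those lines into dicts and tallies blocked requests by rule and by client, which is the quickest way to see which CRS rule rejected a test request from section VI. SAMPLE_LOG is constructed for the example; its rule ids, rule messages, line numbers and unique_ids are illustrative rather than captured output.

```python
"""Parse ModSecurity messages from nginx's error.log and summarise blocked requests.

Added example, not from the original article. SAMPLE_LOG is constructed.
"""
import re
import sys
from collections import Counter

# One nginx error.log line: timestamp, level, pid#tid, optional [client ...], then the message.
HEAD_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#\d+: (?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<message>.*)$'
)
# A bracketed field such as [id "981242"]; the value may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample: the mutex error from the article, a version notice, and three
# blocked requests (two SQLi probes from different clients, one XSS probe).
SAMPLE_LOG = r"""
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:16:03 [notice] 61610#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.5.0"
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\b(?:x?or|and)\b ?(?:\d{1,10}) ?[=<>]+)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "100"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "Matched Data: and 1= found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "Bb7GIq3sYNn3Fnj5Vz5lSgAAAAM"]
2015/01/26 04:20:09 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script[^>]*>" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "20"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "Matched Data: <script> found within ARGS:search: <script>alert('xss');</script>"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "Bb7GJK3sYNn3Fnj5Vz5lSwAAAAQ"]
2015/01/26 04:21:30 [error] 61610#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\b(?:x?or|and)\b ?(?:\d{1,10}) ?[=<>]+)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "100"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "Matched Data: or 1= found within ARGS:id: 1 or 1=1"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "Bb7GLq3sYNn3Fnj5Vz5lTAAAAAU"]
"""


def parse_line(line):
    """Return a dict for a ModSecurity error.log line, or None for any other line."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    message = m.group("message")
    # The free-text summary is everything before the first bracketed field.
    first = FIELD_RE.search(message)
    summary = message[:first.start()].rstrip() if first else message
    rec = {
        "ts": m.group("ts"),
        "level": m.group("level"),
        "client": m.group("client"),
        "summary": summary,
        "denied": summary.startswith("Access denied"),
    }
    rec.update(FIELD_RE.findall(message))  # file, line, id, msg, data, uri, ...
    return rec


def summarize(log_text):
    """Parse every ModSecurity line in log_text and tally blocked requests by rule and client."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    denied = [r for r in records if r["denied"]]
    return {
        "records": records,
        "denied": denied,
        "by_rule": Counter((r.get("id"), r.get("msg")) for r in denied),
        "by_client": Counter(r["client"] for r in denied),
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(text)
    print("%d ModSecurity lines, %d blocked requests" % (len(s["records"]), len(s["denied"])))
    for (rule_id, msg), n in s["by_rule"].most_common():
        print("%4d  rule %s  %s" % (n, rule_id, msg))
    for client, n in s["by_client"].most_common():
        print("%4d  client %s" % (n, client))
```

Point it at the real file with `python3 modsec_log.py /opt/tengine/logs/error.log`. The "id" and "msg" fields tell you which rule to tune when a legitimate request is blocked; "data" shows the exact matched fragment, which is what you need for a targeted SecRuleRemoveById or a per-location exception instead of disabling a whole rule file.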