|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。5 v" T- k# s Z- A- _7 N, d
3 ?) i/ t3 n( I6 l( ~* h3 T; f- g一.准备工作
5 H6 ]& ?/ d$ |8 F8 r) n( l- [" B' O6 M
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
1 O+ w9 v" y/ s" {9 N9 k- w6 {3 Y& K; T4 H
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz/ v* Z2 N4 d3 n
9 j5 i: C( u: ?modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
, Y: ~7 D8 ~ G. T3 Q
' c! L z+ L% f3 U+ d pOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
: B+ O& l8 T( L% H, B) `1 `+ O! _% ]7 ~$ t, e
依赖关系:$ i. N/ q# _# g2 k
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有: r! E6 v! }/ u
4 G& j) N4 X+ k2 n& z" Z+ ?
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
* ?% e3 f# a6 g N% k4 W- l* Omodsecurty依赖的包:pcre httpd-devel libxml2 apr" p4 C; k2 K8 s& U* w; G
: m. c9 Q( N7 E) E0 Hyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
# g7 d0 T6 v* D二.启用standalone模块并编译
- t+ `9 f( n8 E+ D2 S* g& B; I7 q; p- V/ r; f. {% m9 O* C
下载modsecurity for nginx 解压,进入解压后目录执行:& @/ Q ?* G8 Z+ U3 C: {1 O* o$ w
! g$ D0 f+ f/ j; [# {
./autogen.sh
+ x; R' O0 M3 {./configure --enable-standalone-module --disable-mlogc
& @, G- s. E9 M7 amake ; X9 n- P1 C( p9 I2 A
三.nginx添加modsecurity模块+ q: \9 p$ w: k/ B! H t! p
$ _( [+ c0 e: T+ K$ V$ ~
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:/ t: L$ @+ [ B* ^6 Y
7 \, l/ v0 u( v
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine- G8 F* S0 e" }- f* h7 D, F
make && make install2 e. M+ w. ~7 w @
四.添加规则
$ Q6 n2 ^ A( ~( M- L1 M; W' {* T# _7 ]5 v% E- o# ]
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。* d7 s% Z8 F0 G9 F. c4 l
1 `5 q4 t P, m# @
1.下载OWASP规则:
7 K3 m) K' a* N- h4 _, x( K
" H+ W* U# X. S! Y( Lgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
: Y3 K$ t; ^# Q8 e/ S7 u( f' Y9 T
) Y5 X6 U( h: emv owasp-modsecurity-crs /opt/tengine/conf/
) N" g5 Y& ]. O7 \1 @8 M4 \! D4 f3 j
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
: A1 t2 b& k( g& Y7 C2.启用OWASP规则:
6 p7 ^2 l6 K; l) V2 S U- e
3 Q' z. j$ G0 x+ x复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。% N1 C4 C3 o9 ^; Q4 l
/ _0 Q8 J w3 \; b! t4 _
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on( y& T; w& F" [, }& d% D, n& A O
) t8 o" u7 L8 N( F) w7 G
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。 [0 i$ N; V" a$ ~# B5 R
3 c& h4 R! X3 B# f7 d- GInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
5 p" o& ?0 w. A$ L8 bInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf. y) a3 h r7 W. R5 s3 k2 a" j+ b. o% A8 ]
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf% J9 I- B& G* l; w* r
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
, m; w4 t4 I! x$ qInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf3 J, ~7 A" f& k; h8 x! o6 D9 ^6 s, U
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf+ g- ^; R, i7 |
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf+ n; i+ }* z/ I2 i
五.配置nginx9 P+ n5 i& A- g
+ ]6 G2 T5 P" N4 O8 c1 x J
在需要启用modsecurity的主机的location下面加入下面两行即可:( [& f4 y* V( h7 y
$ I$ w7 {8 x0 u7 `' a
ModSecurityEnabled on; / H* M* B! n7 n
ModSecurityConfig modsecurity.conf;
( l! s; _4 Z/ F- q6 @) z9 \( b+ R下面是两个示例配置,php虚拟主机:
3 f5 r0 f: j9 x2 Z( E7 O# E4 A4 L( W+ G) R0 g0 K( @
server {, v8 g! l; g; e/ `* s* Q# _
listen 80;* W( n. K" j. U& Z
server_name 52os.net www.52os.net;
$ U3 R! E# U8 [/ H
+ v; N* Z+ B% y$ @" w location ~ \.php$ {, ~. \7 r8 }% w: \ Q. A- a
ModSecurityEnabled on; ; L8 t. _$ h1 `$ e
ModSecurityConfig modsecurity.conf;
: e u9 [, O6 Q7 O2 _8 N! J2 R# q& S% m/ x0 g8 ~$ S" h% g, W0 ~3 O
root /web/wordpress;
4 Y5 s# d& @, v' \. L0 }3 w2 @. G index index.php index.html index.htm;
% x( o0 p$ S* H S, p# U
9 J/ m9 C' c& T) a) D' h8 s fastcgi_pass 127.0.0.1:9000;) _0 C+ \3 }8 R9 P8 O
fastcgi_index index.php;
; ^& s: s' H; I6 E( t2 O1 t fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;& I) Y6 u- l- l0 @* s0 _* |
include fastcgi_params;
5 N7 A& k4 L6 V' Y& [ }
) @# c& K; r" N" \1 q2 M }
* i3 W0 K5 N0 d# eupstream负载均衡:
f# r9 X8 y* U
# ^* C' G8 y4 V. z, ^7 Z8 bupstream 52os.net {
$ }% E/ a( Q6 C% U' R" i server 192.168.1.100:8080;; L( @: l2 i8 v, ]+ h8 R
server 192.168.1.101:8080 backup;2 ^; Q: Y/ o2 X6 C9 @
}
* `* f7 h% Q4 }2 x) H' a O# k1 y" {# t) Q
server {
: S2 j! M+ m) X. s4 U7 J7 Qlisten 80;& n t0 w) P6 _3 f# n
server_name 52os.net www.52os.net;
5 |; k! {& Y! ?3 M& L! }* y1 E3 |1 _- t$ l0 A! q& e: r
location / {
$ D0 m1 _, n* F. u% e6 O3 J ModSecurityEnabled on;
0 Y s# T$ n; l/ ^ ModSecurityConfig modsecurity.conf; - s8 |6 Z) Q0 b$ ^7 A+ P/ C1 t8 |* P
( x3 d* Q2 m% G2 {7 c proxy_pass http://online;
6 b0 _5 _% W$ ` proxy_redirect off;, N( v) s( T5 q1 k( e& x9 J: s9 F& F
proxy_set_header Host $host;
& l5 S* y/ P: G; w2 D proxy_set_header X-Real-IP $remote_addr;
6 Y" x1 J5 D; Q( E& {4 b* p+ ` proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
2 T' i+ Y8 Q7 Z+ C$ ~) ] }
" ~# o1 p8 Q w3 h0 O" g}
$ b4 b4 \ q% i7 Q% K+ l! ?六.测试8 H+ d, D9 S1 m. P; r
0 h% q/ |$ T! m4 H2 Q9 D
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
" x" F3 N( T( j y3 [9 h, A/ i# {% T$ ^ C) _8 W9 d
<?php5 S3 ^& J8 ` C. C) k) ~/ Q9 f' J4 A8 k
phpinfo();
1 p9 V4 l% Y- H4 V7 d. x0 V?>
% c' O7 G! u; c" [6 C7 ^# z* Y在浏览器中访问:
/ [3 C+ ]2 K+ q. I1 K, M) y1 E- {& l$ C* b
http://www.52os.net/phpinfo.php?id=1 正常显示。! Z2 ]0 r. q, G+ w
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。% P1 @2 R: |/ L2 d% O0 ~$ C3 _
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
, Y' z( d- F: C7 p说明sql注入和xss已经被过滤了
) e5 c) Y& {4 L( G
3 q0 A1 A) d. |, t% a& C6 S七、安装过程中排错+ t+ y& k1 `3 \$ e
9 ^. A) U6 Q" }4 w% H% T
1.缺少APXS会报错
& a% {1 ]: P0 ^( T0 t; n% H8 f o. m9 A9 S. L5 O* z
configure: looking for Apache module support via DSO through APXS4 r3 n2 h% z4 H9 z1 P1 O4 q7 Q. h
configure: error: couldn't find APXS
7 P$ J6 y* T' iapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
- V4 e+ y8 T' S0 {) U4 x, w0 t0 d解决方法:2 S% n* {1 S* P% L9 `& n
, K# \4 [2 G5 `yum install httpd-devel
; u: a0 t( X* b$ K2 W" b2.没有pcre, @9 Q+ i: f- t. W% Z
- W/ l; U) I" c6 y7 fconfigure: *** pcre library not found.
4 J a$ ^7 d/ |) x* mconfigure: error: pcre library is required5 e' {1 ]5 ~5 r8 f
解决方法:3 r6 r* `3 o, W0 A
/ t( B% _& j$ \" }/ {
yum install pcre pcre-devel
' u* j8 Z4 u! b z3.没有libxml2
, @. U& u4 t% ]8 a6 v/ \! t# V# O8 Y
" Q# [) q# ?) B4 g! `2 p
2 ~" J9 C8 F; \( b$ Tconfigure: *** xml library not found.& D- V! C+ R8 b9 X
configure: error: libxml2 is required
- {( c, u: V: T% v& u" F: p解决方法:0 L7 e. A' T% l2 Q0 b8 |* K! R
# L6 ^% f! |9 t/ s
yum install libxml2 libxml2-devel
1 D& E2 k" H/ R5 _ S1 x" _2 s4.执行 /opt/tengine/sbin/nginx -m 时有警告
5 C" W1 Y m2 j( _" `
0 k$ i$ j9 L. J: P. c: b5 |Tengine version: Tengine/2.1.0 (nginx/1.6.2)
( j6 T8 B3 ?0 @7 i- Unginx: [warn] ModSecurity: Loaded APR do not match with compiled!
d6 y( i) w& x7 m* S原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log3 D! o( @8 O) T* s( p8 A
) g1 l# k, X- s M% w% S
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
% X4 Z3 D; s0 s. g/ Y2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"& w+ h* x w4 A) p
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
) O7 V8 q: A. @" ?2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
1 j0 ?+ n9 m" C2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"$ O( e) G: j9 b( A% E! T
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.- k* W' M- ~9 O% {. Z" s4 t/ F
解决方法,移除低版本的APR (1.3.9)
- h) T- l# M9 o- y- Y% U7 K
& r! k9 g) |1 y' N4 Pyum remove apr$ @- u) o& y, B# a0 s/ A
5.Error.log中有: Audit log: Failed to lock global mutex1 c }) j9 T: T) K
3 \* U+ ~4 E! W/ i8 v2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
5 J% L" B5 J0 Cglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"] h: o* ~& P. d( t2 ?- u
解决方法:3 X/ B. N' G) d- t, ~- |) U3 l
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:; o# p& l3 b- a0 G9 M
- m0 C9 `1 h7 [4 y4 |SecAuditLogDirMode 07775 k- W; [5 `$ E0 a" z* G& a1 t
SecAuditLogFileMode 05505 Y. e2 @, k% }5 ^
SecAuditLogStorageDir /var/log/modsecurity) P8 }; y9 }% i$ d
SecAuditLogType Concurrent+ e& Q7 [' c: r) P; x+ M
参考文章:
# Y- S) a. h7 q+ L7 r) Yhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
3 s$ c8 Q$ B9 B+ ^# _* @5 Z2 shttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡