ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security. It now also supports Nginx and IIS; combined with Nginx's flexibility and efficiency it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for Nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, add ModSecurity to nginx at compile time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity's job is to filter and block dangerous web traffic, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for any further needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs and does not block).

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever you need by adding Include lines for them to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

In the location block of the virtual host where ModSecurity should be enabled, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $Document_root is rejected as unknown
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Load balancing through an upstream:

# the upstream group name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We enabled the XSS and SQL injection filters, so malformed requests are answered directly with 403. Taking the PHP environment as the example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS attempts are being filtered.
7. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log will also contain the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following (note that 0777 makes the audit directory world-writable; any mode that still lets the nginx worker user create files there works as well):

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
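After a 403 in section 6 the next question is which rule fired, and item 4 above shows that the start-up notices deserve a look too. The following Python script is an added example, not code from the original post or from ModSecurity itself: it parses the [key "value"] fields of ModSecurity-for-nginx error.log lines into records and reports blocked requests, audit-log mutex failures and compiled-vs-loaded library mismatches. The sample lines are constructed after the ones quoted above; the rule id and msg in the "Access denied" line are placeholders, not a real CRS rule.

```python
import re

# Constructed sample lines modelled on the error.log excerpts in section 7;
# the "Access denied" line with its rule id/msg is a placeholder, not a real CRS rule.
SAMPLE_LINES = [
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"',
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock '
    'global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
    '2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 '
    '(phase 2). [file "owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[id "000000"] [msg "placeholder SQLi rule"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed"]',
]

# ModSecurity appends [key "value"] pairs to its messages; the client address is the one unquoted field.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
# Start-up notices: ModSecurity: <LIB> compiled version="..."; loaded version="..." (loaded part optional)
VERSION_RE = re.compile(r'ModSecurity: (\w+) compiled version="([^"]*)"(?:; loaded version="([^"]*)")?')


def parse_event(line):
    """Return the bracketed fields of one ModSecurity error.log line as a dict (plus 'client')."""
    fields = dict(FIELD_RE.findall(line))
    m = CLIENT_RE.search(line)
    if m:
        fields["client"] = m.group(1)
    return fields


def denied_requests(lines):
    """Summarise blocked requests: which client hit which URI and which rule (id/msg) fired."""
    out = []
    for line in lines:
        if "ModSecurity: Access denied" in line:
            ev = parse_event(line)
            out.append({k: ev.get(k, "") for k in ("client", "uri", "id", "msg")})
    return out


def mutex_errors(lines):
    """Audit-log mutex failures (item 5 above): the request is still blocked, but nothing is audited."""
    return [parse_event(line) for line in lines if "Failed to lock global mutex" in line]


def version_mismatches(lines):
    """Compiled vs loaded library versions from the start-up notices (item 4 above)."""
    found = []
    for line in lines:
        m = VERSION_RE.search(line)
        if m and m.group(3) is not None:  # notices without a loaded version (LIBXML) are skipped
            compiled, loaded = m.group(2).strip(), m.group(3).strip()
            if not loaded.startswith(compiled):  # prefix match: PCRE's loaded string carries a date suffix
                found.append({"lib": m.group(1), "compiled": compiled, "loaded": loaded})
    return found
```

Feed it the real error.log with `version_mismatches(open("/opt/tengine/logs/error.log"))` after a restart; a non-empty result means the yum remove step above is still needed.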
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614