ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS, and combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been built, it can be added when nginx is configured, using "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs matches and does not block).

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling the corresponding files in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
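As an added example (not from the original post), here is a small POSIX shell pre-flight check to run on modsecurity.conf before pointing ModSecurityConfig at it: it confirms that SecRuleEngine is On, that every Include resolves relative to the conf directory, and that a Concurrent audit log has a writable SecAuditLogStorageDir. The conf files and directory it builds at the end are constructed fixtures; the paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the modsecurity.conf
# that ModSecurityConfig will load. Returns 0 when it looks usable, 1 otherwise.

check_modsec_conf() {
    conf="$1"
    dir=$(dirname "$conf")
    rc=0

    engine=$(awk '$1=="SecRuleEngine"{v=$2} END{print v}' "$conf")
    case "$engine" in
        On|on) ;;
        *) echo "SecRuleEngine is '${engine:-unset}', not On: rules will not block" >&2; rc=1 ;;
    esac

    # Include paths are relative to the directory that holds modsecurity.conf
    awk '$1=="Include"{print $2}' "$conf" | while read -r inc; do
        case "$inc" in /*) path="$inc" ;; *) path="$dir/$inc" ;; esac
        [ -r "$path" ] || { echo "Include not found: $path" >&2; exit 1; }
    done || rc=1

    logtype=$(awk '$1=="SecAuditLogType"{v=$2} END{print v}' "$conf")
    if [ "$logtype" = "Concurrent" ]; then
        logdir=$(awk '$1=="SecAuditLogStorageDir"{v=$2} END{print v}' "$conf")
        [ -d "$logdir" ] && [ -w "$logdir" ] ||
            { echo "SecAuditLogStorageDir '$logdir' missing or not writable" >&2; rc=1; }
    fi
    return $rc
}

# Constructed fixture: one conf that passes and one that fails (engine not On, missing Include).
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/owasp-modsecurity-crs/base_rules" "$SAMPLE_DIR/auditlog"
: > "$SAMPLE_DIR/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"
GOOD_CONF="$SAMPLE_DIR/good.conf"
BAD_CONF="$SAMPLE_DIR/bad.conf"
cat > "$GOOD_CONF" <<EOF
SecRuleEngine On
SecAuditLogType Concurrent
SecAuditLogStorageDir $SAMPLE_DIR/auditlog
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
EOF
cat > "$BAD_CONF" <<EOF
SecRuleEngine DetectionOnly
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
EOF
```

Run it as `check_modsec_conf /opt/tengine/conf/modsecurity.conf` before `nginx -t` and a reload; the Include check catches a renamed or not-yet-moved CRS file before nginx refuses to start.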
V. Configure nginx

Add the following two lines to the location block of every virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # $document_root expands to the root directive above
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # requests are inspected by ModSecurity before being proxied to the "online" upstream
        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP setup as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. Remove phpinfo.php once the test is done, since it discloses the server's configuration to anyone who requests it.
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the apr version ModSecurity was compiled against differs from the one loaded at run time. error.log will also contain:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The underlying problem is that the nginx worker processes run as an unprivileged user and cannot write the audit log; 0777 makes the storage directory world-writable, so on a shared host prefer to own the directory by the worker user and use a narrower mode.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614