ModSecurity started out as an open-source WAF for Apache and adds a substantial layer of protection to web applications; it now also supports nginx and IIS. Combined with the flexibility and performance of nginx it can be turned into a production-grade WAF and is a strong tool for both protecting and auditing web traffic.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been built, nginx can pick it up at configure time through "--add-module". The path must point at the nginx/modsecurity directory inside the ModSecurity source tree you just compiled:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built around filtering and blocking web attacks, and its strength comes from its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and thorough, and you can of course also write custom rules for specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly; it is worth running in that mode first and reviewing error.log for false positives before switching to On, because once the engine is On every rule match returns 403 to real users.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines to modsecurity.conf. The setup file modsecurity_crs_10_setup.conf has to be included first, since it defines the variables the other rule files rely on. Note also that the DoS-protection, brute-force and session-hijacking rules keep per-IP and per-session state in persistent collections, so SecDataDir in modsecurity.conf must point at a directory writable by the nginx worker user.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In every location of a virtual host that should be protected, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host. With this layout only requests for .php files pass through ModSecurity; anything served by other locations is not inspected:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
* F. I7 z2 G% }2 xupstream负载均衡:. ?! Y; a6 v( Z8 D
g$ Z5 ?0 e/ s7 @1 ^/ E
upstream 52os.net {. `: ^0 r, m5 Z: t0 N; N
server 192.168.1.100:8080;% L% d9 U- i1 p% u$ Y. a) s* ~
server 192.168.1.101:8080 backup;- w1 ?8 M7 g! c3 n! G ]
}
+ S1 Q" Z% o5 r" j! H8 c+ _( k/ p
; T2 C5 c" v; V3 }* Z$ t" Yserver {7 B6 k7 b* B1 K2 _ O
listen 80;
1 M! K+ X% {( e. X: ]1 f" L4 Q- Yserver_name 52os.net www.52os.net;2 W3 c [# G/ o/ C8 Y
0 q7 d {9 R' G7 |location / {
% C9 |# @% U6 E" b9 ^6 D ModSecurityEnabled on;
7 D3 Y2 R4 m! s H6 o8 u- _1 n ModSecurityConfig modsecurity.conf;
) F# D* l1 A. I5 E f7 I9 M7 f. _
$ a; Z3 [. D i+ g4 @( [ proxy_pass http://online;
4 g, o2 ^5 f7 G0 W8 N proxy_redirect off;
+ f8 r* F5 C6 Y: [0 T proxy_set_header Host $host;
* H9 G5 v) }8 i! A3 ~; ], i proxy_set_header X-Real-IP $remote_addr;
* W3 c' m9 O, k, ?$ J5 E: F proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;1 x+ q8 o6 Z. F* k7 u7 |, h# D
}% {, K0 }& l r
}* x0 ?+ L, w* L4 ~; Q+ G
VI. Testing

With the XSS and SQL-injection rules enabled, malicious requests are answered with 403 directly. Taking the PHP host as an example, create phpinfo.php with the content:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This confirms that SQL injection and XSS payloads are being filtered. Each match is also written to nginx's error.log together with the rule id, which is what you need when a legitimate request gets blocked and a rule has to be tuned. Delete phpinfo.php when you are done; it exposes the PHP build and environment to anyone who can reach it.
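The manual browser checks above are easy to automate and rerun after every rule change. The script below is an added example and not part of the original post: it sends the three requests from this section plus a few extra constructed cases (a UNION-based SQLi, an event-handler XSS, and a benign query containing SQL keywords that is there to surface false positives) and compares each status with the expectation. BASE_URL and the expected codes for the added cases are assumptions; adjust them to your host.

```python
"""WAF smoke test for the Tengine + ModSecurity setup above.

Added example, not part of the original post. Assumes the PHP vhost from
section V answers on BASE_URL and that the CRS SQLi and XSS rule files from
section IV are included. All test cases below are constructed.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net"   # assumption: the vhost from section V
PATH = "/phpinfo.php"              # the test page from section VI

# (name, query parameters, expected HTTP status)
# The first three mirror section VI; the rest are added cases.
CASES = [
    ("benign id",         {"id": "1"},                                  200),
    ("sqli tautology",    {"id": "1 and 1=1"},                          403),
    ("xss script tag",    {"search": "<script>alert('xss');</script>"}, 403),
    ("sqli union",        {"id": "1' UNION SELECT 1,2,3-- "},           403),
    ("xss event handler", {"search": "<img src=x onerror=alert(1)>"},   403),
    # Benign text with SQL keywords: if this is blocked, a rule needs tuning.
    ("benign prose",      {"q": "select the best tengine release"},      200),
]


def build_url(base, path, params):
    """Percent-encode the parameters; ModSecurity decodes them before matching."""
    return f"{base}{path}?{urllib.parse.urlencode(params)}"


def fetch_status(url, timeout=5):
    """Return the HTTP status code (urllib raises on 4xx/5xx, so unwrap it);
    0 means the server could not be reached at all."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except urllib.error.URLError:
        return 0


def judge(expected, actual):
    """Classify one case: a blocked benign request is a false positive,
    an allowed attack a false negative; anything else is reported as-is."""
    if actual == expected:
        return "PASS"
    if expected == 200 and actual == 403:
        return "FALSE_POSITIVE"
    if expected == 403 and actual == 200:
        return "FALSE_NEGATIVE"
    return f"UNEXPECTED({actual})"


def run(cases=CASES, base=BASE_URL):
    """Send every case and return a list of (name, verdict)."""
    results = []
    for name, params, expected in cases:
        url = build_url(base, PATH, params)
        verdict = judge(expected, fetch_status(url))
        results.append((name, verdict))
        print(f"{verdict:16} {name}: {url}")
    return results


if __name__ == "__main__":
    failed = [r for r in run() if r[1] != "PASS"]
    sys.exit(1 if failed else 0)
```

Run it once with SecRuleEngine DetectionOnly (everything should come back 200, and the matches show up in error.log) and again after switching to On; a FALSE_POSITIVE verdict is the signal to look up the rule id in error.log before going live.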
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server, building one or more source or object files into a dynamic shared object. ModSecurity's configure script requires it (and the Apache headers that come with it) even for the standalone build.

Fix:

yum install httpd-devel
2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel
3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same mismatch:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Be aware that yum remove apr also takes out every package that depends on it (httpd-devel, apr-util and their dependents), so do this only after ModSecurity has been built. The cleaner alternative is to build ModSecurity against the same apr-devel that will be present at runtime, so the two versions agree from the start.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The default serial audit log is guarded by a global mutex that the unprivileged nginx worker processes cannot lock; the concurrent log writes one file per transaction under SecAuditLogStorageDir and needs no shared lock. Create /var/log/modsecurity before reloading. Audit log entries contain complete requests, cookies and credentials included, so prefer handing the directory to the worker user with a restrictive mode over the world-writable 0777 shown here.
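Whether a request was blocked (section VI) or a rule merely fired in DetectionOnly mode, the evidence lands in nginx's error.log in the same bracketed format as the mutex entry above. The parser below is an added example, not part of the original post: it pulls the client, message and the "[key "value"]" fields out of each ModSecurity line and counts hits per rule id and URI, which is the quickest way to spot a rule that keeps tripping on legitimate traffic before SecRuleEngine is switched to On. The sample log lines are constructed in that format; the rule ids, messages and paths in them are illustrative.

```python
"""Triage helper for ModSecurity entries in nginx's error.log.

Added example, not part of the original post. SAMPLE_LOG below is
constructed in the format ModSecurity 2.x writes to error.log (compare the
"Failed to lock global mutex" entry above); rule ids, messages and paths
are illustrative. Pass a real error.log path as the first argument.
"""
import re
import sys
from collections import Counter

# Bracketed [key "value"] fields appended to every ModSecurity message.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Message text after "ModSecurity: " up to the first bracketed field.
MSG_RE = re.compile(r'ModSecurity: (.*?)(?= \[\w+ "|$)')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')

# Constructed sample: one non-rule error, two blocks, two detect-only
# warnings on the same URI, and one ordinary nginx line to be ignored.
SAMPLE_LOG = r'''2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\b(\d+)\s*=\s*\1\b)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "c0nstructed000002"]
2015/01/26 04:20:05 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script[^>]*>" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "24"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:search: <script>alert('xss');</script>"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "c0nstructed000003"]
2015/01/26 04:25:10 [error] 61611#0: [client 10.11.15.200] ModSecurity: Warning. Pattern match "\W{4,}" at ARGS:content. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: ---- found within ARGS:content: <!-- wp:paragraph -->"] [severity "WARNING"] [hostname "www.52os.net"] [uri "/wp-admin/post.php"] [unique_id "c0nstructed000004"]
2015/01/26 04:25:12 [error] 61611#0: [client 10.11.15.200] ModSecurity: Warning. Pattern match "\W{4,}" at ARGS:content. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: ---- found within ARGS:content: <!-- wp:paragraph -->"] [severity "WARNING"] [hostname "www.52os.net"] [uri "/wp-admin/post.php"] [unique_id "c0nstructed000005"]
2015/01/26 04:26:00 [error] 61611#0: *12 open() "/web/wordpress/favicon.ico" failed (2: No such file or directory), client: 10.11.15.161, server: 52os.net, request: "GET /favicon.ico HTTP/1.1", host: "www.52os.net"
'''


def parse_line(line):
    """Return a dict for one ModSecurity error-log line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    entry = {"raw": line.rstrip("\n")}
    m = CLIENT_RE.search(line)
    entry["client"] = m.group(1) if m else ""
    m = MSG_RE.search(line)
    entry["message"] = m.group(1).strip() if m else ""
    # "Access denied ..." means the engine was On and the request got a 403;
    # "Warning. ..." is a match that was only logged (DetectionOnly or pass).
    entry["blocked"] = entry["message"].startswith("Access denied")
    for key, value in FIELD_RE.findall(line):
        entry[key] = value.replace('\\"', '"')
    return entry


def summarize(lines):
    """Count rule hits and blocks per (id, uri); collect non-rule errors."""
    hits, blocked, errors = Counter(), Counter(), []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if "id" in e:            # a rule match carries [id "..."]
            key = (e["id"], e.get("uri", ""))
            hits[key] += 1
            if e["blocked"]:
                blocked[key] += 1
        else:                    # engine/audit-log errors such as the mutex one
            errors.append(e["message"])
    return hits, blocked, errors


def report(text):
    hits, blocked, errors = summarize(text.splitlines())
    for (rule_id, uri), n in hits.most_common():
        mode = "blocked" if blocked[(rule_id, uri)] else "detect-only"
        print(f"{n:4}  id={rule_id:<8} {mode:12} {uri}")
    for msg in errors:
        print("non-rule error:", msg)
    return hits, blocked, errors


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    report(text)
```

A rule id that dominates the count on one application path (in the sample, 981173 on /wp-admin/post.php) is a candidate for a targeted exclusion in modsecurity.conf rather than for disabling the whole rule file.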
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614