ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security. It now also supports Nginx and IIS; combined with Nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for Nginx, extract it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add it when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need: each rule file you want active is pulled in with an Include directive in modsecurity.conf.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of each virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so malformed requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then visit in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
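To turn the three browser checks above into a repeatable test, here is an added shell script that is not part of the original post. It assumes curl is installed and that BASE_URL, a variable introduced here, points at the host where ModSecurity is enabled; the SQL and XSS test strings are URL-encoded with --data-urlencode so they reach the WAF exactly as typed instead of being mangled by the shell.

```sh
#!/bin/sh
# Added example, not from the original post: automate the three checks from
# the testing section. Assumes curl is installed and that BASE_URL (a variable
# introduced here) points at the host with ModSecurity enabled.
BASE_URL="${BASE_URL:-http://www.52os.net}"

# Print the HTTP status code for a GET of $1 with query string $2.
# "curl -G --data-urlencode name=value" URL-encodes the value part (spaces,
# quotes, angle brackets), so the payload is sent unchanged to the WAF.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        -G --data-urlencode "$2" "$1"
}

# check_request PATH QUERY EXPECTED: print PASS/FAIL, return 0 on a match.
check_request() {
    got=$(http_status "$BASE_URL$1" "$2") || got="000"   # 000 = no connection
    if [ "$got" = "$3" ]; then
        echo "PASS $1?$2 -> $got"
        return 0
    fi
    echo "FAIL $1?$2 -> got $got, expected $3"
    return 1
}

# The three requests from the text: the benign one must return 200 and the
# SQL injection / XSS patterns must be blocked with 403. Returns 0 only when
# every check matches, so it can gate a deployment script.
run_waf_checks() {
    rc=0
    check_request /phpinfo.php 'id=1' 200 || rc=1
    check_request /phpinfo.php 'id=1 and 1=1' 403 || rc=1
    check_request /phpinfo.php "search=<script>alert('xss');</script>" 403 || rc=1
    return "$rc"
}

# Only run when invoked with the argument "run", so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
    run_waf_checks
fi
```

Save it as, for example, waf_check.sh and run "sh waf_check.sh run"; a non-zero exit status means at least one request did not get the expected answer.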
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel
4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log shows the same mismatch:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr
. q" \+ p4 V4 \+ t; y- k5.Error.log中有: Audit log: Failed to lock global mutex
. |: x! `5 i$ U3 j \7 d+ s4 l5 I6 _) {
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
% n' P* j* P) Wglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
; o) Y. B0 `- _# M, N解决方法:
3 E* |# h0 M. X8 t% o, ]1 q' L5 t编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
3 _/ f) w+ a2 p. N+ [1 d! A5 r; r# l$ z9 \" d, N1 {
SecAuditLogDirMode 07779 r4 S" H2 ~( W1 [6 u, v! g3 ?0 w( Q+ {
SecAuditLogFileMode 0550
2 y3 K' q: \: @4 I" mSecAuditLogStorageDir /var/log/modsecurity
; b0 X2 e7 B4 ^* Y) J0 {SecAuditLogType Concurrent
0 n' b1 P0 `' E& x$ t- w参考文章:( ?, I K' S& a# R8 d+ l
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
6 s0 ~; M0 r- l/ thttp://drops.wooyun.org/tips/2614 |
|