ModSecurity started out as an open-source WAF for Apache that adds a solid layer of web protection; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
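As an added preflight check (not part of the original article), the script below confirms that the build tools the packages above provide are actually on PATH before ./configure is run. The commands it looks for (apxs, pcre-config, xml2-config, apr-1-config, apu-1-config) are the ones shipped by the -devel packages listed here, and finding them early avoids the "couldn't find APXS", "pcre library not found" and "libxml2 is required" failures described in the troubleshooting section. The command-to-package mapping is an assumption for CentOS 6; other distributions name the packages differently.

```shell
#!/bin/sh
# Added preflight check for the ModSecurity/Tengine build; not from the original article.
# Each line of DEPS is "command package": the command that ./configure looks for and the
# CentOS 6 package (from the dependency list above) that provides it. The package names
# are an assumption for CentOS 6.5; other distributions differ.
DEPS="apxs httpd-devel
pcre-config pcre-devel
xml2-config libxml2-devel
apr-1-config apr-devel
apu-1-config apr-util-devel"

# have_cmd NAME: succeed (0) if NAME resolves on PATH, fail (1) otherwise.
have_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# missing_deps LIST: read "command package" lines from LIST and print one line per
# command that is absent. Returns 0 when nothing is missing, 1 otherwise.
missing_deps() {
    rc=0
    while read -r cmd pkg; do
        [ -n "$cmd" ] || continue
        if ! have_cmd "$cmd"; then
            printf '%s %s\n' "$cmd" "$pkg"
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# preflight: print what is missing together with a ready-to-run yum line,
# or confirm that every build dependency is present.
preflight() {
    if missing=$(missing_deps "$DEPS"); then
        echo "all build dependencies present"
        return 0
    fi
    echo "missing build tools (command -> package):"
    echo "$missing" | while read -r cmd pkg; do echo "  $cmd -> $pkg"; done
    pkgs=$(echo "$missing" | while read -r cmd pkg; do printf '%s ' "$pkg"; done)
    echo "install with: yum install $pkgs"
    return 1
}

# Run the check only when invoked as: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

Run it with `sh preflight.sh --check` on the build host before ./autogen.sh; a non-zero exit means at least one tool is missing and the printed yum line installs the corresponding packages.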
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make

III. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to nginx's configure with "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install
IV. Add rules

ModSecurity's purpose is to filter and block web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write your own rules for other needs.

1. Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines for them to modsecurity.conf:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add these two lines:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

Second, upstream load balancing (the upstream name must match the host used in proxy_pass):

    upstream online {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            proxy_pass http://online;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
VI. Testing

With the XSS and SQL injection rules enabled, abnormal requests are answered with a 403 directly. Using the PHP environment as an example, create a phpinfo.php containing:

    <?php
    phpinfo();
    ?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
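A browser check only shows that a request was refused; in operation you also want to see the block in nginx's error.log, where ModSecurity writes an "Access denied" line for every request it rejects. The functions below are an added example, not from the original article: they pull the client, URI, rule id and message out of such lines and count denials per client. The log they run on is constructed here (using the page's host and test URI; the rule ids and messages are illustrative), and the field layout assumed is the bracketed [client ...], [id "..."], [msg "..."] and [uri "..."] form that ModSecurity 2.x writes.

```shell
#!/bin/sh
# Added example: summarise ModSecurity denials from nginx's error.log. Not from the
# original article. Assumed field layout: ModSecurity 2.x bracketed fields such as
# [client 1.2.3.4] [id "..."] [msg "..."] [uri "..."].

# write_sample_log PATH: write a constructed error.log (not real traffic) to PATH.
# The notice line and the "Failed to lock global mutex" line are included to show
# that only "Access denied" entries are counted. Rule ids/messages are illustrative.
write_sample_log() {
    cat > "$1" <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 05:10:02 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed0001"]
2015/01/26 05:10:09 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed0002"]
2015/01/26 05:11:30 [error] 61610#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed0003"]
2015/01/26 05:12:00 [error] 61610#0: [client 10.11.15.163] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "constructed0004"]
EOF
}

# modsec_denials LOGFILE: one tab-separated line "client uri rule_id msg" per
# "Access denied" entry; a field that is absent from the line is printed as "-".
modsec_denials() {
    awk '
    BEGIN { OFS = "\t" }
    # field(line, op, cl): text between the first occurrence of op and the next cl.
    function field(line, op, cl,    s, e) {
        s = index(line, op)
        if (s == 0) return "-"
        s += length(op)
        e = index(substr(line, s), cl)
        if (e == 0) return "-"
        return substr(line, s, e - 1)
    }
    /ModSecurity: Access denied/ {
        print field($0, "[client ", "]"),
              field($0, "[uri \"", "\"]"),
              field($0, "[id \"", "\"]"),
              field($0, "[msg \"", "\"]")
    }' "$1"
}

# denials_per_client LOGFILE: "count client" lines, busiest client first.
denials_per_client() {
    modsec_denials "$1" | cut -f1 | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Standalone run against a real log: sh modsec_denials.sh /opt/tengine/logs/error.log
if [ -n "${1:-}" ]; then
    echo "== denials =="
    modsec_denials "$1"
    echo "== per client =="
    denials_per_client "$1"
fi
```

Point it at the real error.log after repeating the three test requests above: the "?id=1" request produces no line, while the two attack requests each produce an "Access denied" entry naming the SQL injection or XSS rule file that fired, which is the confirmation worth keeping alongside the 403 seen in the browser.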
VII. Troubleshooting the installation

1. Missing APXS

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

    yum install httpd-devel

2. pcre missing

    configure: *** pcre library not found.
    configure: error: pcre library is required

Fix:

    yum install pcre pcre-devel

3. libxml2 missing

    configure: *** xml library not found.
    configure: error: libxml2 is required

Fix:

    yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

    yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity/
    SecAuditLogType Concurrent
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614