ModSecurity began as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to nginx's configure with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for your own needs.

(1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

(2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several rule directories, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines inside the location block of each virtual host that ModSecurity should protect:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# The upstream name must match the host named in proxy_pass below.
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We enabled the XSS and SQL injection filters, so malicious requests are answered directly with 403. Taking the PHP setup as an example, create phpinfo.php with the content:

<?php
phpinfo();
?>

Then request in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
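The three requests above can be replayed as an automated smoke test after every rule change. This is an added example, not from the original post; it assumes the URLs and expected status codes listed in this section, and the fetch function is injectable so the check logic can also run without a live server.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

# (query string, expected HTTP status): the three requests from the test
# section. 200 = passed through to PHP, 403 = blocked by the CRS rules.
CASES = [
    ("id=1", 200),
    ("id=1 and 1=1", 403),
    ("search=<script>alert('xss');</script>", 403),
]


def http_status(url, timeout=5):
    """Return the HTTP status code of a GET request to url.

    urllib raises HTTPError for 4xx/5xx, so the WAF's 403 is caught and
    returned as a result instead of aborting the run.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verify_waf(base_url, cases=CASES, fetch=http_status):
    """Run every case; return (all_passed, [(url, expected, actual), ...]).

    fetch maps a URL to a status code; pass a stub to exercise the logic
    without a live server.
    """
    results = []
    for query, expected in cases:
        # Percent-encode the query so the probe reaches the WAF unchanged.
        url = base_url + "?" + urllib.parse.quote(query, safe="/=&")
        results.append((url, expected, fetch(url)))
    passed = all(exp == act for _, exp, act in results)
    return passed, results


if __name__ == "__main__":
    # Assumed default: the protected vhost on this machine; pass your own URL.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1/phpinfo.php"
    ok, report = verify_waf(target)
    for url, exp, act in report:
        print(f"{'ok  ' if exp == act else 'FAIL'} got {act}, expected {exp}: {url}")
    print("WAF smoke test", "passed" if ok else "FAILED")
```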
7. Troubleshooting the installation

(1) Missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

(2) pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

(3) libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
(4) A warning when running /opt/tengine/sbin/nginx -m:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
(5) error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following (note that 0777 makes the audit directory world-writable; since the error is a permissions problem, a narrower mode owned by the nginx worker user also resolves it):

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
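The error.log entries shown in this section share one shape: an nginx prefix, an optional [client ip], "ModSecurity:" and a series of [key "value"] tags. The parser below (an added example, not code from the post or the ModSecurity project) splits such lines into fields and separates blocked requests from operational errors like the mutex failure; its sample log lines are constructed, and the rule id in them is a placeholder.

```python
import re
from collections import Counter

# nginx error.log prefix (timestamp, level, pid#tid), optional [client ip],
# then the ModSecurity message text.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<text>.*)$')
# Trailing [key "value"] pairs; "tag" may repeat and is collected as a list.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample: line 1 is the mutex error from the post, line 2 a rule hit
# on the post's SQL-injection test URL (placeholder rule id 999901), line 3 a notice.
SAMPLE_LOG = """\
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:16:03 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "999901"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-0001"]
2015/01/26 04:16:10 [notice] 61610#0: ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
"""


def parse_line(line):
    """Return a dict for a ModSecurity line, None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    first = TAG_RE.search(entry["text"])
    # Free text before the first tag is the reason (e.g. "Access denied ...").
    entry["reason"] = (entry["text"][:first.start()] if first else entry["text"]).strip()
    for key, value in TAG_RE.findall(entry["text"]):
        if key == "tag":
            entry.setdefault("tag", []).append(value)
        else:
            entry[key] = value
    entry["blocked"] = entry["reason"].startswith("Access denied")
    return entry


def summarise(lines):
    """Count blocked requests per (client, rule id, uri); collect WAF errors separately."""
    blocked, errors = Counter(), []
    for entry in filter(None, map(parse_line, lines)):
        if entry["blocked"]:
            blocked[(entry.get("client"), entry.get("id"), entry.get("uri"))] += 1
        elif entry["level"] == "error":
            # Operational failures (audit log, mutex) must not look like a quiet WAF.
            errors.append(entry["reason"])
    return blocked, errors
```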
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614