ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available in the CentOS 6.5 base repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity focuses on filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to meet specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need; each rule file you want active is pulled in with an Include directive in modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host where ModSecurity should be enabled, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are lowercase: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled XSS and SQL injection filtering, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Visit in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting during installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP Server; it builds one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m gives a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
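Added example (not code from the original post or from the ModSecurity project): a small Python parser for the ModSecurity messages nginx writes to error.log. It covers the library-version notices from item 4, the audit-log mutex error from item 5, and the "Access denied with code 403" entries that should appear after the tests in section VI. The log text embedded in the script consists of the lines shown above plus one constructed blocked-request line; the rule id, file line, message and unique_id in that constructed line are placeholders, and the error.log prefix format ("date time [level] pid#tid: message") is assumed from the lines on this page.

```python
"""Parse ModSecurity 2.x messages from the nginx error.log.

Added example, not code from the original post or from the ModSecurity project.
Assumes the error.log format shown in the post: a "date time [level] pid#tid: "
prefix followed by a "ModSecurity: ..." message with bracketed [key "value"] tags.
"""
import re
from collections import Counter

# nginx error.log prefix: 2015/01/26 02:04:18 [notice] 29036#0: <message>
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#\d+: (?P<msg>.*)$'
)
# Bracketed key/value tags ModSecurity appends: [uri "/i.php"] [id "12345"]
TAG_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')
# Startup notices: APR compiled version="1.5.0"; loaded version="1.3.9"
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)
DENIED_RE = re.compile(r'ModSecurity: Access denied with code (?P<code>\d+)')

# Constructed sample: the lines from the post plus one placeholder "Access denied" entry.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "0"] [id "000000"] [msg "PLACEHOLDER SQL injection rule"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "PLACEHOLDER_UNIQUE_ID"]
"""


def parse_line(line):
    """Return a dict with ts, level, pid, msg and the ModSecurity tags, or None if not an error.log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['tags'] = dict(TAG_RE.findall(rec['msg']))
    return rec


def version_mismatches(records):
    """Return {lib: (compiled, loaded)} for libraries whose loaded version differs from the compiled one.

    Only the first whitespace-separated token is compared, because the PCRE notice
    appends a build date to the loaded version ("7.8 2008-09-05") that is not a mismatch.
    """
    out = {}
    for rec in records:
        m = VERSION_RE.search(rec['msg'])
        if not m or m.group('loaded') is None:
            continue
        compiled = m.group('compiled').split()[0]
        loaded = m.group('loaded').split()[0]
        if compiled != loaded:
            out[m.group('lib')] = (compiled, loaded)
    return out


def denied_requests(records):
    """Return (uri, rule_id, status_code) for every request ModSecurity blocked."""
    out = []
    for rec in records:
        m = DENIED_RE.search(rec['msg'])
        if m:
            out.append((rec['tags'].get('uri'), rec['tags'].get('id'), int(m.group('code'))))
    return out


def audit_log_problems(records):
    """Return error-level messages about the audit log itself (e.g. the global mutex failure)."""
    return [rec['msg'] for rec in records
            if rec['level'] == 'error' and 'Audit log:' in rec['msg']]


def summarize(text):
    """Run all checks over one error.log text and return a summary dict."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    denied = denied_requests(records)
    return {
        'version_mismatches': version_mismatches(records),
        'denied': denied,
        'denied_by_uri': Counter(uri for uri, _, _ in denied),
        'audit_log_problems': audit_log_problems(records),
    }


if __name__ == '__main__':
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Run it against a real log with summarize(open('/opt/tengine/logs/error.log').read()): a non-empty version_mismatches entry is the condition behind the warning in item 4, audit_log_problems catches the mutex error from item 5 before any request is actually blocked, and denied_by_uri is the quickest way to confirm that the section VI probes were rejected by a rule rather than by the application.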
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614