|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
3 f# K: A+ I1 U7 C$ W; p7 E- {# J6 {+ y; u L4 k! l4 T
一.准备工作
@4 l8 q, a2 z/ S: _) A6 ~+ @
+ O: t5 x/ s) P; n系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0) T% e$ c. H4 v+ D: y
; E& e, t j( Y* W! Q6 G( z$ Dtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz, S7 i1 h& K1 s4 d% A
' v# q4 A5 u5 {+ a6 J* E
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz1 ~+ P3 @) R; M4 i
- G8 W4 W3 z6 q* XOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
$ q( a M! [) U
1 e2 n) G, a7 L2 \* P3 F依赖关系:) X- e0 S% ?: ~: ?) `
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
( z9 v: E) G2 R. |' H
" w3 Y+ c1 n1 O! e S! Vyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel3 z/ o/ g; m. i! E$ H
modsecurty依赖的包:pcre httpd-devel libxml2 apr
. e } H1 V; C3 c* s) I( T( l" t4 H4 b( D) G1 a
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
. ^) M M {' L- ~二.启用standalone模块并编译
! N' ?. @8 v/ L4 [% y; ?
( Z, j. [5 g/ j3 n下载modsecurity for nginx 解压,进入解压后目录执行:
, E( N) i) y) o9 J/ {# ?" @; t6 q0 N ]) g
./autogen.sh, e) E, S9 c1 P) z a* ?+ Y
./configure --enable-standalone-module --disable-mlogc. D8 _6 p p/ i6 |; L. P
make ( Y, ]/ A8 q5 s" z
三.nginx添加modsecurity模块
0 ]4 b, a1 k- }( B7 o
4 I, o; C, O+ L6 ^在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:0 Q/ s$ i# n4 `7 u$ S# X. n0 R; x4 x% O5 {
3 A0 R" T2 W2 ?! J/ W, j
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine9 Q: R) n2 g0 b* D
make && make install& B& }0 j3 \8 f8 J7 s7 B
四.添加规则' }/ G- c% ~/ U7 u3 g3 P* |$ B, o
4 B4 B0 ?! b: \1 Umodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。5 ]! ~5 w1 H' {3 D: ~( p
3 }8 Q& D3 i9 U6 Y3 b$ r; x- f1 E T. M
1.下载OWASP规则:1 O9 Y; f( t2 m5 o" ~! W* o9 x4 K2 P
; p% k5 z; h, G" [- J- `, X
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
" T; q+ Q$ [& D [; p! N, d) h8 V9 A- ?8 c3 u5 Q
mv owasp-modsecurity-crs /opt/tengine/conf/
$ ]7 f2 |/ z$ F$ F1 [* A3 x) o$ }+ D! S2 G5 ?: d
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf, Y. l7 p# t2 j/ s+ a
2.启用OWASP规则:
& l5 N7 }8 ?: m" d" Q+ o
! Y4 V6 J4 e- L复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。 I5 Z) E `' C7 O: f) @
0 _3 {/ x2 I0 R+ W" G编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
9 a+ Y! s2 L4 X7 C* E3 S; R( h
' x z! J6 i" x, G/ d7 nowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。# U0 S* I' f9 X7 q/ d3 }
6 H1 l) r5 ]5 ?! L" C6 L% |2 U o& h
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
/ e: ?( R9 t5 S7 p5 W, B" kInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf. d, y/ W, D7 a
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf7 C: o; _; s5 K. N& R7 c8 w
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
6 z1 ^/ Y# w" B. k0 f! G9 SInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf" H& B/ [0 F- x1 f6 J6 x4 M
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
3 }% a N5 I( n6 x8 r2 G- wInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
7 F6 ?) W( a) g* C/ `; U; Y: B. A五.配置nginx# f. M) _5 V2 i
2 b, R, A! { r. j* A( r
在需要启用modsecurity的主机的location下面加入下面两行即可:& T% X X" P# s" y& Y
( }6 Z) W1 d: Z: ^1 w
ModSecurityEnabled on; * h6 t2 m: @, E# Q1 {; S
ModSecurityConfig modsecurity.conf;9 \6 X$ S% D! d4 j" ^, b
下面是两个示例配置,php虚拟主机:
" m& p) }; w; i5 O% y/ ^8 @2 N
, R- q& T9 t3 k% D9 |, jserver {
2 [! C1 |4 @+ j/ X( w+ S listen 80;. ~( x+ H0 a1 t, C
server_name 52os.net www.52os.net;
8 F: b, H# R Y
# @0 s# z8 T0 k( U location ~ \.php$ {
) A# S# z0 W: F& I! |& S ModSecurityEnabled on;
8 g) b1 t1 q! {4 [/ ^ ModSecurityConfig modsecurity.conf;1 e1 o% j7 c( ^ w3 u( P
* ~/ h2 A1 }$ x6 ^ root /web/wordpress;6 ~1 ^, m4 q- C+ r: ^$ d# _& H8 W0 a
index index.php index.html index.htm;& F+ m$ X c- ~7 q
" J; a+ ~! N7 h. h1 A6 q w
fastcgi_pass 127.0.0.1:9000;: M/ y( Q; ~8 f) U! q& g
fastcgi_index index.php;8 f: z* F) c9 ^
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;3 t' ]7 ~" x+ c: ? e* y& j0 ~
include fastcgi_params;
& k, [4 `. F+ m: U }+ Z& l. R& b: x
}* n+ ^. q8 r% E5 G5 m! `
upstream负载均衡: |: Y1 {' w: _% {* Z' \
- h$ D* [( |8 I' g- Aupstream 52os.net {
2 s' v( ]4 A) f4 V" X7 J% \ server 192.168.1.100:8080;3 a1 m0 w) {( K2 [9 t$ H3 [
server 192.168.1.101:8080 backup;' m$ d \3 p( _$ p; b
}, t; | @6 N, K2 g
2 ]8 W9 j3 B0 Y; C& x; _* ?1 Jserver {
: i' B2 w8 C. G5 g7 t/ v2 Ulisten 80;
! n: U# s# X7 g0 W2 c. u5 |% cserver_name 52os.net www.52os.net;
3 D1 F8 C/ m) K" R
7 d! _- {9 ~7 K0 S7 alocation / {8 M3 N, q; d% r; p9 B# S6 L) R2 i
ModSecurityEnabled on; ' n$ F# }! d7 k9 \) |
ModSecurityConfig modsecurity.conf; ' y1 h7 w0 L) Q, q# L+ E/ o+ ~
) z% O/ C! i2 Y7 h {: } proxy_pass http://online;, Y* G$ f J( t" q
proxy_redirect off;
7 F5 H6 L# L" D7 O proxy_set_header Host $host;
/ b; {6 S y5 {, E proxy_set_header X-Real-IP $remote_addr;8 g7 Z6 _+ i9 a! ~ A0 \! I+ j
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;4 o* B4 [; [. [ K2 ?, |: A
}$ D9 }# ~2 C& j3 X
}
' b- x- H6 N) B5 s$ F六.测试
3 X) N) L6 r# T' }
7 q' e7 |; H; @7 G7 |- j2 B* {我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:' n, w" f* }& E6 b# g* l
9 {9 L' g. j6 N+ ~
<?php% L: C9 o% y2 u7 V, Q$ z7 `" |; v6 p
phpinfo();
4 W* K7 I6 N8 }: ]?>
; t& S8 v8 A8 c" v/ U2 L在浏览器中访问:
( x9 s, q. E K9 }
/ {, ^- u" @5 p* F2 whttp://www.52os.net/phpinfo.php?id=1 正常显示。
G' Z0 {9 Q9 ?8 yhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。' @, X# _3 u1 _8 ?- m5 Y2 f3 N9 r
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
6 E* @6 _7 E) d3 o! `3 N说明sql注入和xss已经被过滤了
6 Z( }0 d4 w: l8 e9 f) H
1 R) o+ M$ ~: j8 r# k- L七、安装过程中排错
4 f: {4 c& ~2 U8 o: G/ ~! w( R9 s9 d& B5 }: S( I8 {
1.缺少APXS会报错
; w$ J/ z0 r9 Y b
/ @8 \* r. h8 U4 ~" ^* _4 G. S3 Pconfigure: looking for Apache module support via DSO through APXS
) d, E( b U& L- ]8 Z sconfigure: error: couldn't find APXS
% H5 `7 S9 [* r( }% W2 U/ w @apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。1 B: C) }; q5 B" X
解决方法:0 D4 H" q. y* k1 ~& B9 I
" [2 @8 ^/ h" Vyum install httpd-devel9 w" @# T* p+ ~. ^3 Q! h1 K
2.没有pcre. i! n1 L" R3 \7 Q9 v, \+ K6 n% [
- e/ D$ O' i, t% a2 ]
configure: *** pcre library not found.- Y4 r/ y& q4 L' T5 ]% K
configure: error: pcre library is required$ B3 E2 q3 O7 d9 e8 E7 Q- K
解决方法:
+ L1 v& R$ ~# q3 n0 z/ L7 b" B% e; ~: D
yum install pcre pcre-devel" {7 Q: P/ v- l
3.没有libxml2* v. T) o. r& p0 F
+ I+ l7 O1 g& r3 K3 j, r5 v0 z
. I) X3 t' c1 f xconfigure: *** xml library not found.
' ~. \1 W( b- ^% kconfigure: error: libxml2 is required
% S0 t# R$ x! U. q解决方法:
' Q- ~! v/ m. x+ N" F. v* O7 ^: K* `8 Q8 ]; C! [. X6 I
yum install libxml2 libxml2-devel' Z0 l. S( _- P$ H) q# k
4.执行 /opt/tengine/sbin/nginx -m 时有警告' Z; o# @' {5 I- F5 T
4 m3 H) J) V l$ E; H- g
Tengine version: Tengine/2.1.0 (nginx/1.6.2)4 ^ {5 }4 ?$ U( J
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
0 X6 ~! g+ K2 }" p2 ~; P原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log s) G* R. M- ~+ H' G6 L( ~/ @
* u5 u: q" h3 U# A2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.# K2 V' W3 J0 f5 M3 h* Q
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
/ l% B# T/ B7 `" d$ C% P6 |2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
4 n4 _1 _. a+ W8 W' c6 ?2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"- J* D/ r/ g" p6 i5 J
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"5 E6 i$ d: _$ r; p
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
t. K) Y0 X) H( h解决方法,移除低版本的APR (1.3.9)8 r! r; D* G# Q$ ]/ f, I9 q: V
8 k" C8 e" V# k
yum remove apr0 U) S$ x2 U5 o) {4 h$ e1 z
5.Error.log中有: Audit log: Failed to lock global mutex
: S+ Z; ]7 L. m, }8 i4 z# p" f
3 o0 V( Y3 \/ w( ?, T# U2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
! S0 `" H) n- lglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]' G, G) l+ J$ ^ w2 ?
解决方法:. I* u! X5 O" }
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
" @' m7 b- H9 x& m5 {7 p; g& y* S" m9 K3 i4 S0 d+ s- P) J& j
SecAuditLogDirMode 0777+ r. X- n% [1 I9 A9 I" p( |2 k
SecAuditLogFileMode 0550
( M$ }; O+ s* g% `SecAuditLogStorageDir /var/log/modsecurity: C+ p9 k. G! k* X% z7 V
SecAuditLogType Concurrent
$ A: S1 Z% i1 F8 X0 ~# n- n$ E9 F参考文章:9 C* d8 H2 u( w+ }$ t6 B
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
0 x1 F) {5 N0 s+ R8 r7 O4 Qhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡