|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。; \2 }# v1 U& }4 _/ Z, D
3 C: k6 _0 K: `0 A" ~一.准备工作
1 a* b& C! T( I. g7 A) d# ~: n7 q& Y& A2 e1 E
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0 E, }9 J' N( t; S- p4 w/ Z
* W3 U% [9 Y0 o& ]" `" a( k2 vtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz+ A8 u+ I# E+ a. L3 E6 {- J
/ } e- M& `7 W" gmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
4 z- j$ N. \" s2 Q: n, k8 u
* Z$ H5 J' q" N2 |6 WOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs0 X( o6 b& A$ Z z
. Y5 e3 m( E; n/ \
依赖关系:6 e8 v, h3 I; M5 A% q3 ]: O
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
7 `- F. V" z* p5 X3 Q9 f* S& ~; Q/ q; L% g! U1 z+ B+ m
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel* `$ U7 K. r) w. L! w9 H
modsecurty依赖的包:pcre httpd-devel libxml2 apr
/ r2 K8 J) x1 Y, {4 _* m
3 O3 o# f# ]* G' U6 ~8 M, Eyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel9 \$ x9 G- ]/ R# q( j& H
二.启用standalone模块并编译7 T3 q# g' i# g8 F {1 c$ e/ K
+ ~1 ?9 r. z+ F1 C下载modsecurity for nginx 解压,进入解压后目录执行:; `# G9 o, ?* ]
% ~- V* T1 ?) Z! K! s# o
./autogen.sh
5 A3 F" z/ g2 f; o z$ t% w5 R( G./configure --enable-standalone-module --disable-mlogc
1 ^) i _+ o& S# K' emake ) k( O- j; s4 X: o% i
三.nginx添加modsecurity模块
2 t c' Q* V2 e$ P# g( R$ Y9 q( \+ N+ ]* R) V- x3 x
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
{2 h( H' j9 Q& S% _4 s1 H) o) P% Y' @/ G6 u& _$ w
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
y: y( `1 ^6 [* ]make && make install4 k% y$ F1 h; A2 u8 `
四.添加规则
/ ?& V( e( H1 n& ^8 l$ e$ B1 D
) S" I4 D; @, R& [modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
9 C' K" V$ x4 F) p: I5 X8 X% y/ a# i0 }* }$ W
1.下载OWASP规则:5 d9 [ S7 W7 [' j' ^1 l
- D3 Z* E( Z/ w, |0 y
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
7 e* S* E" T9 Y* P) M% m" {5 o& v& h* _0 W0 a3 Q" i+ G
mv owasp-modsecurity-crs /opt/tengine/conf/
- I2 x3 C3 O2 b1 n$ `2 `5 r9 c0 n( y! `9 h$ s5 Y6 J6 r4 `4 Y
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
5 M$ L* B+ V) A( E* o" c2.启用OWASP规则:
& P3 i1 K& G0 v; z1 h6 z# J7 o' T$ _0 ]6 \. L; j
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。, s/ J+ l4 n0 P$ A- p% k! ~" Y
( o& _- i. G, S/ i* ~编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
/ G3 x1 Q5 B# R, G; D1 o$ I( }2 u1 Q2 j/ a* J
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
! X5 |4 O' E8 _3 _0 l7 X0 V* a- z! B
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf8 ?4 }- H3 U1 S6 B* B& t
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
" E; J. X1 G4 E( L) \* OInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf0 C* @& `% L, w4 X% `( ?: \) _
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf6 l+ F# w2 } F9 L( o; w5 n: \* M
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
. g% _/ K. P9 s" s8 }9 r9 N* yInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf, r- C6 h9 E/ H
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf( R6 s: O: `" q. W0 w m
五.配置nginx2 e! l# Q/ |9 u2 i
, F/ x4 j" y h2 t. n* K
在需要启用modsecurity的主机的location下面加入下面两行即可:
9 P$ ?3 J @& p8 ^9 X4 X5 L5 k( r. g. U" V/ q6 u+ E
ModSecurityEnabled on; & p7 g1 t2 c7 I, [
ModSecurityConfig modsecurity.conf;
/ Q s5 @. k; p$ Y3 V5 R, ~3 L: c下面是两个示例配置,php虚拟主机:
' Y' }; H K0 | c1 s1 {8 S9 Q
" n: ^. n( Z5 Wserver {' e. j1 H+ m2 l. h. F }, G
listen 80;
! h E- j3 C( C9 ?6 z2 z% j& M0 G server_name 52os.net www.52os.net;
2 B# Y9 \# m9 e; f, A ; ~6 [6 L+ T& I$ T" g# D% B
location ~ \.php$ {: [' {3 G( A" a4 |
ModSecurityEnabled on;
% H+ [( ^% s) ^1 `" I& E* O3 n ModSecurityConfig modsecurity.conf;
1 X, o6 Q+ ]' n! \1 s
9 i4 l6 [. t5 x% V2 Y. Y5 e6 e root /web/wordpress;! }7 k5 f2 `& c) h9 X8 [
index index.php index.html index.htm;2 i8 Y1 d! \9 O
, [/ I6 L7 q5 U# ~. n+ f
fastcgi_pass 127.0.0.1:9000;9 V$ Y" {% @: ~' u5 c
fastcgi_index index.php;
) ]( C* F2 a0 _7 ?# c4 U. m8 W0 \ fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;3 R$ B# _2 D) Y8 A# S3 a+ b% ]
include fastcgi_params;
; j5 I) }# }0 g- \: f }
& X/ _. L* j8 Y4 S$ A# x) r0 |6 k3 A }
8 O* B1 Z6 z$ C% bupstream负载均衡:
3 T7 M$ W% Z1 P- v% L3 L, @3 C7 `" T$ N' m) [$ f
upstream 52os.net {
# g; a! E6 D8 D0 M server 192.168.1.100:8080;( B: ?1 w2 R8 n% O3 T, G" ]
server 192.168.1.101:8080 backup;
+ ~' ~3 d- m3 g! J$ y; R}. C/ F7 _$ _- t$ I3 y/ H
) v. z( r/ v9 E. Pserver {% ?" ^* r0 j/ k2 @. _7 T
listen 80;# m3 d% F* U. s% f
server_name 52os.net www.52os.net;* L- h k- V) F) _: D# ]/ p/ V8 A4 k4 z
( N7 M% ]' l$ g, m8 m0 d
location / {
$ W5 h+ ]9 n3 F, G& b* i ModSecurityEnabled on; ! W: c* Y+ L* O
ModSecurityConfig modsecurity.conf; 0 q& h9 I+ w3 f& h
$ u/ W9 b( M! c% `/ l" e proxy_pass http://online;
' M. h3 h, Z8 B( w% F proxy_redirect off;2 `2 j' N, g, d
proxy_set_header Host $host;" }/ Y( E. }0 z5 l) x9 `; {
proxy_set_header X-Real-IP $remote_addr;7 \ c$ q% B4 N+ L
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
x: ]2 P6 m7 h; ~$ D' V }( f8 J: o5 t* b j( A5 \
}4 Z# A' J7 p( p/ r
六.测试
4 U: L# Y: e. d: q! i* S/ d# z- g( _' q& c
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
/ {( W. \- {7 }
8 l, y) ?7 Z. V, ^* h/ }* C<?php
K* j0 O7 j3 v( E1 x x phpinfo();
5 f" F+ H" K7 Y2 w?>" d6 }: N/ S% H
在浏览器中访问:# R' I$ C, Q1 i3 E! y
5 J+ c3 W9 e- g2 e& T+ N/ I$ k+ h
http://www.52os.net/phpinfo.php?id=1 正常显示。
+ Y. T. P$ g) Q0 \( ] W0 g+ X" dhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。: y2 M- D& H& h8 w" s4 B: |, r2 B
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。. n: G5 H- f0 F, J1 S
说明sql注入和xss已经被过滤了
: t- [3 K9 [) O0 G, Z0 D
b9 I) m9 r5 k( j& r七、安装过程中排错; G9 T$ l3 @& |) u
7 P, e' S$ X H+ R: v u% @1.缺少APXS会报错
/ E, H5 x1 p; }# d; J; \- [# a! \
configure: looking for Apache module support via DSO through APXS
! B( i& A: C% g3 P+ c1 hconfigure: error: couldn't find APXS( p6 m6 }: d; n. q. O2 j
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。8 C I! M$ K8 ?5 _! w
解决方法:
% w, `& \7 l; Y: H5 k Y2 D+ M Y' M" B& v/ s
yum install httpd-devel2 m. v! G) d% n3 Q
2.没有pcre0 U2 \+ b1 m g. Q- Q# y
2 u" p$ G+ e+ A* Y" J
configure: *** pcre library not found.1 n: A+ W5 s; c
configure: error: pcre library is required# ^2 E3 h( T0 K. w; S
解决方法:
+ {4 k& `1 I, T0 C% ]
! @0 v* Q3 i" Q9 m9 hyum install pcre pcre-devel9 [. L1 i1 q, F3 K
3.没有libxml2( M) k+ s2 F- l4 T- l
) N' Z3 N7 E. b$ q
; t" g# q, a$ U& Vconfigure: *** xml library not found.$ ], O3 h6 f' a+ N- {
configure: error: libxml2 is required
+ z" n, K+ ? m' d) Y9 ^+ F" ?解决方法:5 M4 l1 a; k ~6 L/ T) A& ~$ @
" H; l K2 l& A* t5 Zyum install libxml2 libxml2-devel
; D8 x" Q" _& ^) s0 {- S7 }4.执行 /opt/tengine/sbin/nginx -m 时有警告1 y! v6 L7 Z1 I# d9 n+ l4 A4 X
6 W* g" k5 { r' ^- A
Tengine version: Tengine/2.1.0 (nginx/1.6.2)3 ]4 c0 ?% o" _) R
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!& W: Q6 D: J( N' c, `
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log: L" h( L2 ^+ U) v! U
! W" x- c j: h" S1 c$ ]/ i2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.: s) x+ y. P3 O) G6 U7 A/ X$ K
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"4 k! J3 n3 S( B. ~
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
7 ~/ T$ L, r8 Y. f3 a2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
& ]! A% ?3 c; D7 {2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
$ [0 L! r& j; u5 E/ e5 O. x K2 b2 @2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
8 |0 b6 k. ~3 m- g2 \3 [解决方法,移除低版本的APR (1.3.9)
0 y" ^. Z3 B& W1 T' c* |, X
# W2 P1 e* y9 B s# u* Yyum remove apr
9 k/ E. `" W8 `* A4 N5 b5.Error.log中有: Audit log: Failed to lock global mutex. ]$ v# C; a. n5 D4 F
# u3 ~8 S$ I) e2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 9 a) `; l" S& |4 A! _' z$ r# ^1 k
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
% P: C. q6 D; |% F/ Y% e解决方法:
# x6 M! h- }2 K: x. P编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
( S$ q- K$ @' D" U, I) T. L2 _8 J6 U9 \: ^3 H. e
SecAuditLogDirMode 0777
& C5 a: i1 m1 u4 lSecAuditLogFileMode 0550
9 v" F+ G4 O' ?$ \SecAuditLogStorageDir /var/log/modsecurity
" t Q- k; [4 {+ s$ X9 J# l. `SecAuditLogType Concurrent
) N% P* n5 j( I/ Z参考文章:" }- `& E; v0 D( x
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
4 a# Q6 D3 u, t& `; L7 ehttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡