ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application; it now also supports Nginx and IIS. Combined with the flexibility and performance of Nginx it can be built into a production-grade WAF and is a powerful tool for both protecting and auditing web traffic.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 base repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (it needs apxs even for the standalone build), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Build ModSecurity with the standalone module enabled

Download ModSecurity for Nginx, unpack it, and in the unpacked directory run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

Do not run make install here: the nginx build in the next step picks the module up straight from this source tree.
III. Add the ModSecurity module to nginx

With the standalone module built, point the nginx (Tengine) configure script at it with "--add-module". The path must be the nginx/modsecurity directory inside the ModSecurity source tree you just compiled (unpacked under /root here); run this in the unpacked Tengine source directory:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block web attacks, and its power lies in its rules. The rule set published by OWASP and maintained by community volunteers is known as the Core Rule Set (CRS); it is reliable and comprehensive, and you can of course also write your own rules for whatever it does not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory (/opt/tengine/conf) and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches without blocking anything; it is worth running in that mode against real traffic first and switching to On only once the logs show no false positives.

owasp-modsecurity-crs contains several directories of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines for them to modsecurity.conf; with the layout used here the CRS directory sits next to modsecurity.conf in /opt/tengine/conf, which is what these relative paths assume:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In every location of a virtual host that should be protected, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Note that with the directives only in the "location ~ \.php$" block, requests whose path does not end in .php (static files, other locations) bypass ModSecurity entirely. Put the two lines at server level, or in every location, if the whole host is to be inspected.

Second, load balancing with an upstream group (the group name and the proxy_pass target must match):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with a 403. Using the PHP host as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then request in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

So the SQL injection and XSS payloads are being filtered. Each denial is also written to the nginx error.log with the id and msg of the rule that fired, which is how you find out what to tune when a legitimate request is blocked. Remove phpinfo.php again once testing is done; it exposes the server's PHP configuration to anyone who requests it.
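The browser checks above, automated, as an added example that is not part of the original article: a small Python script that sends the same probes with urllib and reports whether each was blocked (403) or not, then parses the '[key "value"]' pairs ModSecurity appends to nginx's error.log (the same format as the mutex error quoted in the troubleshooting section) to count denials per rule id and URI. The base URL and probe parameters are placeholders for your own host, and the lines in SAMPLE_LOG are constructed for the demo; the rule ids, messages and patterns in them are illustrative, not taken from the page.

```python
"""Probe the WAF and summarise ModSecurity denials from error.log.

Added example, not code from the original article. Assumptions: blocked requests are
answered 403 (SecRuleEngine On, CRS default deny action); the base URL and probe
parameters are placeholders; SAMPLE_LOG is constructed and its rule ids are illustrative.
"""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter

# (path, query parameters, should the WAF block it?) -- mirrors the manual browser tests
PROBES = [
    ("/phpinfo.php", {"id": "1"}, False),
    ("/phpinfo.php", {"id": "1 and 1=1"}, True),
    ("/phpinfo.php", {"id": "1' or '1'='1"}, True),
    ("/phpinfo.php", {"search": "<script>alert('xss');</script>"}, True),
    ("/phpinfo.php", {"search": "plain text"}, False),
]

def build_url(base, path, params):
    """Percent-encode the payload; ModSecurity URL-decodes ARGS itself before matching."""
    return base.rstrip("/") + path + "?" + urllib.parse.urlencode(params)

def fetch_status(url, timeout=5):
    """HTTP status of a GET; urllib raises on 4xx/5xx, so unwrap the code."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def verdict(status, should_block):
    """'ok' when the WAF did what we expected, otherwise name the failure mode."""
    if (status == 403) == should_block:
        return "ok"
    return "missed-attack" if should_block else "false-positive"

def run_probes(base, fetch=fetch_status):
    """Run every probe; `fetch` is injectable so the logic can be exercised offline."""
    results = []
    for path, params, should_block in PROBES:
        url = build_url(base, path, params)
        status = fetch(url)
        results.append((url, status, verdict(status, should_block)))
    return results

# ModSecurity appends '[key "value"]' pairs to its error.log messages (values may escape quotes).
ATTR_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DENY_RE = re.compile(r"Access denied with code (\d+)")
CLIENT_RE = re.compile(r"\[client ([^\]]+)\]")

def parse_modsec_line(line):
    """Attributes of one ModSecurity error.log entry, or None for any other nginx line.
    Repeated keys (several [tag ...]) keep the last value."""
    if "ModSecurity:" not in line:
        return None
    attrs = dict(ATTR_RE.findall(line))
    deny = DENY_RE.search(line)
    attrs["denied_code"] = int(deny.group(1)) if deny else None
    client = CLIENT_RE.search(line)
    if client:
        attrs["client"] = client.group(1)
    return attrs

def summarise(lines):
    """Count 403 denials per (rule id, msg) and per URI: the first view to check when tuning."""
    by_rule, by_uri = Counter(), Counter()
    for line in lines:
        attrs = parse_modsec_line(line)
        if attrs and attrs["denied_code"] == 403:
            by_rule[(attrs.get("id"), attrs.get("msg"))] += 1
            by_uri[attrs.get("uri")] += 1
    return by_rule, by_uri

# Constructed sample: two CRS-style denials, the mutex error from the troubleshooting section, one plain nginx line.
SAMPLE_LOG = [
    '2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 '
    '(phase 2). Pattern match "and" at ARGS:id. [file "owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[id "950001"] [msg "SQL Injection Attack"] [data "1 and 1=1"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]',
    '2015/01/26 04:20:05 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 '
    '(phase 2). Pattern match "<script" at ARGS:search. [file "owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] '
    '[id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]',
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock '
    'global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
    '2015/01/26 04:21:00 [error] 61610#0: *12 open() "/web/wordpress/favicon.ico" failed (2: No such file or directory)',
]

if __name__ == "__main__":
    # usage: python3 waf_probe.py http://www.52os.net [/opt/tengine/logs/error.log]
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net"
    for url, status, result in run_probes(base):
        print(f"{status} {result:14} {url}")
    lines = open(sys.argv[2]).read().splitlines() if len(sys.argv) > 2 else SAMPLE_LOG
    for (rule_id, msg), count in summarise(lines)[0].most_common():
        print(f"{count:4}  rule {rule_id}  {msg}")
```

The error.log path in the usage comment is an assumption (the default for a --prefix=/opt/tengine build). A "false-positive" verdict on a benign probe, or a rule id that keeps showing up in the summary for URIs your application legitimately serves, is the cue to go back to DetectionOnly and write an exception for that rule rather than leave the engine blocking.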
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when only the standalone module is being built.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. The error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

yum will also remove every package that depends on that apr (httpd among them), so review the transaction it proposes before confirming, and make sure only one libapr remains on the library path afterwards.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent mode writes one file per transaction under SecAuditLogStorageDir instead of serialising all writes into a single file through the global mutex that the worker processes could not lock. Create /var/log/modsecurity beforehand and make it owned by the user the nginx workers run as (the "user" directive in nginx.conf); with the ownership right, a directory mode such as 0750 is sufficient, and 0777 (world-writable) is wider than the problem needs.

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614