ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr (the standalone build still needs the Apache headers and apxs; see the troubleshooting section):

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to nginx's configure with "--add-module" (run inside the unpacked tengine-2.1.0 directory; the path points at the nginx/modsecurity subdirectory of the ModSecurity source tree, so adjust it if you unpacked ModSecurity elsewhere):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in its rules. The rules OWASP provides are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and well tested, and custom rules can be written for anything they do not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches but never blocks, so without this change the 403 responses expected in the test section never appear.

owasp-modsecurity-crs contains several directories of rule files, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines for them to modsecurity.conf. The CRS checkout was moved into nginx's conf directory above, so the paths are written relative to it, and the setup file must come first because it defines the variables the rule files rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines inside the location block of every host that ModSecurity should protect:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host (note that with ModSecurity enabled only inside the .php location, requests for other paths are not inspected):

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup (the upstream name must match the host in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with 403 straight away. Using the PHP setup as an example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then request in a browser (the browser URL-encodes the spaces and angle brackets before sending):

http://www.52os.net/phpinfo.php?id=1 is served normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. Remove phpinfo.php once the test is done; it discloses the PHP configuration to anyone who can reach it.
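The same three checks can be scripted so they can be rerun after every rule change. The block below is an added example, not code from the original post. It assumes curl is installed, that the WAF answers at the base URL given as its argument (http://www.52os.net by default, as above), and that the Tengine binary is at /opt/tengine/sbin/nginx (override with NGINX_BIN). It goes one step beyond the text by first confirming the binary was built with the module, and by counting failures so a rule engine left in DetectionOnly mode, where every request gets 200, is reported rather than silently passed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: check that the installed
# binary carries the ModSecurity module, then send the three requests from
# the test section and compare the status codes with the expected ones.
# Assumes curl is installed; the nginx path is the one used in the post.
set -eu

# nginx -V prints the configure arguments the binary was built with, so the
# --add-module from section III must show up there.
built_with_modsecurity() {
    printf '%s\n' "$1" | grep -q -- '--add-module=[^ ]*modsecurity'
}

# HTTP status code only, for GET base/path?name=value. curl -G turns the
# --data-urlencode pair into a properly encoded query string, the same
# encoding a browser applies to the spaces and angle brackets in the post.
http_status() {
    base=$1 path=$2 name=$3 value=$4
    curl -sS -G -o /dev/null -w '%{http_code}' --max-time 5 \
        --data-urlencode "$name=$value" "$base$path"
}

# One probe: PASS/FAIL line on stdout, return 1 on mismatch.
probe() {
    base=$1 path=$2 name=$3 value=$4 want=$5
    got=$(http_status "$base" "$path" "$name" "$value")
    if [ "$got" = "$want" ]; then
        printf 'PASS %s %s=%s -> %s\n' "$path" "$name" "$value" "$got"
    else
        printf 'FAIL %s %s=%s -> %s (expected %s)\n' "$path" "$name" "$value" "$got" "$want"
        return 1
    fi
}

# The post's three checks. Returns the number of failed probes, so a WAF
# left in DetectionOnly mode (everything answers 200) returns 2.
run_probes() {
    base=$1
    failed=0
    probe "$base" /phpinfo.php id '1' 200 || failed=$((failed + 1))
    probe "$base" /phpinfo.php id '1 and 1=1' 403 || failed=$((failed + 1))
    probe "$base" /phpinfo.php search "<script>alert('xss');</script>" 403 || failed=$((failed + 1))
    return "$failed"
}

main() {
    nginx_bin=${NGINX_BIN:-/opt/tengine/sbin/nginx}
    if ! built_with_modsecurity "$("$nginx_bin" -V 2>&1)"; then
        printf '%s was not built with the ModSecurity module\n' "$nginx_bin" >&2
        return 1
    fi
    run_probes "${1:-http://www.52os.net}"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as bash waf-probe.sh http://www.52os.net; the exit status is the number of probes that did not get the expected code, so it slots into a deployment check as-is.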
3 A; C5 B: Q; r7 n. n. S( y8 T! i
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure looks for it even for the standalone (nginx) build.
Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required
Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required
Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9). Check the list of dependent packages yum proposes to remove before confirming, since httpd-devel and anything else linked against the system APR go with it:

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following to switch to the concurrent audit log, which writes one file per transaction instead of contending for a single serial log file:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

SecAuditLogDirMode 0777 makes the audit directories world-writable, which lets any local user tamper with or delete the evidence. Prefer a tighter mode such as 0750 with /var/log/modsecurity owned by the user the nginx worker processes run as, so the workers can still create the per-transaction files.
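Items 4 and 5 can both be confirmed from error.log rather than by reading it by hand. The block below is an added example, not code from the original post. It assumes the log is at /opt/tengine/logs/error.log (nginx's default location under the prefix used here), that the user the nginx workers run as is passed to prepare_audit_dir, and that the lines look like the ones quoted in items 4 and 5; it also creates the audit directory with the tighter mode suggested above instead of 0777.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: checks for the two error.log
# symptoms in items 4 and 5, run against nginx's error.log (the path is an
# assumption; the post installs Tengine under /opt/tengine).
set -eu

# Item 4: compare the APR version ModSecurity was compiled against with the
# one it loaded. Returns 0 if they match, 1 on mismatch, 2 if no notice found.
check_apr_versions() {
    log=$1
    line=$(grep 'ModSecurity: APR compiled version=' "$log" | tail -n 1)
    if [ -z "$line" ]; then
        printf 'no APR version notice in %s (is ModSecurity loaded?)\n' "$log" >&2
        return 2
    fi
    compiled=$(printf '%s\n' "$line" | sed 's/.*compiled version="\([^"]*\)".*/\1/')
    loaded=$(printf '%s\n' "$line" | sed 's/.*loaded version="\([^"]*\)".*/\1/')
    if [ "$compiled" != "$loaded" ]; then
        printf 'APR mismatch: compiled=%s loaded=%s\n' "$compiled" "$loaded"
        return 1
    fi
    printf 'APR ok: %s\n' "$compiled"
}

# Item 5: list every "Failed to lock global mutex" audit-log error with the
# bracketed fields pulled out, one tab-separated line per entry:
# client<TAB>hostname<TAB>uri<TAB>unique_id
mutex_errors() {
    log=$1
    grep 'ModSecurity: Audit log: Failed to lock global mutex' "$log" |
    while IFS= read -r line; do
        client=$(printf '%s\n' "$line" | sed -n 's/.*\[client \([^]]*\)\].*/\1/p')
        host=$(printf '%s\n' "$line" | sed -n 's/.*\[hostname "\([^"]*\)"\].*/\1/p')
        uri=$(printf '%s\n' "$line" | sed -n 's/.*\[uri "\([^"]*\)"\].*/\1/p')
        uid=$(printf '%s\n' "$line" | sed -n 's/.*\[unique_id "\([^"]*\)"\].*/\1/p')
        printf '%s\t%s\t%s\t%s\n' "$client" "$host" "$uri" "$uid"
    done
}

# Item 5, the fix: create the concurrent audit log directory owned by the
# user the nginx workers run as (assumed to be passed as $2), with a mode
# that is not world-writable instead of the 0777 shown in the post.
prepare_audit_dir() {
    dir=$1
    owner=$2
    mkdir -p "$dir"
    chown "$owner" "$dir"
    chmod 0750 "$dir"
}

main() {
    log=${1:-/opt/tengine/logs/error.log}
    check_apr_versions "$log" || true
    printf 'audit log mutex errors:\n'
    mutex_errors "$log"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as bash modsec-logcheck.sh /opt/tengine/logs/error.log; call prepare_audit_dir /var/log/modsecurity nginx (or whatever user the workers run as) before pointing SecAuditLogStorageDir at the directory.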
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614