|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
8 H( \7 a$ R9 e+ s
( e* t" o+ U& v7 @9 u. u一.准备工作
; U+ c3 W6 f7 W" I
# a0 z: n2 X0 a& ?- P5 V5 t系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0% g' J; D1 y% _* g. d
; P6 b$ h- ?, ~/ y7 Xtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
; X- @4 e' ?0 v2 S( X/ n: x9 w) |! x2 K z( C' L
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz9 x# @: F8 I! }
6 U) Q& t1 `- _; P1 e3 n6 m
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
: |- N5 j1 {4 v# X( J8 c {/ D# i' v% P5 W! _
依赖关系:
[9 U: ?7 C$ v1 z8 ntengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
+ @. A* F& n$ y9 D9 G5 E. L- `) Y! V5 N
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel. s% \0 x- R+ ]( U9 w
modsecurty依赖的包:pcre httpd-devel libxml2 apr
, ]. ~9 ^& a, d# U4 m8 f4 ]# X- Q- V! K) {
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
: w3 {; y0 q& ^" N0 ~二.启用standalone模块并编译
1 t3 H, S# K0 F; ?
5 K. v/ d* W* W% E' [/ `: I下载modsecurity for nginx 解压,进入解压后目录执行:: }; g6 Q1 W6 ?
8 a" t9 n$ h# B/ J0 G1 v8 ^6 ^4 K./autogen.sh
2 q& t. Y) b9 b( ~+ f./configure --enable-standalone-module --disable-mlogc
* m: f: D% U6 F. V9 T1 omake
c$ l" O+ r5 F0 ^三.nginx添加modsecurity模块( s% H- R3 n3 r4 }0 R1 K" \6 C2 C
1 h; a; G6 ?! O b1 u: x- e# x在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块: O- i. j6 j8 o$ V1 E" G) e4 ^0 m0 I
3 Y' A r9 |. Z( s; P) @./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
) K+ K9 U. O0 D) Q- `: m! Tmake && make install
& E ?" K* y2 @( S+ }; b) A四.添加规则4 g! z# _! U2 @( I# U9 a: u3 K
; U# B. K) @- h7 h, C% P$ M
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。9 ?/ Z l# ?$ ]. h" A1 A7 w
! ^' v' m! i6 i/ i. P! e- y* Q1.下载OWASP规则:
# D& K! |2 Q6 Y; K( e- R& M L2 P: R2 y5 ^
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs' t/ B$ H+ v7 Q* X
' U8 f; |5 O/ g" Imv owasp-modsecurity-crs /opt/tengine/conf/
: a! |( Q% o7 L, k `, O1 p
# T' Z; e9 h& I# t; ecd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf$ l$ T2 a* L, d' x4 {( }) Y9 @
2.启用OWASP规则:
' d; X4 K- R- p8 ^# @" Z$ Y3 B% a& T) X5 Q k! x6 j, e' {
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。. i0 y; b5 t8 H1 B+ p4 G
% ?8 c& Z* e9 C8 c: S
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
7 |7 S0 y) }0 ?3 V& V& c5 L* G5 H- S' G
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。2 a+ R w% D2 O S4 b
: A7 W! J6 \, ~
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
1 l. e( |; H. p7 l1 {" i# iInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf3 M4 M0 N1 A- X Z: o
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf, l2 g8 R0 o/ W9 v3 I, x
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf1 ^5 |# a9 Q5 z3 ?0 H& V) [
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
/ K" }; A. Y; k: BInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf2 X' s# j) W) a
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
& F# \ L7 o2 \五.配置nginx
A1 t) p: v( D! m( X( p9 @3 i& D7 e! t6 |7 L
在需要启用modsecurity的主机的location下面加入下面两行即可:
7 I% X" o5 r8 H/ r! W% j" W3 Y9 O6 ?; w- Y+ E, o5 X1 R
ModSecurityEnabled on;
8 O9 k5 {& C( cModSecurityConfig modsecurity.conf;- Q5 s; G7 `; B3 x1 m, e1 n
下面是两个示例配置,php虚拟主机:
4 E0 S0 P+ ?! [2 S# a& Z* P$ ]0 p, P
server {4 v2 V' e, w! ?: M0 z2 i
listen 80;
! t, ^5 o; i& y2 G7 O O# v server_name 52os.net www.52os.net;8 x' }" {8 P6 J' Q1 T# r
0 c9 y8 d6 V t" T4 u
location ~ \.php$ {
6 V7 H" x9 D7 D; m* J* f ModSecurityEnabled on;
) }! i' z6 A1 J4 X/ _2 x# | ModSecurityConfig modsecurity.conf;! M( M6 v1 X" f/ f* k4 b
0 H7 b- n4 Y8 l/ B0 r! r1 b root /web/wordpress;7 _1 E& Y7 y# w d9 m# W
index index.php index.html index.htm;
" D- p: |6 c0 u! l
# }; W' r, V5 x* e fastcgi_pass 127.0.0.1:9000;
3 N: x0 b, `( `- h2 m+ d% i# n fastcgi_index index.php;
+ I6 \! J5 w2 u3 k fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;2 X+ z( K* _& w( W" ]! M9 x4 j
include fastcgi_params;
8 v& f3 |+ O O- A }0 V: V8 C; w- q
}/ g# @3 X9 ~' H! g
upstream负载均衡:: R. W* S S& @6 x
8 P. p1 `" I y% Q4 lupstream 52os.net {
% \1 b: ~6 s! ~6 u server 192.168.1.100:8080;
9 G8 k3 p( i3 o. y+ F/ m6 _, w. S, g' a server 192.168.1.101:8080 backup;
# W/ x; g% ^' a; B+ y9 J}
7 N9 C* I! y3 m5 l5 N2 Y1 r. `/ F/ P% {! N0 i# H; T
server {
; E1 b! e" \4 D2 `4 \listen 80;
9 [7 i5 t% k- Sserver_name 52os.net www.52os.net;
7 y" O4 n6 ^7 N
1 j' m! P4 E3 e+ x% Z5 Rlocation / {
* b+ Q! }+ {; Q/ q6 l ModSecurityEnabled on; . @9 J1 |% V b: a2 ~* y9 K: c
ModSecurityConfig modsecurity.conf; 5 E% E. C0 C/ k# Q5 H6 q
6 h$ m) \$ Q' M9 T) ]4 A
proxy_pass http://online;: F T6 s% |. Y |7 y% \
proxy_redirect off;
) h" m$ z9 b6 a proxy_set_header Host $host;
. F& I. W/ ^3 e0 _1 R proxy_set_header X-Real-IP $remote_addr;
5 ~& J7 U3 B' G) x A9 ?7 h proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;$ P; P1 N. h; q
}& `8 p% p+ E h( C3 `
}
8 c; u+ e' Y: W/ B1 F. }六.测试
! |' Z$ b& c8 Q6 u
- e: q; H& e/ k8 P* p: k# N我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:; b' `. f) Z( P# M( |2 P3 B
9 \9 d/ r9 |, E( n% `<?php1 X2 D% F( _0 ^: R+ X
phpinfo();
- }/ n: ~' T( {?>7 S% d6 F* I1 X; f1 Q6 @1 D+ o
在浏览器中访问:! \, Y% E6 ^ H, A7 O2 e
. w" h0 M% q( jhttp://www.52os.net/phpinfo.php?id=1 正常显示。
. N( o' h& [% j3 _http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。/ z; H' ]- x6 c* l P: x! f T
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。6 w2 ~5 M" s2 {( ^' R
说明sql注入和xss已经被过滤了
8 g1 F! e1 _$ Q1 ~- t# R# s- G Y# K: [3 V- u+ Y7 r9 J" \3 q
七、安装过程中排错
. X6 `- v" n g. k9 \# j5 ]
1 @ G' X! I. C4 h% b1.缺少APXS会报错
, ^$ [4 c& y: B+ ] r: ?/ @: m& Y! a! A& `2 G, ~0 ]
configure: looking for Apache module support via DSO through APXS: b U( x& m1 L
configure: error: couldn't find APXS
8 x4 F. x% i# k) _0 sapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。$ Y% ~! [4 a- H$ F$ j
解决方法:
1 f6 B' K2 `& M3 S3 [+ I }& ^+ J, U2 Y
yum install httpd-devel# J6 Y: y/ l* n3 h: G, ~5 Y1 Z
2.没有pcre, p. u! D' U. X. d" W$ b+ w! t
6 l5 Z3 N( O3 z" k$ k% Z' o0 I
configure: *** pcre library not found.7 a! v/ A, {. F3 ^3 T
configure: error: pcre library is required9 [3 ^/ G) s9 Y7 |2 ?+ v! t/ k! B" G# |
解决方法:
( T8 s/ P6 b7 T' r
% K! h) K0 [9 ]5 H5 Xyum install pcre pcre-devel
) l0 A; t( D9 d9 b/ _& Q3.没有libxml2( b/ D3 q+ I+ n4 l) S# @# a
# m* Z! v# M. _, ]$ \: u1 y7 d. |. {9 u
configure: *** xml library not found.
: B" q/ v! ~* H$ b. Y4 A( `configure: error: libxml2 is required& F- S. _5 k6 m. N
解决方法:9 _' G* I- D" z( I/ a5 s
, z% T' c- _4 ^- C
yum install libxml2 libxml2-devel
j$ w: j; h. D4.执行 /opt/tengine/sbin/nginx -m 时有警告
* B3 Q1 b) b( I' L9 ~
) E# |3 {& z& b1 p, L. Y; \: }Tengine version: Tengine/2.1.0 (nginx/1.6.2)
' |. T1 i) K! b0 vnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
$ h, _# E: S1 D. N6 ?原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
% H5 {8 Y s8 {
( u0 c! O3 }5 B6 E0 t$ u: Q2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
. O3 d( C0 e+ f7 Y* e2 W" Y2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
% b% L2 |* D5 U, t2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!" W) c1 B8 a: n0 z! ?4 a. |
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
/ v. y6 j# N4 H2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"9 o1 d9 `2 e( u1 X$ m/ {
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.4 f; w P& b) M5 S% p9 i
解决方法,移除低版本的APR (1.3.9)
+ r5 t( ^! l5 I% q$ U6 m7 W6 ] r/ b, \* D6 n/ R# g
yum remove apr
! v0 a* x/ ~: o5.Error.log中有: Audit log: Failed to lock global mutex, K# A6 N: X2 v( F
; G; |9 Q2 k% ^
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
. W* U% m9 a7 l9 \global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
; P3 O" Z7 y0 i3 w* l' V3 s解决方法:
' a9 [- l6 V5 t, }! d: ~8 }. ?编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
7 `. n8 a* n- g: c- x4 s1 F% ]7 I7 r3 w
SecAuditLogDirMode 0777
h" I' s5 H$ u$ fSecAuditLogFileMode 0550
7 N3 r; q1 e5 F' _: W7 Z {4 h4 jSecAuditLogStorageDir /var/log/modsecurity
- r1 l K8 g3 R3 K4 f X! [) G# ESecAuditLogType Concurrent9 \$ i. G' w) Z! e7 \8 M
参考文章:
6 @3 t- m% |( \https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX$ U( }7 B1 a0 S/ V ]& ]; n
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡