|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。9 P- f* e. E. z& y9 y; x
. k2 f3 K" t4 b- ?! n$ ?
一.准备工作
5 t! \ E% @8 I. A6 w& M' V! Q
* v' ?1 O5 V& q+ E a系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.07 L5 E' J. M" `: G$ t
% n+ m& }5 L* {- D+ `) u% G- F
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
1 f5 U1 k* a" r- _
I6 j4 [/ ?+ @5 W5 amodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz4 x! h; S# k. \1 Y" s% a
, b! }, x0 a7 G8 W! u% N& }OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
* g0 b' z; E/ f9 i) D8 S6 Z7 U/ X$ p" J& z7 r0 H% x
依赖关系:
3 Z* I& z/ H( v$ N' Btengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
" r7 i6 b& ^1 c- d# f
' j5 D0 O8 ]$ ~yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel/ R# U! u- j, R n$ `, T
modsecurty依赖的包:pcre httpd-devel libxml2 apr
% `: S% `% [9 [. A. Z3 r& K, k: b- H; }
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
+ k1 L) d, j; c+ F3 k二.启用standalone模块并编译% l/ R! `+ Y% U6 o4 N4 U! K `
* V) }% G' l, P- z* h6 E; C K下载modsecurity for nginx 解压,进入解压后目录执行:5 S7 e2 c% u) J1 {) ^
% V; G- A4 G# L, ?
./autogen.sh
, U. i5 O& W8 y! U4 i./configure --enable-standalone-module --disable-mlogc
H1 K) n, w) x- Lmake
$ ~) Y' w4 v. X5 S三.nginx添加modsecurity模块3 H( A" N/ P+ d8 F' _7 T3 k8 _0 m
+ ^* Y/ g0 u% R' B6 o6 b& @
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
9 W8 `* }7 T7 P6 r4 I+ Z; G8 I2 R: d) \! d
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
0 H9 g2 c' Z! l. }! J! L1 vmake && make install
# O1 Y8 f* n& x5 d; p5 O e' C四.添加规则
- w( {0 H) A& ~6 `/ n( k' q% D/ [: J5 }( v2 F+ b/ H, d
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。+ j, j# \0 i* p5 @1 w$ U
; @) `$ G. [5 d0 e& v) A2 n6 a1.下载OWASP规则:
- F& i( s, m+ k% A; b0 f. k4 Q" }9 J! l" t& [& a
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs O. l, p0 ^7 ^ q+ |' g
2 X% ~" q& X \5 W. L+ P: S+ _mv owasp-modsecurity-crs /opt/tengine/conf/# [1 T7 f5 B0 Y% ?; I$ @
( @' k, y! Q. { l0 ~; a* M
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf I/ b/ @6 _; J+ [8 {0 W8 m |! z p
2.启用OWASP规则:; q- G5 [6 B7 O# g
2 t) w+ R& g7 a$ F5 X2 X I
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
( J5 M' i5 h: E5 O$ o, m: I7 v/ W, ~+ c+ m, m4 ~
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on* P3 G5 F% g0 U8 L* T! K
u" ^0 K: c- [, m; h+ gowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
$ B; S4 w( `: B
1 {* [& w# K) X9 \* r* \ e3 iInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
& e/ C2 `9 D9 R) Y, @* {$ [Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
: V& T/ T% [; X" nInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf5 \( r/ o$ ]3 y
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
7 O; f* h% Q" e4 M3 AInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf$ Y9 P6 P( P3 N [ w
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf# G# m* D* t/ I2 H
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
) g( `! f- E" E1 ?五.配置nginx# d" U9 j, R0 y- k, L, L/ X
: l9 Q9 R; F! U {9 g在需要启用modsecurity的主机的location下面加入下面两行即可:
" u {* A9 h8 W8 ]
m$ ^ c; X, Q$ W6 C/ wModSecurityEnabled on;
& K9 @/ h- ~( ~2 G0 M% o( r0 zModSecurityConfig modsecurity.conf;$ @' {# g+ Q8 o7 W! R D6 l
下面是两个示例配置,php虚拟主机:
5 ~# A8 f% G8 m9 X( r. t1 t) E! C& Z5 ^( y W
server {
$ b+ x& f/ M3 N$ j( E listen 80;/ I7 L% ^, n; a' D: G. Z- w
server_name 52os.net www.52os.net;2 ^2 `/ c% X3 `$ u+ f: W
% g- C6 M7 q+ V3 i/ c
location ~ \.php$ {
" G! m) s6 e3 q- [8 P ModSecurityEnabled on;
1 }9 s9 J+ Q2 C2 L5 }( ] ModSecurityConfig modsecurity.conf;
& x5 J1 p; J, M% V. f; D5 S2 L& j$ q5 q; P2 d# t) Q/ ~5 G
root /web/wordpress;
y$ w9 o) e0 `5 c3 r+ I index index.php index.html index.htm;
$ G9 j) V% X# ^! X' ~
! q, J, q. D6 L8 ~* v+ O* i }4 @0 v fastcgi_pass 127.0.0.1:9000;
! P, g; N( x! k3 R. a/ q' ]5 Q( {5 | fastcgi_index index.php;
5 @8 Z3 Y5 m, I& g3 o2 ^ fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
* v. r/ M+ p6 N$ g' k9 ~ include fastcgi_params;
8 {/ m$ o( e V, R. q i$ t; @ }
0 r7 G* m# ~7 M# H0 |, W/ H6 K2 } }
! }0 S& m1 g/ w. f+ Xupstream负载均衡:& C* S2 {/ c1 v
0 L; E" a. L$ P- g' s* I; i8 Wupstream 52os.net {' @0 C6 B" J; O! _- l
server 192.168.1.100:8080;
5 r9 o+ @' Y: N: _0 ]/ `( P server 192.168.1.101:8080 backup;+ z/ n2 M7 @; Y s& \- G: E
}+ t- z5 p. q6 E; q
/ \+ ^$ y0 B% k6 \/ P. o7 O ?
server {
5 w" H+ ^2 d! G$ K# W. V5 ]listen 80;
9 l% F' Y6 y( f* f+ Oserver_name 52os.net www.52os.net;1 S1 l6 X5 [5 ^1 y
: U2 L' B: P3 N- ?
location / {- \: K `7 Y! y* d- Y6 \
ModSecurityEnabled on; ( B+ ~; ~, `2 X4 s/ {' l
ModSecurityConfig modsecurity.conf;
$ W+ u) r! C2 D" D* o6 Z# Y9 n& x o$ S$ L- |! E9 A+ X2 v
proxy_pass http://online;
. E; L) q/ n6 v# p, y, s. N7 }2 ?3 M proxy_redirect off;
c; u" U: H8 W( W8 i proxy_set_header Host $host;4 @1 M6 W5 k: F) Z
proxy_set_header X-Real-IP $remote_addr;
: {5 @# K* _9 S+ _5 b( _$ B proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
& r+ Y' c9 a5 _4 m) E* \! t! c1 E }
6 ^7 j A% O: m& T2 |) s P/ `}! {: A Y. O" f0 a2 o9 O
六.测试
6 N& C7 _/ w( R/ e8 I) d3 [5 X* H4 b( D# ^. W& z' U
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
/ y& ]$ n6 A) d+ @( v/ n; ~. u+ A0 \7 R6 Z7 s( A) r5 R
<?php( F$ p1 J2 V. o; D1 X
phpinfo();
' d7 T- R3 Q9 }: E; X# Y$ l3 v3 P/ |?>0 J9 S* R% l, }
在浏览器中访问:3 ] A2 F/ Z3 u9 r3 }0 x
9 x& s7 Y0 l) t% c2 |' I E
http://www.52os.net/phpinfo.php?id=1 正常显示。
3 K" U; D* |: A3 j! u9 f" \, chttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
) x0 }4 j( S; v) ihttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
) |5 _" Y# K. D说明sql注入和xss已经被过滤了
& t+ z- v1 f( G p# c* o
; a8 |8 D' @) h- j6 l; ^七、安装过程中排错
1 P9 `3 U; v& X) o4 m0 f8 Z* E
) Z9 B2 l5 V5 q+ _$ `; K" [1.缺少APXS会报错- T9 r1 X8 W, l2 C4 i8 _
4 N, C5 J( j0 D! R
configure: looking for Apache module support via DSO through APXS: ] r. z" R; K- ]/ _
configure: error: couldn't find APXS
$ C( f6 p) `2 A kapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。7 N& I f4 y4 P' c
解决方法:& m2 f# Y+ o k; K5 V) I
* `6 t8 g T$ q) ]
yum install httpd-devel( R7 _3 k# I! _+ t
2.没有pcre
0 H2 }; V3 R$ s) {, ?
/ j3 u) w- x- ~configure: *** pcre library not found.
! S% x- w- C8 V% ~6 lconfigure: error: pcre library is required
) t* F1 M0 B! x6 i解决方法:, x9 E9 r [" P% z5 z. q
3 k3 r; V1 C; t; N" d$ Kyum install pcre pcre-devel
N+ [0 G. }) [, `" D' s- t8 E3.没有libxml2
8 n. O: s$ w/ k% }4 r# L# z6 f
: n- q1 I$ A% J5 p. A$ A/ O( Y) u" B+ h! g# f/ M f7 H
configure: *** xml library not found.+ l% n: S- d6 d
configure: error: libxml2 is required& l7 _- T/ i& y+ V4 i. P8 b% E
解决方法:( b4 K& y+ @3 \
9 K" I& o# q2 r8 H$ x- o8 N
yum install libxml2 libxml2-devel1 Y* \' {4 @; U/ Z- {7 {! {
4.执行 /opt/tengine/sbin/nginx -m 时有警告
( ~9 L% v/ i: L( m, z4 U8 c l9 i( o$ w% D1 l! X% s4 {
Tengine version: Tengine/2.1.0 (nginx/1.6.2)- ^* O* k( ]6 v9 T3 E$ v5 l- h& o1 p
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!, w7 ?& C0 i( |. K* }4 z0 S" `
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log0 r- N5 D. M2 T0 V; C: }3 R
9 C- }4 e/ z9 c, O$ b3 N2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
q' p9 o1 }5 P" {2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
. v1 [" v/ t2 ^6 ~2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!/ s0 ]4 l$ f: i. ]/ l+ ^9 M
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
# A/ m/ m, ^! k: O) }2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"6 Q8 r+ a7 \! ~/ L; w o6 I& w/ h; b
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On. E, X2 W- @2 X; B' I) ?! q4 v
解决方法,移除低版本的APR (1.3.9)
! ]) m; U$ ?: Z) w% i0 {$ h2 D/ B# O3 U. l* x4 E5 m" e, a
yum remove apr6 t$ K7 B- s( s9 Y4 \$ N
5.Error.log中有: Audit log: Failed to lock global mutex6 ? T7 |" y' I6 t% ~2 F
& G6 c; U% e. [' ^5 B' x6 f3 ^" c8 l2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock , r% k) g" f* J2 D
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]7 B- k9 m9 z) Q$ @1 H1 h
解决方法:
# y3 ]; C7 \3 {) s5 @" `* _编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:0 |! C( g8 f- i% `
: r. R5 ]5 x) d8 j9 pSecAuditLogDirMode 0777
z, v0 i% [/ [& QSecAuditLogFileMode 0550
1 O( {. l5 c# r) |5 Z SSecAuditLogStorageDir /var/log/modsecurity, z; m0 W4 k9 o. F1 G1 R
SecAuditLogType Concurrent
- y" V! `8 X( j4 S& l% f参考文章:
6 `' S% s- c# P; [( Y0 T v5 _- Rhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX3 C/ Z7 g& x* d+ c: Y: Q
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡