ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now supports nginx and IIS as well. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make

III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added when configuring nginx with "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install

IV. Add rules

ModSecurity is geared to filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and custom rules can of course be written to cover any other requirement.

1. Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs matches and does not block).

Under owasp-modsecurity-crs there are several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need; a rule file is enabled simply by Include-ing it in modsecurity.conf:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

Add the following two lines inside the location block of every host that should be protected by ModSecurity:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # nginx variable names are case-sensitive: $document_root, not $Document_root
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

Load balancing through an upstream:

    # the upstream name must match the host used in proxy_pass below
    upstream online {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            proxy_pass http://online;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

VI. Testing

We have enabled the XSS and SQL-injection filters, so malformed requests get a 403 straight away. Taking the PHP environment as an example, create phpinfo.php with the content:

    <?php
    phpinfo();
    ?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are now being filtered.
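As an added example (not part of the original post), the three browser checks above as a repeatable script: each probe records the observed status next to the expected one, so a rule change that starts blocking the benign request (a false positive) is caught as well as one that stops blocking the attacks. The base URL is the post's own test host; the `fetch` parameter is injectable so the check can also run against a stub.

```python
import urllib.error
import urllib.parse
import urllib.request

# The three checks from the test section: the benign request must get 200 and
# the two malformed ones must be rejected with 403 by the CRS rules enabled above.
PROBES = [
    ({"id": "1"}, 200),                                    # benign: must NOT be blocked
    ({"id": "1 and 1=1"}, 403),                            # SQL tautology, 41_sql_injection rules
    ({"search": "<script>alert('xss');</script>"}, 403),  # reflected XSS probe, 41_xss rules
]

def http_status(url):
    """GET the URL and return its HTTP status; 4xx/5xx are results here, not errors."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_probes(base_url, fetch=http_status, probes=PROBES):
    """Send each probe and return one (url, expected, observed, ok) tuple per probe.

    `fetch` maps a URL to a status code; it is injectable so the check can run
    against a stub without a live server.
    """
    results = []
    for params, expected in probes:
        url = base_url + "?" + urllib.parse.urlencode(params)
        observed = fetch(url)
        results.append((url, expected, observed, observed == expected))
    return results

def waf_is_effective(results):
    """True only if every benign probe passed and every attack probe was denied."""
    return all(ok for _, _, _, ok in results)

if __name__ == "__main__":
    res = run_probes("http://www.52os.net/phpinfo.php")   # test host from the post
    for url, expected, observed, ok in res:
        print("OK  " if ok else "FAIL", f"got {observed}, expected {expected}:", url)
    raise SystemExit(0 if waf_is_effective(res) else 1)
```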

VII. Troubleshooting during installation

1. Missing APXS causes an error

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

    yum install httpd-devel

2. pcre missing

    configure: *** pcre library not found.
    configure: error: pcre library is required

Solution:

    yum install pcre pcre-devel

3. libxml2 missing

    configure: *** xml library not found.
    configure: error: libxml2 is required

Solution:

    yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same mismatch:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

    yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following (note that 0777 makes the audit log directory world-writable; in production, have the directory owned by the user the nginx workers run as and use a tighter mode):

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent
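As an added example (not from the original post), a small parser for what the Concurrent audit log writes under SecAuditLogStorageDir, so the entries can be triaged by client, URI, status and the CRS rule that fired. The format is ModSecurity 2.x's native audit log (parts delimited by `--token-A--` ... `--token-Z--`); the sample entry is constructed, and its rule id and message text are illustrative.

```python
import re
from collections import Counter

# Constructed sample entry in ModSecurity 2.x native audit-log format (with
# SecAuditLogType Concurrent, each request gets one such file); rule id/message are illustrative.
SAMPLE_AUDIT_LOG = """\
--c7036611-A--
[26/Jan/2015:04:15:42 +0800] AcAcAcAcAcAcAcA4DcA7AcAc 10.11.15.161 54321 192.168.1.10 80
--c7036611-B--
GET /phpinfo.php?id=1%20and%201=1 HTTP/1.1
--c7036611-F--
HTTP/1.1 403 Forbidden
--c7036611-H--
Message: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--c7036611-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")  # e.g. --c7036611-H--
KV = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')       # [id "950901"] pairs in part H

def split_entries(text):
    """Group each entry's A..Z parts (as lists of lines) under its boundary token."""
    entries, cur = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            cur = entries.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif cur is not None:
            cur.append(line)
    return entries

def parse_entry(parts):
    """Extract the fields a triage needs from one audit entry."""
    first = lambda key: (parts.get(key) or [""])[0].split()
    a, req, resp = first("A"), first("B"), first("F")  # A: [time tz] uid client cport server sport
    ev = {"unique_id": a[2] if len(a) > 2 else "", "client": a[3] if len(a) > 3 else "",
          "method": req[0] if req else "", "uri": req[1] if len(req) > 1 else "",
          "status": int(resp[1]) if len(resp) > 1 and resp[1].isdigit() else None,
          "intercepted": False, "rules": []}
    for line in parts.get("H", []):
        if line.startswith("Message:"):                 # one line per rule that matched
            kv = dict(KV.findall(line))
            ev["rules"].append((kv.get("id", ""), kv.get("msg", ""), kv.get("severity", "")))
        elif line.startswith("Action: Intercepted"):   # the engine actually denied the request
            ev["intercepted"] = True
    return ev

def blocked_rule_counts(text):
    events = [parse_entry(p) for p in split_entries(text).values()]
    # which rule ids fired on requests ModSecurity denied (warn-only matches are skipped)
    return Counter(rid for e in events if e["intercepted"] for rid, _, _ in e["rules"])
```

Run it over the files in /var/log/modsecurity (or a concatenation of them) to see which of the Include-d rule files are doing the blocking and which clients trigger them.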

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614