|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
+ Z3 A, M2 ]& `/ A2 u# e, o) ~8 W% _6 V$ d6 l
一.准备工作
) G% I* _, K; v+ e/ X0 \1 |5 X' v! Y. M
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.09 i/ a0 [2 D7 v3 Y$ @4 ]) B; H
5 E2 e8 ^( ^0 F+ @
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
# H, _ D. C% g8 q# M9 C4 C, p* T" ]6 P b4 h+ u
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
! U1 [4 [0 s* u( l0 \
r( y! G9 W# AOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs' U1 B& e$ O: h
* T' y% U1 g+ U2 d4 ]. C {' @2 f7 t依赖关系:
, j! o* q3 I ~0 p; Ltengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
) x6 f b! s9 @# {/ i
) g& Q8 y: O. d c6 Q& B+ M+ syum install zlib zlib-devel openssl openssl-devel pcre pcre-devel L5 p2 O7 U+ `1 @
modsecurty依赖的包:pcre httpd-devel libxml2 apr
+ }# c8 ~( g4 V. m4 |* A# e: T7 @3 ?& H" s( q8 N
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
, }% i- m5 {4 g: l5 l* H& q二.启用standalone模块并编译
w' V2 D( ]0 t5 `; K8 f$ ^- j) s& c! e4 \& U: U w
下载modsecurity for nginx 解压,进入解压后目录执行:
( Y4 l/ K3 `" }" Q1 X, g+ \+ L# }
3 V% V, \3 d! h) L( D0 ?# h9 f- v./autogen.sh- z/ ~3 H0 H; c
./configure --enable-standalone-module --disable-mlogc
+ v i, {) a: ]make
0 W7 N$ V0 L; r# U! m三.nginx添加modsecurity模块) l4 T2 f% x( e# m/ z6 \$ y
1 G" D8 ]; v/ a* E4 T# L. A: C! z, M在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块: |) \' l. {5 b/ P- f
* X7 D/ Z1 w% b0 I7 r
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
- P2 R, k' _. u1 b; y9 Omake && make install/ ~& |9 e6 ]6 L5 ^% t* E/ a
四.添加规则
" N* j" [- r7 C3 d$ m, {8 P% C P' v8 p7 z7 N2 h
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。5 a% Q, y3 }$ u! D. |' O$ [
* X. k' N: }0 f: v1.下载OWASP规则:+ v d1 r) M% ?( ~2 [! f J
( p, K D `! ?: r' N& b, kgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs6 v3 T- _! \5 V1 l& l
5 m, T m. m7 M" |0 ?6 fmv owasp-modsecurity-crs /opt/tengine/conf/
) v! U9 B# L1 x* p4 l0 d
# { p, R; Y# ^% [# Jcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
5 h* n1 M- W- v2 ?! Q' y) _2.启用OWASP规则:
# G" V2 U7 ~' }/ f5 f; ?) E6 a, J
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。) m$ J) S. D$ ^/ t# `; f2 H- I7 N, P; @+ J
' S8 P& p! \# |' X0 g5 o编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
; [/ N# _% N& w/ c, v
+ C5 I. \8 C. _, F( V0 g% |, Z" zowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。) f# }2 W6 }4 \
- q6 i# G s5 K
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf {4 y0 s4 S" {9 o+ a
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf5 x; k. D8 |& S/ x9 c
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf7 h; ^$ l" B: W. w5 ^
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf: W! p; M$ X: N" H# q
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
" ]; `3 w2 v7 ~5 s8 IInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
% Q( N5 [" B2 x4 [Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
" C! w1 ^2 C8 `6 T: E五.配置nginx
" [1 }2 }4 Y2 A; u- h6 C1 _+ n5 j, a5 m
在需要启用modsecurity的主机的location下面加入下面两行即可:
q5 H% r: u' b* m1 {! X$ a8 U3 n8 ^6 \$ x8 u8 p
ModSecurityEnabled on; 5 g% Z" \' G; c. M4 \; ?8 i H
ModSecurityConfig modsecurity.conf;3 t. ~- \ E2 u/ a, @2 J
下面是两个示例配置,php虚拟主机:
3 p. F+ d p5 W+ b8 M
1 H3 p% ^" O7 M! ?, ^server {
# ]4 _& f2 t5 `1 `8 B z: B listen 80;* f: }; E9 e/ R* G9 w9 ?# b0 H
server_name 52os.net www.52os.net;
! Y2 L7 q p7 q3 ?) \ 9 s4 z& @" v3 P$ J B
location ~ \.php$ {6 c% E/ w" C, a: V+ G- W
ModSecurityEnabled on;
; l7 v4 _) D* {! ^, `& J' u5 a ModSecurityConfig modsecurity.conf;
! c, W0 T' V1 g8 E. e
M) H% }6 L q$ ~& a root /web/wordpress;
4 i5 C1 ^! A: ?2 [0 _ r+ m* u0 B index index.php index.html index.htm;6 y7 z( q( y3 ? a) b( R
5 v0 ?6 {; z, j2 B+ ~- a S/ i fastcgi_pass 127.0.0.1:9000;
) q3 A7 y" I) E1 y3 i1 A fastcgi_index index.php;$ G6 Q$ z$ L" y7 H& q: s) {) {6 H
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;$ p6 @! h% T |
include fastcgi_params;) ^5 O1 ]$ j! x+ z5 K0 z9 Z8 p, O
}
/ K/ V7 r( T+ F5 n8 m }6 o" x9 [; S7 ^
upstream负载均衡:
, g R# J! c6 P! r7 ^$ O7 i* i0 m* R' R
upstream 52os.net {1 D6 o5 s3 v/ S* l3 n
server 192.168.1.100:8080;6 x* U" C( d- I; A. S. I( \
server 192.168.1.101:8080 backup;" y' T6 p& ]! w2 @( H1 K6 L8 ^& |
}: x# W" x$ i" F! }+ Y$ q3 w& w
% n {1 a: C2 u
server {
% m m4 p( f) Q4 B2 zlisten 80;
. s1 K$ v- O# q+ t ^1 tserver_name 52os.net www.52os.net;
% |4 K4 Q; ~& Q7 H1 S
6 g- H' U0 w4 Y3 Slocation / {
- e+ t, S) D* A* L$ H ModSecurityEnabled on;
]! {2 i9 r$ Y; K8 }. b ModSecurityConfig modsecurity.conf;
$ `: M2 j+ l2 ]7 {$ U1 k
$ {5 {3 M% G) b4 a' | proxy_pass http://online;( E4 \! i/ e" w' k3 ~& c% b" M7 H
proxy_redirect off;- n& W( ^5 m1 L! M) D8 M
proxy_set_header Host $host;
# M7 Q- B% I, T8 O4 s proxy_set_header X-Real-IP $remote_addr;
' D J5 b/ y$ m d c proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# _- M: Z3 m7 U9 t }& z; W# A, O/ _" e8 Y1 d6 P8 C
}5 L9 O* o6 ^' }/ q5 ^! U( A0 g# J
六.测试9 t0 t. e. V; R. K% W7 ]
+ E& R/ X4 k# O- @: o我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:9 x" r+ X" E) w" @1 h# ?; k
1 y+ H- s* _5 ]( A
<?php2 O. @$ u+ n) {+ |2 N9 B+ S
phpinfo(); - X8 D( q( z! H/ t8 k; b$ P y
?>) ]4 ?& O% U/ L& f- F/ {1 ?
在浏览器中访问:3 J) | i$ e; R4 o3 c `
* D7 L- m! x7 }3 Jhttp://www.52os.net/phpinfo.php?id=1 正常显示。% V2 \3 H1 N! Y. P; @* H; w' ^
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
, U$ j% T" J7 D) Ohttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
) P% X7 H( @. u3 o说明sql注入和xss已经被过滤了
# h% Y( S5 \. k, q& v. l+ @' b3 g) I% ~" O4 b8 b" W9 L2 C; ~
七、安装过程中排错
& |: w6 c2 l& ]" u3 W) x/ Y; ~. J e3 ]- B1 \0 b" H3 C* b" S! ~
1.缺少APXS会报错
$ d8 f' S+ S% l# ~: {/ A! ?. F3 I0 Z" U g
configure: looking for Apache module support via DSO through APXS
6 D8 s: V( O0 M2 `configure: error: couldn't find APXS9 ?9 U7 H; D! V
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。3 t4 y/ _1 o- G+ U
解决方法:
3 z. I* `% z8 r( n2 W4 w3 p7 H1 ]: n, ]* i
yum install httpd-devel
& H5 B+ |' B1 S2.没有pcre& x6 G% h: k7 a8 B; @5 j
/ y4 o8 r0 A1 [& n
configure: *** pcre library not found.) @+ [9 t+ d5 S/ X1 ]
configure: error: pcre library is required- L0 @0 e7 ~ w+ C$ @4 X% E
解决方法:
5 J6 @3 @, o" t' y. Q1 n; }
+ ` R8 E7 ^# Tyum install pcre pcre-devel
' W0 g8 a K5 R- ?3 o5 [3.没有libxml2
) O9 U& Z# Z) n4 H' x+ z: n! c0 e
. ~% y `* Q6 T5 B1 N0 u1 D. Q- V. B% l( b! J' O# P$ q; m
configure: *** xml library not found.+ e0 C9 F5 i' f5 C5 |" S
configure: error: libxml2 is required& b% g7 I) k" w3 J) R3 P
解决方法:
( f9 Q- s$ y) i* K0 u! Q' }8 n" s9 `$ \2 e
yum install libxml2 libxml2-devel8 ]7 O" \: ~- v' g
4.执行 /opt/tengine/sbin/nginx -m 时有警告% m8 d6 j _' L' Q3 f5 M6 g
0 G7 s7 ?, Q6 T* `
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
5 b4 m7 V- C7 ]# b! }nginx: [warn] ModSecurity: Loaded APR do not match with compiled!, h, E( g5 `9 i2 [8 }" `) U
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log: o& W2 u/ N: p% u; \5 [4 k
8 F' F) H! D3 r8 P2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
* j- N( e; V7 ?# _( B2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
4 _' q+ V, {. K6 C' V& _2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
$ l1 A0 u* a+ v6 g# z. G2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
* ?7 i/ ~5 o! y% K3 p8 r; h: K2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"6 Y; m v8 C1 G* k3 X% z" B
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
- w* i! ^. Q; s6 c% s& s解决方法,移除低版本的APR (1.3.9), L* ^3 q( k5 Z" \% E& S
2 ^/ R7 R$ F: @/ ]' f0 E4 H& I$ Q2 Tyum remove apr
# _) z/ K A K$ F; m8 c/ i( a5.Error.log中有: Audit log: Failed to lock global mutex
$ U3 Z, @* W+ a& `
4 \8 y, _3 ?) l2 z# q" C2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
( f, F, c9 O* Q% hglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
' ]$ `" V1 S1 M9 G- _1 r+ E% i解决方法:* {, j& g- s' s$ K' J" h
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
0 {6 R1 `5 j$ X4 F0 U2 m: L8 o6 D- e+ [, T$ J
SecAuditLogDirMode 0777
- a x% a. u8 b3 ASecAuditLogFileMode 0550
9 s0 s# D( `0 C0 X6 z' _5 V5 BSecAuditLogStorageDir /var/log/modsecurity8 v) g8 i! y! t p+ @0 d
SecAuditLogType Concurrent
. R$ [. E Y( O. I0 S7 v+ `参考文章:
0 P8 w f! U; w+ ?https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX# Q- C% o% v( \, ]5 L* s- h
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡