ModSecurity began as an open-source WAF for Apache that substantially strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to nginx's configure with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is built to filter and block web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can also write custom rules to cover any other need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
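Two edits in this step decide whether the WAF actually blocks anything: SecRuleEngine must be On (the recommended file ships with DetectionOnly), and modsecurity_crs_10_setup.conf must be Included before any CRS rule file, because the rule files rely on the TX variables that file defines. The following Python script is an added example, not part of the original post or of ModSecurity: it parses those directives out of a modsecurity.conf and reports both mistakes, plus Include targets that do not exist under the conf directory. The SAMPLE_CONF text is constructed for the demonstration.

```python
"""Sanity-check the ModSecurity 2.x directives edited in this step.

Added example (not from the original post). Flags: SecRuleEngine not On,
a CRS rule file Included before modsecurity_crs_10_setup.conf, and an
Include whose target file is missing (only when conf_dir is given).
"""
import re
from pathlib import Path

# Only the two directive types this step touches are parsed.
DIRECTIVE = re.compile(r"^\s*(Include|SecRuleEngine)\s+(\S+)", re.IGNORECASE)
CRS_SETUP = "modsecurity_crs_10_setup.conf"


def parse_directives(text):
    """Return (SecRuleEngine value or None, list of Include paths in order)."""
    engine = None
    includes = []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)          # comments ('#...') never match
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "secruleengine":
            engine = value
        else:
            includes.append(value)
    return engine, includes


def check_config(text, conf_dir=None):
    """Return a list of problem strings; an empty list means the config looks usable.

    conf_dir is the directory holding modsecurity.conf (Include paths in the
    post are relative to it); pass None to skip the file-existence check.
    """
    problems = []
    engine, includes = parse_directives(text)
    if engine is None or engine.lower() != "on":
        problems.append(f"SecRuleEngine is {engine!r}; rules will not block (need On)")
    setup_seen = False
    for inc in includes:
        base = Path(inc).name
        if base == CRS_SETUP:
            setup_seen = True
        elif "owasp-modsecurity-crs" in inc and not setup_seen:
            problems.append(f"{base} is Included before {CRS_SETUP}")
        if conf_dir is not None and not (Path(conf_dir) / inc).is_file():
            problems.append(f"Include target missing: {inc}")
    return problems


# Constructed sample: engine still DetectionOnly and a rule file Included
# before the CRS setup file -- two common reasons "the WAF does nothing".
SAMPLE_CONF = """
SecRuleEngine DetectionOnly
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
"""

if __name__ == "__main__":
    for problem in check_config(SAMPLE_CONF):
        print("problem:", problem)
```

Run it against the real file with `check_config(open("/opt/tengine/conf/modsecurity.conf").read(), "/opt/tengine/conf")` before reloading nginx; a missing Include target makes nginx refuse to start, while the other two problems leave it running with an inert WAF, which is why they are worth catching here.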
V. Configure nginx

Add the following two lines to the location block of every virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;
    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # must name the upstream group declared above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create phpinfo.php with the content:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.

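The three manual browser checks above are worth automating, so they can be re-run after every rule or nginx change. The Python script below is an added example, not part of the original post: it sends the same three requests (a benign id=1, the "1 and 1=1" SQL probe and the <script> XSS probe) and checks that the benign one gets 200 while the two attack-shaped ones get 403. The base URL is a placeholder, and the `fetch` parameter is an assumption of this example, made injectable so the checker can be exercised without a live server.

```python
"""Smoke-test that the WAF in front of a host still blocks the post's probes.

Added example, not from the original post. Sends the three requests the
post tests by hand and compares the HTTP status codes with what a working
ModSecurity + CRS setup should return.
"""
import urllib.error
import urllib.parse
import urllib.request

# (description, query parameters, status a working WAF is expected to return)
PROBES = [
    ("benign request", {"id": "1"}, 200),
    ("SQL injection probe", {"id": "1 and 1=1"}, 403),
    ("XSS probe", {"search": "<script>alert('xss');</script>"}, 403),
]


def default_fetch(url):
    """Return the HTTP status for url; urllib raises on 4xx, so catch and return it."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def run_smoke_tests(base_url, fetch=default_fetch):
    """Return a list of (description, expected, actual, ok), one per probe."""
    results = []
    for desc, params, expected in PROBES:
        url = base_url + "?" + urllib.parse.urlencode(params)
        actual = fetch(url)
        results.append((desc, expected, actual, actual == expected))
    return results


def waf_is_effective(results):
    """True only if every probe produced the status we expect."""
    return all(ok for _, _, _, ok in results)


if __name__ == "__main__":
    # Placeholder host; point it at the vhost you configured in nginx.
    report = run_smoke_tests("http://www.example.com/phpinfo.php")
    for desc, expected, actual, ok in report:
        print(f"{'PASS' if ok else 'FAIL'} {desc}: expected {expected}, got {actual}")
    print("WAF effective:", waf_is_effective(report))
```

The benign probe is as important as the two attack probes: if it also returns 403, the rule set is too aggressive for the application (or SecRuleEngine is blocking on a false positive), and the script reports that as a failure rather than as a success.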
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
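Items 4 and 5 are both diagnosed from the ModSecurity lines nginx writes to error.log, and they recur after every rebuild or package update, so a small parser for them is handy. The Python script below is an added example, not part of the original post or of ModSecurity: it compares the "compiled version" and "loaded version" values from the startup notices (a difference is what produces the "Loaded APR do not match with compiled!" warning) and extracts the client, uri and unique_id fields from any "Failed to lock global mutex" error. SAMPLE_LOG is constructed from the lines quoted in items 4 and 5, including the wrapped error line.

```python
"""Triage ModSecurity startup notices and audit-log errors in nginx's error.log.

Added example, not from the original post. check_library_versions() finds
libraries whose compiled and loaded versions differ; find_mutex_failures()
pulls the fields out of "Audit log: Failed to lock global mutex" errors.
"""
import re

VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)
MUTEX_RE = re.compile(r"Audit log: Failed to lock\s+global mutex: (?P<reason>[^\[]+)")
FIELD_RE = re.compile(r'\[(?P<key>client|hostname|uri|unique_id) "?(?P<val>[^\]"]*)"?\]')
# Every error.log record starts with a timestamp; used to re-split wrapped text.
RECORD_START = re.compile(r"(?=\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} )")


def version_token(s):
    """Keep only the leading dotted number, so '7.8 2008-09-05' compares equal to '7.8 '."""
    m = re.match(r"\s*([\d.]+)", s)
    return m.group(1) if m else s.strip()


def check_library_versions(log_text):
    """Return {lib: (compiled, loaded)} for every library whose versions differ."""
    mismatches = {}
    for m in VERSION_RE.finditer(log_text):
        if m.group("loaded") is None:
            continue  # the LIBXML notice reports only the compiled version
        compiled = version_token(m.group("compiled"))
        loaded = version_token(m.group("loaded"))
        if compiled != loaded:
            mismatches[m.group("lib")] = (compiled, loaded)
    return mismatches


def find_mutex_failures(log_text):
    """Return one dict (reason plus bracketed fields) per global-mutex lock failure."""
    failures = []
    flat = " ".join(log_text.split())          # undo line wrapping inside a record
    for record in RECORD_START.split(flat):
        m = MUTEX_RE.search(record)
        if not m:
            continue
        entry = {"reason": m.group("reason").strip()}
        entry.update((f.group("key"), f.group("val")) for f in FIELD_RE.finditer(record))
        failures.append(entry)
    return failures


# Constructed from the error.log lines quoted in the post (items 4 and 5).
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

if __name__ == "__main__":
    for lib, (compiled, loaded) in check_library_versions(SAMPLE_LOG).items():
        print(f"{lib}: compiled against {compiled}, loaded {loaded}")
    for failure in find_mutex_failures(SAMPLE_LOG):
        print("audit log lock failure:", failure)
```

Run `check_library_versions(open("/opt/tengine/logs/error.log").read())` after `yum remove apr` and a restart: an empty dict confirms the fix from item 4 took. For item 5, the audit log directory named in SecAuditLogStorageDir only needs to be writable by the user the nginx workers run as; owning it by that user is a tighter alternative to a world-writable 0777 mode and leaves the Concurrent audit log working the same way.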
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614