|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。+ H; y. j( b3 x; }; Y+ m6 M
" H d. h/ C+ f5 _( B w一.准备工作1 x- \/ n, ]1 L }# G0 A! V
8 G" Z9 O2 E( S1 q: J
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
R. `% x3 Y" e" N. K# L9 W9 a2 ]4 _4 o8 W; N
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz( }. } f6 i, j& J# W
+ C! S% d' ?$ C, x' x. dmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz9 Y6 A9 V) s1 e0 ~: r2 i: @/ @
) \7 W8 I2 ~4 O9 O- |
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs- t2 s/ v% v% q. o/ v6 p, ^
1 ?/ q3 h3 k* R2 T6 I3 V
依赖关系:* @8 u) H4 ]. O1 S) E# w' v7 N
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
+ D4 b; I# P1 W$ K/ {, |" t3 v" K
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel0 F! `" ~) Y* D& v# I
modsecurty依赖的包:pcre httpd-devel libxml2 apr- Y! b8 m# e# x; E
# s3 G7 a4 Z0 _0 f$ cyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
+ u* q" [/ b1 h# V+ }6 c, J二.启用standalone模块并编译! ?! K3 \0 `! W
7 b. C0 ?5 }' Q( _, A3 d下载modsecurity for nginx 解压,进入解压后目录执行:! b5 p. M9 m0 [4 ^/ R
4 G0 d8 q$ Q/ l* ^* y2 {
./autogen.sh
9 P8 _( V; u3 Z7 H, t./configure --enable-standalone-module --disable-mlogc) i4 o+ F0 P3 _1 I1 M: v( C
make 5 p! o: z" D0 m5 d
三.nginx添加modsecurity模块3 K( c0 G/ A& z, z- D
% M/ C, a- o9 e( r6 P在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:8 @8 B% k5 c2 z6 l4 ?. C" V
8 j$ F0 V0 \% [! h' O& F
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
2 [ S6 V H. _3 xmake && make install* W& f) U S" ^8 _- m. Z# K$ }5 b2 {
四.添加规则. ]4 q6 \; C2 r/ }0 z/ |9 c2 w
|0 E0 z7 }. n
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
1 z/ w' e) w: Y
) H: Y4 }/ }& E* V* x0 e; V5 i1.下载OWASP规则:% C6 N4 ]4 j2 _0 N- t* b6 c8 Q; `
1 f& G& N! J+ q( w
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
; r. F# V7 J& i1 a5 i0 w$ ~# k6 w% X$ z$ Q5 W: Z3 u
mv owasp-modsecurity-crs /opt/tengine/conf/% R& G K6 {+ A) v* a( p
0 y( U* g7 E1 D" c$ B4 a$ K5 ?
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf2 k [7 l/ e* |4 D$ v( |$ Y7 w/ A
2.启用OWASP规则:
* w* q# S& l# C# J$ Y5 e7 C* ]3 c4 o8 J7 i: U3 {
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
) V$ W. _' K& S0 ?- t5 ] y8 P- g Z& }
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
5 @8 B$ x h3 w6 r
( ?9 h3 W7 t- Q2 p7 Uowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
2 Z+ ]+ w% H% c5 r/ T' F! s0 k4 L$ @: F' s- W/ @ l
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf2 E. C* j5 r% F' ?3 |3 w8 Q Y
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf0 q# E2 h$ @ a8 q& \/ h0 }* s! Q
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
4 r9 s5 s( y( @- w$ p% {7 CInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf4 F2 m9 `/ P/ l+ H8 H8 O; K: c; ~
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf: R2 ~- V0 _. d# |6 `/ N
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf4 I t! M6 l# B( r2 U0 _
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf2 L, _; r n5 B: Y$ s( M
五.配置nginx
1 h( C8 y7 A/ {. f! q
+ U" j! l2 s" m) `% `4 j在需要启用modsecurity的主机的location下面加入下面两行即可:
$ T5 l0 `' A) p6 |4 Q4 j
7 [" F" ?% {) p. V$ bModSecurityEnabled on; 4 v. c1 |* |# h* t8 c' W
ModSecurityConfig modsecurity.conf;
( o5 K% O% r# Z0 b! M6 r下面是两个示例配置,php虚拟主机:
6 k. J2 E7 b# S: P& A1 X' c
( \5 D% J6 ?! L9 V# q) a% ]: j# C/ xserver {, w! x, F4 J* J! c; u/ G% f
listen 80;
3 j; _/ ?; C- ]5 T( e; J! ?" p server_name 52os.net www.52os.net;
5 B6 N5 {( y7 r0 O* R8 @) z/ W$ ]
6 o; s! A8 u2 V+ o0 f: B location ~ \.php$ {! z; D2 i5 i8 o' ]9 {# M
ModSecurityEnabled on; 6 ^, B& N7 Y2 ?6 c' b2 u e$ W
ModSecurityConfig modsecurity.conf;0 |% G# ^0 C" \9 f. ^
1 ]7 ?: T/ c, g* U$ ?+ L6 ]* I* z root /web/wordpress;1 g: L: k0 G+ j4 a/ G2 B5 U" o
index index.php index.html index.htm;
1 T6 r! k1 Q: L
. ~1 t# @4 ]2 h' z4 h5 x fastcgi_pass 127.0.0.1:9000;# ^- J% F: C: {$ Z% t
fastcgi_index index.php;
5 k; Y+ O+ n }) n fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
0 n2 O8 p# b) k! I1 I include fastcgi_params;
' K) ^6 t+ _0 p) z5 Z }9 c# r2 L0 K0 A( k. a
}0 o1 {# j1 u' G( Z$ d8 H* K
upstream负载均衡:! l4 r* j2 c' c2 R/ o. t! E. ?/ D
4 s. P% R. G" ?; ?- |. yupstream 52os.net {9 ^4 u$ @: M5 V) J+ i( m. Y# N
server 192.168.1.100:8080;
1 V" a _/ [6 _: _) v- B& Z server 192.168.1.101:8080 backup;: W6 j3 A+ U' \1 _
}# ^$ Y& P8 y8 Y9 n" N& U; \+ f
+ Q1 c' K9 G! x- ]% ~( Z! G5 R! t/ R
server {
Q$ F. J% K1 }: n- S7 _5 C* rlisten 80;
3 F/ L( s! d8 ]7 e7 n+ v9 wserver_name 52os.net www.52os.net;
& @( d8 V* F6 ]' C
' s* i4 s) A6 Mlocation / {
- \7 t9 F' `1 F7 S! w ModSecurityEnabled on;
" t6 U% U, p/ ]& p* [, ?" e ModSecurityConfig modsecurity.conf;
$ R! e- T. }/ ?+ M& E4 R+ L/ t/ B. I4 O: b8 A8 t7 c8 y
proxy_pass http://online;
/ P5 ~: r7 m* l" M) Q7 g( X proxy_redirect off;6 `: j$ o$ T% b' F/ h
proxy_set_header Host $host;: |7 l. o, m9 |0 C0 y$ Y/ T* ~
proxy_set_header X-Real-IP $remote_addr;7 k- q) h/ V5 U1 \7 M8 X
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;. o0 a4 j& o' l b6 S! g
}( w% ?4 }. f- ?. I1 N$ Y) Z
}
$ G- I/ g, Q# Z8 \, v5 E5 e六.测试
0 |( a! _' `. c9 u; y1 D+ K" x1 t. o9 |5 O2 O
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:6 I$ ~9 }% f9 E \
& k0 x0 h3 ~9 W' y9 k$ _: L) y) A<?php
2 }* n3 ?9 F& L5 P' h phpinfo();
- g5 f/ `9 T/ o- j?>
# h. v# w+ Y3 h. F W在浏览器中访问:
4 F4 V/ Q& {# U( C! o+ Z! G
' z1 c: p; K7 `4 Nhttp://www.52os.net/phpinfo.php?id=1 正常显示。
/ U' a# g) @) q, xhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。" b! g' f/ t$ t2 B9 ^) {5 [
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。% @; t" G3 t% ~& I/ B3 y- S1 ~
说明sql注入和xss已经被过滤了
2 @% [ j4 K V& Z
. W9 @: i* f& t& N# A! _; A七、安装过程中排错
% g1 W- G# i- x9 Y& m4 r8 V+ t
+ c- B/ P/ U8 D! k1.缺少APXS会报错
0 F- \# R& u- h2 \; B, P/ Q; |1 B t! U! h+ k8 k l. |
configure: looking for Apache module support via DSO through APXS4 c4 O1 H( u7 w+ j
configure: error: couldn't find APXS
/ s- k- N7 [- k# J4 w# _* ~apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
) d0 Y; R8 |0 S3 @6 o8 ]. X解决方法:5 {9 \' K% [( N5 d d
2 d4 a* A' Y' K
yum install httpd-devel
4 l/ a( E" T) |* n% c2.没有pcre6 f# h8 y* F/ { l
3 J1 e+ T5 L; b
configure: *** pcre library not found.
/ A# u h; I4 Y+ q& mconfigure: error: pcre library is required1 B9 T. j1 t4 i
解决方法:# p; y+ C9 M0 j. a7 ~% |$ r
" ]5 @) k1 @% h+ gyum install pcre pcre-devel8 ]* L) I1 F& t+ i. M2 A6 Z) h
3.没有libxml2; v8 ]; f7 j' X7 d" X" H5 Z
" e8 q3 N3 P! Q0 m# g0 m0 @* M. I$ W! c- c, l
configure: *** xml library not found./ Y5 {+ B: Q+ r/ Q1 m1 \, y
configure: error: libxml2 is required c3 j) K" a, `
解决方法:+ V0 H% c' O0 q* S# Z, \
J+ S# W$ J: R1 Yyum install libxml2 libxml2-devel
X9 x E3 n3 p. V4.执行 /opt/tengine/sbin/nginx -m 时有警告% A2 X% t1 r, Z' ]+ ?
" ?2 ]% D9 L6 o* p9 B
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
( n8 g: `! Q$ M9 b% _nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
$ v0 a; ` d) X! r' {3 ]$ K原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
( `+ v( D9 f' ^' d
. P% K; y' F1 @5 Y8 u$ V9 s2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
, h$ b, `" \6 S2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
% {7 p) F4 A1 ~1 _' N2 g2 N6 R2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!" ?- B; M& q) f+ g
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05" L$ A/ w- }$ ?! I2 Y- c
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
* s5 ^" [$ C- Y7 F6 B2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.: Y0 S6 [' `8 D
解决方法,移除低版本的APR (1.3.9)
$ j* C& I( ]" P* [, a$ W. A& t9 A) x7 o9 v! c8 M9 T
yum remove apr
- ^0 b" }) j& ~( f1 s5.Error.log中有: Audit log: Failed to lock global mutex. ]0 l" G3 U3 v3 p
+ x& R- R; J! J2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 6 S; S2 E" a9 W& N7 |1 @7 |
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
5 {" B) v& {* O8 K解决方法:2 |5 _) S) V+ b' K. H ]
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
Y9 v$ Y1 c+ ^) \: f0 l& `! b& g& |3 y; w& Z, k {0 w4 s
SecAuditLogDirMode 0777( A) e# l7 Q/ k; O. ^0 ~
SecAuditLogFileMode 05501 i9 I, d& ]) o" f& @+ Z' s
SecAuditLogStorageDir /var/log/modsecurity- J0 ^+ ]& R0 o' l- E- h5 M! a
SecAuditLogType Concurrent4 U& q1 }0 G. k4 f& h( }0 |
参考文章:
1 W" Q6 U+ ]- k$ C8 Zhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX+ n4 I6 c7 {( t" @1 l S% ^
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡