ModSecurity was originally an open-source WAF for Apache that adds an effective layer of protection to web applications. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF, and it is a powerful tool for both protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module can be added when nginx is compiled by passing "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block dangerous web requests, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rule files, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need; each rule file you want active is pulled into modsecurity.conf with an Include line:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
" Y2 m8 z- Q, u. ]- ^) ~- U2 z五.配置nginx
j' J2 n. z" n* ~; \$ m6 e% W, J: Q2 n0 O O; T7 [- T
在需要启用modsecurity的主机的location下面加入下面两行即可:, I) }8 B: D1 d* z! w! r, `
# D B$ l1 {& D& N5 xModSecurityEnabled on;
5 ~4 o. c; Z/ XModSecurityConfig modsecurity.conf;& i! Z; q8 _/ ^+ v' I
下面是两个示例配置,php虚拟主机:. H8 ?# I- o$ u X" z# i
! t! |- ]# B$ _+ N8 u
server {
, t. e2 \- k% G6 z4 D9 A listen 80;
" I9 N$ p$ Q1 r# J y& h server_name 52os.net www.52os.net;; [7 |2 k: t, E z1 Q
: y/ S! { }4 @# t: O% K
location ~ \.php$ {
% X" U" }) \. U) v, N ModSecurityEnabled on;
( n' o, Z7 i/ N" b- i9 X$ X& e. T* x* y ModSecurityConfig modsecurity.conf;. o1 q2 j8 T; F- V& t/ m
% Z# |# _; a7 Z1 }% d/ B root /web/wordpress;
\5 p9 ]9 S6 T( y; h! G index index.php index.html index.htm;1 @5 |% u' I( Q
7 f" c8 [* t3 p fastcgi_pass 127.0.0.1:9000;
% P& Z# r& z1 ?" @/ y. w fastcgi_index index.php;' M0 @! v) K3 R+ E8 r$ _6 m7 J6 g+ W
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;; M2 F0 x# h: O+ E: x
include fastcgi_params;
_; S8 H+ ?1 r9 E1 B& U }, L6 {- O2 |; |' q. G& J6 r# ?/ I
}
( c m+ |6 g8 j w k) u1 \4 q* kupstream负载均衡:
# m( X, j# b& J# |: f( n: c7 m2 H6 {
upstream 52os.net {
4 C3 p8 C. u3 |3 q- L5 y4 R. W& L server 192.168.1.100:8080;4 A' ~# I( Y% \2 H
server 192.168.1.101:8080 backup;
2 m9 U5 s6 U& Y; I, U1 S}7 V% F0 ^& G/ s
0 Y, H% B- }9 \( {6 N
server {, `: ?6 ^+ q- `! ^, I. Q% L( w! W
listen 80;
$ m7 r# N+ ?0 y* Z' E' G. x/ cserver_name 52os.net www.52os.net;
# l+ e, r' ?+ i, [2 p
8 P8 o$ [7 C ~6 dlocation / {
+ c7 I/ C, @; M8 {; s. R ModSecurityEnabled on; ' Y7 T+ s7 \2 W4 x4 ]
ModSecurityConfig modsecurity.conf; , P: B$ e: P8 j( h5 ]
& {" h/ N) V) w. Y proxy_pass http://online;
2 |4 O9 h- r; b: B% F. \% m proxy_redirect off;
3 Y' \7 @/ E9 S2 n' t proxy_set_header Host $host;- a2 n! ^5 |2 k6 R
proxy_set_header X-Real-IP $remote_addr;
. z3 F3 p! b( u* f( t- ?- P proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
) s5 m! l1 T+ \# ~/ [ }: q; n. F; p. ]& Y6 r3 \# }0 x
}
VI. Testing

With the XSS and SQL injection rules enabled, abnormal requests are answered directly with 403. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
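The three browser checks above are easy to turn into a script that re-verifies the WAF after every rule or nginx change. The following is an added example, not code from the original post: it uses the host name and the three request/expected-status pairs from the text, and the `fetch` parameter of `run_checks` is this example's own assumption so the comparison logic can be exercised against a stand-in without the live site. Note that urllib raises HTTPError on a 403, so the status the WAF returns has to be unwrapped from the exception.

```python
"""Added example: re-run the WAF checks from the testing section above
and compare the real HTTP status of each request with the expected one."""
import urllib.error
import urllib.parse
import urllib.request

BASE = "http://www.52os.net"   # host from the testing section

# (query string, expected status) pairs, taken from the testing section.
CHECKS = [
    ("id=1", 200),
    ("id=1 and 1=1", 403),
    ("search=<script>alert('xss');</script>", 403),
]


def build_url(base, query):
    """Percent-encode the query so the request is well-formed on the wire;
    nginx/ModSecurity decode it again before the rules inspect it."""
    return base + "/phpinfo.php?" + urllib.parse.quote(query, safe="=&/")


def http_status(url, timeout=10):
    """Return the HTTP status for url. urllib raises on 4xx/5xx, so the
    403 we expect from the WAF arrives as an HTTPError and is unwrapped."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(base=BASE, checks=CHECKS, fetch=http_status):
    """Run every check; return a list of (url, expected, actual, ok).

    `fetch` (an assumption of this example) defaults to the live HTTP call;
    a stand-in function can be passed to exercise the logic offline."""
    results = []
    for query, expected in checks:
        url = build_url(base, query)
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


def all_passed(results):
    """True when every check returned the status the WAF should give."""
    return all(ok for _, _, _, ok in results)


if __name__ == "__main__":
    outcome = run_checks()
    for url, expected, actual, ok in outcome:
        print("PASS" if ok else "FAIL", "expected", expected, "got", actual, url)
    raise SystemExit(0 if all_passed(outcome) else 1)
```

Run it as `python3 waf_check.py` from a machine that can reach the site; a non-zero exit code means at least one request did not get the status the WAF should have produced, which is the signal you want from a post-deployment check or a cron job.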

VII. Troubleshooting the installation

1. A missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamically shared object. Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
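Both of the runtime problems in items 4 and 5 announce themselves in error.log, so they can be picked out automatically rather than by reading the file. The following parser is an added example and not part of the original post or of ModSecurity: it reads the "compiled version / loaded version" notices from item 4 and reports only genuine mismatches (PCRE's loaded version carries a build date after the number, so a naive string comparison would flag it wrongly), and it extracts the [client], [uri] and [unique_id] fields from the mutex error in item 5. The sample lines are the ones quoted above; the regular expressions are this example's own assumptions about the log layout.

```python
"""Added example: scan ModSecurity's nginx error.log for library version
mismatches (item 4) and audit-log mutex failures (item 5)."""
import re

# Sample input: the error.log lines quoted in the troubleshooting section.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# Assumed layout of an nginx error.log line: date time [level] pid#tid: message
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#\d+: (?P<msg>.*)$')
# ModSecurity appends context as [key "value"] pairs; [client ip] has no quotes.
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')
CLIENT_RE = re.compile(r'\[client (?P<client>[^\]]+)\]')
# The startup notices for APR/PCRE carry both versions, LIBXML only the compiled one.
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?')


def parse_line(line):
    """Return a dict (ts, level, pid, msg, fields) for one line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["fields"] = {k: v for k, v in FIELD_RE.findall(entry["msg"])}
    c = CLIENT_RE.search(entry["msg"])
    if c:
        entry["fields"]["client"] = c.group("client")
    return entry


def version_token(s):
    """First whitespace-separated token: PCRE logs "7.8 " as compiled and
    "7.8 2008-09-05" as loaded, which is the same library version."""
    parts = s.split()
    return parts[0] if parts else ""


def library_mismatches(log_text):
    """Return {lib: (compiled, loaded)} for every library whose loaded
    version differs from the one ModSecurity was compiled against."""
    mismatches = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        v = VERSION_RE.search(entry["msg"])
        if not v or v.group("loaded") is None:
            continue  # not a version notice, or no loaded version to compare
        compiled, loaded = v.group("compiled"), v.group("loaded")
        if version_token(compiled) != version_token(loaded):
            mismatches[v.group("lib")] = (compiled, loaded)
    return mismatches


def audit_lock_failures(log_text):
    """Return the parsed [error] entries about the audit-log mutex (item 5),
    with client, uri and unique_id available under entry["fields"]."""
    found = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if (entry and entry["level"] == "error"
                and "Failed to lock global mutex" in entry["msg"]):
            found.append(entry)
    return found


if __name__ == "__main__":
    for lib, (compiled, loaded) in library_mismatches(SAMPLE_LOG).items():
        print(f"{lib}: compiled against {compiled!r} but loaded {loaded!r}")
    for e in audit_lock_failures(SAMPLE_LOG):
        f = e["fields"]
        print("audit log lock failure:", f.get("client"), f.get("uri"), f.get("unique_id"))
```

To check a live installation, pass the contents of your error.log to `library_mismatches` and `audit_lock_failures` instead of `SAMPLE_LOG`; an empty result from both means neither of the two problems above is present.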
5 ]. Z: @+ y" S4 `1 b1 ^参考文章:$ k- a/ x0 r3 B) p% J
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
& b% y8 t: n3 w( V, v9 z# v: Hhttp://drops.wooyun.org/tips/2614 |