ModSecurity started out as an open-source WAF for Apache and noticeably strengthens web security. It now supports nginx and IIS as well, and combined with nginx's flexibility and performance it can be built into a production-grade WAF, a useful tool for both protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module has been built, pass its nginx/modsecurity directory (inside the unpacked ModSecurity source; adjust the path if you unpacked it somewhere other than /root) to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

The module is linked statically, so upgrading ModSecurity later means rebuilding Tengine the same way.
IV. Add rules

ModSecurity's job is to filter and block dangerous web traffic, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and thorough, and you can of course write custom rules for whatever they do not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The shipped default is DetectionOnly, which logs matches without blocking; on a site that is already live it is worth leaving that in place while you review what the rules match against real traffic, and switching to On once the false positives have been dealt with.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines for them at the end of modsecurity.conf. The setup file has to be included before any rule file, because the rule files rely on the variables it defines:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
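Before switching SecRuleEngine to On it helps to know which of the included rules actually fire on real traffic and on which paths, so that a noisy rule can be removed for one location (SecRuleRemoveById) rather than dropped everywhere. The script below is an added example, not code from the original post or from the ModSecurity project: it summarises the lines the nginx module writes to error.log (the same `[id "..."] [msg "..."] [uri "..."]` format as the entries quoted in the troubleshooting section) by rule id and by URI. The log excerpt it embeds is constructed for illustration, and its rule ids 900001 and 900002 are placeholders, not real CRS ids.

```shell
#!/bin/sh
# Added example: summarise ModSecurity rule hits from nginx error.log.
# Not part of the original post or of ModSecurity itself.

# summarize_hits LOGFILE
#   One line per (rule id, message) pair found in LOGFILE: "<count> <id> <msg>",
#   most frequent first. Lines without an [id "..."] tag, such as the
#   "Failed to lock global mutex" error, are skipped.
summarize_hits() {
    grep 'ModSecurity: ' "$1" |
    sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# hits_by_uri LOGFILE
#   "<count> <uri> <id>" per pair, so a rule that only fires on one path can be
#   disabled for that location alone instead of globally.
hits_by_uri() {
    grep 'ModSecurity: ' "$1" |
    sed -n 's/.*\[id "\([0-9]*\)"\].*\[uri "\([^"]*\)"\].*/\2 \1/p' |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# top_rule LOGFILE -> the single most frequent rule id (empty if none)
top_rule() {
    summarize_hits "$1" | awk 'NR == 1 { print $2 }'
}

# make_sample_log FILE
#   Writes a constructed excerpt in the nginx module's error.log format.
#   Rule ids 900001/900002 and the regex shown as "..." are placeholders.
make_sample_log() {
    cat > "$1" <<'EOF'
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "900001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "aaaa"]
2015/01/26 04:20:02 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "1"] [id "900002"] [msg "XSS Attack Detected"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "bbbb"]
2015/01/26 04:20:03 [error] 61610#0: [client 10.11.15.170] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "900001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/wp-admin/post.php"] [unique_id "cccc"]
2015/01/26 04:20:04 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "dddd"]
EOF
}

# Invoke as: sh modsec_hits.sh demo     (or point the functions at a real error.log)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    make_sample_log "$tmp"
    echo "== hits by rule =="; summarize_hits "$tmp"
    echo "== hits by uri =="; hits_by_uri "$tmp"
    rm -f "$tmp"
fi
```

On a real error.log, run the functions with SecRuleEngine still on DetectionOnly for a few days of traffic: a rule that tops the list only for one legitimate form or editor path is a tuning candidate, while one spread across many URIs and client addresses is usually real scanning.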
V. Configure nginx

In each location that should be protected by ModSecurity, add the following two lines. The config path is resolved relative to nginx's conf directory, and only requests that are routed to that location are inspected:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host (note that with this layout only .php requests pass through the WAF; static files served from the root are not inspected):

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing (the name in proxy_pass must match the upstream block):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

After editing, run the nginx binary with -t before reloading: it checks the nginx syntax and also loads modsecurity.conf and every file it Includes, so a typo in a rule path shows up here rather than at the next restart.
, j& t( l6 @+ X9 ~8 ]% G3 q" e六.测试7 k1 ~. B, e; B. J7 y# n1 [
6 V( T, t% P! j# S+ S
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:* D- O8 b1 }' \1 T* h
4 j' l: [) \3 p<?php
) A$ f; n2 Q9 Q phpinfo();
% \1 E+ k6 J# u; h2 m4 B: ??>- l5 @* X# i, R9 A
在浏览器中访问:. l7 Q6 D3 Z- h* _9 @6 [
+ l- T1 ?6 ^+ v
http://www.52os.net/phpinfo.php?id=1 正常显示。0 ]- E9 A8 T- _6 E% q
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。3 X1 v+ c( _$ \; A& i7 G% d$ H2 ~( V" F
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
$ k6 o# h- W. Z9 e: J* k% q说明sql注入和xss已经被过滤了
) R& ^! x# @1 s
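The browser checks above are worth repeating from a script after every rule change. The following is an added example, not code from the original post or from ModSecurity: it sends the page's benign and attack requests with curl, adds a POST case because modsecurity.conf-recommended turns on request body inspection (SecRequestBodyAccess On), and compares the status codes with what the rules enabled above should return. It assumes the PHP host is reachable at BASE (default http://www.52os.net) and still serves phpinfo.php; the attack payloads are URL-encoded by hand because curl, unlike a browser, sends the URL exactly as given.

```shell
#!/bin/sh
# Added example: probe a ModSecurity-protected host with benign and attack
# requests and check the HTTP status codes. Not code from the original post
# or from ModSecurity. Only run this against a host you are responsible for.
# Assumption: the PHP vhost above is reachable as $BASE and serves phpinfo.php.

BASE="${BASE:-http://www.52os.net}"

# fetch_status URL -> HTTP status of a GET (000 if the host is unreachable)
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1"
}

# fetch_status_post URL DATA -> HTTP status of a form POST; the body is inspected
# too because modsecurity.conf-recommended sets SecRequestBodyAccess On
fetch_status_post() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 --data "$2" "$1"
}

# probe EXPECTED ACTUAL LABEL -> prints PASS/FAIL, returns 1 on mismatch
probe() {
    if [ "$2" = "$1" ]; then
        printf 'PASS %s %s\n' "$2" "$3"
        return 0
    fi
    printf 'FAIL expected %s got %s %s\n' "$1" "$2" "$3"
    return 1
}

# run_probes -> one line per case; the return value is the number of failures.
# Payloads are URL-encoded by hand (%20 = space, %3C = <, %27 = ').
run_probes() {
    fails=0
    u="$BASE/phpinfo.php"
    probe 200 "$(fetch_status "$u?id=1")" "benign GET" || fails=$((fails + 1))
    probe 403 "$(fetch_status "$u?id=1%20and%201%3D1")" "SQLi: 1 and 1=1" || fails=$((fails + 1))
    probe 403 "$(fetch_status "$u?id=1%27%20or%20%271%27%3D%271")" "SQLi: quoted tautology" || fails=$((fails + 1))
    probe 403 "$(fetch_status "$u?search=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E")" "XSS: script tag" || fails=$((fails + 1))
    probe 200 "$(fetch_status_post "$u" "comment=hello%20world")" "benign POST" || fails=$((fails + 1))
    probe 403 "$(fetch_status_post "$u" "comment=%3Cscript%3Ealert%281%29%3C%2Fscript%3E")" "XSS in POST body" || fails=$((fails + 1))
    return "$fails"
}

# Invoke as: sh waf_probe.sh run   (the guard keeps the functions sourceable)
if [ "${1:-}" = "run" ]; then
    run_probes
    exit $?
fi
```

The exit status is the number of failed probes. A FAIL on an attack case means the request reached the application, so look in error.log for whether any rule matched at all (a missing Include or DetectionOnly still set) before blaming the rule; a FAIL on a benign case is a false positive to tune, not a reason to widen the rules.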
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server, building one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when you only want the standalone module.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

yum will also remove every package that depends on apr, httpd-devel and apr-util among them, so read the list it proposes before confirming. Whichever APR ends up installed, the compiled and loaded versions only agree if ModSecurity was configured and built against that same library, so rebuild it after changing the APR packages.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

The serial audit log (SecAuditLogType Serial) writes all transactions to a single file and serialises the writes through a global mutex; here the worker processes, which run as the unprivileged user from nginx's user directive, are denied access to it. Concurrent mode writes one file per transaction and does not use that lock. Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0750
SecAuditLogFileMode 0640
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Create /var/log/modsecurity owned by the worker user so that it can write there. Audit entries contain complete request and response bodies, including any credentials or session cookies the blocked request carried, so keep the directory out of reach of other local users rather than opening it up with a world-writable mode such as 0777.

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614