nginx with ModSecurity as a WAF

Posted 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web tier. It now also supports nginx and IIS; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a useful tool for protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0 (the version this post was written against; the later 2.9.x tarballs build the same way)

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module is added when nginx is compiled via "--add-module" (use the directory where you unpacked ModSecurity; /root/modsecurity-2.8.0 is where this post put it):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity's job is filtering and blocking dangerous web traffic, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write your own rules to cover whatever else you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

Note that the file layout used below (modsecurity_crs_10_setup.conf.example, base_rules/, experimental_rules/, optional_rules/, slr_rules/) is that of the CRS 2.2.x branch. The repository's current master is CRS 3.x, which ships crs-setup.conf.example and a single rules/ directory instead, so check out the 2.2.x branch if you want the paths below to match.

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly; it is worth running in that mode against real traffic for a while and watching the audit log for false positives before switching to On, because On turns every rule match into a 403.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever you need by pulling them in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location blocks of the hosts that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Only requests handled by a location that carries these directives are inspected; a location without them (static files, a plain "location /") bypasses the WAF entirely, so add them to every location you want covered.

Two example configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # must name the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL-injection filters enabled, abnormal requests get a 403 straight back. Using the PHP setup as the example, create phpinfo.php containing:

<?php
    phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that SQL injection and XSS are being filtered. Remove phpinfo.php once you are done: it discloses the PHP build, loaded modules and environment to anyone who can reach it.
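The browser checks above can be scripted so they are repeatable after every rule change. The following is an added example, not code from the original post: it sends the same three requests (benign query, SQL-injection probe, XSS probe) with the query string properly URL-encoded, which the browser did silently, and compares the status code it gets with the one expected (200 for the benign request, 403 for the probes). The host name www.52os.net and the phpinfo.php path are taken from the post; the expected codes assume SecRuleEngine On with the CRS SQLi and XSS files from section IV included.

```python
"""Smoke-test an nginx + ModSecurity deployment (added example, not from the post)."""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Probe cases: (path, query parameters, expected HTTP status).
# The payloads are the ones the post types into the browser; the expected codes
# assume SecRuleEngine On with the CRS SQL-injection and XSS rules loaded.
PROBES = [
    ("/phpinfo.php", {"id": "1"}, 200),
    ("/phpinfo.php", {"id": "1 and 1=1"}, 403),
    ("/phpinfo.php", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base_url, path, params):
    """Join base URL, path and a URL-encoded query string."""
    return base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)


def http_status(url, timeout=5):
    """GET url and return the HTTP status code.

    urllib raises HTTPError for 4xx/5xx; the code lives on the exception, which
    is exactly the 403 we want to observe for a WAF block. Connection failures
    return None so the probe is reported as a failure rather than a crash.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return None


def run_probes(base_url, fetch=http_status):
    """Run every probe; return a list of (url, expected, actual, ok).

    fetch is injectable so the verdict logic can be exercised without a server.
    """
    results = []
    for path, params, expected in PROBES:
        url = build_url(base_url, path, params)
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


def all_passed(results):
    """True when every probe produced the expected status."""
    return all(ok for _, _, _, ok in results)


if __name__ == "__main__":
    # Usage: python waf_smoke.py http://www.52os.net  (base URL is an assumption)
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net"
    res = run_probes(base)
    for url, expected, actual, ok in res:
        print("%-70s expected=%s actual=%s %s" % (url, expected, actual, "PASS" if ok else "FAIL"))
    sys.exit(0 if all_passed(res) else 1)
```

Run it once in DetectionOnly mode (everything should come back 200, with the probes showing up in the audit log) and again after switching to On (the two probes should return 403); a benign request returning 403 is the first sign of a false positive to chase down.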
4 ]- m) o: Y5 A' j
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when building the standalone module.
Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

Check what yum proposes to remove along with it first: httpd, apr-util and anything else built on APR will go too. The cleaner alternative is to make sure the same APR headers and library are used at build time and at run time.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The default serial audit log is written through a global mutex that the unprivileged nginx worker cannot lock here; with the index log (SecAuditLog) commented out and Concurrent mode, each transaction goes to its own file under SecAuditLogStorageDir instead. That directory must be writable by the worker user, but 0777 is more than it needs: a directory owned by the worker user with mode 0750 works just as well and avoids a world-writable log directory.
Reference articles:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614