
Using nginx with ModSecurity to build a WAF

Posted on 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, it is added to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules for needs they do not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which logs matches but blocks nothing).

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of every virtual host that should be protected, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    # root and index at server level so non-PHP requests are served too
    root  /web/wordpress;
    index index.php index.html index.htm;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

upstream load balancing:

# the upstream name must match the host in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass       http://online;
        proxy_redirect   off;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, abnormal requests are answered with 403 directly. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that the SQL injection and XSS requests are being filtered.

VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 makes the audit directory writable by every local user; what the Concurrent logger actually needs is that the nginx worker user can create files there, which a directory owned by that user with a tighter mode also satisfies.
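The two error.log conditions in sections 4 and 5 are easy to miss by eye on a busy server. The following parser, an added example rather than code from the post, turns ModSecurity-for-nginx error.log lines into records, reports library version mismatches (compiled vs loaded) and extracts the client, uri and unique_id of audit-log failures; the sample log is constructed from the lines quoted above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the error.log excerpts quoted in sections 4 and 5.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

LINE_RE = re.compile(r'^(\S+ \S+) \[(\w+)\] (\d+)#\d+: (.*)$')      # nginx error.log layout
VERSION_RE = re.compile(r'ModSecurity: (\w+) compiled version="([^"]*)"; loaded\s+version="([^"]*)"')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')                        # [hostname ""] [uri "/i.php"] ...


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one nginx error.log line into timestamp, level, pid and message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"time": m.group(1), "level": m.group(2), "pid": m.group(3), "msg": m.group(4)}


def library_mismatches(log: str) -> List[Tuple[str, str, str]]:
    """Return (library, compiled, loaded) where the version numbers differ.
    Only the first token is compared, so PCRE's trailing build date is ignored."""
    token = lambda s: (s.split() or [""])[0]
    out = []
    for line in log.splitlines():
        rec = parse_line(line)
        m = VERSION_RE.search(rec["msg"]) if rec else None
        if m and token(m.group(2)) != token(m.group(3)):
            out.append((m.group(1), m.group(2).strip(), m.group(3).strip()))
    return out


def audit_log_failures(log: str) -> List[Dict[str, str]]:
    """Collect the bracketed request fields of 'Audit log: Failed to lock global mutex' errors."""
    out = []
    for line in log.splitlines():
        rec = parse_line(line)
        if not rec or "Audit log: Failed to lock" not in rec["msg"]:
            continue
        fields = dict(FIELD_RE.findall(rec["msg"]))
        client = CLIENT_RE.search(rec["msg"])
        fields["client"] = client.group(1) if client else ""
        fields["time"] = rec["time"]
        out.append(fields)
    return out


if __name__ == "__main__":
    print(library_mismatches(SAMPLE_LOG))
    print(audit_log_failures(SAMPLE_LOG))
```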
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614