ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web tier. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF, a real asset for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (it supplies apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build has finished, the ModSecurity module is added when nginx is compiled, via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity's job is to filter and block attacks against the web tier, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are solid and comprehensive, and you can of course write your own rules for anything they do not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. (The recommended file ships with SecRuleEngine DetectionOnly, which only logs; nothing is blocked until it is On.)

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable what you need: each rule file you want is pulled in with an Include line added to modsecurity.conf. Keep the setup file first, because the rule files depend on the variables it defines; the experimental DoS and brute-force rules additionally rely on thresholds in modsecurity_crs_10_setup.conf that are commented out by default, so uncomment and tune those before enabling them.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In each virtual host that should be protected by ModSecurity, add these two lines to the location block:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two sample configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

ModSecurity only inspects the locations that carry these directives, so with the configuration above requests for static files outside the ~ \.php$ location are not filtered. Note that nginx variable names are case-sensitive: $document_root must be lowercase, otherwise nginx refuses to start with an unknown-variable error.

An upstream load-balancing setup (the upstream group is named "online" so that it matches the proxy_pass target):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with 403 directly. Taking the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. The browser percent-encodes the spaces and angle brackets before sending; ModSecurity decodes the arguments before matching, so the encoding does not change the result. Remove phpinfo.php once testing is done, since it discloses the full PHP configuration to anyone who requests it.
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even for the standalone build.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m (Tengine's option for listing the loaded modules)

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Check what else depends on that package first (yum lists the dependants before removing). If the system APR cannot be removed, rebuild ModSecurity against it instead, so that the compiled and loaded versions agree.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent mode writes one file per transaction under SecAuditLogStorageDir and does not take the global mutex that Serial mode failed to lock. Be aware that 0777 makes the audit log directories world-writable; on a production host, create /var/log/modsecurity owned by the nginx worker user and use a tighter SecAuditLogDirMode (for example 0750) instead.
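Once rules are blocking, the alerts ModSecurity writes to error.log (the same file the version notices and the mutex error above came from) are the record of what was blocked, by which rule, and from where. The following Python, an added example rather than code from the original post or from ModSecurity, parses those lines into records and summarises denials by rule and by client. It assumes the line shape visible in the entries above; the sample log it ships with is constructed, and the rule ids and messages in it are illustrative rather than copied from the CRS files.

```python
"""Parse ModSecurity alerts out of an nginx/Tengine error.log and summarise them.

Added example, not code from the original post or from ModSecurity. It
assumes the line shape seen in the troubleshooting section:
    <date> <time> [<level>] <pid>#<tid>: [client <ip>] ModSecurity: <text> [key "value"] ...
SAMPLE_LOG is constructed for this example; its rule ids and messages are
illustrative, not copied from the CRS files.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: (?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<body>.*)$"
)
# Trailing [key "value"] attributes; ModSecurity escapes embedded quotes as \"
ATTR_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')
DENIED_RE = re.compile(r"Access denied with code (?P<code>\d+) \(phase (?P<phase>\d)\)")

# Constructed sample; the first line has no "ModSecurity:" prefix and is skipped.
SAMPLE_LOG = r"""
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:21:07 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\band\b ?\d{1,10} ?[=<>]+)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 04:22:30 [error] 61610#0: [client 192.168.1.55] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "31"] [id "958051"] [msg "Cross-site Scripting (XSS) Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2015/01/26 04:30:12 [error] 61610#0: [client 10.11.15.161] ModSecurity: Warning. Pattern match "(?i:sqlmap)" at REQUEST_HEADERS:User-Agent. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_35_bad_robots.conf"] [line "12"] [id "990002"] [msg "Request Indicates a Security Scanner Scanned the Site"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]
"""


def parse_line(line):
    """Return a dict for one ModSecurity line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    attrs = [(a.group("key"), a.group("val").replace('\\"', '"'), a.start())
             for a in ATTR_RE.finditer(body)]
    fields = {k: v for k, v, _ in attrs}
    # Free text before the first [key "value"] block is the alert message proper
    message = body[: attrs[0][2]].strip() if attrs else body.strip()
    denied = DENIED_RE.search(message)
    if denied:
        action = "deny"
    elif "id" in fields:
        action = "warn"         # rule matched but did not block (pass / DetectionOnly)
    else:
        action = "other"        # operational notices: version checks, audit-log errors
    return {
        "ts": m.group("ts"),
        "level": m.group("level"),
        "client": m.group("client"),
        "action": action,
        "code": int(denied.group("code")) if denied else None,
        "phase": int(denied.group("phase")) if denied else None,
        "rule_id": fields.get("id"),
        "msg": fields.get("msg"),
        "uri": fields.get("uri"),
        "hostname": fields.get("hostname"),
        "message": message,
    }


def parse_log(text):
    """Parse every line of an error.log; lines that are not ModSecurity alerts are skipped."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def summarize(records):
    """Aggregate counts an analyst would want from a day's alerts."""
    return {
        "denied": sum(1 for r in records if r["action"] == "deny"),
        "by_rule": Counter(r["rule_id"] for r in records if r["rule_id"]),
        "by_client": Counter(r["client"] for r in records if r["action"] == "deny"),
        "operational": [r["message"] for r in records if r["action"] == "other"],
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f'{r["ts"]} {r["action"]:5} client={r["client"]} rule={r["rule_id"]} '
              f'uri={r["uri"]} {r["msg"] or r["message"]}')
    print(summarize(recs))
```

Feed it the real file with `parse_log(open("/opt/tengine/logs/error.log").read())`. The "operational" bucket is worth watching separately from the denials: it is where the APR mismatch and the audit-log mutex failure from this section show up, and a WAF that is failing to write its audit log is a finding in itself.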
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614