ModSecurity started out as an open-source WAF for Apache and gives web applications an effective extra layer of protection. It now supports nginx and IIS as well; combined with nginx's flexibility and performance it can be built into a production-grade WAF, a sharp tool for both protecting and auditing web traffic.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel (it supplies apxs, which the configure script looks for even for the standalone build), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

2. Build the standalone module

Download ModSecurity for nginx, unpack it, and run in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

4. Add rules

ModSecurity is a filtering and blocking engine, and its strength is the rules. The rules OWASP publishes are maintained by community volunteers and are known as the Core Rule Set (CRS). They are solid and comprehensive, and you can write your own rules alongside them for anything they do not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which logs matches without blocking; leaving it there for a first run against real traffic shows what the rules would have blocked before any legitimate request is refused.

owasp-modsecurity-crs contains several rule directories, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable what you need by adding an Include for each rule file to modsecurity.conf. The setup file has to come first, because the later rules depend on the variables it defines; the DoS and brute-force rules in experimental_rules are also driven by variables in that setup file (burst window, thresholds, protected URLs), so check that section before relying on them.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
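The custom rules mentioned above, as an added example that is not part of the original post: a small script that drops a local rule file next to the CRS, makes sure modsecurity.conf includes it, flips SecRuleEngine between DetectionOnly and On, and validates the whole configuration with nginx -t before reloading. The conf directory (/opt/tengine/conf), the nginx binary path, the 192.168.1.0/24 "office" range, the wp-login.php path (the post's document root is a WordPress tree) and the rule IDs 10001/10002 are all assumptions; the IDs sit in the 1-99999 range ModSecurity reserves for local rules, so they cannot collide with the CRS's 900000-999999 range.

```shell
#!/bin/bash
# Added example (not from the original post): stage local ModSecurity rules
# and roll the engine from DetectionOnly to On with a config check in between.
set -eu

NGINX_BIN=${NGINX_BIN:-/opt/tengine/sbin/nginx}   # assumed path

# Write a local rule file into CONF_DIR. IDs 10001/10002 are in the 1-99999
# range reserved for local use, so they cannot clash with OWASP CRS rules.
install_custom_rules() {
    conf_dir=$1
    cat > "$conf_dir/modsecurity_custom.conf" <<'EOF'
# Block traversal probes anywhere in the URI. t:none clears inherited
# transformations; urlDecodeUni makes %2e%2e%2f match as well.
SecRule REQUEST_URI "@contains ../" \
    "id:10001,phase:1,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Path traversal attempt'"

# Only the assumed office range may reach wp-login.php. The deny on the first
# rule fires only when every rule in the chain matches.
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
    "id:10002,phase:1,t:none,chain,deny,status:403,log,msg:'wp-login.php from outside allowed range'"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24"
EOF
}

# Append "Include FILE" to CONF unless it is already there (idempotent).
ensure_included() {
    conf=$1; file=$2
    grep -q "^Include $file" "$conf" || printf 'Include %s\n' "$file" >> "$conf"
}

# Switch SecRuleEngine (DetectionOnly = log only, On = block) and print the
# resulting directive so the caller can confirm what is now configured.
set_rule_engine() {
    conf=$1; mode=$2
    case $mode in
        On|Off|DetectionOnly) ;;
        *) echo "unknown SecRuleEngine mode: $mode" >&2; return 1 ;;
    esac
    sed -i "s/^SecRuleEngine .*/SecRuleEngine $mode/" "$conf"
    grep '^SecRuleEngine' "$conf"
}

# A rule with a syntax error would otherwise leave the site down (or without
# a WAF), so validate before reloading.
apply() {
    "$NGINX_BIN" -t && "$NGINX_BIN" -s reload
}

# Usage: ./stage_rules.sh /opt/tengine/conf DetectionOnly   (first pass, watch the logs)
#        ./stage_rules.sh /opt/tengine/conf On              (once no false positives show up)
if [ $# -eq 2 ]; then
    install_custom_rules "$1"
    ensure_included "$1/modsecurity.conf" modsecurity_custom.conf
    set_rule_engine "$1/modsecurity.conf" "$2"
    apply
fi
```

Run it once with DetectionOnly, review what the audit log reports for real traffic, then run it again with On. The same two-step rollout applies to every new CRS rule file you Include later.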

5. Configure nginx

Add these two lines to the location block of every virtual host that should be protected:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First a PHP virtual host (note that nginx variable names are case-sensitive, so the FastCGI parameter must use $document_root):

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Only requests matching this location are inspected; anything served by other location blocks bypasses the WAF, so enable it in each location that reaches application code.

Second, an upstream (load-balanced) backend. The name in proxy_pass has to match the upstream block:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

6. Testing

With the XSS and SQL injection rules enabled, malicious requests get a 403 straight away. Taking the PHP host as the example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then request in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

So SQL injection and XSS are being filtered. Remove phpinfo.php once you are done: it discloses the PHP build, loaded modules and filesystem paths to anyone who can reach it, and a 200 from that file is exactly what scanners look for.
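The browser checks above as a repeatable script, added here as an example that is not part of the original post. It sends the same benign, SQL injection and XSS requests with curl, plus a second payload of each kind and a plain search phrase that must not be blocked, and compares each HTTP status with what the WAF should return. WAF_BASE_URL (for instance http://www.52os.net) and the /phpinfo.php path are assumptions; the script does nothing unless that variable is set.

```shell
#!/bin/bash
# Added example (not from the original post): WAF smoke test with curl.
# WAF_BASE_URL is assumed to point at the protected host; the paths mirror
# the phpinfo.php checks in the post.
set -u

# HTTP status for GET base+path with one query parameter. -G together with
# --data-urlencode encodes the payload the way a browser does, so
# "1 and 1=1" is sent as id=1%20and%201%3D1.
probe() {
    base=$1; path=$2; param=$3; value=$4
    curl -s -o /dev/null -w '%{http_code}' -G "$base$path" --data-urlencode "$param=$value"
}

# PASS/FAIL line for one observation; non-zero status on FAIL.
verdict() {
    got=$1; want=$2; label=$3
    if [ "$got" = "$want" ]; then
        printf 'PASS %-18s got %s\n' "$label" "$got"
    else
        printf 'FAIL %-18s got %s, want %s\n' "$label" "$got" "$want"
        return 1
    fi
}

# Matrix: label|path|param|value|expected status. Attack payloads must be
# refused with 403; the two benign rows guard against false positives.
cases() {
    cat <<'EOF'
benign id|/phpinfo.php|id|1|200
sqli tautology|/phpinfo.php|id|1 and 1=1|403
sqli union|/phpinfo.php|id|1 union select 1,2,3|403
xss script tag|/phpinfo.php|search|<script>alert('xss');</script>|403
xss event handler|/phpinfo.php|search|<img src=x onerror=alert(1)>|403
plain search|/phpinfo.php|search|nginx modsecurity tutorial|200
EOF
}

# Run the whole matrix against BASE; the return value is the failure count,
# so the script's exit status can gate a deployment.
run_matrix() {
    base=$1; failures=0
    while IFS='|' read -r label path param value want; do
        got=$(probe "$base" "$path" "$param" "$value")
        verdict "$got" "$want" "$label" || failures=$((failures + 1))
    done <<EOF
$(cases)
EOF
    return "$failures"
}

# Usage: WAF_BASE_URL=http://www.52os.net ./waf_smoke.sh
if [ -n "${WAF_BASE_URL:-}" ]; then
    run_matrix "$WAF_BASE_URL"
fi
```

Run it with SecRuleEngine DetectionOnly first: every attack row will then "fail" with 200, which confirms the requests reach the engine and are logged without being blocked; switching to On should turn those rows into 403 while the two benign rows stay at 200.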

7. Troubleshooting the install

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP Server, compiling one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when only the standalone module is being built.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one the dynamic loader picks up at run time. The compiled version (1.5.0) is not the CentOS 6.5 package (1.3.9), so the build evidently used a second APR present on the system (one built from source, for instance) while the loader found the packaged one first. error.log shows the pair:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

yum takes the packages that depend on apr (httpd-devel among them) along with it, which is harmless once the module is built. Afterwards confirm with `ldd /opt/tengine/sbin/nginx | grep apr` that the binary resolves to the 1.5.0 library, and restart nginx so the startup notice shows matching versions.
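A check for the notices shown above, added as an example that is not part of the original post: it parses the "compiled version" / "loaded version" lines ModSecurity writes to error.log at startup, compares the two for each library, and shows which libapr the binary actually resolves to. Note that only the leading token of each version string is meaningful: the PCRE line carries a build date in the loaded string and a trailing space in the compiled one, yet it is a match. The log and binary paths are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): compare the "compiled" and
# "loaded" library versions ModSecurity prints to error.log at startup.
# Paths are assumptions matching the tutorial's /opt/tengine layout.
set -u

# Leading token of the compiled version for LIB (APR, PCRE, LIBXML) in LOGFILE.
compiled_version() {
    logfile=$1; lib=$2
    sed -n "s/.*ModSecurity: $lib compiled version=\"\([^\" ]*\).*/\1/p" "$logfile" | tail -n 1
}

# Leading token of the loaded version. PCRE reports "7.8 2008-09-05" here and
# "7.8 " as compiled, so comparing only the first token avoids a false alarm.
loaded_version() {
    logfile=$1; lib=$2
    sed -n "s/.*ModSecurity: $lib compiled version=\"[^\"]*\"; loaded version=\"\([^\" ]*\).*/\1/p" "$logfile" | tail -n 1
}

# Exit status: 0 = versions agree, 1 = mismatch (the APR warning case),
# 2 = no compiled/loaded notice for that library (LIBXML has none).
check_lib() {
    logfile=$1; lib=$2
    compiled=$(compiled_version "$logfile" "$lib")
    loaded=$(loaded_version "$logfile" "$lib")
    if [ -z "$compiled" ] || [ -z "$loaded" ]; then
        echo "$lib: no compiled/loaded notice in $logfile"
        return 2
    fi
    if [ "$compiled" = "$loaded" ]; then
        echo "$lib: ok ($compiled)"
    else
        echo "$lib: MISMATCH compiled=$compiled loaded=$loaded"
        return 1
    fi
}

# The libapr the dynamic loader resolves for the nginx binary; after
# `yum remove apr` this should no longer be the 1.3.9 system copy.
loaded_apr_library() {
    ldd "${1:-/opt/tengine/sbin/nginx}" | awk '/libapr-1/ { print $3 }'
}

# Usage: ./check_versions.sh /opt/tengine/logs/error.log [/opt/tengine/sbin/nginx]
if [ $# -ge 1 ]; then
    check_lib "$1" APR
    check_lib "$1" PCRE
    loaded_apr_library "${2:-}"
fi
```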
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent mode writes one file per transaction under SecAuditLogStorageDir instead of appending to a single serial log under a lock. The worker processes, which run as the nginx `user`, must be able to create directories and files there. A 0777 directory mode is more than that requires: giving the storage directory to the worker user with SecAuditLogDirMode 0750 works just as well and keeps the audit logs, which record request headers and bodies (cookies, passwords, tokens), from being readable by every local account.
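Preparing that storage directory with least privilege, as an added example that is not part of the original post: the script reads the worker user from nginx.conf's `user` directive (nginx's own default is nobody), creates the directory with mode 0750 owned by that user, and prints the matching modsecurity.conf lines, with SecAuditEngine RelevantOnly and the status filter from modsecurity.conf-recommended so that only 4xx/5xx transactions other than 404 are logged. The paths /var/log/modsecurity and /opt/tengine/conf/nginx.conf are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): create the Concurrent audit-log
# storage directory for the nginx worker user instead of opening it up with
# mode 0777. Default paths below are assumptions.
set -u

# User named by nginx.conf's `user` directive; nginx's default is nobody.
nginx_worker_user() {
    conf=$1
    u=$(sed -n 's/^[[:space:]]*user[[:space:]][[:space:]]*\([^[:space:];]*\).*/\1/p' "$conf" | head -n 1)
    echo "${u:-nobody}"
}

# Create DIR with mode 0750 owned by USER: the workers (running as USER) can
# create the per-day subdirectories and transaction files, other local
# accounts cannot read them. chown needs root and an existing user; if either
# is missing, say what still has to be run.
setup_audit_dir() {
    dir=$1; user=$2
    mkdir -p "$dir"
    chmod 0750 "$dir"
    if [ "$(id -u)" = 0 ] && id "$user" >/dev/null 2>&1; then
        chown "$user" "$dir"
    else
        echo "not root or no such user; run: chown $user $dir" >&2
    fi
    find "$dir" -maxdepth 0 -perm 750
}

# modsecurity.conf lines that go with that directory. RelevantOnly plus the
# status filter (both from modsecurity.conf-recommended) log 4xx/5xx
# transactions other than 404 rather than every request.
audit_directives() {
    dir=$1
    cat <<EOF
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Concurrent
SecAuditLogStorageDir $dir
SecAuditLogDirMode 0750
SecAuditLogFileMode 0640
EOF
}

# Usage: ./audit_dir.sh /var/log/modsecurity [/opt/tengine/conf/nginx.conf]
if [ $# -ge 1 ]; then
    user=$(nginx_worker_user "${2:-/opt/tengine/conf/nginx.conf}")
    setup_audit_dir "$1" "$user"
    audit_directives "$1"
fi
```

If the site sends session tokens or passwords in request bodies, keep SecAuditLogParts as recommended rather than adding part C (the full request body), so the audit log does not become a second copy of every credential submitted.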
% F8 w8 C$ ^. K8 j# P参考文章:/ z( k; r. S% r7 \( z: L* P! A
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
8 @$ C7 B2 w' @( N( dhttp://drops.wooyun.org/tips/2614 |
|