ModSecurity started life as an open-source WAF for Apache and is an effective way to harden a web tier. It now also supports nginx and IIS; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF and is a strong tool for both protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr. httpd-devel is needed only because ModSecurity's configure script looks for apxs (see section VII); Apache itself is never run:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Build ModSecurity with the standalone module

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

No make install is needed here: the nginx --add-module step in the next section links the standalone object straight from this build tree. --disable-mlogc skips the remote audit-log shipper (mlogc), which this setup does not use.
III. Add the ModSecurity module to nginx

Once the standalone module has been built, pass its directory to the nginx configure script with --add-module:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Adjust the --add-module path to wherever the ModSecurity source was unpacked. If you are rebuilding an existing Tengine, re-run configure with its original options (nginx -V prints them) plus --add-module, otherwise modules enabled earlier are silently dropped from the new binary.
IV. Adding rules

ModSecurity is a filtering and blocking engine, and its strength comes from the rules. OWASP publishes a community-maintained set known as the Core Rule Set (CRS), which is reliable and broad in coverage; custom rules can be written alongside it for anything site-specific.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

The directory layout and file names used below belong to the CRS 2.2 series; later releases reorganised the tree, so check out a 2.2.x tag rather than whatever the default branch currently holds if you follow this article literally.
2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches without blocking; leaving it there for a first pass against real traffic is the safest way to find false positives before enforcing.

owasp-modsecurity-crs contains several rule directories, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable what you need by adding Include lines for the rule files to modsecurity.conf; the CRS setup file must be included before any rule file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

The experimental_rules and optional_rules files are not part of the default CRS profile and are the ones most likely to produce false positives, so watch the audit log closely after enabling them.
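The following script is an added example and not part of the original article or of the ModSecurity or CRS projects. It turns steps 1 and 2 of this section into a repeatable file: it writes a local rule file that stages the CRS includes, starts the engine in DetectionOnly rather than On, and adds the two adjustments a production deployment almost always needs, a target exclusion for a known false positive and a small local rule. The file name modsecurity_local.conf, the local rule id 100001, the WordPress search parameter s and the assumption that 950901 is the CRS 2.2 SQL tautology rule are all illustrative choices, not anything the article specifies.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): stage the CRS rules from
# section IV in a separate local file instead of editing modsecurity.conf
# by hand. Assumptions: file name modsecurity_local.conf, local rule id
# 100001, exclusion of the WordPress search parameter "s" from rule 950901.
set -eu

# render_modsec_local CONF_DIR [MODE]
#   CONF_DIR: nginx conf directory (the post uses /opt/tengine/conf)
#   MODE:     DetectionOnly (stage, default) or On (enforce)
# Prints the path of the file it wrote. Add "Include modsecurity_local.conf"
# at the end of modsecurity.conf so that this SecRuleEngine setting wins.
render_modsec_local() {
    local conf_dir=$1 mode=${2:-DetectionOnly}
    case "$mode" in
        On|DetectionOnly) ;;
        *) echo "mode must be On or DetectionOnly, got: $mode" >&2; return 1 ;;
    esac
    cat > "$conf_dir/modsecurity_local.conf" <<EOF
# Start in DetectionOnly: every rule still writes to the audit log, nothing is
# blocked. Switch to On only after the log has been reviewed for false positives.
SecRuleEngine $mode

# The CRS setup file must come before any rule file.
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf

# Local exclusion (assumed): the WordPress search box legitimately carries
# SQL-looking words, so stop inspecting ARGS:s with the tautology rule.
# Must appear after the Include that defines 950901.
SecRuleUpdateTargetById 950901 !ARGS:s

# Local rule (assumed id 100001): reject obvious scanner User-Agents in
# phase 1, before the request body is read. @pm matches case-insensitively.
SecRule REQUEST_HEADERS:User-Agent "@pm sqlmap nikto" "id:100001,phase:1,deny,status:403,log,msg:'Scanner User-Agent'"
EOF
    echo "$conf_dir/modsecurity_local.conf"
}

# count_includes FILE -- number of Include lines, a quick sanity check that
# the expected rule files are referenced before running nginx -t.
count_includes() {
    grep -c '^Include ' "$1"
}

# Usage: render_modsec_local /opt/tengine/conf DetectionOnly
```

Run it once with DetectionOnly, let real traffic flow for a few days, review the audit log, then re-run it with On. Keeping local rules and exclusions in their own file means a CRS upgrade never overwrites them.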
V. Configure nginx

Add the following two lines to the location (or server) block of every virtual host that should be protected:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

The article uses a path relative to nginx's conf directory, which is where modsecurity.conf was copied in section IV.2; an absolute path works as well.
Two sample configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

With the two directives only in the PHP location, requests for static files served by the same server block bypass the WAF; place them at server level if every request should be inspected.

Second, an upstream load-balancing configuration (the upstream name and the proxy_pass target must match):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, a malicious request is answered with 403. Taking the PHP host as an example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS payloads are being filtered. The browser percent-encodes the space and the angle brackets; ModSecurity inspects the decoded arguments, so the rules still match. Remove phpinfo.php once the test is done: it discloses the PHP build, loaded modules and environment to anyone who can request it.

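The manual browser test above, as an added example that is not part of the original article: a small curl harness that sends the benign request and the two attack payloads and checks that only the attacks receive 403. Running the benign request alongside the attacks is what catches a rule set that blocks everything. The host name www.52os.net and the probe paths are taken from the article; the exact percent-encoding of the payloads is an assumption about what the browser sends.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): repeatable version of the
# section VI browser test. Assumes the probes below reach the nginx host
# directly and that curl is installed.
set -eu

# http_status URL -- print the HTTP status code, discard the body.
# -g (--globoff) stops curl from treating [] and {} in the URL as ranges.
http_status() {
    curl -s -g -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# run_waf_checks BASE_URL
# Prints one line per probe; returns the number of mismatches (0 = all good).
run_waf_checks() {
    local base=$1 failures=0 path expected url got
    # "<probe-path> <expected-status>" pairs. %20, %3C and %3E are what a
    # browser sends for the space and angle brackets typed in the post.
    while read -r path expected; do
        url="$base$path"
        # A connection failure shows up as 000 instead of aborting the run.
        got=$(http_status "$url" || true)
        if [ "$got" = "$expected" ]; then
            printf 'ok   %s %s\n' "$got" "$path"
        else
            printf 'FAIL %s (want %s) %s\n' "$got" "$expected" "$path"
            failures=$((failures + 1))
        fi
    done <<'EOF'
/phpinfo.php?id=1 200
/phpinfo.php?id=1%20and%201=1 403
/phpinfo.php?search=%3Cscript%3Ealert('xss');%3C/script%3E 403
EOF
    return "$failures"
}

# Usage: ./waf_check.sh http://www.52os.net
if [ $# -gt 0 ]; then
    run_waf_checks "$1"
fi
```

Run it after every rule change; a non-zero exit code means either an attack got through or the benign request was blocked, and the printed line says which.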
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server, turning one or more source or object files into a dynamic shared object. ModSecurity's configure script requires it even for the standalone build. Fix:

yum install httpd-devel
2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel
3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that only the version used at compile time remains:

yum remove apr

Before doing so, confirm which libapr the binary actually resolves with ldd /opt/tengine/sbin/nginx | grep apr, and read the dependency list yum prints: removing the distribution apr also removes the packages that depend on it, such as apr-util and httpd-devel.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The serial audit log is protected by a global mutex, and the error shows that the worker processes, which run as an unprivileged user, cannot lock it. Concurrent mode writes one file per transaction under SecAuditLogStorageDir instead. Create /var/log/modsecurity beforehand. A directory mode of 0777 gets it working quickly but leaves the audit log world-writable; once it works, tighten it to a mode such as 0750 with the directory owned by the worker user.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614