|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。, I+ k5 X& f Q" P! q8 a8 a
. G, g& J. c v3 g4 h" W一.准备工作
0 V# T0 Y5 q1 z5 C* C
0 r) n$ x+ b0 U' ~3 ^% M系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
9 k Q+ d. Q# m. s' v% e8 N1 V$ N% z, j4 w" H3 k( {
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
* Y S2 H- T1 s: }3 ? t; z' ], x) j9 Y# T) ]0 C! o
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz0 B+ c+ h6 B8 X, @' z1 e' j
0 }6 X2 z' x5 ~, [9 U
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
" `1 h! ?: H7 u5 N7 H% `
& r+ t/ y1 v6 p0 ]- c6 F依赖关系:
0 Z7 ?0 Y V7 |tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:7 U; `! k/ n7 \4 D
, q% N- c. {) ]1 a0 Ayum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
2 V) E( t( A' [' y# |; p% d3 b6 Nmodsecurty依赖的包:pcre httpd-devel libxml2 apr
, n6 \2 `" p3 B# C2 k5 w, v% m( ^5 t, D9 m, M7 D' i, L* V1 U
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel/ }$ x- p* d% \- `
二.启用standalone模块并编译, j* \# J% k$ O# n% |
" I6 a) J+ [2 i& o下载modsecurity for nginx 解压,进入解压后目录执行:( |6 k+ V4 c! `' D: H/ u
/ d* q( _8 f5 _) \+ y
./autogen.sh
$ b7 L' T5 _8 P. |! o./configure --enable-standalone-module --disable-mlogc
8 y1 v8 Y! {7 e: V1 Zmake k$ x/ m- O$ o+ Q1 A
三.nginx添加modsecurity模块! W4 e1 q O* d3 v2 B
/ g2 {" }% D. D. s# }
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:# t! D: N2 [& {5 S( \& X0 g- b
% o! H6 }$ |8 d7 ]& T& J
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine7 C# b U6 w9 e
make && make install
; b+ W: o' D5 B0 t4 f四.添加规则# T" Q" d: t% L: H( d7 }8 p
& Z2 A c& q% t0 P7 c) q0 N
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
. o$ [5 s' ~( w
2 }+ K& C' ?) @1.下载OWASP规则:
5 q1 x4 _, G: B7 e+ [9 N* D& i1 y( t3 Q, h, B/ j7 F: J9 R; H
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
* E% |5 F ~3 B" q! J" y8 q: Y0 f. ~9 ^/ C; e9 ^( d3 Y/ T
mv owasp-modsecurity-crs /opt/tengine/conf// ]; Z9 |2 V- R8 C
I* a. P5 ^8 Q. B$ y4 Ccd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf1 |$ W3 t" D- s B$ F# ]$ R
2.启用OWASP规则:' _1 `3 ]$ ~) n# d: `8 B
0 j( k1 v- Q: ^: I; Y复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。0 Z. _4 y: _4 z2 }
6 w6 k% F4 N, h( U/ D, R& O# w* O
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on! B! F8 C% g( y l0 |) F" T$ F' C
, q/ _3 v" _( U
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。! C+ L) r1 I# C5 u, W$ b& J6 p
# I6 x3 i7 p" g# k! b" w1 p% ]
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
! N2 i/ [) r$ d( \+ i. J6 `Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf0 {( f7 L7 y$ L
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf3 f" _3 x5 k! s" q5 L- [) V+ H
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
, Y: a9 s* g. B! R) TInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf9 d8 @- F, K* o6 v5 O7 T' K
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
' M% s3 E( Z6 O' y' jInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
1 {' p6 N' }2 Z9 ~0 S$ I) V8 _, Q五.配置nginx; q0 y; \* j- [2 v& k1 b Q
+ ]2 W- Q0 M1 @4 K3 ~在需要启用modsecurity的主机的location下面加入下面两行即可:# i S L: j# C7 ?9 h' v
% O" l% |- D; l. L2 ^+ p7 w+ B
ModSecurityEnabled on;
8 O/ G i- z- kModSecurityConfig modsecurity.conf;
/ e: e; }% t4 Q$ h: B; v下面是两个示例配置,php虚拟主机:
/ q! e( E" a' n+ d2 m& ^+ i3 \4 A2 F' t! I j% p3 s2 u& {
server {3 K% ^( B$ `6 u
listen 80;5 i+ u6 _& L8 k# H
server_name 52os.net www.52os.net;' E$ ` s o$ H
p* l2 l. M: x8 b! g! o8 u2 V location ~ \.php$ {
1 c$ o4 _2 y5 P' m u ModSecurityEnabled on;
' i y' O* v9 s4 a# n3 y ModSecurityConfig modsecurity.conf;# \5 `/ j7 R% X5 Q w
; q# F5 y2 p, M2 L5 L3 ]* l4 A
root /web/wordpress;; ?) m$ x5 B# ?9 T/ ^5 p9 A, ?
index index.php index.html index.htm;# n7 V% J) k1 |: A: P( O; k. c
R6 _: D9 U6 {# J3 P1 `/ t fastcgi_pass 127.0.0.1:9000;
! ~! g; p$ T7 J' D0 q1 ?( p. M fastcgi_index index.php;' v# E1 v/ @% \9 p% c
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;) d0 N! F& D$ F; C2 K3 |: g$ y
include fastcgi_params;% g9 d! k9 q4 S( M; t( n. c C
}
5 E2 R* @+ {8 b1 ]' t# a% |* D8 I }
. K% @; C+ c7 Y1 Vupstream负载均衡:
o8 E1 v- Z/ A" B5 j, I+ g" H3 I/ H. c1 i3 f5 `
upstream 52os.net {
4 z! i9 j% M* Y0 |+ c server 192.168.1.100:8080;
9 s; f6 I4 \, c1 l6 f$ X server 192.168.1.101:8080 backup;
8 a9 ]7 ?0 Y3 _* O( J}; K. j: g9 u. i
* X1 d& R J. z) k( vserver {
& ` }8 |9 b- w: g# Z$ llisten 80;! |$ s) H6 C! \; C5 V
server_name 52os.net www.52os.net;
7 B5 K1 b1 G2 |2 Y" z- N; |3 j' |, h0 B% @+ @: f y: O
location / {
5 X" a; r2 ^/ w( g* ^7 o) _ ModSecurityEnabled on;
0 R1 D& |6 i/ {$ O# e$ f ModSecurityConfig modsecurity.conf;
6 t/ C* n% u$ G% V& j. F1 }$ @% q9 O
proxy_pass http://online;+ A8 A& t- F- V) ?9 @
proxy_redirect off;
, f. Z- ^- L& `/ D1 s9 X proxy_set_header Host $host;8 N+ W6 K8 v; n& N9 J& i- Q j
proxy_set_header X-Real-IP $remote_addr;; G: C# e4 T# b# W* u+ S$ r% v
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
0 E8 V0 @" ]7 a0 K }, i6 |" I! r; h* F( C' ]# g9 X
}
. U7 E) x+ v6 ^1 G* D+ I! U! }六.测试) f( W2 `9 {; b2 p! j4 Z
7 }4 u3 p9 T- r" ~8 N% B8 W5 L( x我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:( V D4 {; F, l7 K" j' n
0 |3 @) I2 ]3 M$ F6 X<?php
; i3 L5 d+ |" y$ [& g0 i phpinfo(); * X d' J# ~1 B# g5 C9 x. @
?>! t2 l% D# i' d1 h9 Y
在浏览器中访问:5 G" J- y3 w2 N ?+ U
- w; T3 [( W* U5 i% H
http://www.52os.net/phpinfo.php?id=1 正常显示。$ X: L. u B- w) G8 K8 W0 F
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
5 y" M- y* q0 A! m }http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。9 B: }* r8 B# b( {
说明sql注入和xss已经被过滤了& r1 a# r: {: Z5 u1 c" c. X8 G3 V
" D* |4 n# e* G0 f/ X0 m
七、安装过程中排错
; f$ @% I) q+ |: z6 v- H8 F, N6 I- r; N7 c' [8 t
1.缺少APXS会报错
5 F2 `; W3 w6 V( M
, D* o1 X3 V2 iconfigure: looking for Apache module support via DSO through APXS
' Q+ s; Y8 Y! Wconfigure: error: couldn't find APXS
; A% n+ v6 U5 Z1 gapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
7 u8 e* Y; N$ {7 H) m5 l* P! w解决方法:: [" f0 m4 V7 v# G+ z4 f
: Q9 L7 m2 E6 ~/ l- B+ p+ P, C( f- r
yum install httpd-devel
" z& e0 j% i* o2.没有pcre3 V3 @ X8 Z6 N( u$ ]: Z$ \
* i( }0 N! W" [: u. X! t; r b
configure: *** pcre library not found.
+ n$ T6 N: K- w. s% _* B8 ]configure: error: pcre library is required- H1 R" c$ x( P. y! y+ I2 w& H
解决方法:
/ S$ K4 D. w1 B# i! d+ h% }# Y% L% e+ {# P
yum install pcre pcre-devel. {. q7 C/ Z0 g5 Z8 X0 W1 y
3.没有libxml2
- b3 o5 e2 c. V6 l' c* \8 z0 k7 A9 o! G7 \( i
6 S& d8 w+ V. p; _9 t) ?, l% A
configure: *** xml library not found.
& R: Z+ J, |* N( q! H& U# L3 oconfigure: error: libxml2 is required
% _1 q. C& A( V+ a4 S解决方法:2 o" j. f" K8 X# B
1 p9 d& @; B6 \; f2 m7 ?# |4 ]yum install libxml2 libxml2-devel. G% ?2 I+ M, r
4.执行 /opt/tengine/sbin/nginx -m 时有警告) q/ X H. {) g, ?4 O% V! ?
* ?* e- X; l# [, L ~5 V& NTengine version: Tengine/2.1.0 (nginx/1.6.2)
. Q- r, B- P" {, ~9 anginx: [warn] ModSecurity: Loaded APR do not match with compiled!
1 b6 f7 `7 c6 |2 o7 W/ H" J原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log) }( {' I, v# \* |4 d. l% K. T
- `5 y1 c, B0 k4 Z4 R& T3 A2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.; O( d7 x# j2 Z1 h* h
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"/ X9 {$ y2 ^2 a* e
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
+ Z1 {# Y2 l0 ^2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05", _. `6 K3 \5 K1 [1 ?0 v! {
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"! \ H! N5 W2 K6 v( x, U$ t- ]
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On., t9 k) l+ e J# r. b6 ~ J
解决方法,移除低版本的APR (1.3.9)
n$ x; _8 g2 R+ B" |/ f1 K L* I! _
+ Q1 s4 [2 f1 }yum remove apr. R4 W- H _; h- [% J1 x1 \
5.Error.log中有: Audit log: Failed to lock global mutex
. r( q& C. ]! I% y: w5 ]1 O" m2 z* y
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock ' w8 S$ v9 a. w i
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]- H/ @( F. ]; f7 C4 {3 I
解决方法:
0 R" r# B/ l+ m2 c8 b+ D编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
; S5 w B2 R+ |- V1 ^0 i5 F
, Z6 @; F/ M$ U: F) i5 h: L' s4 R3 _SecAuditLogDirMode 07775 M$ s. q- S$ I7 s [$ L
SecAuditLogFileMode 0550
% F: Q' C0 |; w7 b, {- zSecAuditLogStorageDir /var/log/modsecurity/ h; n4 r5 u4 r1 o
SecAuditLogType Concurrent
4 M9 v6 `, A# p3 { m' G参考文章:' l7 r1 |; C# s/ z
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX% Z6 n7 p# r) a. O/ w. b$ Y
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡