|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
$ M: P& l7 c8 J8 R) G0 J2 [ T
5 R8 A; I, H. X- R一.准备工作; f0 U$ }: y6 y' o3 ~- Q& Z
4 Q3 I; M3 @3 w系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
7 `- R+ j5 B1 B; }. j# \6 _
]- V" ` l/ I, k. Vtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
( E% f2 b3 f0 w. b6 ]
; K* W( ^% T, V; |( M9 m, U5 z* Hmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz7 r0 K+ n% K0 }. R1 V' n8 @
3 l" J; A! h9 F( ~) IOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
3 J& L5 q' [4 E$ D8 ^: q9 M" v1 V
依赖关系:4 q* ^( v+ R* ?: ]3 o" m+ A& V
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:: S$ G' b0 g& i' `% T+ S
5 k" e. X7 O- {7 }: W% H; s# [
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel$ r# g: G3 F; _4 B. T9 N) G
modsecurty依赖的包:pcre httpd-devel libxml2 apr- G* P5 M% V' ^
; B* V* ?0 @6 E/ O: p6 ryum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
: ]" m4 R- V% w6 i( l# f二.启用standalone模块并编译+ s0 Z/ R- w3 P2 J: e
: Q. L- P& \) T下载modsecurity for nginx 解压,进入解压后目录执行:
0 k. D% C2 Y" t& v; A) t0 K+ }2 A" S5 w
./autogen.sh
, l: B/ E: \+ q/ R- e% g W# i./configure --enable-standalone-module --disable-mlogc
+ M3 B# j- e! n! cmake
1 M% z' B, b1 K7 `三.nginx添加modsecurity模块
6 u1 S9 j; y( C+ }4 h) A; F2 C
$ @( c& s- s9 n) I! v8 ^: m在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
: {2 Z! F1 J+ ?2 y6 s6 |: ~$ z9 {3 N, v7 c, }( H6 h3 ^
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine8 H- v3 A) G3 l9 ^( F
make && make install; ~9 Y- s" W! [. E
四.添加规则
3 B0 w! t; B0 u5 s. a7 r
/ g y5 j4 |6 v, f/ _modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。% ]! \, \# k: l8 G) T
# Z# V: }5 @; ^ j
1.下载OWASP规则:
& O# z2 t- K, J) l) q8 }% N' b4 u: p+ d
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
( P* W/ `, U5 {/ ]2 e7 w- ?
) l; B' y& z( w2 Q' ]mv owasp-modsecurity-crs /opt/tengine/conf/9 B3 f$ B% C7 o; \2 r! f5 t
O l7 F U8 k9 s# lcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
& O8 ]4 V+ u @7 |) W Z; B2.启用OWASP规则:3 Y4 c3 q+ M- u* A1 `. W5 }3 x# X
% l( i( r+ b* `* W复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。: C8 m: ~; j! f% j1 O% o
) c1 Y; ?$ m6 t0 s编辑modsecurity.conf 文件,将SecRuleEngine设置为 on4 x( |; B( Q% S' f4 e
6 X+ @* U3 t; F+ b
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
1 y6 e4 a- e2 T& p( t2 n3 d) q% x) p" c& _
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
& R3 C5 r* @: ]/ Y7 \8 G P8 |Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
, R! k1 p7 p: B2 z/ f' CInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf% T; }! M+ s1 o a3 e! n* C1 z6 h
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
& d! {1 Z0 N" n- ?9 r' B, sInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf) C) [, }1 j/ i% d
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf2 ]* x3 o# g7 ~" Z
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
0 {7 N" I, v- u6 m( c$ N7 U& Z五.配置nginx- c; P1 O4 o0 S# e$ }( ~
; k P* c; _) c) k0 ~( h; E在需要启用modsecurity的主机的location下面加入下面两行即可:
( K! _# i9 g9 t8 D$ P6 ]3 Y1 s
! a5 I9 A# K% _ModSecurityEnabled on; + O3 i, \% B" t! h( d' Q) R1 p* _ e
ModSecurityConfig modsecurity.conf;: G/ _, _6 ~) _/ X0 z
下面是两个示例配置,php虚拟主机:5 W) l. F) s9 s- i5 M
& F# v. D. M& m: j8 o8 s5 Tserver {' F% _5 H) w1 @( i7 |2 |' ~- A
listen 80;
3 p! Q$ Q% H( P* T server_name 52os.net www.52os.net;8 F0 ^* \( A' d( e; H5 p4 C" v* n
. R' i2 B% ^: ~" {7 Y location ~ \.php$ {
" C7 v) W! p' }) F ModSecurityEnabled on; ) N. x6 f2 L6 B8 _9 ]5 X
ModSecurityConfig modsecurity.conf;
3 m1 h- C& p9 M) ^3 X$ }. t9 S
* x% l4 O$ v1 @. N: f+ {0 @$ } root /web/wordpress;
h& ]3 Q9 N/ s* P0 Z# U" t; W index index.php index.html index.htm;+ K: Q. i) _+ B* I. T3 M7 U4 l% L
$ m/ z- Z, z+ w: y% x f0 ?8 \
fastcgi_pass 127.0.0.1:9000;
5 [$ F0 |' i4 x$ ?1 e fastcgi_index index.php;& p; ^! D4 A8 u. W5 `9 t
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
+ ^6 f' i' y7 T2 s/ n include fastcgi_params;! \: f9 U8 s7 c( Q' G; t8 Z
}
+ w: q3 O) H( e) n- j+ B+ G, j }4 N+ o5 k" f0 t, [. q' q$ h2 o+ s
upstream负载均衡:
3 K1 B1 ]- Q' L& ]/ g- T( @' g$ G9 _( a
upstream 52os.net {% b& }3 u2 h% y$ C
server 192.168.1.100:8080;
8 l* b, {$ @' G) a7 ` server 192.168.1.101:8080 backup;% E; l; L) H2 b) V6 w
}
; W0 n2 F' M- M
3 v" J1 P) \2 f' {8 @server {5 s9 `" m3 v. C: A' k
listen 80;: A3 N" P1 j8 O9 L3 T d; D
server_name 52os.net www.52os.net;7 G: { G9 i( P7 V* b4 `
3 o$ E' S$ m W: ? W
location / {
# R0 l/ K, E) k ModSecurityEnabled on; 1 _( q' a7 k3 @/ b9 f3 v9 K7 p: y
ModSecurityConfig modsecurity.conf; " O F1 w, h" y E
& e' z3 J6 ^: Q9 E proxy_pass http://online;
7 _0 Z7 r& u F4 L0 F* Z9 b proxy_redirect off;
/ x9 q4 W, _3 G( B3 I# f proxy_set_header Host $host; b" R: M7 A/ N9 P; B0 [
proxy_set_header X-Real-IP $remote_addr;
9 n$ O* M- p' Q w0 r T ^ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" B. y8 a( e- D4 f5 s" \+ u5 P, F8 S
}! d, U9 e) P# n$ n4 k
}3 d7 K) \8 l: U6 `# B* {
六.测试, `) R5 F ?7 ?. r9 `9 g1 Z
, H$ v. @% }7 q# \" a
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:! N3 L. F- z& @1 \4 d
7 l8 V5 a4 X' u* J9 d
<?php
5 H6 W/ P! ?; S, Y phpinfo(); 9 H @5 ^9 ]* @( ?' r6 A
?>+ G; m9 R8 _$ Y1 L
在浏览器中访问:
# X D1 z3 ?0 _( s6 ?0 I! v: @
) P/ }& e* V8 Y9 c3 {4 z/ xhttp://www.52os.net/phpinfo.php?id=1 正常显示。
: R8 E8 w+ Z$ e8 u( Chttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
' n+ F# B. d8 s2 }3 q# N$ w* chttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。$ P( j# m* o7 j
说明sql注入和xss已经被过滤了- \+ s% H# G) z- n1 S
, z" b! ^# x0 w" f* w9 T" l: {七、安装过程中排错' V1 }! R# y% u- K' Z# A
6 V) Q5 b' |: @3 n7 F9 K( y
1.缺少APXS会报错
9 M) T8 s$ C x4 D6 _ e$ W4 n) T# Y
configure: looking for Apache module support via DSO through APXS
) |& A- @9 D: ?: i* ~, u/ Z5 cconfigure: error: couldn't find APXS
2 X; ^- n6 }0 ] ~3 zapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
+ e3 J) q6 E) ^* J% P解决方法:2 _8 C0 v7 r0 V) h
7 p/ ^1 m9 q: `( W6 v0 `& D8 P
yum install httpd-devel
' r7 E6 @; g% S" W# s4 ~' ~* n5 ?8 m2.没有pcre. m! F; i& \% `1 c* U
& u k/ Y$ `3 v& q. j
configure: *** pcre library not found.* u: g$ `3 I0 `9 e3 A; G
configure: error: pcre library is required
2 w1 F3 D6 `, y6 x解决方法:
7 w' c# ]1 I4 u4 K7 u
8 V# }6 U+ E' }9 U$ z: p1 jyum install pcre pcre-devel
0 X3 {; Y A+ V3 c" K/ h; ~+ j$ l3.没有libxml28 Y# x9 {# J8 n# ^- [8 x5 ]' W
4 T. a$ {2 d( m! j/ O, s; Y7 l/ S- I1 w, X5 l( l0 [" W% D
configure: *** xml library not found.
% D' K5 Q! i' u) u7 nconfigure: error: libxml2 is required, I( [- V; `; L8 Q
解决方法:
6 z8 N4 C. A- q: @& r8 r+ s3 u' W, t8 Z+ {) O! B; V
yum install libxml2 libxml2-devel
2 L y: k# L& o2 O4.执行 /opt/tengine/sbin/nginx -m 时有警告
: [. ]) o! K# [0 a( g$ w4 A' r5 A1 n( X0 q. w# q' p" o
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
8 s% T* U4 _! C& L# l9 |# vnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
. I% q5 m, V4 H( f3 ~/ ]" k8 k6 L- H原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log( o/ U5 Y5 }8 @
& c! N; y: t9 a& D4 m; M( b
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.! g& X, u& J+ E8 j" S( D
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
4 P) L% N+ V; V$ ~6 H* W* ~& N& d2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!# C; j6 b! ~ L# M- K/ l
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"- x+ f; f1 ?: h! j$ d& U
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"$ Y' J. A* Z7 W3 E3 s4 l M ~
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
1 T; @: S2 @# b* S解决方法,移除低版本的APR (1.3.9): }2 y8 g: \+ C" B( X
: M+ H- P+ t% F% Z+ O0 }. H
yum remove apr) G( t8 ]7 I0 p, E4 L. U
5.Error.log中有: Audit log: Failed to lock global mutex
$ t% ?& U: U7 W( N7 W6 ]! g+ |6 |- i- }9 I) d/ ^
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
; `; a% N: O1 F: S9 xglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]' f3 M8 P% @$ Q# o
解决方法:
( `7 Z+ i: Z) H- a Z; \编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:4 ]" c+ ?' {) t/ S) V% E
# y0 Y8 F7 b8 h( a$ \$ xSecAuditLogDirMode 0777
- m4 j6 R1 O6 E! i- USecAuditLogFileMode 0550
$ x1 }( R, {% M0 ^) P3 R/ xSecAuditLogStorageDir /var/log/modsecurity3 U7 ?" q: v% e6 Z9 O, C
SecAuditLogType Concurrent1 Y$ W1 y* F( S% J; Z
参考文章:) C, W' F/ O# o& J
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX7 d, S) J# s& Z5 C( G9 E7 o
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡