Implementing WAF functionality with nginx and ModSecurity

Posted 2017-10-19 16:53:31

ModSecurity was originally an open-source WAF for Apache that can noticeably strengthen web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone build has finished, the ModSecurity module can be added when building nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet your own needs.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling them into modsecurity.conf with Include (paths are relative to the nginx conf directory):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines to the location block of each host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:
server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root  /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
Second, an upstream for load balancing:

# the upstream name is what proxy_pass below refers to
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass        http://online;
        proxy_redirect    off;
        proxy_set_header  Host $host;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We have enabled the XSS and SQL-injection filters, so abnormal requests get a 403 straight back. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Visit in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
/ W! o- f( `5 i  I
7. Troubleshooting the installation

1) Missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel
2) pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel
3) libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4) Running /opt/tengine/sbin/nginx -m produces a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log will also contain the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5) error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The Concurrent type writes one audit file per transaction into SecAuditLogStorageDir instead of appending to a single serial log guarded by the mutex. That directory must be writable by the user the nginx worker processes run as; if it is owned by that user, a mode tighter than 0777 is sufficient.
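A small parser for the error.log entries shown in items 4 and 5, as an added example that is not part of the original post. It splits each nginx error.log line into timestamp, level, client address, the bracketed [key "value"] fields and the free-text message; flags libraries whose loaded version differs from the compiled one (the APR case above); picks out audit-log failures; and tallies rule hits per rule id and per client, which is what you would feed a dashboard or alert on. The first five sample lines reproduce the entries quoted above; the two "Access denied" lines are constructed in ModSecurity 2.x alert format with illustrative CRS rule ids, file paths and unique_id values.

```python
"""Parse nginx error.log entries written by ModSecurity 2.x (added example).

Covers the two log shapes quoted in the troubleshooting section: startup
notices reporting compiled vs loaded library versions, and per-request alerts
that carry [key "value"] fields such as [uri "..."] and [id "..."].
"""
import re
from collections import Counter

# Constructed sample. Lines 1-5 follow the entries quoted in the post; the two
# "Access denied" lines are illustrative CRS 2.x hits (ids, paths, unique_ids are examples).
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "EXAMPLE0000000000000001"]
2015/01/26 04:20:09 [error] 61610#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "EXAMPLE0000000000000002"]
"""

# nginx error.log prefix: "YYYY/MM/DD HH:MM:SS [level] pid#tid: rest"
ENTRY_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?P<rest>.*)$')
CLIENT_RE = re.compile(r'^\[client (?P<client>[^\]]+)\]\s*')
# ModSecurity alert fields: [name "value"], value may contain escaped quotes
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]\s*')
VERSION_RE = re.compile(r'ModSecurity: (\w+) compiled version="([^"]*)"; loaded\s+version="([^"]*)"')


def parse_entry(line):
    """Split one error.log line into a dict; None for lines not in nginx format."""
    m = ENTRY_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    rest = entry.pop("rest")
    cm = CLIENT_RE.match(rest)
    entry["client"] = cm.group("client") if cm else None
    if cm:
        rest = rest[cm.end():]
    # Bracketed fields go into a dict; what remains is the free-text message.
    entry["fields"] = dict(FIELD_RE.findall(rest))
    entry["message"] = FIELD_RE.sub("", rest).strip()
    return entry


def parse_log(text):
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def library_mismatches(entries):
    """(lib, compiled, loaded) for libraries whose loaded version differs (item 4).

    Only the leading version token is compared, so PCRE "7.8 " vs
    "7.8 2008-09-05" is not flagged, which matches the warning ModSecurity itself emits.
    """
    found = []
    for e in entries:
        m = VERSION_RE.search(e["message"])
        if not m:
            continue
        lib, compiled, loaded = m.groups()
        if (compiled.split() or [""])[0] != (loaded.split() or [""])[0]:
            found.append((lib, compiled.strip(), loaded.strip()))
    return found


def audit_log_failures(entries):
    """Entries like item 5: the audit log could not be written."""
    return [e for e in entries if e["level"] == "error" and "Audit log:" in e["message"]]


def rule_hit_summary(entries):
    """Count alerts by (rule id, msg) and by client address."""
    by_rule, by_client = Counter(), Counter()
    for e in entries:
        f = e["fields"]
        if "id" in f:
            by_rule[(f["id"], f.get("msg", ""))] += 1
            by_client[e["client"] or "unknown"] += 1
    return by_rule, by_client


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for lib, compiled, loaded in library_mismatches(entries):
        print(f"{lib}: compiled {compiled} but loaded {loaded}")
    for e in audit_log_failures(entries):
        print(f"audit log failure from {e['client']} on {e['fields'].get('uri')}: {e['message']}")
    by_rule, by_client = rule_hit_summary(entries)
    for (rule_id, msg), n in by_rule.most_common():
        print(f"rule {rule_id} ({msg}): {n}")
    for client, n in by_client.most_common():
        print(f"client {client}: {n} hit(s)")
```

To use it on a real server, replace SAMPLE_LOG with the contents of the error.log configured for the Tengine instance; the version check is worth running once after every rebuild, since a mismatch like the APR one only shows up at startup.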
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614