ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 system repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr:

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make
III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added when compiling nginx via "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover your own needs.

1. Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On, so that matching rules actually block requests rather than only logging them.

owasp-modsecurity-crs contains several directories of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; a rule file is enabled simply by Including it:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location of each virtual host where ModSecurity should be enabled, add the following two lines:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # nginx variable names are case-sensitive: $document_root, not $Document_root
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

An upstream load-balancing setup:

    # the upstream name must match the host used in proxy_pass below
    upstream online {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            proxy_pass http://online;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests get a 403 straight back. Taking the PHP environment as an example, create a phpinfo.php with the following content:

    <?php
    phpinfo();
    ?>

Open the following in a browser:

    http://www.52os.net/phpinfo.php?id=1                                   displays normally.
    http://www.52os.net/phpinfo.php?id=1 and 1=1                           returns 403.
    http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that SQL injection and XSS are being filtered.
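The three browser checks above, automated as a small smoke test. This is an added example, not part of the original post: it sends the same benign, SQL-injection-shaped and XSS-shaped requests and checks that the WAF answers 200, 403 and 403. The base URL is passed on the command line (the host and the /phpinfo.php path are assumptions matching the examples above), and the `fetch` function is injectable so the harness itself can be exercised without a live server.

```python
"""Smoke test for a ModSecurity/nginx deployment (added example, not from the post)."""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed probe set mirroring the post's browser tests:
# (label, query parameters, expected HTTP status).
PROBES = [
    ("benign", {"id": "1"}, 200),
    ("sqli-shaped", {"id": "1 and 1=1"}, 403),
    ("xss-shaped", {"search": "<script>alert('xss');</script>"}, 403),
]


def http_status(url, timeout=5):
    """GET url and return the status code. urllib raises on 4xx/5xx, and a
    403 from the WAF is exactly what we want to observe, so unwrap it;
    a connection failure is reported as None so the probe shows up as FAIL."""
    req = urllib.request.Request(url, headers={"User-Agent": "modsec-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return None


def build_url(base_url, path, params):
    """Percent-encode the probe parameters so the request line is well-formed;
    ModSecurity URL-decodes ARGS again before the CRS rules inspect them."""
    return base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)


def run_probes(base_url, path="/phpinfo.php", probes=PROBES, fetch=http_status):
    """Run each probe and return (label, expected, actual, ok) tuples."""
    results = []
    for label, params, expected in probes:
        actual = fetch(build_url(base_url, path, params))
        results.append((label, expected, actual, actual == expected))
    return results


def all_passed(results):
    """True when every probe received the status it was expected to get."""
    return all(ok for _, _, _, ok in results)


if __name__ == "__main__":
    # Usage: python waf_smoke_test.py http://www.52os.net
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1"
    results = run_probes(base)
    for label, expected, actual, ok in results:
        print(f"{'PASS' if ok else 'FAIL'}  {label:12s} expected={expected} got={actual}")
    sys.exit(0 if all_passed(results) else 1)
```

A non-zero exit code makes the script usable from a deployment pipeline: run it after every rule or nginx change so that a rule set that silently fell back to DetectionOnly (everything returns 200) or a broken backend (everything returns 502) is caught immediately.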

VII. Troubleshooting the installation

1. Missing APXS

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

    yum install httpd-devel

2. pcre missing

    configure: *** pcre library not found.
    configure: error: pcre library is required

Solution:

    yum install pcre pcre-devel

3. libxml2 missing

    configure: *** xml library not found.
    configure: error: libxml2 is required

Solution:

    yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

    yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent
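Once ModSecurity is running, error.log is where both of the problems in items 4 and 5 surface, alongside the "Access denied" lines written when a CRS rule blocks a request. The following Python script is an added example, not part of the original post: it parses the nginx error.log framing and the trailing [key "value"] fields ModSecurity appends, reports library version mismatches (item 4), counts blocked requests per rule id and client, and flags audit-log failures (item 5). The startup notices and the mutex error in the sample are the lines shown above; the two "Access denied" lines, including their rule ids and messages, are constructed in the CRS 2.x style and are not taken from a real server.

```python
"""Summarise ModSecurity 2.x messages found in nginx error.log (added example)."""
import re
from collections import Counter

# nginx error.log framing: "YYYY/MM/DD HH:MM:SS [level] pid#tid: [*conn ]message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: (?:\*\d+ )?(?P<msg>.*)$"
)
# ModSecurity appends trailing [key "value"] fields; values may contain \" escapes.
FIELD_RE = re.compile(r'\[(?P<k>[a-z_]+) "(?P<v>(?:\\.|[^"\\])*)"\]')
CLIENT_RE = re.compile(r"^\[client (?P<client>[^\]]+)\] ")
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>APR|PCRE|LIBXML) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)

# Constructed sample log. Lines 1-5 and the last line are the ones shown in the
# post; the two "Access denied" lines (rule ids, messages, unique_ids) are made up.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 03:10:02 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(constructed)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcA1"]
2015/01/26 03:10:09 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(constructed)" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [id "973335"] [msg "IE XSS Filters - Attack Detected"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcA2"]
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""


def parse_line(line):
    """Split one error.log line into nginx framing, client address and
    ModSecurity fields. Returns None for lines that are not error.log entries."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    c = CLIENT_RE.match(rec["msg"])
    rec["client"] = c.group("client") if c else None
    rec["fields"] = {k: v.replace('\\"', '"') for k, v in FIELD_RE.findall(rec["msg"])}
    rec["modsecurity"] = "ModSecurity" in rec["msg"]
    return rec


def version_mismatches(log_text):
    """Return (lib, compiled, loaded) for every startup notice whose loaded
    library differs from the compiled one. Only the leading version token is
    compared, so PCRE's trailing build date ("7.8 2008-09-05") is not a false alarm."""
    found = []
    for line in log_text.splitlines():
        m = VERSION_RE.search(line)
        if not m or m.group("loaded") is None:
            continue
        compiled, loaded = m.group("compiled").split(), m.group("loaded").split()
        if compiled and loaded and compiled[0] != loaded[0]:
            found.append((m.group("lib"), m.group("compiled"), m.group("loaded")))
    return found


def summarize(log_text):
    """Count blocked requests per rule id and per client, and count audit-log
    failures, which mean blocked requests are not being recorded for review."""
    by_rule, by_client, audit_failures = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["modsecurity"]:
            continue
        if "Access denied" in rec["msg"]:
            by_rule[rec["fields"].get("id", "?")] += 1
            by_client[rec["client"]] += 1
        elif "Audit log:" in rec["msg"]:
            audit_failures += 1
    return {"by_rule": dict(by_rule), "by_client": dict(by_client),
            "audit_failures": audit_failures}


if __name__ == "__main__":
    # Usage: python modsec_errorlog.py < /opt/tengine/logs/error.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for lib, compiled, loaded in version_mismatches(text):
        print(f"MISMATCH {lib}: compiled {compiled!r}, loaded {loaded!r}")
    print(summarize(text))
```

A non-empty `version_mismatches` result is the programmatic form of the warning in item 4, and `audit_failures > 0` means the fix in item 5 is still needed. On that fix, note that SecAuditLogDirMode 0777 makes the audit directory world-writable; the directory only needs to be writable by the user the nginx workers run as.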
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614