ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application. It now supports Nginx and IIS as well; paired with Nginx's flexibility and performance it can be turned into a production-grade WAF, and is a real asset for both protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel, libxml2 and apr. httpd-devel is only there for apxs and the APR headers at build time; Apache itself never has to run on this box:

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make

III. Add the ModSecurity module to nginx

With the standalone build done, the module is added to nginx at configure time through "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install
IV. Add rules

ModSecurity is about filtering and blocking web threats, and its strength lies in its rules. The rule set OWASP provides is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course write your own rules for anything else you need.

1. Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which logs matches but blocks nothing; On is what actually returns the 403s.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever you need by Include-ing the files in modsecurity.conf. Keep modsecurity_crs_10_setup.conf as the first Include: it defines the variables (anomaly-score thresholds, allowed methods and so on) that the rule files expect to be set.

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In every location that should be protected by ModSecurity, add these two lines:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Note that the switch is per location: in the PHP example below only requests that land in the "\.php$" location are inspected, and anything served by other locations (static files, for instance) bypasses the WAF entirely.

Below are two sample configurations. A PHP virtual host:

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

(nginx variable names are case-sensitive: it is $document_root, not $Document_root, otherwise "nginx -t" fails with an unknown variable.)

Upstream load balancing. The upstream name has to match the host part of proxy_pass, so both are "online" here:

    upstream online {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            proxy_pass http://online;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
VI. Testing

We enabled the XSS and SQL injection rules, so abnormal requests should get a 403 straight away. Taking the PHP setup as an example, create phpinfo.php containing:

    <?php
    phpinfo();
    ?>

Open these in a browser:

    http://www.52os.net/phpinfo.php?id=1                                   displays normally
    http://www.52os.net/phpinfo.php?id=1 and 1=1                           returns 403
    http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403

This shows SQL injection and XSS are being filtered. Two hand-picked payloads only prove that the rules are loaded, though; before switching a production site to SecRuleEngine On, run real traffic through DetectionOnly for a while and review the audit log for false positives on legitimate requests.
VII. Troubleshooting the installation

1. Missing APXS

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even for the standalone build. Fix:

    yum install httpd-devel

2. Missing pcre

    configure: *** pcre library not found.
    configure: error: pcre library is required

Fix:

    yum install pcre pcre-devel

3. Missing libxml2

    configure: *** xml library not found.
    configure: error: libxml2 is required

Fix:

    yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against is not the one loaded at run time. error.log shows the same thing:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

    yum remove apr

Check what depends on it first: httpd-devel (and httpd, if installed) depend on the distro apr package, so yum removes those along with it. Confirm which libapr the nginx binary actually resolves with "ldd /opt/tengine/sbin/nginx | grep apr" before and after.

5. error.log shows: Audit log: Failed to lock global mutex

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent

Concurrent mode writes one file per transaction under SecAuditLogStorageDir, so the directory has to be writable by the nginx worker user. 0777 gets it working but makes the directory world-writable, which lets any local user plant or tamper with audit records; once it works, give the directory to the worker user and tighten the mode.
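An added triage helper, not code from the original post or from ModSecurity: it parses the ModSecurity entries in error.log shown in items 4 and 5 into their bracketed fields and separates rule hits (the "Access denied with code 403" lines a CRS block produces) from operational messages such as the mutex failure above, so a log full of "Permission denied" errors is not mistaken for attack traffic, and attack traffic is not hidden among them. The sample lines are constructed from the entries in this section; the two rule-hit lines imitate the shape of a CRS match, and their rule ids, file paths and unique_ids are illustrative.

```python
#!/usr/bin/env python3
"""Triage helper for ModSecurity entries in nginx/Tengine error.log.

Added example, not code from the original post or from ModSecurity.
It splits the '[key "value"]' fields ModSecurity appends to its messages
and separates rule hits (Access denied) from operational errors such as
the audit-log mutex failure, so the two are not confused.
"""
import re
from collections import Counter

# Constructed sample in the shape of the lines shown in this section.
# The "Access denied" lines imitate a CRS rule hit; rule ids, paths and
# unique_ids are illustrative, not taken from a real log.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack"] [data "1 and 1=1"] [severity "CRITICAL"] [hostname ""] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 04:20:09 [error] 61610#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "23"] [id "973300"] [msg "XSS Attack Detected"] [severity "CRITICAL"] [hostname ""] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
"""

# nginx error.log prefix, optional "[client ip]" tag, then the ModSecurity message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: (?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<body>.*)$"
)
# The trailing '[key "value"]' pairs ModSecurity appends to every message.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_line(line):
    """Parse one error.log line; returns None for lines ModSecurity did not write."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    body = rec.pop("body")
    first = FIELD_RE.search(body)
    # Free text before the first bracketed field is the actual message.
    rec["message"] = (body[:first.start()] if first else body).strip()
    rec["fields"] = dict(FIELD_RE.findall(body))
    return rec


def is_block(rec):
    """True for a rule hit that ModSecurity enforced (SecRuleEngine On)."""
    return rec["message"].startswith("Access denied")


def summarize(lines):
    """Count blocked requests by rule id and client; list operational errors.

    Error/warn lines that are not rule hits point at a broken WAF (wrong
    library, unwritable audit dir), not at an attacker, so they are kept apart.
    """
    recs = [r for r in map(parse_line, lines) if r]
    blocks = [r for r in recs if is_block(r)]
    operational = [r["message"] for r in recs
                   if r["level"] in ("error", "warn") and not is_block(r)]
    return {
        "blocks": len(blocks),
        "by_rule": Counter(r["fields"].get("id", "?") for r in blocks),
        "by_client": Counter(r["client"] for r in blocks),
        "operational": operational,
    }


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    s = summarize(src)
    print(f"blocked requests: {s['blocks']}")
    print("by rule id:", dict(s["by_rule"]))
    print("by client: ", dict(s["by_client"]))
    for msg in s["operational"]:
        print("WAF problem:", msg)
```

Run it against the live file with "python3 modsec_triage.py /opt/tengine/logs/error.log". A non-empty "WAF problem" list after a deploy is the thing to fix first: while the audit log cannot be written, the 403s still happen but the per-transaction evidence that explains them is lost.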
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614