ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now supports nginx and IIS as well. Combined with nginx's flexibility and efficiency it can be turned into a production-grade WAF, a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

2. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module can be added when nginx is compiled, via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

4. Add rules

ModSecurity's job is to filter and block web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to meet other needs.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

5. Configure nginx

Add the following two lines to the location block of any virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        # enable ModSecurity for this location
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, load balancing over an upstream:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        # the WAF inspects the request before it is proxied to the backends
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # must name the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

6. Testing

We enabled the XSS and SQL injection filters, so abnormal requests get a 403 straight back. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
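The three browser checks above are worth scripting so they can be repeated after every rule or configuration change. This is an added example, not code from the original post: it assumes the article's test host and page, percent-encodes the payloads the way a browser does, and takes a pluggable fetch function so the checks can also be exercised against a stub without network access.

```python
"""Smoke-test the WAF with the three requests from the testing section.
Added example, not from the original post: the host is the article's test
host, the expected codes are what the article reports, and fetch_status()
is a constructed helper; run_checks() takes any fetch callable so it can
also be exercised against a stub without network access."""
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net/phpinfo.php"  # the article's test page

# (name, query parameters, expected HTTP status) from the testing section
CASES = [
    ("benign", {"id": "1"}, 200),
    ("sqli tautology", {"id": "1 and 1=1"}, 403),
    ("reflected xss", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base, params):
    """Percent-encode the query string the way a browser does before sending."""
    return base + "?" + urllib.parse.urlencode(params)


def fetch_status(url, timeout=5):
    """Return the HTTP status; urllib raises on 403, so unwrap the code."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(base=BASE_URL, cases=CASES, fetch=fetch_status):
    """Run every case; return a list of (name, expected, got, passed)."""
    results = []
    for name, params, expected in cases:
        got = fetch(build_url(base, params))
        results.append((name, expected, got, got == expected))
    return results


if __name__ == "__main__":
    for name, expected, got, ok in run_checks():
        print(f"{'PASS' if ok else 'FAIL'} {name}: expected {expected}, got {got}")
```

A benign case that unexpectedly returns 403 is as important as an attack case that returns 200: it means a rule is producing false positives on normal traffic.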
7. Troubleshooting the installation

1) Missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2) pcre not found:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 not found:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4) Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same mismatch:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5) error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
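Both ModSecurity's own notices and the requests it rejects land in nginx's error.log in the format shown in items 4 and 5 above, so a small parser makes it easy to see what the WAF is blocking and on which URIs. Added example, not code from the original post or from ModSecurity; the sample lines are constructed from the article's log output plus one invented "Access denied" line with placeholder rule and unique ids.

```python
"""Parse ModSecurity messages from nginx's error.log and count what the WAF
blocked per rule id and URI. Added example, not from the original post or
from ModSecurity; SAMPLE_LOG is constructed from the article's log output plus
one invented 'Access denied' line using placeholder rule and unique ids."""
import re
from collections import Counter

# nginx error.log line: date time [level] pid#tid: [client ip] ModSecurity: text
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: "
    r"(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<rest>.*)$"
)
# ModSecurity appends its metadata as [key "value"] pairs at the end of the text
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:id. [file "owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "RULE_ID_PLACEHOLDER"] [msg "SQL Injection Attack"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "UNIQUE_ID_PLACEHOLDER"]
"""


def parse_line(line):
    """Return a dict for a ModSecurity line, or None for any other error.log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    rec.update(KV_RE.findall(rest))      # hostname, uri, id, msg, file, unique_id ...
    rec["message"] = KV_RE.sub("", rest).strip()
    rec["denied"] = rest.startswith("Access denied")
    return rec


def summarize(log_text):
    """Parse every line; return (records, Counter of blocked (id, uri) pairs)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    blocked = Counter((r.get("id"), r.get("uri")) for r in records if r["denied"])
    return records, blocked


if __name__ == "__main__":
    recs, blocked = summarize(SAMPLE_LOG)
    for (rule_id, uri), n in blocked.items():
        print(f"rule {rule_id} blocked {n} request(s) to {uri}")
```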

References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614