nginx with ModSecurity as a WAF

Posted 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache that noticeably hardens a web deployment; it now also supports nginx and IIS. Combined with the flexibility and performance of nginx it can be built into a production-grade WAF, and it is a strong tool for both protecting and auditing web traffic.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone build is done, the module is added when nginx is configured, via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is geared toward filtering and blocking web attacks, and its strength lies in its rules. The rules OWASP provides are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can of course write custom rules to cover other needs.

Step 1: download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

Step 2: enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by pulling them in with Include directives (in modsecurity.conf, the file nginx loads):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

In the location block of each host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

An upstream load-balancing host:

# the upstream name must match the name used in proxy_pass below,
# otherwise nginx tries to resolve it as a DNS host name at start-up
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We enabled the XSS and SQL injection filters, so abnormal requests get a 403 straight away. Taking the PHP environment as the example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

So SQL injection and XSS are being filtered.
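The three browser checks above are worth keeping as a repeatable script so they can be re-run every time the rule set or the nginx configuration changes. The following is an added example, not code from the original post: it assumes the same phpinfo.php target URL (passed on the command line) and a hypothetical script name; the `fetch` parameter is injectable so the pass/fail logic can be exercised without a live server.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

# The three probes from the testing section, as (query parameters, expected status).
# Constructed to reproduce the URLs the post opens in a browser.
PROBES = [
    ({"id": "1"}, 200),                                   # benign request, must pass through
    ({"id": "1 and 1=1"}, 403),                           # SQL-injection-style input, must be blocked
    ({"search": "<script>alert('xss');</script>"}, 403),  # XSS-style input, must be blocked
]


def probe_url(base_url, params):
    """Build the probe URL with the parameters percent-encoded, as a browser would send them."""
    return base_url + "?" + urllib.parse.urlencode(params)


def http_status(url):
    """Fetch `url` and return its HTTP status; a 4xx/5xx answer is a result here, not an error."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def run_probes(base_url, fetch=http_status):
    """Run every probe against base_url and return (url, expected, got, passed) per probe."""
    results = []
    for params, expected in PROBES:
        url = probe_url(base_url, params)
        got = fetch(url)
        results.append((url, expected, got, got == expected))
    return results


def all_passed(results):
    """True only if every probe produced the status the post says it should."""
    return all(ok for _, _, _, ok in results)


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 waf_smoke_test.py http://www.52os.net/phpinfo.php
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net/phpinfo.php"
    results = run_probes(base)
    for url, expected, got, ok in results:
        print("PASS" if ok else "FAIL", got, "(expected %d)" % expected, url)
    sys.exit(0 if all_passed(results) else 1)
```

The exit code makes the script usable as a gate in a deployment pipeline: a benign request that is blocked (false positive) fails the run just as loudly as a probe that sails through.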
7. Troubleshooting the installation

1) Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2) No pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) No libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4) A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time; error.log will also contain:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
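Items 4 and 5 both come down to reading ModSecurity's lines in nginx's error.log. The following parser is an added example, not code from the original post: it takes the lines quoted above as constructed sample input, reports every library whose loaded version differs from the compiled one, and pulls the bracketed fields (uri, unique_id, client) out of the audit-log error so they can be searched or alerted on instead of eyeballed.

```python
import re

# Sample lines constructed from the error.log excerpts quoted in items 4 and 5 above.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# nginx error.log prefix: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?P<msg>.*)$"
)
# ModSecurity start-up lines: compiled version, optionally followed by the loaded one
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"(?:; loaded version="(?P<loaded>[^"]*)")?'
)
# ModSecurity's quoted key/value fields, e.g. [uri "/i.php"]; [client 1.2.3.4] is unquoted
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>[^"]*)"\]')
CLIENT_RE = re.compile(r"\[client (?P<client>[^\]]+)\]")


def _leading_number(version):
    """'7.8 2008-09-05' -> '7.8'; an empty string stays empty instead of raising."""
    parts = version.split()
    return parts[0] if parts else ""


def parse_line(line):
    """Split one error.log line into timestamp, level, pid, message and ModSecurity fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(FIELD_RE.findall(rec["msg"]))
    c = CLIENT_RE.search(rec["msg"])
    rec["client"] = c.group("client") if c else None
    return rec


def library_mismatches(log_text):
    """Return {library: (compiled, loaded)} for every library whose loaded version differs.

    Only the leading version number is compared, because PCRE appends its build date to
    the loaded string ("7.8 " vs "7.8 2008-09-05"), which is not a real mismatch; the APR
    pair 1.5.0 / 1.3.9 is, and is exactly what item 4 fixes with `yum remove apr`.
    """
    mismatches = {}
    for line in log_text.splitlines():
        m = VERSION_RE.search(line)
        if not m or m.group("loaded") is None:
            continue
        compiled = _leading_number(m.group("compiled"))
        loaded = _leading_number(m.group("loaded"))
        if compiled != loaded:
            mismatches[m.group("lib")] = (compiled, loaded)
    return mismatches


def audit_failures(log_text):
    """Return the parsed [error] lines in which ModSecurity could not write its audit log."""
    return [
        rec
        for rec in map(parse_line, log_text.splitlines())
        if rec and rec["level"] == "error" and "Audit log:" in rec["msg"]
    ]


if __name__ == "__main__":
    for lib, (compiled, loaded) in library_mismatches(SAMPLE_LOG).items():
        print("%s: compiled against %s but loaded %s" % (lib, compiled, loaded))
    for rec in audit_failures(SAMPLE_LOG):
        print(rec["ts"], rec["client"], rec["fields"].get("uri"), rec["fields"].get("unique_id"))
```

Feeding the real error.log to `library_mismatches` after every package update catches the APR problem before the warning is lost in start-up noise, and `audit_failures` is a reasonable first query for a log pipeline, since a WAF that cannot write its audit log is silently losing the evidence it exists to produce.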
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614