ModSecurity started out as an open-source WAF for Apache that noticeably hardens web applications; it now also supports nginx and IIS. Combined with the flexibility and performance of nginx it can be turned into a production-grade WAF, a strong tool for protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to nginx's configure with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course write your own rules to cover whatever else you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several rule directories, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need by pulling them in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
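Two things silently defeat this step: a SecRuleEngine left at DetectionOnly (rules load, nothing is blocked) and an Include whose target does not exist. The following checker is an added example, not part of the original article or of ModSecurity itself; it resolves each Include relative to the directory holding modsecurity.conf (which is how this article lays out /opt/tengine/conf, with modsecurity.conf and owasp-modsecurity-crs/ side by side), handles wildcard Includes, and builds a throw-away conf tree as constructed sample input.

```python
"""Sanity-check a modsecurity.conf before reloading nginx (added example).

Reports the SecRuleEngine mode and every Include whose target is missing.
Relative Include paths are assumed to resolve against the directory that
contains modsecurity.conf, matching the layout used in the article.
"""
import glob
import os
import tempfile


def parse_modsecurity_conf(text):
    """Return (rule_engine, includes) from the text of modsecurity.conf.

    rule_engine is the value of the last SecRuleEngine directive (None if
    absent); includes lists Include targets in file order. Comments and
    blank lines are skipped and the directive name is matched
    case-insensitively, as ModSecurity does.
    """
    rule_engine = None
    includes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        directive, value = parts[0].lower(), parts[1].strip().strip('"')
        if directive == "secruleengine":
            rule_engine = value
        elif directive == "include":
            includes.append(value)
    return rule_engine, includes


def check_modsecurity_conf(conf_path, conf_dir=None):
    """Return a summary dict: engine mode, whether it blocks, Include targets, missing ones.

    A target counts as missing when the (possibly wildcard) path matches no file.
    """
    conf_dir = conf_dir or os.path.dirname(os.path.abspath(conf_path))
    with open(conf_path) as fh:
        engine, includes = parse_modsecurity_conf(fh.read())
    missing = [inc for inc in includes
               if not glob.glob(os.path.join(conf_dir, inc))]
    return {
        "engine": engine,
        "blocking": engine is not None and engine.lower() == "on",
        "includes": includes,
        "missing": missing,
    }


def demo():
    """Build a constructed conf tree mirroring the article's layout and check it.

    One Include deliberately points at a file that is not created, so the
    checker has something to report.
    """
    root = tempfile.mkdtemp()
    crs = os.path.join(root, "owasp-modsecurity-crs")
    os.makedirs(os.path.join(crs, "base_rules"))
    open(os.path.join(crs, "modsecurity_crs_10_setup.conf"), "w").close()
    for name in ("modsecurity_crs_41_sql_injection_attacks.conf",
                 "modsecurity_crs_41_xss_attacks.conf"):
        open(os.path.join(crs, "base_rules", name), "w").close()
    conf = os.path.join(root, "modsecurity.conf")
    with open(conf, "w") as fh:
        fh.write(
            "# SecRuleEngine DetectionOnly\n"
            "SecRuleEngine On\n"
            "Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf\n"
            "Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_*.conf\n"
            "Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf\n"
        )
    return check_modsecurity_conf(conf)


if __name__ == "__main__":
    result = demo()
    print("SecRuleEngine:", result["engine"], "(blocking)" if result["blocking"] else "(NOT blocking)")
    for inc in result["missing"]:
        print("missing Include target:", inc)
```

Run it against the real file with check_modsecurity_conf("/opt/tengine/conf/modsecurity.conf") before the nginx reload; a non-empty "missing" list or blocking == False means the WAF is not doing what section VI expects.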
V. Configure nginx

Add the following two lines to the location block of each virtual host where ModSecurity should be active:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Load balancing with upstream:

# the upstream name must match the host in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, malicious requests are answered with 403 outright. Taking a PHP environment as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre not installed

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not installed

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log will also contain:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr
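The version notices above are the reliable signal: ModSecurity prints one "compiled version / loaded version" line per library at startup, and the APR warning is just the consequence of those two values differing. The scanner below is an added example (not from the article) that pulls the pairs out of error.log lines and names every library whose loaded build differs from the compiled one; the PCRE line shows why the comparison has to strip the trailing space and build date, otherwise "7.8 " and "7.8 2008-09-05" would be reported as a false mismatch. The sample log is constructed from the lines quoted above.

```python
"""Flag ModSecurity library-version mismatches in nginx error.log (added example)."""
import re
import sys

VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>[A-Z]+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)


def normalize(version):
    """Keep only the numeric version: drop padding and a build-date suffix."""
    version = version.strip()
    return version.split()[0] if version else ""


def scan_versions(lines):
    """Return {lib: (compiled, loaded, mismatch)} for every version notice seen.

    loaded is None for libraries that only report a compiled version (LIBXML);
    those can never be flagged.
    """
    found = {}
    for line in lines:
        m = VERSION_RE.search(line)
        if not m:
            continue
        compiled = normalize(m.group("compiled"))
        loaded = normalize(m.group("loaded")) if m.group("loaded") is not None else None
        mismatch = loaded is not None and loaded != compiled
        found[m.group("lib")] = (compiled, loaded, mismatch)
    return found


def mismatched_libs(lines):
    """Sorted names of the libraries whose loaded version differs from the compiled one."""
    return sorted(lib for lib, (_, _, bad) in scan_versions(lines).items() if bad)


# Constructed sample: the error.log excerpt shown in the article.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
"""

if __name__ == "__main__":
    # Pass a real error.log path to scan it; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for lib, (compiled, loaded, bad) in sorted(scan_versions(lines).items()):
        flag = "MISMATCH" if bad else "ok"
        print(f"{lib:7} compiled={compiled!r:10} loaded={loaded!r:18} {flag}")
```

On the sample it reports APR as the only mismatch, which is exactly the library the "yum remove apr" fix targets; rerun it against /opt/tengine/logs/error.log after the removal and a restart to confirm the pair now agrees.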
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614