|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。 J; k2 v0 U1 v8 w' u
6 @) Y: r4 j; a
一.准备工作 h9 n, K7 \5 X. o% ~
+ s0 |+ p4 K5 Y' M$ n, ^7 q
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
. J% u1 [( U, l `
% \$ \9 q3 V! Z) M: h. etengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
7 X3 }' L% R( H5 R* Q1 u1 b5 k, H: X' U: N P
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz( Q3 J- v+ }* c8 l% [! d
$ u6 d$ k" {. H1 Z1 {
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs, f5 n6 z" ]0 B- B! X5 D
; v6 f- L( t$ {, e, q( I9 d
依赖关系:( i! L2 n: `. {5 G! p4 ~
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:" x; g0 O$ c+ F; B
C' p2 R/ _- ?* h: qyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel1 b; o1 T7 A6 f+ h+ ~# y/ I! G) h
modsecurty依赖的包:pcre httpd-devel libxml2 apr
* U6 n8 N9 l8 D0 R. t) l6 q
3 _$ @3 t0 D1 I5 r- J# y: J- [yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
* K, H1 I8 h# D3 \二.启用standalone模块并编译
* s; A, X$ t3 I) P) N- @+ O! } n1 {
: Y: k. d, ^- W& h. i: Y( a下载modsecurity for nginx 解压,进入解压后目录执行:
! G6 a# n- C7 h% Z" _2 F; e0 f) [' @! u; L' n
./autogen.sh6 p/ @7 ]' Z* i& X" m
./configure --enable-standalone-module --disable-mlogc
$ C$ c# ?2 q. F7 s3 i: cmake 1 K0 W B+ ?6 ]
三.nginx添加modsecurity模块
w" x5 a3 d) Z" v* U$ I
& L) J0 Y; h: z- J在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
% d8 I( T; q2 {% A" H+ z I) x7 j3 V' ~ X& q/ o
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
# A8 v. Y3 e6 }- umake && make install7 {. t. a% b0 E6 r, T% I
四.添加规则
" A4 M, r7 s k. M
% j; x/ t3 q5 Y" H2 C! A* Rmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
* `& E8 M5 M5 i% V% ~4 e2 d
* n' S+ Y% B E8 p1 x3 y9 P* }1.下载OWASP规则:; v( z" W! N& O$ l# A2 t. e
; Z* Q! J2 Y5 S0 r. ~% xgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
3 Q* C" B `0 N0 t5 Y4 U' ]! f5 `$ k: B
mv owasp-modsecurity-crs /opt/tengine/conf/
2 |% T; o3 j7 ]7 M5 J! {8 E% C2 J/ V$ P* J: [6 _
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
, x2 I+ J1 _# c" ?6 J. M7 I* x: ]2.启用OWASP规则:
# v4 F+ }7 @) m8 F
; h; u' f! Y) E/ s/ Z复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。* ~4 H* W9 Q9 R7 e* i$ p5 x
& i7 x, i4 M5 `8 s6 W5 j _2 D
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on* H# j) h7 |. I( ]
! G# Q1 n2 R4 L1 h/ @& W- L. @/ T% ?" O- a
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。0 N; H% L: Y+ r. h: `
3 Z# H# r5 @; f
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
( x, e* N1 R3 Q0 j" KInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf, s& W2 T& |# b0 t- N- E
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
- f: ^) Y5 \9 |$ S7 j7 i8 S4 mInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
" z1 _9 w) S; P2 LInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf) m6 i4 |5 y N) d! ~( q# r9 g
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf. N- t0 P7 f' t$ @* i& g5 w
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
' S( j. p0 }5 b* l( H, i+ O五.配置nginx! O' ?; N/ }2 m. v% j. n
6 D9 b/ ^/ t3 H* U& D在需要启用modsecurity的主机的location下面加入下面两行即可:
# j! P/ a: c1 N9 F+ k) T- Q) @
7 y }1 o6 l. YModSecurityEnabled on; - e z& }( c# t. \
ModSecurityConfig modsecurity.conf;
( V. N; g5 y0 t% N2 K ~下面是两个示例配置,php虚拟主机:
2 n& ]9 |& H9 X
$ h: a) g$ n4 j/ _# _, r2 iserver {
2 c+ w/ j8 w; N listen 80;
' @4 Q+ p% C9 ?* c) u server_name 52os.net www.52os.net;: E4 C' n/ F% C& U6 e4 b
j' a2 F i8 K& j9 L) y location ~ \.php$ {
0 }7 p H2 Q) |9 Y" S ModSecurityEnabled on; {6 E {$ f1 p
ModSecurityConfig modsecurity.conf;
2 K* {* Z# K: M4 C% h3 h
' n" Z; G3 e9 `0 C3 J root /web/wordpress;9 g* V: z( s6 G0 I
index index.php index.html index.htm;
7 Y( M+ R( @6 W, W0 H % x6 Z2 f) K$ A m& r
fastcgi_pass 127.0.0.1:9000;/ b( D. ^: i" f$ Q$ {
fastcgi_index index.php;$ X* W2 d' s6 O! o$ d) C
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;( \, [+ @+ w# Q; d8 O y
include fastcgi_params;
: a8 ~$ O. N. P4 z }
: `+ T; m) \( l, Y4 h' g# P6 K }
8 z l$ a8 F% _/ G8 Q0 w& [' K. uupstream负载均衡:8 E/ o$ x1 g3 y2 _- s% H
% E; W$ r3 o1 q0 zupstream 52os.net {
: S& D: C; ?( b+ G5 G- ? Q server 192.168.1.100:8080;9 J+ v. e( z2 G2 N8 Y1 s6 ~
server 192.168.1.101:8080 backup;
+ O- R: J9 t: O+ t}; C$ ?6 H! Y5 ]: v
& c* |) T& U$ K5 D+ ]$ xserver {
3 H' W' L: D% @9 I$ J/ w: S1 V, |listen 80;
' T- |6 E* T) I u5 [! r+ V* yserver_name 52os.net www.52os.net;
! y) o+ R( a, O- H5 F
' [! @2 j& D: h' _location / {/ ?) u4 L9 [7 ~. M! D
ModSecurityEnabled on;
8 a& g3 U! S' E' l2 j q7 n ModSecurityConfig modsecurity.conf;
1 i1 c+ Y8 z% n& ~0 A+ L( @% ~
! k6 h: j. F/ a. h3 t H proxy_pass http://online;
0 F p4 \( u4 W8 B proxy_redirect off;5 [# V7 j# H& q; W% b
proxy_set_header Host $host;
2 J% W: X* P, [4 o proxy_set_header X-Real-IP $remote_addr;2 H" L' Z7 e& \6 k. r; V
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;4 F( m4 n& G; Q8 D
}
1 a# ]5 [# c; i1 n5 |7 _}" Z, I4 P6 y2 p# i* n( Z9 W
六.测试
6 V- H3 f) o$ B- q1 ~6 e+ s+ |: V; d1 z9 X4 Z
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:3 z! Z9 X; T! m2 z* Z. k. m
3 \& g, S( }$ J: R8 v5 l5 u! Q! P<?php& G4 u: j; R" ]: \: \/ V" G
phpinfo(); 3 D1 ^& v0 y7 d9 C% U- _! W
?>7 m8 @* e+ `3 ^' U6 |. O
在浏览器中访问:# ?- ?8 e" q; i! A6 k
: \9 q* x' U- A7 W, d
http://www.52os.net/phpinfo.php?id=1 正常显示。' z2 {' K) [4 v! k
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。7 H% i1 k. T6 |+ h
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。2 |) T' u5 o' ]8 |8 L) [
说明sql注入和xss已经被过滤了
! F, k- H$ I* U: s" x! ?) S$ o- v; l9 _. T m4 R9 u
七、安装过程中排错' M! x. ]3 s w# p9 t9 R
: o- f3 m0 n6 P7 C! p: I( }# u3 z
1.缺少APXS会报错! ?( H) e1 Q& x
( Z% q2 }8 O. M8 [2 B
configure: looking for Apache module support via DSO through APXS
" X, v+ Y% m! r+ j! S; Pconfigure: error: couldn't find APXS# j" A7 p( [8 }' [" P) H
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
* M K' I9 Q" }; a0 M/ ~* u解决方法:
5 v# O+ u; P: o3 I
: Y! M5 D$ `8 P. A Oyum install httpd-devel
. w( s; y) P; ^0 v2.没有pcre
3 M, [& E- z! X, s T, ]# ]' s" @
/ z# R' `+ n: _configure: *** pcre library not found.( {& d1 P2 q8 {$ c( K2 N, j) V
configure: error: pcre library is required6 S- |7 _( t/ `. U2 H. @
解决方法:/ L2 F0 i" h4 k
2 w/ ^+ ]# v `( w, M4 w
yum install pcre pcre-devel z2 W' v$ ]. o1 B; | z0 }9 r# v
3.没有libxml26 g+ l+ V r k4 t& u p4 }
+ {7 G* e/ ~; j" A
' `) S1 k+ h2 D; ~1 Z# b' w2 Jconfigure: *** xml library not found.5 y# A1 X' _. @' v
configure: error: libxml2 is required
& i; T7 y; q ?5 } ?9 u* x4 G1 L解决方法:
; Y) d' \' `* A' b m
5 V! e3 \2 f7 ?1 W+ N7 Myum install libxml2 libxml2-devel' n o( r' Y7 z/ k/ @ n! O
4.执行 /opt/tengine/sbin/nginx -m 时有警告7 w& v; g- T( u4 M0 O
# f$ z+ s1 _4 `, k3 ITengine version: Tengine/2.1.0 (nginx/1.6.2)0 V; t2 f7 l( {# _
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
, A3 e/ S. D% n7 `3 k3 m# }; K原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log% @! _2 K- T# D) T- ~1 P4 p
) i% A |6 k7 B" p$ ?2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.: {$ s$ Y2 g) A* ]" A2 k1 T
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
5 g- h% n: q z9 E( k2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!. y$ Z( ~, }' \+ @3 `
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
% f( w8 H, f( T8 @2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
1 w: g+ E7 b( t/ ~ x2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
8 U: q4 f) I+ q1 @* R, A& ?+ B解决方法,移除低版本的APR (1.3.9)
4 q! G6 q3 g4 E' q) M( V1 U7 @
. E/ s- L4 s K E5 Fyum remove apr1 y( u$ |, B" `3 H( q! V3 _
5.Error.log中有: Audit log: Failed to lock global mutex9 I1 M/ o1 T' L p
# m" O& ^( Q1 ?6 S( A3 q2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
# c& d$ u8 \' ]; U, U) Yglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
: h% ^8 g+ ^6 g( G1 u解决方法:
7 C% h. _! Y' Y& w' [编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
3 l; ]4 C$ Z# i, q3 j( D& K, {1 S/ a8 u! v# j
SecAuditLogDirMode 0777
' X. P w8 o# m+ \+ \/ c( U3 TSecAuditLogFileMode 0550
4 c5 c* q6 q9 k& Y) v5 ]: o6 BSecAuditLogStorageDir /var/log/modsecurity
& X! P% Q1 D+ w5 B2 vSecAuditLogType Concurrent
' B0 W9 M4 l. S参考文章:
% `" `" j1 J. ^: m F0 m( Yhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
) Y, d; f0 R7 A0 G# m2 @http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡