ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security; it now also supports Nginx and IIS. Combined with Nginx's flexibility and efficiency it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (Nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for Nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to Nginx

Once the standalone module has been built, the ModSecurity module is added to the Nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Adding rules

ModSecurity is geared toward filtering and blocking web attacks, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to meet any need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into Nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; each rule file you want active is simply pulled in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure Nginx

In the location block of each host where ModSecurity should be active, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Upstream load balancing (the proxy_pass target must be the name of the upstream block declared above):

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered with a 403 directly. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Visit the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
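The manual browser checks above are worth keeping as a repeatable smoke test, so that a rule-set update or a rebuild of the module is caught immediately if it silently stops blocking (SecRuleEngine left at DetectionOnly, a missing Include, and so on). The script below is an added example and not part of the original post: it sends the same three requests with curl and checks the status codes the post expects. It assumes curl is installed and that the site is reachable at BASE_URL (defaulting to the post's www.52os.net); the CURL variable exists only so the HTTP client can be swapped out, for instance in a test. Note that curl's --data-urlencode percent-encodes the space, the quotes and the angle brackets, so what reaches the WAF is the same encoded query a browser would send.

```shell
#!/bin/sh
# Added example (not from the original post): smoke-test the ModSecurity
# rules with the requests the post tries by hand, reporting PASS/FAIL per case.
# Assumptions: BASE_URL is reachable; a benign request must return 200 and
# the attack-shaped requests 403. CURL may be overridden to stub the client.

BASE_URL="${BASE_URL:-http://www.52os.net}"
CURL="${CURL:-curl}"

# status_of PATH QUERY -> prints only the HTTP status code.
# -G with --data-urlencode puts the percent-encoded query on the URL.
status_of() {
  "$CURL" -s -o /dev/null -w '%{http_code}' -G \
    --data-urlencode "$2" "$BASE_URL$1"
}

# check EXPECTED PATH QUERY -> returns 0 when the status matches, 1 otherwise.
check() {
  expected=$1; path=$2; query=$3
  got=$(status_of "$path" "$query")
  if [ "$got" = "$expected" ]; then
    printf 'PASS %s %s?%s\n' "$expected" "$path" "$query"
    return 0
  fi
  printf 'FAIL want=%s got=%s %s?%s\n' "$expected" "$got" "$path" "$query"
  return 1
}

# run_smoke_tests -> prints a summary; exit status is the number of failures
# (0 means the WAF behaves exactly as the post describes).
run_smoke_tests() {
  failures=0
  check 200 /phpinfo.php 'id=1' || failures=$((failures + 1))
  check 403 /phpinfo.php 'id=1 and 1=1' || failures=$((failures + 1))
  check 403 /phpinfo.php "search=<script>alert('xss');</script>" || failures=$((failures + 1))
  echo "failures: $failures"
  return "$failures"
}

# Usage: sh waf_smoke.sh run        (optionally: BASE_URL=http://host sh waf_smoke.sh run)
case "${1:-}" in
  run) run_smoke_tests ;;
esac
```

Run it after every rule change; a non-zero exit status means one of the expectations no longer holds and the error.log and audit log should be consulted before the change is kept.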
VII. Troubleshooting the installation

1. Missing APXS produces an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
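ModSecurity prints the compiled-against and loaded versions of APR, PCRE and libxml2 at every start, and a mismatch only shows up as a single [warn] line that is easy to miss among the notices. The script below is an added example, not code from the post or from the ModSecurity project: it reads an nginx error.log, pulls the two version strings out of each "compiled version=" line and flags any library whose loaded version differs, comparing only the leading numeric token because PCRE reports "7.8 " against "7.8 2008-09-05". The sample log embedded in it is constructed from the lines quoted above; the script assumes nothing beyond a POSIX shell and awk.

```shell
#!/bin/sh
# Added example (not from the original post): scan an nginx error.log for the
# ModSecurity startup lines and flag libraries whose loaded version differs
# from the version ModSecurity was compiled against.

# check_lib_versions < error.log
# Prints one line per library: NAME compiled=X loaded=Y STATUS, where STATUS
# is MISMATCH, OK, or UNKNOWN (no loaded version on the line, as for LIBXML).
# Exit status is 1 if any MISMATCH was found, else 0.
check_lib_versions() {
  awk '
    /ModSecurity: [A-Z]+ compiled version=/ {
      lib = $0;  sub(/.*ModSecurity: /, "", lib);          sub(/ compiled.*/, "", lib)
      comp = $0; sub(/.*compiled version="/, "", comp);   sub(/".*/, "", comp)
      if ($0 ~ /loaded version=/) {
        load = $0; sub(/.*loaded version="/, "", load);   sub(/".*/, "", load)
      } else {
        load = ""
      }
      # Compare only the leading token: PCRE reports "7.8 " vs "7.8 2008-09-05".
      split(comp, c, " "); split(load, l, " ")
      if (load == "")        { status = "UNKNOWN" }
      else if (c[1] == l[1]) { status = "OK" }
      else                   { status = "MISMATCH"; bad = 1 }
      printf "%s compiled=%s loaded=%s %s\n", lib, c[1], (load == "" ? "-" : l[1]), status
    }
    END { if (bad) exit 1; exit 0 }
  '
}

# Constructed sample: the error.log excerpt quoted in the post.
SAMPLE_LOG='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"'

# mismatched_libs LOG_TEXT -> prints only the names of mismatching libraries.
mismatched_libs() {
  printf '%s\n' "$1" | check_lib_versions | awk '$NF == "MISMATCH" { print $1 }'
}

# Usage: sh check_modsec_libs.sh /opt/tengine/logs/error.log
# With no argument the functions are only defined (e.g. for sourcing).
case "${1:-}" in
  '') ;;
  *) check_lib_versions < "$1" ;;
esac
```

On the log from the post it reports APR as MISMATCH (1.5.0 compiled, 1.3.9 loaded), PCRE as OK and LIBXML as UNKNOWN, and exits non-zero, which makes it usable as a post-install check in a deployment script.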
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614