ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx it can be turned into a production-grade WAF, a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, it can be added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and of course custom rules can also be written to meet specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need by pulling them in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of each host on which ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Second, upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so malformed requests are answered directly with 403. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
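As an added example (not part of the original article), a small Python script that automates the three browser checks above and reports whether the WAF behaves as expected: the benign request must be served and both probes must be blocked with 403. The sender is injectable so the check logic can be exercised without a live server; www.52os.net is the article's own example host.

```python
"""Smoke test for the ModSecurity setup above: the benign request must be
served (200) and the SQL injection / XSS probes must be blocked (403)."""
import urllib.error
import urllib.parse
import urllib.request

# The three requests from the article as (path, query params, expected status).
CASES = [
    ("/phpinfo.php", {"id": "1"}, 200),
    ("/phpinfo.php", {"id": "1 and 1=1"}, 403),
    ("/phpinfo.php", {"search": "<script>alert('xss');</script>"}, 403),
]


def http_status(url, timeout=5):
    """GET the URL and return its status code; a 403 arrives as HTTPError."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_smoke_test(base_url, send=http_status):
    """Run every case; return (url, expected, actual, ok) per case.

    'send' maps a URL to a status code, so a fake can replace real HTTP."""
    results = []
    for path, params, expected in CASES:
        url = base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)
        actual = send(url)
        results.append((url, expected, actual, actual == expected))
    return results


def waf_is_effective(results):
    """True only if no benign request was blocked and no probe got through."""
    return all(ok for _, _, _, ok in results)


if __name__ == "__main__":
    # Assumed deployment host: the article's own example domain.
    res = run_smoke_test("http://www.52os.net")
    for url, expected, actual, ok in res:
        print("PASS" if ok else "FAIL", expected, actual, url)
    print("WAF effective" if waf_is_effective(res) else "WAF NOT effective")
```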
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel
2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel
3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

# 0777 makes the audit directory world-writable; a mode writable only by the nginx worker user is tighter
SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614