ModSecurity started life as an open-source WAF for Apache and is an effective way to harden a web application; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, and it is a powerful tool for both protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel, libxml2 and apr. httpd-devel is required only because ModSecurity's configure script insists on finding apxs even for the standalone build; Apache itself plays no part at runtime.

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build has finished, pass the module to nginx's configure with --add-module (run inside the unpacked tengine-2.1.0 source directory):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity's job is to filter and block dangerous web requests, and its strength comes from its rules. The OWASP rule set, maintained by community volunteers and known as the Core Rule Set (CRS), is reliable and thorough; you can of course also write custom rules for your own needs.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and change SecRuleEngine from the shipped DetectionOnly to On. DetectionOnly logs matches without blocking; it is worth running real traffic through that mode first and reviewing error.log for false positives before switching to On, because the CRS does flag some legitimate requests.

owasp-modsecurity-crs contains several rule folders (base_rules, experimental_rules, optional_rules, slr_rules). Enable the ones you need by adding Include lines for them to modsecurity.conf. The setup file must be included first, because it defines the variables the rule files rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
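The steps of sections I to IV collected into one script, added here as an example (it is not code from the original post or from the ModSecurity or Tengine projects). It assumes the post's layout: sources unpacked under /root, Tengine installed to /opt/tengine, and the CRS checked out under /opt/tengine/conf. The Include lines are written with absolute paths so they do not depend on how relative Includes are resolved; the two config-editing functions can be run against any copy of modsecurity.conf without building anything, and the full build runs only when the script is invoked with the argument install.

```shell
#!/bin/sh
# Added example: build Tengine with the ModSecurity 2.8.0 standalone module and
# wire in the OWASP CRS, following the post's steps. All paths are the post's
# assumptions (overridable through BUILD_DIR and PREFIX), not fixed requirements.
set -eu

BUILD_DIR=${BUILD_DIR:-/root}
PREFIX=${PREFIX:-/opt/tengine}
MODSEC_VER=2.8.0
TENGINE_VER=2.1.0
MODSEC_SRC=$BUILD_DIR/modsecurity-$MODSEC_VER
TENGINE_SRC=$BUILD_DIR/tengine-$TENGINE_VER
CRS_DIR=$PREFIX/conf/owasp-modsecurity-crs

# Section I: build dependencies for Tengine and for the standalone module
# (httpd-devel only supplies apxs, which ModSecurity's configure insists on).
install_deps() {
    yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel
    yum -y install httpd-devel apr apr-util-devel apr-devel libxml2 libxml2-devel
}

# Section II: build ModSecurity as a standalone (Apache-independent) module.
build_modsecurity() {
    cd "$BUILD_DIR"
    curl -fsSLO "https://www.modsecurity.org/tarball/$MODSEC_VER/modsecurity-$MODSEC_VER.tar.gz"
    tar xzf "modsecurity-$MODSEC_VER.tar.gz"
    cd "$MODSEC_SRC"
    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make
}

# Section III: build Tengine with the module compiled in.
build_tengine() {
    cd "$BUILD_DIR"
    curl -fsSLO "http://tengine.taobao.org/download/tengine-$TENGINE_VER.tar.gz"
    tar xzf "tengine-$TENGINE_VER.tar.gz"
    cd "$TENGINE_SRC"
    ./configure --add-module="$MODSEC_SRC/nginx/modsecurity/" --prefix="$PREFIX"
    make && make install
}

# Section IV step 1: fetch the CRS straight into the conf directory and activate
# its setup file.
install_crs() {
    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs "$CRS_DIR"
    mv "$CRS_DIR/modsecurity_crs_10_setup.conf.example" "$CRS_DIR/modsecurity_crs_10_setup.conf"
}

# Switch SecRuleEngine from the shipped DetectionOnly to On (blocking).
# Argument: path of modsecurity.conf. Avoids sed -i so it also works on non-GNU sed.
enable_rule_engine() {
    conf=$1
    sed 's/^SecRuleEngine[[:space:]].*/SecRuleEngine On/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Append the Include lines the post enables, setup file first, with absolute paths.
# Arguments: path of modsecurity.conf, absolute path of the CRS checkout.
write_crs_includes() {
    conf=$1
    crs=$2
    for rule in \
        modsecurity_crs_10_setup.conf \
        base_rules/modsecurity_crs_41_sql_injection_attacks.conf \
        base_rules/modsecurity_crs_41_xss_attacks.conf \
        base_rules/modsecurity_crs_40_generic_attacks.conf \
        experimental_rules/modsecurity_crs_11_dos_protection.conf \
        experimental_rules/modsecurity_crs_11_brute_force.conf \
        optional_rules/modsecurity_crs_16_session_hijacking.conf
    do
        printf 'Include %s/%s\n' "$crs" "$rule"
    done >> "$conf"
}

# Section IV step 2: install modsecurity.conf and unicode.mapping next to nginx.conf.
configure_modsec() {
    cp "$MODSEC_SRC/modsecurity.conf-recommended" "$PREFIX/conf/modsecurity.conf"
    cp "$MODSEC_SRC/unicode.mapping" "$PREFIX/conf/unicode.mapping"
    enable_rule_engine "$PREFIX/conf/modsecurity.conf"
    write_crs_includes "$PREFIX/conf/modsecurity.conf" "$CRS_DIR"
}

# The full build only runs on explicit request, so the functions above can be
# sourced and exercised on their own.
if [ "${1:-}" = "install" ]; then
    install_deps
    build_modsecurity
    build_tengine
    install_crs
    configure_modsec
    "$PREFIX/sbin/nginx" -V
fi
```

Run it as sh build-modsec-tengine.sh install on a fresh CentOS 6.5 host; the closing nginx -V prints the configure arguments, which should now include the --add-module path of the ModSecurity module.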
V. Configure nginx

In every location that should be protected, add these two lines (a relative path in ModSecurityConfig is resolved against nginx's conf directory, /opt/tengine/conf here, which is where modsecurity.conf was placed):

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First a PHP virtual host. Note that only requests reaching the PHP location pass through ModSecurity; requests for static files are not inspected:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    root /web/wordpress;
    index index.php index.html index.htm;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Then an upstream load balancer. The WAF runs on the proxy, so every request is inspected before it is forwarded; the upstream group name must match the name used in proxy_pass:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with 403. Using the PHP setup as the example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then open these URLs in a browser (the browser URL-encodes the spaces and angle brackets for you):

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS attempts are being filtered. Each blocked request also leaves a "ModSecurity: Access denied" line in nginx's error.log that names the rule which matched; that line is the place to look when a legitimate request gets blocked. Remove phpinfo.php once you are done: it discloses the server's configuration and should not stay on a production host.

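The same check as a repeatable script, added here as an example (not code from the original post): it sends the post's three requests with curl, which URL-encodes the payloads the way the browser did, and then reduces the "Access denied" lines in error.log to the URI, rule id and message, so you can see which rule fired. The host, the error.log path and the embedded sample log are constructed for the example; the rule id and regex in that sample are illustrative only.

```shell
#!/bin/sh
# Added example (not from the original post): probe the WAF with the post's three
# requests and summarise the denials ModSecurity wrote to nginx's error.log.
# Usage: waf-smoke.sh http://www.52os.net /opt/tengine/logs/error.log
set -eu

# One GET with the query string URL-encoded by curl (spaces, quotes and angle
# brackets included), printing only the HTTP status code.
# Arguments: base URL, path, "name=value" query.
probe() {
    curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode "$3" "$1$2"
}

# Send a request and compare the status with what the WAF is expected to return.
# Arguments: expected status, base URL, path, query.
expect() {
    want=$1; base=$2; path=$3; query=$4
    got=$(probe "$base" "$path" "$query")
    if [ "$got" = "$want" ]; then
        printf 'ok   %s?%s -> %s\n' "$path" "$query" "$got"
    else
        printf 'FAIL %s?%s -> %s (expected %s)\n' "$path" "$query" "$got" "$want"
        return 1
    fi
}

# Reduce "ModSecurity: Access denied" lines read on stdin to "uri id msg", one per
# denial. The field order (id before msg before uri) is the one ModSecurity 2.x logs in;
# every other line is dropped.
denials() {
    grep 'ModSecurity: Access denied' |
        sed -n 's/.*\[id "\([^"]*\)"\].*\[msg "\([^"]*\)"\].*\[uri "\([^"]*\)"\].*/\3 \1 \2/p'
}

# Constructed sample error.log with one denial, modelled on the message format shown in
# the troubleshooting section; the rule id and the regex placeholder are illustrative.
sample_errorlog() {
    cat <<'EOF'
2015/01/26 04:15:42 [notice] 61610#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 04:16:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<sqli regex>" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:16:02 [error] 61610#0: *3 open() "/web/wordpress/favicon.ico" failed (2: No such file or directory), client: 10.11.15.161
EOF
}

# Network probes only run when a base URL and an error.log path are given.
if [ $# -ge 2 ]; then
    base=$1; errlog=$2; status=0
    expect 200 "$base" /phpinfo.php 'id=1' || status=1
    expect 403 "$base" /phpinfo.php 'id=1 and 1=1' || status=1
    expect 403 "$base" /phpinfo.php "search=<script>alert('xss');</script>" || status=1
    printf '\nDenials in %s:\n' "$errlog"
    denials < "$errlog"
    exit $status
fi
```

The script exits non-zero if any request gets a status other than the expected one, so it can be rerun after every rule change; the denials summary is what to feed into a whitelist decision when a benign request shows up in it.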
VII. Troubleshooting the installation

1) Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server, building one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when only the standalone module is being built. Fix:

yum install httpd-devel

2) Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4) Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Check the transaction summary before confirming: yum removes every package that depends on apr (httpd-devel among them) in the same step. The alternative is to rebuild ModSecurity against the apr-devel that matches the apr you intend to keep, so that the compiled and loaded versions agree.
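A small check for this condition, added here as an example (not code from the original post): it reads the startup lines ModSecurity writes to error.log, pairs each library's compiled and loaded versions, and fails when they differ. The error.log path is an assumption; the sample input is the set of startup lines quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): compare the "compiled" and "loaded"
# library versions ModSecurity reports at startup and fail on any mismatch.
# Usage: modsec-libcheck.sh /opt/tengine/logs/error.log
set -eu

# Print "LIB compiled loaded" for every "X compiled version=...; loaded version=..."
# line on stdin. Only the leading token of each version string is kept, so PCRE's
# loaded "7.8 2008-09-05" compares equal to its compiled "7.8 ". Lines without a
# loaded version (LIBXML above) are skipped.
lib_versions() {
    sed -n 's/.*ModSecurity: \([A-Z]*\) compiled version="\([^" ]*\)[^"]*"; loaded version="\([^" ]*\)[^"]*".*/\1 \2 \3/p'
}

# Report each library and exit 1 if any pair differs, 0 when all of them match.
check_versions() {
    lib_versions | awk '
        $2 == $3 { printf "ok       %s %s\n", $1, $2 }
        $2 != $3 { printf "MISMATCH %s compiled=%s loaded=%s\n", $1, $2, $3; bad = 1 }
        END { exit bad }'
}

# The startup lines from the troubleshooting section, used as sample input.
sample_startup_log() {
    cat <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
EOF
}

# Only read a real log when a path is given (assumed: /opt/tengine/logs/error.log).
if [ $# -ge 1 ]; then
    check_versions < "$1"
fi
```

Run it after every nginx restart or apr update; a MISMATCH line means the module is calling into a different APR build than it was linked against, which is exactly the state the warning above reports.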
5) "Audit log: Failed to lock global mutex" in error.log

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The serial audit log is a single file shared by all worker processes and guarded by a global mutex that the unprivileged workers cannot lock. Concurrent mode writes one file per transaction under SecAuditLogStorageDir, and with the index file (SecAuditLog) commented out nothing remains that needs the mutex. The 0777 directory mode is wider than necessary: create /var/log/modsecurity owned by the account the workers run as (the nginx user directive) with mode 0750 and set SecAuditLogDirMode accordingly. Audit entries contain full request bodies, including credentials and session cookies, so other local users should not be able to read them.

References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614