Building a WAF with nginx and ModSecurity

Posted on 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now supports nginx and IIS as well. Combined with nginx's flexibility and performance it can be turned into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been built, add it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity's purpose is to filter and block web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write your own rules for specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of every virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root  /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

An upstream load-balancing setup:

# the upstream name must match the one used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered with 403 straight away. Taking the PHP environment as the example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.

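A repeatable version of the three browser checks above, added here as an example (it is not code from the original post): it requests each URL and compares the status code with the 200 or 403 the WAF should return. BASE_URL is the host from the post and is assumed to be yours to replace; the fetch parameter is an assumption of this example so the logic can be exercised without a live server.

```python
import urllib.error
import urllib.request
from urllib.parse import quote

# Host from the post; point this at your own ModSecurity-protected vhost.
BASE_URL = "http://www.52os.net/phpinfo.php"

# (query string, status the WAF should answer with), taken from the post's checks.
CASES = [
    ("id=1", 200),                                   # benign request passes through
    ("id=1 and 1=1", 403),                           # SQL injection rule file (crs_41) fires
    ("search=<script>alert('xss');</script>", 403),  # XSS rule file (crs_41) fires
]


def http_status(url, timeout=5):
    """GET url and return the HTTP status; urllib raises on 4xx/5xx, so catch it."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_smoke_test(base_url=BASE_URL, cases=CASES, fetch=http_status):
    """Run every case; return a list of (url, expected, actual, passed)."""
    results = []
    for query, expected in cases:
        # Percent-encode spaces and angle brackets as a browser would, but keep
        # '=' and '&' so the query string still parses into parameters.
        url = f"{base_url}?{quote(query, safe='=&')}"
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


def all_passed(results):
    """True only if every case got exactly the status the WAF should return."""
    return all(passed for _, _, _, passed in results)


if __name__ == "__main__":
    for url, expected, actual, passed in run_smoke_test():
        print(f"{'PASS' if passed else 'FAIL'} got {actual} want {expected} {url}")
```

A FAIL on the first case means the rule set is blocking a legitimate request, which is the kind of false positive to tune before relying on SecRuleEngine On in production.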
VII. Troubleshooting the installation

1. Missing APXS:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP Server; it builds one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre not installed:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not installed:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
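A small triage script for the error.log entries in items 4 and 5, added here as an example (not from the original post): it parses nginx's error.log line format, pulls out ModSecurity's bracketed [key "value"] fields, and flags the compiled/loaded library mismatch and the audit-log failure described above. The sample log is constructed from the lines quoted in this section; the finding names are this example's own.

```python
import re

# nginx error.log prefix: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
LINE_RE = re.compile(r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
                     r'(?P<pid>\d+)#(?P<tid>\d+): (?P<msg>.*)$')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')          # [uri "/i.php"], [unique_id "..."], ...
CLIENT_RE = re.compile(r'\[client (?P<ip>[^\]]+)\]')  # the one bracket field without quotes
VERSION_RE = re.compile(r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"; '
                        r'loaded\s+version="(?P<loaded>[^"]*)"')

# Constructed sample log, assembled from the error.log lines quoted in items 4 and 5 above.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""


def parse_line(line):
    """Parse one nginx error.log line; return None if it is not in nginx format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(FIELD_RE.findall(rec["msg"]))
    client = CLIENT_RE.search(rec["msg"])
    if client:
        rec["fields"]["client"] = client["ip"]
    return rec


def triage(lines):
    """Return (kind, detail) findings for the two problems described in items 4 and 5."""
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        v = VERSION_RE.search(rec["msg"])
        # Compare the version number only: PCRE reports "7.8 " vs "7.8 2008-09-05" for the
        # same library, whereas APR 1.5.0 vs 1.3.9 is the real mismatch nginx warns about.
        if v and (v["compiled"].split() or [""])[0] != (v["loaded"].split() or [""])[0]:
            findings.append(("version_mismatch",
                             f'{v["lib"]}: compiled {v["compiled"]} vs loaded {v["loaded"]}'))
        if rec["level"] == "error" and "Audit log:" in rec["msg"]:
            f = rec["fields"]
            findings.append(("audit_log_failure",
                             f'client={f.get("client")} uri={f.get("uri")} unique_id={f.get("unique_id")}'))
    return findings
```

Run triage(open("/opt/tengine/logs/error.log").read().splitlines()) after a restart: an empty result means neither the APR mismatch nor the mutex permission problem is present.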
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614