|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。% `6 ?( y0 k' L
2 b4 d) H& B/ S+ v+ r; v一.准备工作
( @8 b( f8 A/ \/ }0 C1 U( H' `8 `% v) [# `1 Y, ~! [) n
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
2 Y$ ~9 |1 M2 c: F2 C; C4 P9 j
" g4 N, x \" M: }tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz4 Y) A7 I9 h1 p) T. Q( a) N
2 M5 x S1 Y$ I) L3 K: O2 omodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
" M) A1 s( C; f' c: B2 c% A: z. w
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs \% Z$ T9 o& s, W: z# C6 t
& D9 g9 y' g& F7 M9 @( s5 U依赖关系: U4 G$ D* m/ K) {- e$ H
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:+ h& `5 Q% m3 X Y2 ?: O" E9 e. y
6 m7 `# M* i/ O' A# t% v
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
$ q: B1 }/ I) i( q- R* [modsecurty依赖的包:pcre httpd-devel libxml2 apr3 H( o; e: X8 x/ I/ p( ?1 w. f5 R
9 E+ ^& ]9 `9 Cyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
% G" U% Q- ` j* p* ^: E二.启用standalone模块并编译
$ Z h! G# G3 b0 ?1 u2 Z; x
) |4 E4 I0 l4 x% H) h$ k. V下载modsecurity for nginx 解压,进入解压后目录执行:9 x6 g& K- y+ N7 I' d1 H; R
# @4 ^: `$ U6 l- n- ]; H
./autogen.sh
& G- X: Q* n6 e# {. N9 \: l1 x./configure --enable-standalone-module --disable-mlogc
1 o* ~4 B1 e5 a4 K! ^; Dmake . T+ m) n, N2 U! p" a
三.nginx添加modsecurity模块8 ~6 b% e: s5 \9 K: d; ~$ M8 \
. K2 c# U* n' m在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
6 d# {% v5 f4 b% w6 G- H7 j& N' t7 `+ x, E# r6 u* Q6 Z
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
5 {. u7 J2 [( j, S" smake && make install7 m# c+ F7 H- _8 Y5 \ I% }
四.添加规则3 N( |) k4 O: I# x. G
) B: {+ \0 m4 v* A. _, n7 V5 ~4 L
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。* e U3 a5 ]1 U2 M! F' o
" j4 R/ `, t# o4 Q* g' m( l
1.下载OWASP规则:1 z! R3 y0 l2 f
% U" Q% U2 p) ]5 _" t; Y* D2 M$ C
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
8 F! T: h, \2 y0 A: o1 `+ Y7 H* z( t& F
mv owasp-modsecurity-crs /opt/tengine/conf/
- F2 X. L# ~4 h
' J* i' j" k9 \! N3 e' Zcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf+ Y z) Y/ X9 w- r- k! O
2.启用OWASP规则:" H; m% Y! t( I) s [
+ f4 ^$ B; {) S) q( v2 T1 u复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
1 Q7 d& O0 w0 y% r
( X8 W5 C# r9 R" l4 U' @; R编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
* Q1 {0 E# `- I+ m- L6 i* d5 } W
4 M6 O1 B L+ o1 i3 I. kowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
1 l6 g1 d( V2 @) v5 ~5 R/ x1 ] }+ x$ l0 F) e
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf& G" H) v6 e0 @5 ~
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
5 i6 Q0 Q4 @5 VInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
) A) E, Y, o0 d! Z: eInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
( z4 l6 L% j" q5 D* mInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
- J, x2 ~% E ~# o8 `0 mInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
" j' E6 {. p# h* ]. N7 c3 H8 `; NInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf9 a- r3 V% f; N
五.配置nginx c9 g3 M9 ^+ _4 c
) V3 p) m5 N' P! U" H8 f6 _
在需要启用modsecurity的主机的location下面加入下面两行即可:
, \/ s+ r; G: c$ \0 h2 g+ O% I8 }1 g
ModSecurityEnabled on; $ ~0 f/ z$ ]* r, x5 h6 a) G
ModSecurityConfig modsecurity.conf;( C+ x) e1 l, H6 }0 P( k8 q. G
下面是两个示例配置,php虚拟主机:
* z z C1 ~8 W: r* b
9 Z+ \+ V" L, j Vserver {
& D, f) y/ ^& p. M7 W( s* K! G listen 80;' f8 i y1 W* m9 P4 ?; T
server_name 52os.net www.52os.net; Q0 u$ ~4 Q8 A
! I3 b! r$ u$ @; y# E
location ~ \.php$ {( T3 n, @8 i+ K" ^: U
ModSecurityEnabled on; 1 B0 _* ]0 t7 B2 ]! A2 i7 h
ModSecurityConfig modsecurity.conf;0 a" m% `* B; ], D
$ x( y+ g5 j; ~# @' b root /web/wordpress;& ^' t! o4 E4 u" _ n& \
index index.php index.html index.htm;
4 N! A7 Z8 e$ o9 x ( {" f- w! j! W R
fastcgi_pass 127.0.0.1:9000;
6 q* x; ^0 `7 C8 c% g' C$ u fastcgi_index index.php;
! p$ a: q9 s+ z @% C fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;7 L: @- g2 `7 c6 o) v
include fastcgi_params;: c( [) s k9 P* T: Z
}* n% C% J# b; h2 }5 p% B% j ?
}2 ]" ~. t$ [1 u1 D4 R2 v
upstream负载均衡:
5 F4 u, d& V' K2 s& b( B: U- n4 E& {
) H5 ?. [' E nupstream 52os.net {
- a, A: V2 k9 N( P8 s server 192.168.1.100:8080;
6 B$ z) g& n! r6 O( a: T% J3 y# | server 192.168.1.101:8080 backup;5 @; W5 h7 d3 I% E' w* r- i3 K
}9 ~2 X) X9 p% q( p) r% h
5 |% }+ t/ m+ L' e$ O \$ u G4 P
server {
& b/ r3 q0 ~" G! U/ t' x# j- D* rlisten 80;% |7 ]/ K; E9 _3 n4 N' Z& O% V
server_name 52os.net www.52os.net;
2 _* u$ \" F4 k* x6 T. `" D, h/ U; N
location / {
) Q' n3 I5 I- E7 y2 p3 ` ModSecurityEnabled on; ; S* F" V( Q) _
ModSecurityConfig modsecurity.conf; 5 |2 x3 h( \1 ^5 N" m# C# V
3 s, Z8 s! ^5 U2 n& `$ e0 v2 M
proxy_pass http://online;
1 N2 l S# W l9 X H/ O proxy_redirect off;' W% j( {+ g- c5 _; N- V
proxy_set_header Host $host;+ F* m% h( j' `- i' `
proxy_set_header X-Real-IP $remote_addr;0 ]2 p* s+ `3 t8 R* Y
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;& d1 ^3 c3 g. i3 J' J* O! b
}
; l1 \' c: Y1 j}" y1 x- O9 p$ n/ T
六.测试
0 a% g9 b: M+ R; Y% k5 g" P0 Z/ L! [& C' w8 p8 x" s' U
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
6 V* Z0 P( S# _% T# y
4 N. P, R1 e; X0 t1 X _5 A<?php- r& m* ^" F9 @; Z) I, {. y
phpinfo();
6 `4 P# @8 V8 A+ r2 A8 a; ~$ V) ]?>
( C. c$ C' J# T$ P% W5 \在浏览器中访问:& C/ ?' y" Z# ^" U) q! h- j w, t
8 F! u' ~2 b' m# Khttp://www.52os.net/phpinfo.php?id=1 正常显示。
* v/ z, v8 N" n& whttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
/ ]5 Z& X7 V% H' ]1 R* Y8 |http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。( B/ c& }7 [* e% G4 t# \
说明sql注入和xss已经被过滤了
6 u# ~9 k5 \8 T9 A8 P0 x* Y6 w4 O9 X2 U' h5 ~" O. H- p8 P$ m$ }
七、安装过程中排错7 W# o) i, ^, _6 `0 E, O a) w: n6 Y; h
8 x+ L! Z) ]" H- r$ o2 c1.缺少APXS会报错
/ e7 d8 s0 F; Y
# k5 k0 P; d) t, L4 Z2 O7 M& Lconfigure: looking for Apache module support via DSO through APXS
1 E/ s2 C: z. Y4 D) ~ f# hconfigure: error: couldn't find APXS
$ ]- o& M: D% xapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。 d; S! j, Q' `, r$ ^! W, H, y' j
解决方法:
& {8 i; `: r; N4 U: w* ^
- F7 c# u, J4 r( L1 M! l6 v7 Myum install httpd-devel
" m# \0 p( l. K, G$ l2.没有pcre5 U3 A- ^$ p4 A- g6 ^
9 @4 F, a/ L% m5 [! t( M
configure: *** pcre library not found.9 F7 g$ E; D- |8 Z0 ~% Z
configure: error: pcre library is required$ V# t$ S) `9 f! R5 A
解决方法:" S7 M, @0 m. E& u( f# d! b
7 M, q: Q0 {0 u6 q( L/ nyum install pcre pcre-devel
$ Z$ Y9 e2 ~/ |; R& o1 q3.没有libxml2 V! \" X1 h; ^0 M* R$ u8 S3 e$ q
6 `( C6 B$ e# m- W
" S4 L! |+ J. U& d0 j% p
configure: *** xml library not found.; }2 M% ^- X K3 k0 H: O5 ]6 J* D5 S
configure: error: libxml2 is required. Y, R& u9 n6 i# [
解决方法:7 m& Y! o, H3 e/ D9 r" F
* _0 _9 U# ]& c, b( A% xyum install libxml2 libxml2-devel$ K$ q `+ e+ {1 @; }
4.执行 /opt/tengine/sbin/nginx -m 时有警告$ Y6 X# {& j; t9 Q* X
. ]+ Z9 x5 H; n* i8 ]* C2 _
Tengine version: Tengine/2.1.0 (nginx/1.6.2), f& j$ w& @$ I; u* p/ L3 M
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
# w- Z5 R2 f" s* j: Z; b原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
% U; E+ B9 }( K
) h1 o; E. a3 t( B# ^2 ~5 {' h2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.' i" W( @- |6 y5 N
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2 Y; ~1 b" {1 o. M2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!/ ?/ P, f9 e! d7 ]' v
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2 f, [+ |9 {/ U) B" |3 r" u: e2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
+ z, V9 o6 J- C7 o8 B2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.9 w; f { j- ]% ^* z
解决方法,移除低版本的APR (1.3.9)/ X+ i. H7 g: B2 \" h
: _: K5 q1 X4 P! ?# i3 |6 @yum remove apr
X4 R: S& U. ]6 p* Y f. O( F% a5.Error.log中有: Audit log: Failed to lock global mutex9 C. M( V0 e. f$ D
* \+ A( m# I* T" |; l! s3 F* |: i
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 0 t6 u/ b$ Z8 U' _
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]3 Z( F! P2 N$ h. N5 V
解决方法:
( J% o' C5 I5 G- N* t6 d& c编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:( K$ L/ d4 p, f2 z$ i; f! i
7 M3 o O' z& q9 i" b
SecAuditLogDirMode 0777; e+ w% k2 q4 [% j$ C/ ?7 r" F4 A+ i
SecAuditLogFileMode 0550
+ u8 f6 k2 m. z2 O+ }3 N6 U5 t- v' M9 i2 L5 [SecAuditLogStorageDir /var/log/modsecurity
: ~2 _; O7 C, N. ]4 ISecAuditLogType Concurrent" W. F+ t9 a1 i8 q* D4 q
参考文章:* H3 g2 ]2 O: m& z2 _& @# r
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX# u: P% j$ k7 }
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡