|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。! y% v ]) q5 L- D
' _: H5 p" i2 h一.准备工作
8 n, _ }0 v! ~' V: V; @1 |$ Z8 D5 w+ ~6 N( R; q4 [6 M5 j- V
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
N, B. n9 N4 s: v$ h6 r/ b( a# Y8 q$ a5 ~
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
( G/ r, q2 n% G0 i) ?$ _$ T7 a/ O0 N7 q) r6 I7 w
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz+ N$ A) D: G3 j# _! e
3 R6 i' ^7 j+ J3 n. k' B: g4 O
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
6 S: P- `- M: b# f" F3 j
( ?; k. R# T. a! Y依赖关系:
8 Y$ C$ e7 w, [tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
" y B$ n2 P+ k
# t: \! ~: o& r2 n$ Z$ tyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
1 z3 {4 L0 ?2 `9 nmodsecurty依赖的包:pcre httpd-devel libxml2 apr! P. \8 @2 p' a: Q9 r3 e
! O/ y( C* S. M' n: ?* o# f1 f0 d
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2 i* b5 ^' e% t( Z1 a二.启用standalone模块并编译
/ Q' M+ ` t) A' Q* @1 t! j. [. [1 i3 s8 z2 m
下载modsecurity for nginx 解压,进入解压后目录执行:
% Q0 n7 e6 p" i3 R( Z; D# I0 |9 R5 x L! Q* t
./autogen.sh6 h! P* u# u. M* n# ~
./configure --enable-standalone-module --disable-mlogc
$ Z6 `5 n" k5 J& Vmake 4 ?; o; |% M" f0 |0 g8 n' D4 x
三.nginx添加modsecurity模块
* P7 ~+ F' r1 m3 A/ n* h( z- Y2 W- \
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块: N( G# b2 U9 ]& z8 ]
0 ^$ j$ F, c; s9 a
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
8 r+ W* d3 _& D/ ~1 i& fmake && make install
) x8 ~( A" e" ^' i- d四.添加规则4 {+ h4 y: I7 G1 G" m" z
8 G- o" ?# U( V; Kmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。2 q* A; D* _% U, K! n' Q
+ q3 {( _/ [0 m }& t
1.下载OWASP规则:
4 n: c! \# B3 h) F
' B7 w5 q; d- Q' j" q; |git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
/ F2 _$ s+ L0 v4 y1 ^1 d8 D, [7 W2 p+ \9 c; H1 E Y$ O6 ]
mv owasp-modsecurity-crs /opt/tengine/conf// E4 e2 Z3 N9 ]2 S, \! B2 @
5 P: `0 T- } K$ j1 Z( K
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
% _) \# d s. ]# I8 j, g2.启用OWASP规则:
% B' p* Y) Y5 N5 _1 f! ?, P! O! [- ?) Y L$ T( M5 _% g0 i k
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
" r; I- z" s! _6 v" \
9 P% F6 {0 H d, `, J9 l1 V) i编辑modsecurity.conf 文件,将SecRuleEngine设置为 on( M6 ^' D9 V! S8 b4 }
2 q7 F- k9 x" G3 k. Y& q% S( }owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
7 @% n( q& q! f( G' B8 Z' u# g3 p% l3 L* y" C8 K3 Y1 P# ~
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
- i, P2 f( r& f$ G' e8 ?Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf& Y( O J2 p8 J6 f/ ?: n5 A
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
( `, B8 B$ f( z" e; EInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf) B9 o7 T* @6 _7 ]! U0 g4 j' q0 Z
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf$ `9 l' e! ]" s" Y, F" c! D
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf# t% `0 m g* r) w3 ]
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf6 s) }' g0 U0 L( a0 @
五.配置nginx; x$ b, ?2 C* V6 J9 S$ T/ r9 e
- S7 r# i3 Y0 J! U3 K
在需要启用modsecurity的主机的location下面加入下面两行即可:
2 I0 X W; `- I( I8 D; e; Z# G/ y1 r
ModSecurityEnabled on; ' _( y: c# @( F3 E; K* w7 K2 D
ModSecurityConfig modsecurity.conf;5 n0 a$ W& C) V) @1 g- u7 |
下面是两个示例配置,php虚拟主机:7 h6 F# `& y% R, }0 [) c
! V" F" W0 b3 ^9 l/ G9 Y4 U: [
server {3 `# J6 W R8 @4 w
listen 80;7 ~& X- Y( E! ~
server_name 52os.net www.52os.net;
2 w, X6 P2 B( t$ }
1 Q' f1 g* j+ H/ K1 g9 G+ i location ~ \.php$ {% i, {3 f" ^ }/ E
ModSecurityEnabled on; . f0 T( f0 n4 K- {
ModSecurityConfig modsecurity.conf;" |5 B* c3 k2 t! z; j" h- X) ?
! ^2 l5 P, }8 l3 Q# k root /web/wordpress;
! R1 i. y. S9 V( n5 Q index index.php index.html index.htm;
2 i7 u5 k. Z. P* F7 e5 S. s9 R
# L' ]5 X; ?5 l Z" P fastcgi_pass 127.0.0.1:9000;
1 U u T8 L( b2 [( {8 C2 N fastcgi_index index.php;- e/ f9 o& y$ [. a
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
/ y; P' R) F: i, X6 |, m5 _ include fastcgi_params;
- e5 ^8 ]6 q9 E' D0 m }& H3 X" }, c: ]
}4 [( ~: N4 O4 u- r. e
upstream负载均衡:
5 X: Y- p/ Y# d5 |! C( B5 N7 H" e
$ E/ T5 U& o+ K7 Y& i3 kupstream 52os.net {
9 s" W( X/ b4 ? V/ F. o% t server 192.168.1.100:8080;
9 u- M8 }8 Z) y7 k" N server 192.168.1.101:8080 backup;
$ ~3 r8 w% _8 L! W8 I& r; ` y1 K}
* m2 e0 j& H0 o0 q
, `+ h8 v3 j& l/ C6 N6 }server {+ \) V* Q- x# Y
listen 80;. q7 S C6 m4 N0 B
server_name 52os.net www.52os.net;
/ `' {% \" @8 m$ ~ E' |$ G" x& x2 u2 w( o9 A* ?& _1 m( ~
location / {
' F* t$ y" m- H* s% h& Q$ h% q7 Z/ Z3 f ModSecurityEnabled on;
* V, w3 K. z5 E% X1 V4 } ModSecurityConfig modsecurity.conf; & K, T `7 q( t# C
* f6 w- u/ G2 D9 ]
proxy_pass http://online;# p% B& k: `+ ?! B# m
proxy_redirect off;5 X! Y. J4 o& o5 G( O+ ^
proxy_set_header Host $host;
+ M1 g4 G% C( O) K9 e1 W) A& k7 P1 p proxy_set_header X-Real-IP $remote_addr;
4 f9 d' y5 \. e) J! O* }; K proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' p+ `: w5 h& [) j" h- v1 z! {
}
3 G) E* V m K} X; [( C# L# j* Y h5 J* B8 r
六.测试( P. Y7 i, c" H# L( m( G
5 y& A- c0 h9 |: F
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:! y5 j# r: b/ O" i6 A
; @$ D6 ]) O& X! c7 {<?php+ s' P* `& r5 ?) ^; E7 w
phpinfo(); 1 y. a0 ]$ t$ k" j. H
?>
; J8 {3 K4 w7 j1 V在浏览器中访问:
. U7 I: _! F' U: O; X; s" { g( U0 W& h1 ~
http://www.52os.net/phpinfo.php?id=1 正常显示。
% G8 a D( n8 n( q' Ihttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
9 `% e R% b7 D( l7 Nhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。' H; h) }, S5 F% A- F3 ]6 p6 k* ?) x) S
说明sql注入和xss已经被过滤了1 a- |9 R u) P, d, Z( j
$ v+ i( k. }$ x- [, ?% F' v1 k七、安装过程中排错
5 c. Q: O8 k! T+ U
/ J& C6 ?& Z/ f3 Y1.缺少APXS会报错
n# g" _" k F% C9 T
% ~' p2 z2 I2 ~( |7 V! a! t+ Oconfigure: looking for Apache module support via DSO through APXS3 `0 l' `) q& Z1 R3 z! I6 e- s2 c
configure: error: couldn't find APXS9 f! T# T$ _5 h0 p- h7 b( p
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
/ y9 s) o2 P0 I' Q9 K! d9 W解决方法:
^" g# ]8 k; Z% o8 j
7 l+ M, k1 p% oyum install httpd-devel
$ C% s$ N4 r' L" k2.没有pcre
% C E+ U7 ]3 X' n- C: g5 o8 @' { F( G% z& q& Z' S2 U, h1 O
configure: *** pcre library not found.% D3 B2 j, o: M( P
configure: error: pcre library is required
# G1 s/ h+ f6 g& X解决方法:
{# y! _* O/ M
/ @; a! m5 Q/ lyum install pcre pcre-devel. x7 ]8 X0 h9 s) x4 q8 B
3.没有libxml27 N9 c0 Y/ G" S
' |' ~: @: w* H# z
8 ~0 g9 R" e4 P% m' H+ M2 E; P% j" o5 rconfigure: *** xml library not found.
& U7 J4 X; J! G" M4 Bconfigure: error: libxml2 is required- ]+ J8 W: Y6 y( _
解决方法:0 Y5 X/ @# R4 `$ N% h* _
4 T- P/ d0 o8 w. T( a* v: |yum install libxml2 libxml2-devel/ O& h4 h0 T" S+ C/ T
4.执行 /opt/tengine/sbin/nginx -m 时有警告
' P( _: [# ~ G- Z0 T' |+ `1 K
" e4 e5 I* C. P6 NTengine version: Tengine/2.1.0 (nginx/1.6.2)0 s R% c+ o+ X% C$ i) l
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!, j5 T6 h# D' i4 G, K; I; q4 _
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
! \+ F. W& L1 }& h. }- T% b- u4 c2 M% x: D
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured. l* }5 {4 f' I3 |9 ?( g
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
! f7 c: _0 Q8 I2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!5 t! A/ x! f# t) v: ]3 Y% C
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
0 [5 K( o) Q: u/ u& S0 d1 P2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"0 G) ~6 d) }' ] e3 q/ J
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
?( J5 f" ?0 q: P9 t解决方法,移除低版本的APR (1.3.9) q: U6 W( O! r& m% c# I
0 |* X, X$ z" L) G; ~# Nyum remove apr7 o! u/ x' r* |7 J) {" ~
5.Error.log中有: Audit log: Failed to lock global mutex
: j I4 k3 I7 j* H( v
5 X. ]1 U/ i' D0 b8 @4 Z2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
3 Y3 I$ J) I" P1 Y( t' pglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
! e7 s- A: z" H$ V, ]3 c' `解决方法:6 a+ u% _( D7 P1 R( c7 {
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
# d+ c" z6 Y3 a5 Z) G6 h# N1 ^. x# { @% y+ o
SecAuditLogDirMode 07772 a2 f2 M8 ^: t5 M3 Y6 j
SecAuditLogFileMode 0550' |% b# p7 V- B1 L0 ?
SecAuditLogStorageDir /var/log/modsecurity
; M! ~1 [% T3 O" O, W0 H R1 b' XSecAuditLogType Concurrent& O1 Y8 |9 G6 \" i
参考文章:" G+ `: c0 [ |/ T0 i0 Y
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX' M+ O4 ^! r0 S. O _7 |/ J
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡