Using nginx with ModSecurity to build a WAF

Posted 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security. It now supports nginx and IIS as well; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

After the standalone build, the ModSecurity module can be added when nginx is compiled by passing "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rule files, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling the corresponding files in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
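A small resolver for the Include chain just configured, added here as an example; it is not code from ModSecurity, the CRS or the original post. It assumes the layout described above (modsecurity.conf in nginx's conf directory, Include paths resolved relative to that directory; wildcards are expanded like a shell glob, which is this script's choice), and the configuration tree it builds is constructed sample input. It lists the rule files that would actually be loaded, reports any Include target that does not exist, and checks the final SecRuleEngine value, because modsecurity.conf-recommended ships with DetectionOnly and the "set it to On" step above is easy to forget.

```python
"""Resolve the Include chain of a ModSecurity 2.x configuration.

Added example for this tutorial, not code from ModSecurity or the CRS.
Assumptions: the top-level file is modsecurity.conf in nginx's conf
directory and relative Include paths are resolved against that directory,
as in the Include lines above.  Wildcards in Include targets are expanded
like a shell glob.
"""
import glob
import os
import re
import tempfile

INCLUDE_RE = re.compile(r'^\s*Include\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)
ENGINE_RE = re.compile(r'^\s*SecRuleEngine\s+(\S+)', re.IGNORECASE)


def resolve_includes(conf_path, base_dir=None, seen=None):
    """Return (loaded, missing, engine) for conf_path and everything it includes.

    loaded/missing are absolute paths in load order; engine is the last
    SecRuleEngine value seen (None if the directive never appears).
    """
    conf_path = os.path.abspath(conf_path)
    base_dir = base_dir or os.path.dirname(conf_path)
    seen = set() if seen is None else seen
    loaded, missing, engine = [], [], None
    if conf_path in seen:            # guard against Include loops
        return loaded, missing, engine
    seen.add(conf_path)
    if not os.path.isfile(conf_path):
        missing.append(conf_path)
        return loaded, missing, engine
    loaded.append(conf_path)
    with open(conf_path, encoding='utf-8') as fh:
        for line in fh:
            m = ENGINE_RE.match(line)
            if m:
                engine = m.group(1)
                continue
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            target = m.group(1)
            if not os.path.isabs(target):
                target = os.path.join(base_dir, target)
            # a target with no match is kept so it is reported as missing
            for path in sorted(glob.glob(target)) or [target]:
                sub_loaded, sub_missing, sub_engine = resolve_includes(path, base_dir, seen)
                loaded += sub_loaded
                missing += sub_missing
                engine = sub_engine if sub_engine is not None else engine
    return loaded, missing, engine


def lint(conf_path):
    """Summarise what the config would load and flag the two common mistakes."""
    loaded, missing, engine = resolve_includes(conf_path)
    findings = []
    if engine is None:
        findings.append('SecRuleEngine is never set; the engine stays Off')
    elif engine.lower() != 'on':
        findings.append(f'SecRuleEngine is {engine}; rules log but do not block')
    findings += [f'Include target not found: {p}' for p in missing]
    return {
        'engine': engine,
        'loaded': [os.path.basename(p) for p in loaded],
        'missing': [os.path.basename(p) for p in missing],
        'findings': findings,
    }


def demo():
    """Lint a constructed config tree (stand-ins, not the real CRS files)."""
    root = tempfile.mkdtemp(prefix='modsec-lint-')
    os.makedirs(os.path.join(root, 'owasp-modsecurity-crs', 'base_rules'))
    files = {
        'modsecurity.conf':
            'SecRuleEngine DetectionOnly\n'   # the shipped default, left unchanged on purpose
            'Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf\n'
            'Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf\n'
            'Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf\n',
        'owasp-modsecurity-crs/modsecurity_crs_10_setup.conf': '# constructed stand-in\n',
        'owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf': '# constructed stand-in\n',
        # the XSS rule file is deliberately absent
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), 'w', encoding='utf-8') as fh:
            fh.write(body)
    return lint(os.path.join(root, 'modsecurity.conf'))


if __name__ == '__main__':
    for finding in demo()['findings']:
        print(finding)
```

Run it against the real /opt/tengine/conf/modsecurity.conf by calling lint() with that path; an empty findings list means every Include resolved and the engine is On.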
V. Configure nginx

Add the following two lines to the location of every host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root  /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

An upstream load-balancing host:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass       http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered with 403 directly. Taking the PHP environment as the example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
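The three probes above are worth scripting so the check can be repeated after every rule change. The script below is an added example, not from the original post; it assumes the site is reachable at the placeholder BASE_URL and that a blocked request is answered with 403, as the text states. The fetch parameter is injectable so the comparison logic can be exercised without a live server. Note that the payloads are percent-encoded before sending: a browser does that for you, but command-line clients generally do not, and a raw space or '<' is not a valid request target.

```python
"""Smoke-test the WAF with the three probe requests from the tutorial.

Added example, not from the original post.  Assumptions: the site is reachable
at BASE_URL (a placeholder; point it at your own host) and a blocked request
is answered with 403, as the text states.
"""
import urllib.error
import urllib.parse
import urllib.request

# (query parameters, expected status) for /phpinfo.php, taken from the text
PROBES = [
    ({'id': '1'}, 200),                                   # benign request passes
    ({'id': '1 and 1=1'}, 403),                           # SQL injection rule
    ({'search': "<script>alert('xss');</script>"}, 403),  # XSS rule
]


def build_url(base_url, path, params):
    """Percent-encode the query; a raw space or '<' is not a valid request target."""
    return '%s/%s?%s' % (base_url.rstrip('/'), path.lstrip('/'), urllib.parse.urlencode(params))


def http_status(url, timeout=5):
    """GET the URL and return the status code; 4xx/5xx arrive as HTTPError."""
    req = urllib.request.Request(url, headers={'User-Agent': 'waf-smoke-test'})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_probes(base_url, probes=PROBES, path='phpinfo.php', fetch=http_status):
    """Return [(url, expected, actual, ok)] for every probe.

    fetch is injectable so the comparison can be exercised offline.
    """
    results = []
    for params, expected in probes:
        url = build_url(base_url, path, params)
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


def verdict(results):
    """True only when every probe behaved as expected."""
    return all(ok for _, _, _, ok in results)


if __name__ == '__main__':
    BASE_URL = 'http://www.52os.net'  # placeholder host from the tutorial
    results = run_probes(BASE_URL)
    for url, expected, actual, ok in results:
        print('PASS' if ok else 'FAIL', 'expected', expected, 'got', actual, url)
    raise SystemExit(0 if verdict(results) else 1)
```

The exit status makes the script usable as a gate in a deployment pipeline: a non-zero exit after a rule-set change means either a rule stopped blocking or the benign request started being blocked.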
VII. Troubleshooting the installation

1. A missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
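To triage these messages without reading error.log by eye, the script below (an added example, not code from the post, ModSecurity or nginx) parses the nginx error-log line format shown in items 4 and 5, pulls out the bracketed ModSecurity fields such as [uri "..."] and [unique_id "..."], and raises a finding for the two conditions discussed above: a compiled/loaded library version mismatch and a failed audit-log mutex lock. The sample input is the log excerpt from this section, with the wrapped mutex line joined back into one line; the startswith comparison used for versions is a heuristic of this script, not ModSecurity's own check.

```python
"""Triage ModSecurity messages in nginx's error.log.

Added example for this tutorial, not code from ModSecurity or nginx.  The
sample below is the log excerpt from the troubleshooting section above
(the mutex line, wrapped on the page, is joined into one line).
"""
import re

SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# nginx error-log line: date time [level] pid#tid: message
LINE_RE = re.compile(r'^(\S+ \S+) \[(\w+)\] (\d+)#\d+: (.*)$')
# ModSecurity appends context as [key "value"] pairs
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
VERSION_RE = re.compile(
    r'ModSecurity: (\w+) compiled version="([^"]*)"(?:; loaded version="([^"]*)")?')


def parse_line(line):
    """Return a dict for one error-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, level, pid, msg = m.groups()
    client = CLIENT_RE.search(msg)
    return {
        'time': ts,
        'level': level,
        'pid': int(pid),
        'client': client.group(1) if client else None,
        'fields': dict(FIELD_RE.findall(msg)),
        'msg': msg,
    }


def triage(log_text):
    """Parse a log excerpt and return records, per-level counts and findings."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    findings = []
    for rec in records:
        v = VERSION_RE.search(rec['msg'])
        if v and v.group(3) is not None:
            lib, compiled, loaded = v.group(1), v.group(2).strip(), v.group(3).strip()
            # heuristic: treat "7.8" and "7.8 2008-09-05" as the same release;
            # ModSecurity's own comparison is not reproduced here
            if not loaded.startswith(compiled):
                findings.append(f'{lib} version mismatch: compiled {compiled}, loaded {loaded}')
        if 'Failed to lock global mutex' in rec['msg']:
            findings.append('audit log mutex lock failed for uri %s: check SecAuditLogStorageDir and its modes'
                            % rec['fields'].get('uri'))
    by_level = {}
    for rec in records:
        by_level[rec['level']] = by_level.get(rec['level'], 0) + 1
    return {'records': records, 'by_level': by_level, 'findings': findings}


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    print(result['by_level'])
    for f in result['findings']:
        print('FINDING:', f)
```

Feed it the real file with triage(open('/opt/tengine/logs/error.log').read()) and the same two findings will surface if either problem recurs after an upgrade. On the mutex fix above: SecAuditLogDirMode 0777 makes every audit-log directory world-writable, so once the setup works it is worth testing a directory owned by the user the nginx workers run as, with a tighter mode.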
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614