|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。) D# c( |( l0 K5 G2 S5 L+ A
n7 O4 t2 x7 @) }. f; g
一.准备工作/ A! i: F* t7 n3 ]2 C1 U
% e% @5 z6 }' A5 G! t/ q系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
/ q4 ~( [0 s( k8 I- _. Y- n% N: x& q7 d: T
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz! u4 v+ U- ?0 l, l
( H8 l. K6 C. A( Xmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz, v2 R) D$ j) V+ L
& o+ b7 B- J D3 U# ?% A$ R& V3 {/ H
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs6 o/ N5 Q1 Y# Q/ [
$ j9 \+ A n9 m依赖关系:
" r% J4 q; D) Ztengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
5 d' k% o. F6 |9 ^0 k/ `. G& @4 o1 T* X M" a# |: b
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel' H2 e8 r7 |+ F; [1 S
modsecurty依赖的包:pcre httpd-devel libxml2 apr
$ Y# H* p, B j7 X; q* Q6 ?4 K
- I/ p" v* T" N+ i6 S1 Ayum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
) d$ V4 P0 J" [1 L: ^二.启用standalone模块并编译
! R; D) n% H) k8 E: o
0 A# \7 i# N, z& P. r- {3 Z2 I下载modsecurity for nginx 解压,进入解压后目录执行:5 F& C! e p+ c
( ?1 n: r6 y7 H" H3 v
./autogen.sh
7 |$ \( A, _/ F) c./configure --enable-standalone-module --disable-mlogc
8 M% ?$ o1 M r/ h j; tmake
# R5 u+ t8 e3 ` Y/ v三.nginx添加modsecurity模块
4 r e/ l8 ~3 g) F3 U c/ l# _! K- z |% l0 k4 [2 F/ B% r2 I
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:: m+ d, V! H4 D2 g( ~, I' P ]" {
$ ^$ G& v1 J; @6 q$ q& j
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine$ b: c+ ~9 f! n
make && make install- h' ^! z7 q/ ?% v9 I6 M: i5 q
四.添加规则. M: p+ @4 M5 r8 Q/ |
! S( r- n$ H b0 A6 v* ?* X
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。; O( q, x' g. f
+ i! \7 V. S4 Q9 U4 p7 \1.下载OWASP规则:
9 d, O7 l: u0 N
K- i3 A) k: d, I$ |. u1 |+ x. Ogit clone https://github.com/SpiderLabs/owasp-modsecurity-crs& s, R2 P; v8 y- E8 T3 R& n
) q$ }) K# K6 V( A: Wmv owasp-modsecurity-crs /opt/tengine/conf/ X9 U4 u, d2 U2 X' U- ^
. i& Y; I0 ?& x% r! n( n8 tcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf6 \. d) a: _5 N0 x
2.启用OWASP规则:8 r5 y1 [5 l2 t: L8 x
0 g/ P+ y. G* H6 m/ [5 c) s复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
* D" B; {" p; p8 c
, C" ]. V2 v# W' P编辑modsecurity.conf 文件,将SecRuleEngine设置为 on' R1 K% E9 y( T( }+ B
, }* _% \' P C6 G# X# ?6 yowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
1 @4 h4 U F7 Y+ f) F
1 i/ O3 s" c7 C% h; TInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf& m' F5 ]5 S% E4 F$ Y& n$ L: Y
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf7 J7 v. I9 E `, J+ W3 } G
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
) o6 H: }' h0 k- @5 h: [Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
5 q* T) f0 j9 |1 }Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf/ b0 X l- [4 F; C7 A+ f
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
7 ]7 b- l& ^3 }" v- T. m0 b, s* u$ ^3 h; XInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf# O: Y& l+ q2 a4 u; p7 H
五.配置nginx
% [/ J8 E* I" V5 W9 w; E" j) H# M+ V% p, w# C) S8 c; \" d3 ]
在需要启用modsecurity的主机的location下面加入下面两行即可:
% Q5 }8 [+ u$ F ~/ P; f l. f- a0 i, C/ I8 C
ModSecurityEnabled on; " o; W* O7 P9 t5 i
ModSecurityConfig modsecurity.conf;7 d3 M l! g0 C' d ?- F4 {5 P" {6 Q
下面是两个示例配置,php虚拟主机:
2 |; `. V9 u( y. R8 ~0 G+ z3 x8 s" t" M6 X- {; Z
server {
0 N, N5 e6 ?" x; O9 H, w Y, ? listen 80;
y+ V- `! K/ Q server_name 52os.net www.52os.net;1 ~2 y2 ?4 {# ]+ @" {5 N" S
3 w' |* q# r1 L5 H' Q( K
location ~ \.php$ {/ u, ?9 s! z3 a- }
ModSecurityEnabled on; ( Y1 d) _4 n! u) C; X
ModSecurityConfig modsecurity.conf;
, c/ w+ Q5 w+ k8 ?' \4 Y8 P5 J; N b' ]8 h
root /web/wordpress;( |, I. c: b+ P
index index.php index.html index.htm;
# T- B5 S# n" Y& O) M _! K% t: W 8 |3 b) }, e, \! w+ @: x
fastcgi_pass 127.0.0.1:9000;$ u8 P7 i" I5 U7 X I9 [
fastcgi_index index.php;9 Q" @$ M. [3 F' U
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;) S2 @2 y8 x0 k8 Q
include fastcgi_params;# B3 `: E: Q% D0 H7 F/ L
}
- c) d# H, Z0 K4 J }. f* u2 Q5 ~7 I" N
upstream负载均衡:) w, P8 X5 [% O7 [/ n
( n2 m- D9 D0 A# Tupstream 52os.net {
. X6 }; N' Q3 }+ f server 192.168.1.100:8080;: p4 W" }9 L$ W o7 f; E
server 192.168.1.101:8080 backup;
2 Y7 j8 U$ \1 l3 H}
8 U4 w; o$ C1 T t' ?: o& P; }) I2 U( K; ^
server {3 r2 C% F8 u5 \9 K
listen 80;+ R/ k6 B; K' j
server_name 52os.net www.52os.net;
' G) N5 D( A4 w! w3 f% |( \8 j) \7 S1 f
location / { M( P( u6 K( m! R0 E, c0 k
ModSecurityEnabled on; ! S+ c+ n( c5 t: [
ModSecurityConfig modsecurity.conf; * e3 N+ Q! L. p
4 Y0 p9 n& U/ S8 U3 q! `4 m) F a proxy_pass http://online;) o# |' a& U. s9 l4 u
proxy_redirect off;
* ~& Z0 b$ j. A- r. w* b4 N: J proxy_set_header Host $host;* C& i; Q: e Z& S" @$ [' M
proxy_set_header X-Real-IP $remote_addr;* Y W1 V( R, ?% }: j
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; t8 E7 q, S& m; }/ q( @+ `3 {
}3 C$ p' z; o7 ~
}
) E3 m2 |( {6 J. c六.测试
7 G; F% p( M+ k& W( u& {7 B ^9 K+ C2 c) ~( L5 N2 F V3 f# ^6 T
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
! a$ L7 U& s( l
4 ?* Z1 y9 h" q8 f9 P6 R/ \+ _$ W N<?php
& n0 T% }1 \# l2 J: q& b& Z& m phpinfo(); 4 M. |( m4 P' U% V
?>4 A# s$ r* e( z+ @. P
在浏览器中访问:
0 c6 M/ `- x% C" C( W+ L
9 |' ?+ K& S4 {: i8 X$ T& l; r+ bhttp://www.52os.net/phpinfo.php?id=1 正常显示。4 L) }" t2 \( V/ ?/ F8 [! V
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
8 ]4 h0 B* t( thttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。9 U" S5 t5 u T0 v h
说明sql注入和xss已经被过滤了, K) }+ o. u/ d" d/ {
$ B* q _1 v m q七、安装过程中排错7 I$ e3 X& f1 B4 f3 T
9 e i# A H5 S! O- G
1.缺少APXS会报错
& H$ @, q6 w" C/ `5 P6 @ y. H- { L, ?) A5 Q7 Z3 M+ J( U3 j
configure: looking for Apache module support via DSO through APXS
A0 F9 q7 W [: ^! ^7 k% wconfigure: error: couldn't find APXS
Z9 [. J# D4 M0 i6 p6 R8 B. Mapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。: Y4 E7 i' a, g+ n
解决方法:6 ]0 T- ~$ @7 Z! Q3 P X" P- S5 b
: ?$ g0 w+ t, [; x/ F# t
yum install httpd-devel/ Y L+ s, a0 k( k, b* R
2.没有pcre
, Z5 e" i# s9 [8 _* a0 }: U! ]& s+ H: ?% K' e
configure: *** pcre library not found.- p! r* x" s& q0 x5 l. i! l7 V
configure: error: pcre library is required, b* @: i! l4 ^! a
解决方法:1 Z+ D8 }" G; [: ^# n" x
& Y* P( s6 K/ Z. b$ b) qyum install pcre pcre-devel
9 B( m+ m4 b% S; F$ l3.没有libxml2
o; {/ u" c7 T' h' y3 o* ?3 \0 w
' @8 l& c Y' s/ u% Q b1 H3 u+ M; i' H% O
configure: *** xml library not found.
4 ?- w4 k. [) ~; |$ Q2 v2 v7 Sconfigure: error: libxml2 is required7 X% z2 t0 P1 h/ V
解决方法:3 T: k/ }4 ?* Q" t
7 s+ a8 u# d$ y4 w, @& D5 n
yum install libxml2 libxml2-devel
+ H: \6 w u5 P# C. M, r9 a4.执行 /opt/tengine/sbin/nginx -m 时有警告1 w y! O% p1 f+ X; t( k
8 e) n9 k* o) \
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
" }1 [$ l/ J- D5 dnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
: t. H& q6 K# l# ^; a3 n原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
" x* s% L. w$ N1 V4 m8 H) |; P% S6 u( Y$ W
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.* F! U. s/ |! f( P8 B* G5 H' m* p
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"2 @; G: X0 ~: K; I, N: O
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
- N. x4 v. _) z" |2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
+ X3 u, q" F% h& N* l0 l$ o2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"' {1 [ G/ R1 C3 ~7 D* h! L
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.) U- z' c5 T6 T/ B5 h1 H6 t+ `
解决方法,移除低版本的APR (1.3.9)$ g. l( E7 a7 S7 i& c
; l! H4 D3 d* [2 p2 C& @yum remove apr
* T3 P. ~+ y0 f4 E0 ]7 k1 ]+ V5.Error.log中有: Audit log: Failed to lock global mutex
8 h4 E1 F$ K. _# N' s
2 H5 r; J* L3 N, B- H% g2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 3 p5 A* \2 T" f9 s1 a( C
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
; ?4 ^! ?: z1 A! R) F N解决方法:% b' l5 ~; g9 s! w4 _7 E; {
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:/ @. R: I+ H% w* t# z# j1 a
: v# p2 @+ X5 c. E- o4 OSecAuditLogDirMode 07778 E4 H4 b4 }; H# i6 _3 Z- Y
SecAuditLogFileMode 0550' |4 h4 j- J/ |, N1 p: s% p" h
SecAuditLogStorageDir /var/log/modsecurity1 y. E- ~! {; K9 d
SecAuditLogType Concurrent* ?& c8 s; H5 k% C4 n# b
参考文章:3 d; y7 e! j( h
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX! r# p* b, S4 z0 ~
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡