ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application. It now also supports Nginx and IIS; combined with Nginx's flexibility and performance it can be built into a production-grade WAF, and it is a strong tool for both protecting and auditing web traffic.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (Nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 base repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for Nginx, unpack it, cd into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

There is no make install at this step: the standalone build only produces the objects that the Nginx build links in next.
III. Add the ModSecurity module to Nginx

Once the standalone build has finished, pass the module to the Nginx build with "--add-module" (the path below assumes the ModSecurity source was unpacked under /root):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is designed to filter and block dangerous web requests, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can also write custom rules to cover your own requirements.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into Nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches without blocking; it is worth running in that mode against real traffic first to catch false positives before switching to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines to modsecurity.conf (paths are relative to the Nginx conf directory, and the 10_setup file must come first because the rule files depend on the variables it defines):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure Nginx

In each location block that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Only requests that hit a location carrying these directives are inspected, so make sure every entry point you care about is covered. Two example configurations follow. First, a PHP virtual host (here only the .php requests pass through the WAF; static files served elsewhere do not):

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, an upstream load balancer (the name in proxy_pass must match the upstream block):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are rejected with 403. Taking the PHP environment as an example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. Remove phpinfo.php once you are done: it discloses the server configuration to anyone who can reach it.
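The three browser checks above can be turned into a repeatable smoke test that runs after every rule or configuration change. The following is an added example, not code from the original article or from ModSecurity: it sends the same benign, SQL-injection and XSS probes with the Python standard library and compares the status codes with what the WAF is expected to return. The base URL, the User-Agent string and the expected-status table are assumptions to adjust for your own host. The one detail to get right is that urllib raises HTTPError on a 403, which here is the desired outcome rather than an error.

```python
"""Smoke test for the ModSecurity/Tengine WAF set up above (added example)."""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed test table: (path, query parameters, expected HTTP status).
# The first request is benign; the other two are the probes from the article
# and must be blocked by the CRS SQLi and XSS rules.
CASES = [
    ("/phpinfo.php", {"id": "1"}, 200),
    ("/phpinfo.php", {"id": "1 and 1=1"}, 403),
    ("/phpinfo.php", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base, path, params):
    """Percent-encode the query so the payload reaches the WAF intact.
    A browser does this silently; a hand-typed curl command must do it too."""
    return f"{base.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"


def fetch_status(url, timeout=5):
    """Return the HTTP status code for url.
    urllib raises HTTPError for 4xx/5xx; a 403 from the WAF is exactly what
    we want to observe, so the exception is turned back into a status code."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run(base):
    """Run every case; return a list of (url, expected, actual, passed)."""
    results = []
    for path, params, expected in CASES:
        url = build_url(base, path, params)
        actual = fetch_status(url)
        results.append((url, expected, actual, actual == expected))
    return results


def summarize(results):
    """True only if every case matched: a bypass (403 expected, 200 seen) and a
    false positive (200 expected, 403 seen) both count as failures."""
    return all(r[3] for r in results)


if __name__ == "__main__":
    base_url = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net"
    res = run(base_url)
    for u, exp, act, ok in res:
        print("PASS" if ok else "FAIL", f"expected={exp}", f"got={act}", u)
    sys.exit(0 if summarize(res) else 1)
```

Run it as python3 waf_smoke.py http://www.52os.net. While SecRuleEngine is still DetectionOnly the two probes come back 200 and the script exits non-zero, which is a useful reminder that the engine is logging but not yet blocking.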
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even for the standalone build.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Note that yum removes every package that depends on apr (apr-util, httpd-devel and so on) in the same transaction, so review the list before confirming, and make sure the APR left on the system is the one ModSecurity was built against.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
The default Serial audit log writes every entry to one file guarded by a global mutex; the mutex is created by the root master process and the worker processes, which run as the unprivileged nginx user, cannot lock it. Switch to Concurrent mode, which writes each transaction to its own file. Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

SecAuditLogDirMode 0777 makes the audit directory world-writable, which lets any local user plant or delete audit records. The safer option is to create /var/log/modsecurity owned by the worker user and use a mode such as 0750 instead.
9 b, _# c- y* Q2 I. ~参考文章:
% U" {# P* h" d4 H. xhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX, ~8 x: V* U! P; K
http://drops.wooyun.org/tips/2614 |
|