ModSecurity began life as an open-source WAF for Apache and is an effective way to harden a web application; it now also supports nginx and IIS. Paired with nginx's flexibility and performance it can be turned into a production-grade WAF and is a powerful tool for both protecting and auditing web traffic.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 base repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

--disable-mlogc leaves out mlogc, the remote audit-log shipper, which would otherwise pull in a libcurl dependency that this setup does not need.
III. Add the ModSecurity module to nginx

Once the standalone module is built, pass its nginx/modsecurity directory to Tengine's configure with --add-module (the path below assumes the ModSecurity source was unpacked under /root; adjust it to where you unpacked it):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block dangerous web traffic, and its strength lies in its rules. The OWASP rule set, maintained by community volunteers and known as the Core Rule Set (CRS), is reliable and comprehensive; you can of course also write your own rules for specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which only logs matches; on a site with real traffic it is worth running in DetectionOnly first and reviewing the audit log for false positives before switching to On.

owasp-modsecurity-crs contains several rule directories, e.g. base_rules, experimental_rules, optional_rules and slr_rules. (This layout is the CRS 2.2.x line, which is what the repository's master branch held at the time; the current default branch is CRS 3, with a crs-setup.conf.example and a single rules/ directory, so check out a 2.2.x tag if you want to follow these paths exactly.) Enable the rules you need by adding Include lines for them to modsecurity.conf; the setup file must come first, since it defines the default action and the variables the rule files rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
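The two edits above (set SecRuleEngine, append the Include lines) can be generated from modsecurity.conf-recommended and sanity-checked before nginx is reloaded. This is an added example, not from the article or the ModSecurity project: the rule file list is the one above, the CRS directory is placed next to modsecurity.conf as the article does, and the function names, the mode argument and the sample file used in the test are ours.

```shell
#!/bin/sh
# Added example: derive modsecurity.conf from modsecurity.conf-recommended and check it.
# The Include paths are relative to the directory modsecurity.conf lives in (the article
# puts owasp-modsecurity-crs next to it under /opt/tengine/conf).
set -eu

CRS_DIR=owasp-modsecurity-crs

# Setup file first: it defines SecDefaultAction and the tx.* variables the rules use.
CRS_RULES="
modsecurity_crs_10_setup.conf
base_rules/modsecurity_crs_41_sql_injection_attacks.conf
base_rules/modsecurity_crs_41_xss_attacks.conf
base_rules/modsecurity_crs_40_generic_attacks.conf
experimental_rules/modsecurity_crs_11_dos_protection.conf
experimental_rules/modsecurity_crs_11_brute_force.conf
optional_rules/modsecurity_crs_16_session_hijacking.conf
"

# render_modsec_conf RECOMMENDED_FILE MODE [CRS_DIR]
# Prints modsecurity.conf: the recommended file with its SecRuleEngine line set to MODE
# (DetectionOnly = log only, On = block) followed by the CRS Include lines.
render_modsec_conf() {
    rec=$1; mode=$2; dir=${3:-$CRS_DIR}
    case "$mode" in
        On|DetectionOnly|Off) ;;
        *) echo "render_modsec_conf: bad SecRuleEngine mode '$mode'" >&2; return 1 ;;
    esac
    sed "s/^[[:space:]]*SecRuleEngine[[:space:]].*/SecRuleEngine $mode/" "$rec"
    printf '\n# OWASP CRS rules\n'
    for f in $CRS_RULES; do
        printf 'Include %s/%s\n' "$dir" "$f"
    done
}

# check_modsec_conf CONF: exactly one SecRuleEngine directive, and every Include target
# exists relative to CONF's directory. Returns 1 (with a message on stderr) on any problem.
check_modsec_conf() {
    conf=$1; confdir=$(dirname "$conf")
    n=$(grep -c '^SecRuleEngine ' "$conf") || true
    if [ "$n" -ne 1 ]; then
        echo "$conf: expected one SecRuleEngine line, found $n" >&2; return 1
    fi
    grep '^Include ' "$conf" | while read -r _kw path; do
        [ -f "$confdir/$path" ] || { echo "$conf: missing rule file $confdir/$path" >&2; exit 1; }
    done
}
```

Typical use from /opt/tengine/conf: `render_modsec_conf modsecurity.conf-recommended DetectionOnly > modsecurity.conf && check_modsec_conf modsecurity.conf`, then rerun with `On` once the audit log has been reviewed. A missing rule file otherwise only surfaces as a failed `nginx -t` after the config has been edited in place.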
V. Configure nginx

In each location of each virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. Note that nginx variable names are case-sensitive, so the FastCGI parameter must use $document_root, and proxy_pass must name the upstream block that is actually defined. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Only the PHP location is inspected here; requests that do not match \.php$ bypass the WAF, which is fine for static files but worth remembering if other dynamic handlers are added later. An upstream load balancer:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are denied with a 403 (the deny default action set in modsecurity_crs_10_setup.conf; with SecRuleEngine DetectionOnly the same requests would be logged but allowed through). Taking the PHP setup as the example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then open these in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This confirms that the SQL injection and XSS attempts are being filtered. Remove phpinfo.php once you are done: it discloses the PHP build, loaded modules and environment to anyone who can reach it.
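The same three checks as a script, so the WAF can be re-verified with curl after every rule change rather than by hand in a browser. This is an added example, not from the article: the URLs and expected status codes are the ones above (with the attack strings URL-encoded so curl sends them unchanged); BASE_URL, the helper names and the run argument are ours. waf_fetch is the only function that touches the network, which keeps the pass/fail logic testable offline.

```shell
#!/bin/sh
# Added example: curl smoke test for the ModSecurity setup described in section VI.
set -eu

BASE_URL=${BASE_URL:-http://www.52os.net}   # assumption: override for your host

# waf_fetch URL: prints only the HTTP status code (curl prints 000 if the connection fails).
# Deliberately a separate function so it can be replaced with a stub for offline tests.
waf_fetch() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# expect_status URL EXPECTED: prints a PASS/FAIL line, returns 0 on PASS and 1 on FAIL.
expect_status() {
    url=$1; want=$2
    got=$(waf_fetch "$url")
    if [ "$got" = "$want" ]; then
        printf 'PASS %s -> %s\n' "$url" "$got"
    else
        printf 'FAIL %s -> %s (expected %s)\n' "$url" "$got" "$want"
        return 1
    fi
}

# One benign request that must reach the backend, and the article's two attack strings,
# which must be denied. Returns non-zero if any check fails (usable from a deploy pipeline).
run_waf_checks() {
    fails=0
    expect_status "$BASE_URL/phpinfo.php?id=1" 200 || fails=$((fails+1))
    expect_status "$BASE_URL/phpinfo.php?id=1%20and%201%3D1" 403 || fails=$((fails+1))
    expect_status "$BASE_URL/phpinfo.php?search=%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E" 403 || fails=$((fails+1))
    echo "$fails failing check(s)"
    [ "$fails" -eq 0 ]
}

if [ "${1:-}" = run ]; then
    run_waf_checks
fi
```

The benign request is as important as the two attacks: a WAF that returns 403 for everything would pass a test that only sends payloads.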
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when only the standalone module is being built.
Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that only the version the module was built against is on the library path (yum will also remove packages that depend on it, so check the transaction summary first):

yum remove apr

The warning should not be left in place: the headers used at build time and the shared library loaded at runtime must come from the same APR release, and a mismatch can cause subtle runtime failures rather than just a noisy log line. The PCRE lines are fine; "7.8 " versus "7.8 2008-09-05" is the same release, the loaded string simply carries a build date.
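The compiled/loaded notices quoted above are easy to miss among the other startup messages, so here is an added check (not from the article or the ModSecurity project) that pulls them out of error.log and reports any library whose two versions differ, comparing only the version number so the PCRE build date does not produce a false alarm. The function name is ours; the log format is the one quoted above, and the log path in the usage note is nginx's default under the /opt/tengine prefix.

```shell
#!/bin/sh
# Added example: flag "compiled version" != "loaded version" notices in ModSecurity's startup log.
set -eu

# lib_version_mismatches LOGFILE
# Prints "LIB compiled=X loaded=Y" for every mismatching library; returns 1 if there was one.
lib_version_mismatches() {
    awk '
        /ModSecurity: [A-Z]+ compiled version=/ {
            if ($0 !~ /loaded version=/) next     # e.g. LIBXML reports only a compiled version
            lib = $0; sub(/.*ModSecurity: /, "", lib); sub(/ compiled.*/, "", lib)
            c = $0; sub(/.*compiled version="/, "", c); sub(/".*/, "", c)
            l = $0; sub(/.*loaded version="/, "", l); sub(/".*/, "", l)
            # "7.8 " vs "7.8 2008-09-05": keep only the version number before any blank
            sub(/[[:space:]].*/, "", c); sub(/[[:space:]].*/, "", l)
            if (c != l) { printf "%s compiled=%s loaded=%s\n", lib, c, l; bad = 1 }
        }
        END { if (bad) exit 1 }
    ' "$1"
}
```

Run `lib_version_mismatches /opt/tengine/logs/error.log` after each restart; on the log quoted above it prints `APR compiled=1.5.0 loaded=1.3.9` and exits 1, and it prints nothing for the PCRE line.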
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent mode writes one file per transaction under SecAuditLogStorageDir instead of appending to a single shared log under a lock, so the worker processes no longer need the mutex. 0777 makes the audit directory world-writable, though; since the entries are written by the nginx worker user, a tighter choice is to create /var/log/modsecurity owned by that user with a mode such as 0750. Audit logs carry full requests and responses, including credentials and session cookies, so keep them readable only by the people who need them.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614