ModSecurity was originally an open-source WAF for Apache that can effectively strengthen web security. It now also supports nginx and IIS, and combined with nginx's flexibility and efficiency it can be turned into a production-grade WAF, a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile
Download ModSecurity for nginx, extract it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several rule directories, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need by adding an Include for each rule file, for example:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each host where ModSecurity should be enabled, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, malicious requests are answered directly with 403. Taking the PHP environment as an example, create phpinfo.php with the content:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log will also contain:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614