|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。8 M# x4 ^, y9 |/ V8 [4 k6 g
5 ~" j6 A3 ?/ _! _5 g
一.准备工作
6 c& M' a3 p0 s3 ~
, @. `' ~7 p7 |# K* ^+ c系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
: Q+ H, c* Z$ n' O1 d
" b" F5 v5 j! L3 Z% c) btengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
( p# u% \3 A. z! a5 P, p4 s$ a; `0 I. q
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
6 `9 u9 P w0 d: K2 _
4 @/ w& T) K9 }& HOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
- o) o# d4 z. s" L Z# U7 A. m& }, u5 v& u% g
依赖关系:0 E+ c6 H; }4 d) _
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:2 v% m$ }$ _ j) l- n, Z# G/ i
6 g+ L1 s: ]! [- t5 p4 hyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel4 d% U2 k3 p( u, o9 i/ m$ d
modsecurty依赖的包:pcre httpd-devel libxml2 apr' r; L+ q# ~; r/ B- O0 |0 Z; P
0 v/ n+ P ^ }: qyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
1 u4 A1 z$ L: v! W二.启用standalone模块并编译 z9 M( e* E3 ]% D; {% r/ o
. r6 n) w, \. s+ j# G
下载modsecurity for nginx 解压,进入解压后目录执行:
; T: m9 u7 F3 y4 K
1 }! e3 V4 \: t! O3 L$ o./autogen.sh
2 U( f& O8 v; L./configure --enable-standalone-module --disable-mlogc- n# x* m9 |) ?, P. e5 Z) ^; b0 q5 {
make + o% V- d2 ?! H
三.nginx添加modsecurity模块$ V6 W1 z; r) b" ^
* f# u* Y& _, |5 @4 L, Z在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:# q9 }! I B, I$ d* T+ R4 d6 ], C
( @; E: U2 @% J9 S- T3 k./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine: W5 Z5 c( ~, t1 W) L5 v! }
make && make install
0 x" W* k& ]& d四.添加规则
& C) E5 M2 g4 w: {/ m" C7 g" x$ z' F
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
) x6 Y9 b/ p3 G; S2 a7 e1 W; ^; C, O! M! f) x
1.下载OWASP规则:
5 `! ^/ }) n3 t
( O+ z" c# D* u- s7 F8 jgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs- h) m4 T, Y; g- r! M* `0 c
( \; O" z8 z" J& X# _6 D* lmv owasp-modsecurity-crs /opt/tengine/conf/
; N! ?; O, N E
& y6 f3 Z: g$ H' u- V; h& Bcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf* `* ], `& N7 ]% y
2.启用OWASP规则:
( P/ W0 j' h" Z& a2 Q0 g Y, I. C9 U" F* R
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。% H( r/ l5 i: P C' K
9 N1 o6 s- o" B, K) u
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
5 F0 X' b+ ]5 z
) B% Y/ O" k& Z9 i2 C9 xowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
8 n- [- |2 N/ g4 T* ]: h- K6 b& h# [- ?
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf' G+ z: m/ q; g6 p5 e9 |9 w
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf- L' p6 @4 @1 @! @# b% K* n7 B
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
) S2 `; j9 Q! {$ T7 h' n# o# ^Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
^9 U& A5 l$ \3 bInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
, E' t! p# e7 Y; c% b7 x0 @1 `% tInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf# g# Z2 t7 o, b& V( B7 }6 J
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
( i! J3 v) ^3 H" L五.配置nginx
- M' a( V4 M" |4 R3 x' n/ Z; l* C* A
在需要启用modsecurity的主机的location下面加入下面两行即可:
* G/ D% _/ x% O& C
, @; F! T& q4 N% rModSecurityEnabled on; % p( X" s. i1 }8 ^4 I) G9 m% W
ModSecurityConfig modsecurity.conf;. Y2 G) I8 O4 j# A! d
下面是两个示例配置,php虚拟主机:* s1 O' x; {, D
9 {: B2 z k+ ?5 d; T- Nserver {
3 G+ M7 U5 X0 N' l listen 80; j2 ~7 ?2 Q; @# g! `
server_name 52os.net www.52os.net;/ p3 E% B6 \* q- F; C& G K! v0 h
8 ^' M0 z( k0 \6 e: ^& ~
location ~ \.php$ {6 k v9 |- g$ @: m) G( ~
ModSecurityEnabled on; 2 G/ k- h& a5 A) b: m' a+ P
ModSecurityConfig modsecurity.conf;
. ^$ z9 z1 s& u: y* K; A
8 d3 B [1 H% {3 v' N root /web/wordpress;
0 F1 z U/ `; H7 o index index.php index.html index.htm;
' x! N5 E, E W# |* d! y : h: F7 S! s) e+ a4 n2 `8 Y
fastcgi_pass 127.0.0.1:9000;
' ~$ t" O+ h, v& o2 k fastcgi_index index.php;
. B# Q, V# ~( z( o+ e fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;4 P, D; \3 \5 H+ M# k, u2 F
include fastcgi_params;2 W9 F6 m4 ~0 R, e2 s' m y5 T" q
}2 k$ E2 X0 ~3 u
}/ @: H3 C7 ^( H
upstream负载均衡:
$ L* Z* q7 }7 V: p5 d, `2 u
8 N# u! _' U/ Bupstream 52os.net {
0 N9 l1 q& Y1 P1 U8 ^# s server 192.168.1.100:8080;
% R5 S$ k( r* ^0 p* ~& ]% g/ w server 192.168.1.101:8080 backup;% f% d( O5 A( Q
}
! h. s3 I8 V {( C$ q9 x
' Z" E& o1 D# b7 J, E! ?" O( o, Dserver {
8 S$ W9 I4 K* W: c. k8 W1 |% Flisten 80;
/ f+ m; R' }* p m# [) z+ gserver_name 52os.net www.52os.net;
. r4 ]; x% x8 h8 Y" d; S; |0 E/ t% N v, `4 V# b7 s4 G
location / {
( z& ^$ [- {% H4 N7 C G3 ^+ ?& k ModSecurityEnabled on; : z9 I1 C$ W, _$ y8 }0 [
ModSecurityConfig modsecurity.conf; 5 @2 X& w3 Q* f( f3 ~
+ `$ ^$ A$ R: l/ F. I
proxy_pass http://online;/ _5 U1 W/ ^; [) t2 b0 z( f% M( ` n
proxy_redirect off;2 s9 A" {1 j) Y. K Y/ I
proxy_set_header Host $host;5 u# i% J! H2 O5 J* b6 L
proxy_set_header X-Real-IP $remote_addr;
* G0 A& U$ [7 e" v proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- A/ P. Q4 r: g5 d }
$ q0 J( G# m9 T8 G. i0 x6 z9 @7 ?" M}- P1 s p( V) ]2 D
六.测试7 q( ` I: d8 z
: X8 G9 q8 V; s1 M- B" u
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
6 z, R' U5 Q3 Y* B& p" O
3 ]! C9 ^% V. B" o<?php9 j, [! g( h' ~3 U9 E# }
phpinfo();
$ e T8 F# Y+ B$ g$ t; O0 D6 \?>/ N9 R" O" A* G7 F o1 B% l: Q
在浏览器中访问:
3 R' _+ q" o' f9 ]
3 i0 k5 |, m+ C4 L% |4 whttp://www.52os.net/phpinfo.php?id=1 正常显示。
' t6 {4 O V) b, l( }http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
! A8 Y$ R t8 S: ]2 R' N4 rhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。+ r+ m( b. w& ]: s# i
说明sql注入和xss已经被过滤了
% s2 B& G# g% w! B" @+ ^6 O$ B* X5 g& |" z
七、安装过程中排错7 \% F4 c! V- D& w
$ i7 Y# v) \9 B5 w4 ~2 ?$ t' R1.缺少APXS会报错0 s$ f3 {+ L( @% I, x; A- S- ]$ L! _
0 B3 \/ V2 M1 N: V" ~# t
configure: looking for Apache module support via DSO through APXS
0 q+ a5 L4 t( ~ d+ s0 V6 e+ Iconfigure: error: couldn't find APXS
0 S, Z: H5 r7 i- R0 X- \; |apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
. i& C i/ _7 L) e3 g6 g解决方法:
; `! u# J) U% w/ `! _5 e6 b4 F" f0 N+ B' p
yum install httpd-devel
' o' e8 ^$ x7 h3 N" [# q/ ^2.没有pcre
( O' s/ @4 n$ ?( _5 B
$ U/ N. Y& A% g" Q2 k4 gconfigure: *** pcre library not found.0 j5 G/ L+ f* G6 m/ o3 `5 k9 w4 d; c
configure: error: pcre library is required
' |9 }8 y" o+ N解决方法:& {) @& Y& {# H& z. J7 C3 `: I6 s
) }5 d+ s- j+ | p9 q" Xyum install pcre pcre-devel
& N$ d e& R' o0 v3.没有libxml23 z# l2 N4 T& S" h/ Z. m4 P7 B
& [( L. P7 t4 @" ~! u8 \6 u/ ]6 ~% z
6 x$ l# C# u; T4 l" w: p: |' xconfigure: *** xml library not found.
" H6 E% y6 K1 _configure: error: libxml2 is required
3 f- x: B7 a% i5 t# ~: |8 U解决方法:
* G7 M, t O; A, A) C& @% L ^. |5 R' E1 w6 Q
yum install libxml2 libxml2-devel' K- Q: ^) S: U0 l7 `: y
4.执行 /opt/tengine/sbin/nginx -m 时有警告: \: I* D. v1 E
2 E& m% F- c, d1 e$ M( ^
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
5 b4 v7 u, z& A4 N- qnginx: [warn] ModSecurity: Loaded APR do not match with compiled!9 u0 h% G+ S9 k; K
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log) f8 \* C/ J3 k; G6 i
9 m: p' z7 [& D5 m
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
9 c* {- D9 [) L4 [5 |+ H2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
, ]4 H% z6 ]8 R2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
( B0 l4 F8 W7 f) I8 P2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05" m2 k p0 V& J. r# i7 @
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"" h k$ h- A" e' N& v& x! _
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
/ \ \; A% K! U/ C8 P解决方法,移除低版本的APR (1.3.9). z$ x9 a0 ]: x/ ^2 [; @% D. Z
( g& b' s s4 n0 J6 z
yum remove apr
( \2 P- b5 d2 H5.Error.log中有: Audit log: Failed to lock global mutex2 \8 p3 n/ Q- K) p" U7 ~, {" t) J
" m7 w/ u. G r
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
: h/ Y5 F& K' ~6 ?global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
+ P6 d3 L7 x9 ^( { r解决方法:4 P3 R6 Q# g) O n
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:7 X [/ |; P5 v/ M
1 ?. V) L2 H! r- |' Z5 H& F( o xSecAuditLogDirMode 0777
* S; ]$ {) Q2 I# x% v( z6 `( |) ASecAuditLogFileMode 0550* l1 T9 C7 o1 S4 L- t) g
SecAuditLogStorageDir /var/log/modsecurity
& G5 E( |3 U5 cSecAuditLogType Concurrent
. m9 n9 T6 t* f8 V- d- J参考文章:' R& w7 P. `) z
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX0 [/ w: _. a) _& \
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡