|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。1 k3 p0 _" g! {2 G9 S$ K) Y
4 D9 Y9 s; w, K' U( @5 O0 [
一.准备工作
' ~/ ?9 f9 n6 s+ |2 R/ t
, d4 O( T o3 h* R! ~" |, K系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0- U+ J8 V% p- U6 m4 \% r8 n0 V Y$ C! S# w
# Y# @) R2 v ^: u {' K/ Atengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
, A# ~, T$ d/ ?: N0 O( a7 o9 H- C- i7 W8 n+ i8 D
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz% J5 k4 l5 d0 O: G1 i' t
; d' V' k0 A& D2 N$ GOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs, I5 B) M, X3 D+ z9 y# I
8 B# L; B0 Y8 }) x* e2 p% Q$ T5 D1 D依赖关系:, `1 o0 G4 P) D" J% Y/ H
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
( T7 S2 r; x1 B, w
! R7 z5 M2 [8 E/ X1 F6 a+ i; [yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
# @ l* z5 N$ Y, n. qmodsecurty依赖的包:pcre httpd-devel libxml2 apr
! _: b9 Q0 w- }# i) m& E3 ~+ I+ l# w" a: b* r
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
! P7 ~; l0 F, t9 D% K& z二.启用standalone模块并编译
) @) O5 B7 f( p ]1 M# |8 O2 j0 X
下载modsecurity for nginx 解压,进入解压后目录执行:
6 A% x- X# I/ P
3 I1 w6 ]5 q& {. q3 Q; |! A4 m./autogen.sh& T9 Q& F- l+ t
./configure --enable-standalone-module --disable-mlogc
4 s6 v# z4 J i' Amake
% c7 g) A9 \5 @4 y0 o三.nginx添加modsecurity模块
- r* y" c! S6 ~. U; X7 S- N
6 P% \& w7 c* D" @. B" d在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:5 A& O/ G0 V. _: f/ b9 {" ]/ v( Z
9 T4 K: O3 S; K; _2 c" E1 L0 v8 p* W./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
0 {$ f% l* O% V, ?' Y3 Umake && make install' p: w, D4 h6 Y. h5 S9 Y9 n
四.添加规则
: B& l% a$ @0 O2 C
7 C( b. Z& u% c# T2 R% o. ]( Zmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
, A1 k. v' i3 z# T. c! a* m* d" }0 v
1.下载OWASP规则:
* _ g+ ^# J$ H, ]+ ^( ~0 ?2 o+ r' S/ v! U7 d6 S/ F
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs6 f% X. M* |7 q3 `. q3 L5 y. _
. u) _" s: V8 s# Z H' Gmv owasp-modsecurity-crs /opt/tengine/conf/
5 d, K, b& }/ h. o
9 c6 F! X+ [) _1 K$ e* zcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
+ h; a; g, J' x9 n2 n; W; M2.启用OWASP规则:, A8 }& d" R, d" Q5 l
% ?3 s2 G4 d1 W1 l7 o4 n1 v! L复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
, f; ]% q* K8 p* B7 l* M
! s: ^. O1 R, e编辑modsecurity.conf 文件,将SecRuleEngine设置为 on, {* f- B- r. d' ?7 w; S/ v
3 i' _! G, |/ X; s( @7 }3 X/ t6 dowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。% Q9 a! |" _8 x Q- ]
% F8 C9 u" ]& w7 j8 I- y$ DInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
) ]$ l. Z) B+ b* n( ~ YInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
- M3 q& g( B, J7 K2 W3 U, P% lInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
* k$ O1 K- ^' n" E4 V9 CInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
9 `. W0 X* c/ H8 a& I; X0 h% o2 LInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf' g. s1 J* B$ `4 d' O
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf% a# `4 y2 O9 M* z6 N4 L
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
2 A! x8 R6 A, _$ L: D; B, h1 ~4 @2 ^五.配置nginx
2 {" W# c" K- [1 f8 @* _3 q* v$ L8 V3 w
在需要启用modsecurity的主机的location下面加入下面两行即可:; L9 O" U2 a4 J% L: V( t( K! A8 p
: F) |+ C L# J( x: H, N, R: fModSecurityEnabled on;
9 X U* K- ~; \& f% r8 ~9 PModSecurityConfig modsecurity.conf;
. ~# G& Q1 }! P$ x下面是两个示例配置,php虚拟主机:
2 W. M% f6 P: e* N7 }* U8 f
x+ ]0 t+ D4 v5 ~server {, T6 M5 E% q6 E2 ~# t6 \
listen 80;* q; b! b7 q# k/ R. W
server_name 52os.net www.52os.net;
" N. v1 d/ {4 h3 z8 E
; H4 u5 }$ F) @4 j location ~ \.php$ {( @+ ]* ?% w( V# s9 i
ModSecurityEnabled on;
( a0 K* V2 o6 S/ y9 ?* W* ^$ W" ~+ U ModSecurityConfig modsecurity.conf;% K1 L$ o$ @8 R" E
0 O& J! [8 O8 { root /web/wordpress;1 }4 f% E( h0 }5 r& M
index index.php index.html index.htm;
Y) k( B( a# X2 s- r6 b$ S, n8 p- ^* Q& E- W ' ]7 b: F0 m6 [- V4 R' t
fastcgi_pass 127.0.0.1:9000;; `8 r1 n' [6 Q3 p4 L
fastcgi_index index.php;' }% j, _ j- ?1 t3 \" y
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
, X2 y- Y/ j" m+ _; B& N include fastcgi_params;$ k( k. D" _- Q ~9 y# j+ g
}
. c# W6 d! ^' r. R f }
- P3 T3 J7 d( l: L4 r# j4 pupstream负载均衡:3 [9 u q% X7 l D; |5 ^2 i, m
# A; W( |) K6 ~upstream 52os.net {
# m, ]/ D" g7 \5 X6 j server 192.168.1.100:8080;
/ ~, Y( p# s) @( `& E+ S server 192.168.1.101:8080 backup;
2 b U, D3 ?1 s2 V}
; D' v& [" N ~' Q! a( E6 y& A
! d2 L; F/ z" rserver {. c( q/ A$ S- u5 U- S4 f
listen 80;
* ]% S {' K$ K" R3 t2 Fserver_name 52os.net www.52os.net;
( [& E5 @' q; v1 j. {# |3 j8 m; f- x; i. m4 K
location / {2 m+ B# _3 L, f& l& {5 g; W3 {
ModSecurityEnabled on; ) N0 \" O; f% j c- f
ModSecurityConfig modsecurity.conf; : y( t9 X3 W8 e! O0 V
$ I" O4 c1 I; g6 L8 `
proxy_pass http://online;9 m; T$ v' ]; l, ^6 ?
proxy_redirect off;
' |) S+ x3 @3 K. _+ e proxy_set_header Host $host;
) ?4 s d: G) f/ h7 {' a3 } proxy_set_header X-Real-IP $remote_addr;) u6 ]2 O r+ V3 E8 w7 g+ ]
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ D N0 v8 y m- H3 n# F' ] }
- k0 R" g9 r3 {# D7 T, M}
3 K8 p5 Q/ }' v# c2 C s5 m! s& H; N六.测试' C5 N4 q4 ]1 A0 [1 h ~) W
4 q7 t0 G8 V. g5 L S我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:3 ]; K5 _8 O( T6 g# e3 L+ A; D
% p" h0 Y$ g7 V<?php' o6 P' I3 G2 i1 i" ^& E
phpinfo(); / D: n3 p* w, [/ c( d
?>$ a, h4 u# N1 B* \+ [. E
在浏览器中访问:
0 ~4 C, K, a; b; L! w
$ f+ `, W8 u4 t6 c; O c& s% ?http://www.52os.net/phpinfo.php?id=1 正常显示。
. H% U% k& d( o& r# Q# _http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
) G, ~* h5 ~! \! Y- Z7 K" bhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。1 k, T* w! A; F* X
说明sql注入和xss已经被过滤了* Q1 y/ F; W: c9 E
" e$ m; H p) y4 T+ m七、安装过程中排错& {( E6 C2 O0 t3 Y
0 |" N# d7 e3 v6 Y7 Z
1.缺少APXS会报错. j* E0 U/ Y5 t% `8 a7 B
+ e: X, K) p1 f1 p; Mconfigure: looking for Apache module support via DSO through APXS. S# V" N' Y2 p& E6 Q
configure: error: couldn't find APXS
b: M, j0 f# B* f" q6 l+ japxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。* s9 W3 R5 F( t0 B) n
解决方法:/ A) A" {: `* W* e! G$ m
0 U$ U, Y) d* t i+ c( ^
yum install httpd-devel
- I4 f7 V9 R7 R, V8 r2.没有pcre
5 ~! u( F/ w- V" o( j0 c/ { t" i' ?3 v
configure: *** pcre library not found.
; M5 }' C, k; p }0 M% ?- g# zconfigure: error: pcre library is required, D; R6 t6 _ h* }' F5 E0 u8 ^
解决方法:0 C& y! G6 ~$ ?- O7 ~- o
( {, [5 H0 {$ G! ryum install pcre pcre-devel, d/ {) ?, Y/ o( E
3.没有libxml22 X9 S- F6 w* `8 A/ V
$ l7 x1 C5 L7 x% i, U8 D
6 q) H# ~! ~, H5 Z5 h) ?6 ?" ^configure: *** xml library not found.
8 K# j& l" @1 |$ m' A0 L9 h2 nconfigure: error: libxml2 is required
$ X, h2 |6 r5 Q$ B& z t9 U解决方法: }! k" i/ p9 o$ H5 v
2 }, Y3 S+ s& n8 M4 L) ?" T" Yyum install libxml2 libxml2-devel
" s6 o7 F3 ^( ? A, @4.执行 /opt/tengine/sbin/nginx -m 时有警告
5 o) i9 E) k4 o/ X" x
! `. c1 d3 |+ I" n: e1 ?& H( _Tengine version: Tengine/2.1.0 (nginx/1.6.2) |) v+ ^9 \( ~; A
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
. r) [& J: k% z6 K R* F原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log' }4 }. P& G# ? U6 N5 [* U
/ r) d# c7 s5 [/ {2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
4 z( F# ^- Y5 ^% z7 L2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"2 i. L# _8 s. l# Z+ V- S
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled! e' p: _' Z; n8 v7 X
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"9 `$ B+ \+ i' T- k8 j+ d7 d+ ~
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
K0 V) i/ Q% N6 w2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
. E4 h( B6 f% _" M+ x! l/ f/ O解决方法,移除低版本的APR (1.3.9)
$ j; y: w3 |7 R( f# @- t
5 U0 L1 ]8 X% n8 v( m( ~, _yum remove apr
3 \8 \: P4 P. g5 V' I) U5.Error.log中有: Audit log: Failed to lock global mutex
% |5 U2 V) P* y0 C- r3 ?; G
4 w3 w9 u9 \( u2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
3 H9 ?6 G7 }* e. b3 zglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
* B& `8 H# F# ^. |' q8 ~解决方法:
( `1 l* i- U1 f6 @编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
" F$ E3 B3 j& k* K- w8 r" h+ n( @
SecAuditLogDirMode 0777
9 ~! v- D( E" a) t# `8 ZSecAuditLogFileMode 05508 Z+ Q: K2 i$ {- U* z
SecAuditLogStorageDir /var/log/modsecurity5 R! |# c/ r% G+ k3 o
SecAuditLogType Concurrent
; i& B6 V( U# _4 \3 C; M; B参考文章:, Z: `- S* i: y9 I* K+ W
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX. d- w g/ \. Q$ P
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡