ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now supports nginx and IIS as well. Combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

2. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, add ModSecurity to nginx at compile time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

4. Add rules

ModSecurity is there to filter and block dangerous web requests, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and comprehensive, and you can of course write custom rules to cover your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; each one is pulled in with an Include directive:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

5. Configure nginx

In the location block of every host that should run ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream group name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

6. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered with a 403 directly. Taking the PHP environment as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Open these in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

That shows the SQL injection and XSS requests are being filtered.
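As an added example (not from the original post), here is a small Python script that runs the same three checks above against the WAF and reports whether each request got the status it should. BASE_URL is the post's host and the fetch callable is injectable so the logic can be exercised without a live server; both are assumptions to adapt.

```python
import urllib.error
import urllib.parse
import urllib.request

# Assumed target: the host from the post. Replace with the vhost you actually protect.
BASE_URL = "http://www.52os.net/phpinfo.php"

# Constructed cases mirroring the three browser checks above: (query string, expected status).
CASES = [
    ("id=1", 200),                                   # legitimate request must pass
    ("id=1 and 1=1", 403),                           # SQLi pattern, blocked by crs_41_sql_injection_attacks
    ("search=<script>alert('xss');</script>", 403),  # XSS pattern, blocked by crs_41_xss_attacks
]


def http_status(url):
    """GET url and return the status code; a 403 arrives as HTTPError, not as a response."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(fetch=http_status, base_url=BASE_URL, cases=CASES):
    """Run each case through fetch(url) and return (url, expected, got, ok) tuples."""
    results = []
    for query, expected in cases:
        # Percent-encode the payload so it travels as one valid URL; CRS url-decodes
        # the arguments before matching, so the rules still see the raw pattern.
        url = base_url + "?" + urllib.parse.quote(query, safe="=&")
        got = fetch(url)
        results.append((url, expected, got, got == expected))
    return results


def all_passed(results):
    """True only if every case got exactly the status the WAF is expected to return."""
    return all(ok for _, _, _, ok in results)


if __name__ == "__main__":
    for url, expected, got, ok in run_checks():
        print("PASS" if ok else "FAIL", got, "expected", expected, url)
```

Run it after every rule change: a FAIL on the first case means the rules are blocking legitimate traffic, a FAIL on the other two means the Include lines or ModSecurityEnabled are not taking effect in that location.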

7. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.
Solution:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614