|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。+ ?- ^0 J- g+ X+ e* X1 R
) \' B# H% l& f* _0 m
一.准备工作4 S# r% ?' z; |3 o: V
9 Z: h! v4 X9 n/ s4 Z
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
5 Y0 {5 r6 w; j
8 Q9 h8 F& @ p* @4 s0 mtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
. \/ C" [! _ L" T* S& T+ q4 \
& t: g% L- t' A" Umodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
8 P( C) Y, c7 i5 M2 J9 l. r7 }& w* B+ C4 T% J1 H
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
% U( k" f3 [+ Q" B: w
2 ]+ f6 n1 C( p: g7 v7 H依赖关系:
& T$ O1 Z) h D6 e- Y; R$ b( N1 Mtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:! ~1 P# `! Y* C; f7 l& D" e6 ~
$ |: H$ K1 E+ s" g. d" Fyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel5 [+ j5 w4 Y0 [- f( T! W- h0 }3 b
modsecurty依赖的包:pcre httpd-devel libxml2 apr
6 S0 C/ \& d0 U! N) {2 H* _8 R* i6 H# ~, O2 G1 e* F- \7 W
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
: ]1 Z% I9 Z1 t1 g& P0 ]% x二.启用standalone模块并编译
' k T8 f. t$ u8 g" {' N2 @. n+ N9 ~! d
5 U/ o2 n3 Z+ e l: Z. w2 S下载modsecurity for nginx 解压,进入解压后目录执行:& n, a: F% o! b N- ^0 W4 C1 b
- u( W3 W [6 U./autogen.sh8 ]8 T4 J& S. X4 x6 m
./configure --enable-standalone-module --disable-mlogc
$ W8 {, @0 O/ N- a( q* Mmake
) H$ n9 o6 h9 C三.nginx添加modsecurity模块
v, n a; U# V# `1 n# ^6 U) U& ~% A) D7 m# M# B
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
' g' A+ t5 \* x$ M$ v) t7 K) g
, b. d; Q' F. `3 f, L" r./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine' l. Q$ T: X+ h
make && make install
' b' g2 |( l- r, ?4 e/ f O四.添加规则
( @, C4 R; |8 [3 T* z$ Y' [4 }9 K) q2 n& @/ P/ D) p0 w
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。: m2 H P2 F) t% R* V
! J/ ?/ y/ o$ ~& y8 J( i! M
1.下载OWASP规则:' ~4 L' m8 o3 i
. ~' {+ L8 l9 E5 P3 u; y& Cgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
/ G& T/ y ~" G2 u/ A, s% d n3 P9 n/ }+ V2 z F) m' r% R, Z
mv owasp-modsecurity-crs /opt/tengine/conf/7 x4 Q2 |& U \+ f
8 y5 J2 `" d$ N, O' Q! ?- K
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
# R( @! T! w; C, k2.启用OWASP规则:# [2 e& ~* B: N7 c
! H7 \" Q6 }8 L! F& x' m复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
- B# A5 n3 h: [$ Q9 C9 ~* n* b4 U4 q0 r0 ~) q! |; l
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on* B9 o. j. C v) ?: _
' k0 V0 P. p3 m# xowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
- m& w5 ^; h& Y3 M \+ h2 z
6 z4 @5 B. ]3 HInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
! K. [* r7 Y# {- pInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
* @' S/ h9 b9 u \- @5 CInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf/ j8 S! K( c b' r5 R
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
+ _$ O# O6 o5 e0 I8 U( _8 CInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf/ u! a0 m0 e; V; q8 M6 N
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf" I3 g& G2 N' d7 G
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
2 {: n! V! V1 h1 ?五.配置nginx
$ n( f' \' |1 S: H) H9 \6 [, \
5 z8 o! q2 g9 U. o5 r2 y在需要启用modsecurity的主机的location下面加入下面两行即可:
. i' U8 E% ]- o% q
& K; r8 |' c9 G) Z: S: ZModSecurityEnabled on; : n/ n& L3 B# S
ModSecurityConfig modsecurity.conf;
: D3 k! I" h, B; F9 X+ t/ ?下面是两个示例配置,php虚拟主机:
2 {8 ^ @: N: s; U* Z( d8 {, c% Z2 N+ A
server {
( w( i8 w' s9 P+ s- c+ ?* ^ listen 80;
% U9 t. v; F8 G% j8 P& ] server_name 52os.net www.52os.net;
+ B9 } @% q$ s$ z/ N6 F5 A: ]: w 9 O7 D# j; U' T
location ~ \.php$ {
4 c) G! g w! ]0 s1 N ModSecurityEnabled on; 1 K2 g9 Y) B. K7 S
ModSecurityConfig modsecurity.conf;
0 X9 u( f5 r% f& h2 A8 K7 u! |
% u7 o' o) O$ T: P, t! F9 v- g root /web/wordpress;1 n1 ]: n7 U0 w
index index.php index.html index.htm;
' [. A4 o' e. h y& u! d( s
0 G* p6 q& z8 `8 W1 P* H fastcgi_pass 127.0.0.1:9000;
6 q: n% \+ V2 o fastcgi_index index.php;7 |6 U/ e1 K& u) g! z' S
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
& D; _5 }3 A8 o9 L* _ include fastcgi_params;
3 l! }) \) h; q9 r- Y+ f8 `3 O Q }
8 H ?. u! ^! J" K* [4 W }
; x2 A8 p; {2 Z2 Xupstream负载均衡:3 B8 s8 f% Q/ S/ `# ^
" ~' r [ i# p, Z; u3 P; y6 { fupstream 52os.net {
$ p* l8 Q1 f1 n5 k9 K server 192.168.1.100:8080;! a2 K- |; ~; |% m7 h
server 192.168.1.101:8080 backup;' n( a, d. J3 q: R7 V
}0 V* V) X# b) Q! C3 L8 c
+ P) m1 @1 S2 pserver {
# p- Z0 J+ z" Q+ A rlisten 80;
, D* T2 |8 @8 K' D1 j- xserver_name 52os.net www.52os.net;6 V( I( j$ q* f! R9 G0 f+ X
( s. Q- y) [' g& P3 Ylocation / {
8 ^6 l5 i/ Y! K4 s ModSecurityEnabled on;
. X$ v* X7 q; g# L% I- R; i ModSecurityConfig modsecurity.conf; ' o/ D. G/ e6 }% Q, o
2 d% g+ }0 I; [& p' o) v! N% H) |- e
proxy_pass http://online;
( |5 }, u5 T9 [/ l2 l, x proxy_redirect off;
/ w0 c" A* Z+ h o proxy_set_header Host $host;
, y5 S+ u8 O7 r: c& z5 D proxy_set_header X-Real-IP $remote_addr;
* U8 e) i# N. t+ u proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
" S) G- n2 W" d9 v7 p } l4 G6 J- k% j' I) ?: X6 l( m; `" d
}
3 F. j0 o- k3 c! v3 ^5 e六.测试* _0 \- E# V+ V5 Y. c: q
8 Z: U& L* ]& Y' x2 z
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
/ I' _- ]/ ^( K N$ m* G; Y0 d% C/ q+ a5 i% n9 R
<?php/ j. ?! _- K" V0 d7 I: D# u( g' w
phpinfo();
6 p: ]' ^. _. I" [?> D5 r0 w9 P3 M3 k' r5 G
在浏览器中访问:
" t+ ^9 i+ O2 c6 }* m2 C$ k4 e% J3 g3 L
http://www.52os.net/phpinfo.php?id=1 正常显示。0 y8 X/ ^" D/ I5 n$ g
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。" X. G6 m% i8 @+ D" G3 G W7 ^4 G
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。9 V. { n- j( ^4 N+ g3 i
说明sql注入和xss已经被过滤了
) T Q, o6 l/ {$ I7 d+ q
3 i4 h! Y5 i. n" I/ ]七、安装过程中排错# D; F K6 {/ a& Q$ w
- b' B' W2 C6 a- X1 F. m1.缺少APXS会报错
2 q) w& e; m; ~: V. Q$ n! x5 f0 c- }3 X( J& w, a# E. _+ T# V
configure: looking for Apache module support via DSO through APXS8 Y; [; ]+ o% v7 ^; i
configure: error: couldn't find APXS# z6 W2 E! _" \, ^4 K
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。2 ~; ]/ a; e# H/ g
解决方法:
1 s8 s! \ o9 Q8 d J5 y
- ]3 K( X4 h1 x; F, s/ U5 byum install httpd-devel2 s6 i' h9 A" _3 V+ X
2.没有pcre
' T. ~' |; F# {. s9 q# Q6 o2 S% a7 k: `9 |
configure: *** pcre library not found.
$ m& D" N& }) P5 E& Wconfigure: error: pcre library is required5 X2 q8 Q# m5 O" r8 q7 a: n: x
解决方法:7 h/ X! N, {& E, V( ]
4 ]+ B R/ S( i# \; f f
yum install pcre pcre-devel: `; a' f/ X ^# v6 M! {4 F7 L
3.没有libxml2
9 X" |0 ~' |' _; \5 y6 i1 y6 y c2 z& r# Q1 l! j4 h8 w
4 x! d, l& t; v, E
configure: *** xml library not found.6 m5 J- ^! i! s' u9 o
configure: error: libxml2 is required) J& }/ x% S' L* c& J' F( V0 w
解决方法:4 [% T$ `( x' ?0 f5 m4 U2 K$ u
. K! z: @7 _' ]9 Yyum install libxml2 libxml2-devel: T3 I) C' a, ~. k
4.执行 /opt/tengine/sbin/nginx -m 时有警告 i" k, @4 U6 W9 N) Q
3 X% v' a" y* cTengine version: Tengine/2.1.0 (nginx/1.6.2); @/ \2 T5 v/ A- O$ U! i2 `" V
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!) J' p) J$ ^ G! `' K
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log! b! {+ x: `5 J7 r7 ]3 N4 P- W& H, a
4 U( {, o! H$ W2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
7 t' @$ f2 j- s9 |0 f& z2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
; R' m' |+ e* g, t5 {- r! \9 f3 q2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!( b, M& [* C& i5 _" _' l
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"" r8 Y e! P" u! @" p
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"/ W' o4 {0 z9 i1 V- Z3 t
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
1 G4 V ]/ q2 F* S: C; @. u6 @解决方法,移除低版本的APR (1.3.9)( ]+ v8 m' r7 [
. x8 }1 }' F- D( W' V
yum remove apr
3 _0 E) z' |. I3 |3 Z5.Error.log中有: Audit log: Failed to lock global mutex
3 y( n" k; M, t( _( @: p+ n
8 D' y1 X& E; E& B% _4 U2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
# F$ W, n6 y3 u# W& t8 }global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"] G& s" E' H2 C
解决方法: E% k# ], K4 d. T
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:/ }" N, j( d7 j: |9 f0 b( q- o7 c
0 X1 n( T8 o- ~* E% X
SecAuditLogDirMode 07779 S! P0 f& W( X0 N5 X0 B3 s
SecAuditLogFileMode 0550
! S s2 t. D% h2 bSecAuditLogStorageDir /var/log/modsecurity
0 R5 _( b" Z4 L% lSecAuditLogType Concurrent
% Y" A1 ]) i5 n1 t参考文章:
0 V) W; a) I! ]) L1 o% Q0 O: phttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX- [( L2 A' x8 F4 B; I- z- y
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡