|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
, }2 x, I. E, H8 r2 ]! w: d: G. M( a- r
一.准备工作
G( p- y& ?# r! U% {& q- y7 C6 _$ ^2 o3 _2 f
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
8 v% C4 Z: m# N8 E, L. M* I) p9 g. b. Z1 W
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz, D: J" s4 r& V7 G& _( V& ^
' k' D" |2 b/ ]! q
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz4 D; n2 `, ]. ~4 L5 R$ q
. p6 }: [( `6 u( ~+ o! v4 j! MOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
W! [ s0 N) P, P; v3 G. W6 k( S. D9 O5 t
依赖关系:
9 b3 h' k2 b+ V! u. [' D2 mtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
/ S/ Z) f( Z* I/ b P- C- H4 B" S! W/ x2 V9 _
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel6 f+ m+ |- J3 m! T+ S: W% M9 R) {
modsecurty依赖的包:pcre httpd-devel libxml2 apr- \& k! W* X8 F) f( o/ u j2 W
- r0 @; N! A ? |! l- Z- V+ q
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel X0 ?) D0 a2 Y1 B0 j
二.启用standalone模块并编译5 M% j1 J: j9 u9 ~* p
) d& H8 {6 g! |4 Z6 @2 X' w! r- |下载modsecurity for nginx 解压,进入解压后目录执行:
' b1 G8 \$ h% w1 R+ `# A, @
+ S7 p; @$ p& P' @./autogen.sh
5 Y9 s" T" |1 K* \; \# S1 I./configure --enable-standalone-module --disable-mlogc
$ n! y' d! x6 A, M8 Kmake . z2 q/ o- O. q* Y# F
三.nginx添加modsecurity模块
4 q8 f8 T8 q7 e I- L# I8 W) J" @7 X2 L" f
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
: Y) t! z2 ~! M b! K7 {+ A" c% d5 z E8 {* E9 O4 v( j
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine- R) r; f- z1 h
make && make install
* r; w" ^3 b, {( m1 K四.添加规则
- t' I |8 g0 D* z6 a! H) n# f; ]4 P. W0 q1 A# K2 a* O
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
3 b# U6 }9 n: y7 N# m5 m. K- d; n0 _
1.下载OWASP规则:( ~# `, r" }% J! r8 j }
" q# G, P" y- W% [5 u' u* \git clone https://github.com/SpiderLabs/owasp-modsecurity-crs% ?4 j$ g( a5 C9 V$ P" x
' }$ e. P- a" ]" T2 I" q( d
mv owasp-modsecurity-crs /opt/tengine/conf/+ n' I! T6 n6 H# J
( ]; d5 }4 x4 A5 C2 {8 t
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf I& x; c" k+ W" O
2.启用OWASP规则:/ h) U4 [) ^$ J' `+ d) ?7 U
8 M" [! M5 k& b* I1 i复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
! ~0 w/ M" a1 w! T2 D: t. v
9 U. P* j0 L5 Y ?: a" \编辑modsecurity.conf 文件,将SecRuleEngine设置为 on0 V6 o6 v% f# s5 G9 k
5 m& P9 x6 q2 | b4 k8 E' W7 }owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。9 P, [3 g$ \" J# J1 F( l1 S7 g8 _
" v* S3 s" ~2 E1 e9 K& N4 J, \Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
: H& C) {) W1 e( ~- B/ _* fInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
/ ?, ~. ^1 o, ^7 LInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
' [" z. a! ]5 y9 ^" G( j; |Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
n* y m2 W, c# _* m( \Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
! r( n' t; X; T2 q& ~/ ~Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf6 [! \! W; H6 T( v
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
}2 @$ q) Z. s! ]" H五.配置nginx @( P4 Z- ?, i1 V g, Q
3 r) D0 @' r& D' q7 h: [1 E在需要启用modsecurity的主机的location下面加入下面两行即可:; S* e/ ]9 n5 S/ C! ?
' N& l7 S* d" A
ModSecurityEnabled on;
& z, n; V9 w- w2 u yModSecurityConfig modsecurity.conf;
" d) Q8 A- |6 V8 H% Y6 |下面是两个示例配置,php虚拟主机:2 a9 N$ e- A2 x- c& Y6 J p+ G ~! E
6 i# s# C& J5 s8 q
server {
8 l' i# j4 K J/ K( c; R3 T listen 80;) D- x8 j$ u/ R' M- N1 z! u0 N8 _- y
server_name 52os.net www.52os.net;3 {$ x8 J0 ~% c: g9 s! \4 ?5 l$ S
6 [% C0 ^9 M5 w- q, X3 t; P i2 t1 u location ~ \.php$ {
/ t% G1 r% M2 |, O+ v% X; D0 v0 w ModSecurityEnabled on;
, Z [" m; m% W7 E6 F' w% ~$ s* M ModSecurityConfig modsecurity.conf;
2 V! Z' U& V! x# ^5 w
7 @8 s8 X# x# E! g- j4 u root /web/wordpress;
. d# B5 N/ J1 A, [0 ?7 O" V index index.php index.html index.htm;
8 A# g- O5 e* n& M9 h% `
" G9 V6 Q" e' F# K fastcgi_pass 127.0.0.1:9000;9 M3 W# J* Q8 ]- M' z% G0 |
fastcgi_index index.php;
X' J1 y9 ?* n$ o fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;/ Z3 _4 g4 ?. z
include fastcgi_params;; G0 }, {0 M' Q' X. E g& Z
}
( n. D; u' l8 G7 k( K( I }
! M* d2 X5 ?( L7 cupstream负载均衡:
# m& V5 B% ^- S- _' J8 q3 S' u1 g' k+ S
upstream 52os.net {% |- M8 p: ]% e7 Y1 ^# b
server 192.168.1.100:8080;8 M6 T2 d; z) k+ t3 I1 q) S
server 192.168.1.101:8080 backup;
2 R/ \: g( ^& ?}) p# }2 w6 e% Y" K9 N
3 j4 @& `7 |" i3 g0 Q( s. Aserver {$ R- N Y- V0 y* g4 f+ q
listen 80;
9 p2 h% Q) r* [( a2 c. M) D/ Iserver_name 52os.net www.52os.net;3 M; o6 N; K* x; w
" W% F$ ]* [. D& x$ Q- p
location / {
$ E* w2 T$ s6 \$ q$ U ModSecurityEnabled on; + N V$ ]: E0 L! q- ~0 j
ModSecurityConfig modsecurity.conf; ( o: e6 f7 T3 z; t7 v* N! L. o
/ Q1 ^4 C2 n6 u. L1 X proxy_pass http://online;
4 a8 I( F$ u9 q7 R- z% ]4 w- ~ u/ w proxy_redirect off;
* I( l1 r4 ? n5 p3 P" g* O+ _ proxy_set_header Host $host;& e6 v6 C9 K9 i% P& F, T
proxy_set_header X-Real-IP $remote_addr;2 k b+ c2 g! B3 m6 k
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
, U+ \% N8 x6 s" C, g% C- \ }
) X& @, i1 W6 c# {/ V4 @}8 Y- B7 m. h5 L. n) w
六.测试4 [2 C/ _2 {/ m7 T( z
" W6 E. G0 _+ q5 V L. m0 q% R6 k
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:/ y: n- j7 U# m% ^( b* H( M' R
, f& c. r5 Z# B<?php
* @" T' T- _& P$ n% ^$ g7 q/ G phpinfo(); % G+ q, _+ q8 N# i
?>
) L; ?) d( m' B在浏览器中访问:( O: P2 L2 }8 Z7 K
1 f) f: e0 ^/ n9 N. X/ J3 T
http://www.52os.net/phpinfo.php?id=1 正常显示。: V2 d- N9 O5 z* H- u% m
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
& i; p. E* O' I; |6 Qhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
, F* ?* x9 n8 _4 W说明sql注入和xss已经被过滤了' s: S+ r8 \$ b# J! x4 ^
. J6 B1 T& S9 W6 _
七、安装过程中排错5 ~" E6 y, E @8 ]4 r
# h; h4 |; L7 c' Z3 |
1.缺少APXS会报错
$ q& Z6 R3 m% i! n+ p
4 W; ^* X; I! D4 [: r! Z$ yconfigure: looking for Apache module support via DSO through APXS; L. i& }+ u, O7 p. z/ ]1 m
configure: error: couldn't find APXS" `1 _& F. h$ Q M4 t8 r
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。( C6 T* Q4 O$ _# H
解决方法:
6 k- q) ?# S& i" D3 z, F
2 e- r- C* c* e- Jyum install httpd-devel
7 t4 B& W3 H! v& c2.没有pcre
1 B4 `# _% P6 X* U0 V
' J+ v# f$ N- O$ P7 J; econfigure: *** pcre library not found.
+ K3 U+ X4 V/ F, d Y3 Qconfigure: error: pcre library is required
/ B4 b2 m$ w& T- t. i. c解决方法:
$ b' V7 { E; U v: J( G
* k/ d2 j# E( [& F. G1 jyum install pcre pcre-devel
0 E. m' O! P" n. y c* }% ]0 X3.没有libxml2! t7 c z8 X9 B. q% u" o; L
# V+ w& a! X( v" I
2 u+ n% i, b9 j& Gconfigure: *** xml library not found.
9 N- I2 w y2 l7 e) ]configure: error: libxml2 is required
& d! }/ x8 H( |+ E" R" Z+ L, v解决方法:
S% J' m/ X* j/ F5 R( R) `
: ~0 m9 ?0 G( Z( D2 [2 C" u1 \yum install libxml2 libxml2-devel4 j: v1 ` E6 L: o2 I' [: i5 C
4.执行 /opt/tengine/sbin/nginx -m 时有警告
J2 u5 d6 N2 d' s ]+ i6 w$ y4 p- R) ]0 p* D4 h/ ~
Tengine version: Tengine/2.1.0 (nginx/1.6.2)( C# t" W! \1 a, V/ L
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
# ^* ^. ]! @8 m6 g7 [* A; ~原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
+ |. S( e$ t6 l+ n
s# C5 M7 [) ^% A" y, Q4 Z8 g. d2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.& E; z" `- o7 O( ], }( G
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
( Q, t, Z2 V, \4 \2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!1 A! E, l7 T/ L8 y
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
% |1 I% {. Y. {; F! \2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6": B5 i% W6 S( |3 @# q; ?
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.1 R2 u7 y% Z/ m2 g* I$ q
解决方法,移除低版本的APR (1.3.9), ?! E; K W$ d0 Z) T& F4 i
6 d, M; K% [0 M3 [7 d. q- W* N. w0 ryum remove apr2 a2 ?: ^9 \) a" I
5.Error.log中有: Audit log: Failed to lock global mutex
2 k% V, n3 J% o$ z( J( V# d" d" b, B- F; |
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
+ m; ^9 w* i3 z! k" ^global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
3 |1 k* |2 D/ N- ]解决方法:- h0 t$ e" N% ]! B+ ?1 x' i
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:9 K. N# L8 E+ r; q" F
( L; R+ m4 y1 e# n
SecAuditLogDirMode 07770 @* j; e: E2 y0 v1 |% x% t
SecAuditLogFileMode 0550: D2 u( S, f6 o! B+ V
SecAuditLogStorageDir /var/log/modsecurity
# ^$ f l% k9 H8 q- _8 q5 bSecAuditLogType Concurrent
" M( u ^+ x+ I7 \/ Y参考文章:3 d7 b; ~% E" b+ s3 }" S
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX# N" b9 F) n/ P! g/ P' G8 k
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡