|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
. M! }, ?% c0 q/ D( i2 d6 v- u6 m- [: C1 G
一.准备工作
* M g1 @" j3 J' m+ D- V4 V+ G( i( D$ |8 U
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0) q! O' k/ e3 g# [1 n
3 v% ]8 E2 b% }! E' g( b! mtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz; {1 R4 k, g8 }
, u8 {6 O. {; ?6 n" N! Bmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz: y3 s+ s# ^* q8 P6 P" |3 R
+ c0 s; R/ s' y+ \& B6 IOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs0 D0 v3 e7 P' b- m6 f2 D" Z! ]
$ [! _; g$ v0 n! F8 X9 W
依赖关系:' Z7 ^* z! N( d2 @
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
T( D" H5 i* e0 @( a7 d5 H5 V, j$ b+ W5 V4 Y$ e+ n4 s
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
8 h, I, q% i( m/ I7 Y0 X1 \modsecurty依赖的包:pcre httpd-devel libxml2 apr
( i$ Z% v, R: y) f+ J/ M+ h9 N/ a9 X
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel0 _# Y6 l4 Q# K
二.启用standalone模块并编译' H# w4 l% v+ o
9 R1 n) \; ^5 M- Y/ @$ m9 t
下载modsecurity for nginx 解压,进入解压后目录执行:& h' Z7 i3 T Q8 P- ?
- ~+ f$ a% e, c! i- k+ K- b6 f
./autogen.sh
( |, o2 Y' v" _! T1 x% M./configure --enable-standalone-module --disable-mlogc
% n8 l3 V3 `: Z( bmake
* O5 N, J3 X4 q三.nginx添加modsecurity模块3 l4 w* m4 T# _1 ^
3 l2 j: n2 g& a0 D. u" {
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
9 p: S z& u7 }$ d) m* K% A- N4 o
l. k _; w* B# ~$ V./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
# [/ g7 C# k5 xmake && make install
2 L; i" b" \1 F. g) ~! C' C) Q' ^四.添加规则
6 L% E' Y5 B3 S) H# Z6 t
" ^$ ^8 u1 G8 O7 q( U1 u, D0 Ymodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。8 d8 S Z+ {$ z' i/ _
7 y% h2 e$ U" h9 v; ~ p0 L3 T+ Q1 K
1.下载OWASP规则:
* p4 f- M( X6 F8 L) L0 u3 |1 v2 b7 {# ?; L9 M: x" Z
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
! X/ T B# @9 D0 a* I& s u
0 A4 {5 h" ?* p7 v# z3 F0 P9 ~" lmv owasp-modsecurity-crs /opt/tengine/conf/; U5 O- p' @4 t! a2 j. i: g
6 j( I7 y: m# h1 d9 s
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
. N5 h5 n: V9 u! n9 R2.启用OWASP规则:! V/ H' d* h/ k& t" Q
6 a+ O) c) d/ t4 J. Q; r
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。! ~+ D* q, @ E# t. S
2 ?) x. u6 B3 K9 W) L) x编辑modsecurity.conf 文件,将SecRuleEngine设置为 on+ a2 f& ]: ?( A$ d( X, x* H( s
, S4 g- z, v3 f5 O5 h$ k
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
0 p, m# J. U! I9 l
" T {7 O% _) u3 T& K/ R# JInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
( a6 }0 @6 g# s* u8 c% i2 j+ KInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf/ P0 T3 D: I p! L! f, C
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
0 A& a4 R" a5 Q1 LInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
5 l3 Q) T' C* z- S4 J! G" GInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
% M: t, i4 O. L$ O/ WInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf& m: K6 @* Q3 J
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
% C4 ^/ s# b, N1 O2 F9 f. Y5 s7 w五.配置nginx4 A& {; r2 t" t: t
2 R* J4 W/ F' q: \, I: ?
在需要启用modsecurity的主机的location下面加入下面两行即可:: y: T0 N0 J* F2 J
0 V- t6 l8 i" K2 s' E* n8 c6 SModSecurityEnabled on; ; j* J$ Q) h) b% }' x3 w
ModSecurityConfig modsecurity.conf;
0 W x& z* V8 j$ O8 h. m: x下面是两个示例配置,php虚拟主机:* n7 X$ S1 n" t( h& {+ ?2 G$ X
: |! `! o' t3 Y
server {# ? S+ m6 }! H3 z, n
listen 80;
( P. n+ A7 s1 t+ Y+ ^ server_name 52os.net www.52os.net;! n" t0 p, n9 o4 k4 Z; G; u' {
. ]; h# _5 y) d l+ D( x
location ~ \.php$ {" I- ^) J6 h+ N/ x) {7 O: S6 b
ModSecurityEnabled on; 0 `+ J; K# R2 v4 ^
ModSecurityConfig modsecurity.conf;; P' L& A# c, F. ^
. S+ s; F5 ?6 i- _+ J1 G
root /web/wordpress;8 P* j! F2 d A- U2 h
index index.php index.html index.htm;# G: a _2 c" m+ h3 B0 _
2 B8 N4 I' a8 A* d; k J6 K fastcgi_pass 127.0.0.1:9000;2 H+ i Q; I; |1 L3 R" V- G ?( Y: a
fastcgi_index index.php;
; ]. j' [! D- C8 e, F4 D- J- w fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
7 l. e2 d. d2 X* H& z0 H4 W include fastcgi_params;
+ d5 o+ d; D q6 {* f ~7 S }8 a4 [. c8 y5 Z% G
}* i, E, p+ D& D" j& B" C2 _3 }
upstream负载均衡:
1 }; Z* K6 e& f
: }: t; t, \: G% I! D9 nupstream 52os.net {
/ U' o" E5 A. m( Q0 k7 y' o server 192.168.1.100:8080;
M' K0 U+ p( g' I) n/ U server 192.168.1.101:8080 backup;
* F& r. N% T9 x2 F}1 ]" S4 l& i9 V8 A# ~
# R& J8 v( n7 [. F5 Y0 P X
server {4 K" r& G% `& ?) w# s
listen 80;
( t2 ?/ j% M% |4 cserver_name 52os.net www.52os.net;$ v: |: @6 r# e; t) P1 P
4 B$ m" m4 {6 G% o6 t9 C
location / {
0 d' b) N7 l. Z* ^& R ModSecurityEnabled on; 6 V; H# `3 e8 r0 U9 @4 i) `. l+ _# o
ModSecurityConfig modsecurity.conf;
2 H, d" [; ?3 [* A/ v! u* V1 ~- w( v" I; t# |
proxy_pass http://online;6 m- o8 Z( I- f. v+ ]' l M, P
proxy_redirect off;
6 O; @* {4 G2 N9 B" P proxy_set_header Host $host;
! X* j9 ]1 E5 N7 d" r proxy_set_header X-Real-IP $remote_addr;) H5 x/ j$ {' q: s( L( x( Z, X' F; e
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
% B8 k# a( @% Y. n, l }
# f |; }3 a8 F3 S: l% j5 Q2 k}# q6 t8 t' l, ]2 b, [8 T
六.测试: u% G! E3 c, h3 J/ y- F! @
4 k$ \! S" i- V: M; p: G8 C
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
3 H5 l- B7 f a
( g. I8 f% I0 Z* L6 w3 p<?php
& s' _5 s7 A- K; T, p phpinfo(); 6 q8 j6 S: L8 j3 x$ _
?>3 [/ p6 X7 ?) ^
在浏览器中访问:
9 q' h3 Z$ P7 o# j: {, R/ |' s J. P% P' k2 K) s9 D5 P" j
http://www.52os.net/phpinfo.php?id=1 正常显示。
+ O& p4 c. `9 o7 L, ?* a) Zhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
6 c" j. ]# w- R: F$ `+ a% _* fhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。0 m s$ Q3 m& D5 k/ _
说明sql注入和xss已经被过滤了
& W" @: h3 Z) O& \
' @3 ~* ?6 {; p* ]/ T1 {& \七、安装过程中排错
5 _& Q7 ?! c: r5 H+ _7 S- C- V8 Z X/ c: \& n8 [
1.缺少APXS会报错
3 e4 z6 q; c* Y2 `2 w8 ?- H( H& {* ]- |/ p6 ^! d, N+ P) r" _
configure: looking for Apache module support via DSO through APXS
, D/ S; Z* Q) J5 A4 |+ Y1 s- n: V$ J6 econfigure: error: couldn't find APXS
6 U: \( F s( x3 t. napxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。' ` Z H# t9 b
解决方法:
/ S( L7 m2 s" D1 ]7 X* s
6 |2 {9 \/ v1 }1 |5 P3 |3 zyum install httpd-devel2 A; C/ T8 J+ B7 q+ N( U8 B
2.没有pcre
w% d- k" q4 L' I9 s
5 G6 b- [6 x0 V4 v- Pconfigure: *** pcre library not found.* V) ^9 Z1 `# V) K& }' n7 w5 s+ d
configure: error: pcre library is required
4 r$ a T: b' w解决方法:# k! v+ G2 C% T
$ w! m% c( @/ T* g) x1 {
yum install pcre pcre-devel
( k3 B. O4 o' e. ?& r, }2 r! T" @3.没有libxml2
' b9 o! c: l D3 {& t W- m% n' L+ j8 G6 ]/ C* M
6 l( Q% K" o3 i' u5 sconfigure: *** xml library not found.2 Q- }+ N7 j2 i: Y* } q
configure: error: libxml2 is required' W6 @" F" ~) W& D/ S* O. q
解决方法:; F j/ V g- e [+ ?
( q% V6 j# z) h
yum install libxml2 libxml2-devel' ~0 f- _8 Z" s$ Q% g2 c& R
4.执行 /opt/tengine/sbin/nginx -m 时有警告7 l( u0 u$ K4 M9 J i- x9 O, {
+ Z: D4 N2 K6 a! f6 STengine version: Tengine/2.1.0 (nginx/1.6.2); L4 v8 f. V. L4 _ P2 S
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!0 B* Z/ p& ~$ r+ k
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log3 I: R) p9 ^1 x7 E$ W- _5 h+ D9 k
' a' S" W- h6 K' e! \0 v2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.) u& W5 J$ `# a* ~
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
* j6 m0 |) s. g& E4 C. L2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
' m; E2 _ g1 E# Q4 @" D7 e2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05" @! e k2 X6 y7 h
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
V) l0 ?; t/ m% B/ D" E2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
3 Y3 k/ C+ r6 L1 Q解决方法,移除低版本的APR (1.3.9)+ ? E) m) Q6 Y5 ^- A4 V! Z* O0 f* h
, x* I* i8 n0 o" J: R: Z9 }yum remove apr6 L& |: b; D, g5 r1 p
5.Error.log中有: Audit log: Failed to lock global mutex
1 L) u) e$ d* _2 t# p" o3 c, N- r' @6 J4 O: V+ b
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 8 _- ^* C3 `9 `' e0 d
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
5 Q2 u$ T$ { d5 D3 z' O- \- L解决方法:
" V4 ^/ P8 v1 V- q4 N编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:1 s( |( C8 i# W; y# v: P# h
$ i( N+ w) ^* L3 L. PSecAuditLogDirMode 0777$ P" c L( U. x7 {
SecAuditLogFileMode 0550
' V' |# d/ q3 g0 gSecAuditLogStorageDir /var/log/modsecurity
! j# J4 u4 D) y) Y$ R. W- m5 Y, XSecAuditLogType Concurrent1 ]3 A: R3 f! X
参考文章:
; T! Y/ v4 T8 a& i! U+ N6 whttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
) C3 w6 w" O$ c5 A; }9 W! ahttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡