Using ModSecurity with nginx to build a WAF

Posted 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency it can be turned into a production-grade WAF, a powerful tool for protecting and auditing web applications.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module is built, it can be added at nginx configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is aimed at filtering and blocking web threats, and its power lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can of course also write your own rules to cover any need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
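Before pointing nginx at the file it is worth verifying two things that commonly go wrong here: modsecurity.conf-recommended ships with SecRuleEngine DetectionOnly (alerts are logged, nothing is blocked), and a typo in an Include path means a rule file that is silently never loaded or a config that fails to load. The script below is an added example, not part of the original post or of ModSecurity. It assumes that relative Include paths resolve against the directory passed as its second argument, defaulting to the directory of the conf file itself, which matches the layout above where modsecurity.conf and owasp-modsecurity-crs sit side by side in /opt/tengine/conf; adjust the base if your build resolves them differently. The make_demo_tree function builds a constructed fixture in a temp directory, with empty placeholder files standing in for the real CRS rule files.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks a modsecurity.conf
# before nginx loads it through ModSecurityConfig:
#   - SecRuleEngine must be On (modsecurity.conf-recommended ships DetectionOnly)
#   - every Include target must exist; relative paths are resolved against the
#     base directory given as $2 (assumption: defaults to the conf's directory)
# Prints one line per problem and returns the number of problems (0 = clean).
check_modsec_conf() {
    conf="$1"
    base="${2:-$(dirname "$conf")}"
    problems=0

    if [ ! -r "$conf" ]; then
        echo "MISSING: $conf"
        return 1
    fi

    # take the last SecRuleEngine directive in the file
    engine=$(sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
    case "$engine" in
        On|on) ;;
        *)  echo "SecRuleEngine is '${engine:-unset}' in $conf: requests will not be blocked"
            problems=$((problems + 1)) ;;
    esac

    # Include <path>: absolute paths are used as-is, relative ones joined to $base
    for target in $(sed -n 's/^[[:space:]]*Include[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$conf"); do
        case "$target" in
            /*) path="$target" ;;
            *)  path="$base/$target" ;;
        esac
        if [ ! -r "$path" ]; then
            echo "MISSING INCLUDE: $target (looked for $path)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed demo fixture: one conf that passes and one with both mistakes.
# The CRS files created here are empty placeholders for the real rule files.
make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/owasp-modsecurity-crs/base_rules"
    : > "$dir/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf"
    : > "$dir/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"
    cat > "$dir/good.conf" <<'EOF'
SecRuleEngine On
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
EOF
    cat > "$dir/bad.conf" <<'EOF'
# left at the value modsecurity.conf-recommended ships with: log only, never block
SecRuleEngine DetectionOnly
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
# typo in the file name (attack vs attacks): this file does not exist
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attack.conf
EOF
    echo "$dir"
}

# Usage: MODSEC_CONF=/opt/tengine/conf/modsecurity.conf sh check_modsec_conf.sh
if [ -n "${MODSEC_CONF:-}" ]; then
    check_modsec_conf "$MODSEC_CONF" "${MODSEC_BASE:-}"
fi
```

Run it with MODSEC_CONF set to the real file after every rule change; a non-zero exit means the WAF is not in the state you think it is. Note the check only knows about Include lines written in plain form, so wildcards or directives placed inside other included files are not followed.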
5. Configure nginx

Add the following two lines inside the location block of each vhost that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

A load-balanced upstream:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered directly with a 403. Taking the PHP setup as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
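The three browser checks above are worth turning into a repeatable smoke test, so the WAF is re-verified automatically after every rule or configuration change rather than once by hand. The script below is an added example, not from the original post; it assumes curl is installed, that WAF_BASE_URL points at the protected vhost (for example http://www.52os.net) and that phpinfo.php exists there as in the post. It sends the same benign, SQL injection and XSS requests and expects 200, 403 and 403, exiting non-zero if any response differs.

```shell
#!/bin/sh
# Added example, not part of the original post: the post's three browser
# checks as a curl-based pass/fail smoke test for the WAF.

# Return the HTTP status code for GET $1 with raw query string $2.
# -G with --data-urlencode percent-encodes the spaces, quotes and angle
# brackets in the probes the same way a browser would before sending.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode "$2" "$1"
}

# One check: base URL, path, query, expected status.
# Prints a PASS/FAIL line and returns 0 only when the status matches.
expect_status() {
    base="$1"; path="$2"; query="$3"; want="$4"
    got=$(http_status "$base$path" "$query")
    if [ "$got" = "$want" ]; then
        echo "PASS $want  $path?$query"
        return 0
    fi
    echo "FAIL want=$want got=$got  $path?$query"
    return 1
}

# The post's three requests: benign (200), SQL injection probe (403), XSS probe (403).
# Returns the number of checks that did not get the expected status.
run_waf_smoke_test() {
    base="$1"; failures=0
    expect_status "$base" /phpinfo.php "id=1" 200 || failures=$((failures + 1))
    expect_status "$base" /phpinfo.php "id=1 and 1=1" 403 || failures=$((failures + 1))
    expect_status "$base" /phpinfo.php "search=<script>alert('xss');</script>" 403 || failures=$((failures + 1))
    return "$failures"
}

# Usage: WAF_BASE_URL=http://www.52os.net sh waf_smoke_test.sh
if [ -n "${WAF_BASE_URL:-}" ]; then
    run_waf_smoke_test "$WAF_BASE_URL"
fi
```

A benign request that unexpectedly returns 403 is as important a failure as a probe that gets through: it means a rule is producing false positives on normal traffic, which is the usual reason people quietly switch SecRuleEngine back to DetectionOnly.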

7. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m gives a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log will also contain:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
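Both run-time problems in items 4 and 5 announce themselves in error.log at startup or on the first audited request, so they can be caught by a log check rather than discovered when the WAF silently stops auditing. The script below is an added example, not from the original post or from ModSecurity; it reads error.log text on stdin and flags an APR compiled/loaded version mismatch and an audit-log mutex failure. Its sample_log function replays the lines quoted above as constructed test input, and the version parsing assumes the exact notice format shown in item 4.

```shell
#!/bin/sh
# Added example, not part of the original post: scan nginx error.log text for
# the ModSecurity startup problems the post troubleshoots.
# Reads log lines on stdin, prints one finding per line, returns the count.
check_modsec_log() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            *"ModSecurity: APR compiled version="*)
                # e.g. ... APR compiled version="1.5.0"; loaded     version="1.3.9"
                compiled=$(printf '%s\n' "$line" | sed -n 's/.*compiled version="\([^"]*\)".*/\1/p')
                loaded=$(printf '%s\n' "$line" | sed -n 's/.*loaded[[:space:]]*version="\([^"]*\)".*/\1/p')
                if [ "$compiled" != "$loaded" ]; then
                    echo "APR mismatch: compiled $compiled, loaded $loaded (post's fix: yum remove apr, then rebuild)"
                    findings=$((findings + 1))
                fi ;;
            *"Audit log: Failed to lock"*)
                # audit log cannot take its lock: check SecAuditLogStorageDir ownership/modes
                echo "Audit log mutex failure: ${line#*ModSecurity: }"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Constructed sample built from the error.log lines quoted in the post.
sample_log() {
    cat <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
EOF
}

# Usage: MODSEC_ERROR_LOG=/opt/tengine/logs/error.log sh check_modsec_log.sh
if [ -n "${MODSEC_ERROR_LOG:-}" ]; then
    check_modsec_log < "$MODSEC_ERROR_LOG"
fi
```

The mutex failure matters more than it looks: while the audit log cannot be locked, requests are still filtered but the audit trail for blocked requests is lost, so a check like this belongs in whatever monitors the WAF host.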
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614