Using nginx with ModSecurity as a WAF

Posted on 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module is built, add ModSecurity when configuring nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Adding rules

ModSecurity's job is to filter and block dangerous web traffic, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for whatever you need.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add these two lines to the location block of each virtual host that should run ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two sample configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root  /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive and lowercase; $Document_root is an unknown variable
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass        http://online;
        proxy_redirect    off;
        proxy_set_header  Host $host;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection filters enabled, abnormal requests get a 403 straight away. Taking the PHP setup as an example, create phpinfo.php with:

<?php
    phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
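Beyond the browser check, the record of which rule blocked each request is the "Access denied" line ModSecurity writes to nginx's error.log. As an added example (not code from the original post), the following POSIX shell script tallies those lines by URI and rule id. The log excerpt inside it is constructed in ModSecurity 2.x's message format: the rule ids, message texts and unique_id values are illustrative, and the file paths assume the /opt/tengine layout used in this post.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise the requests that
# ModSecurity blocked, from the "Access denied" lines in nginx's error.log.

# Constructed error.log excerpt: one ordinary notice and two blocked requests.
# Rule ids, messages and unique_id values are illustrative, not real log data.
sample_log() {
    cat <<'EOF'
2017/10/19 16:53:31 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2017/10/19 16:54:02 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED000001"]
2017/10/19 16:54:09 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "41"] [id "973300"] [msg "XSS Attack Detected"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED000002"]
EOF
}

# Number of blocked requests in the log read from stdin ("0" when none).
count_blocked() {
    grep -c 'ModSecurity: Access denied' || true
}

# One "uri|rule-id|message" line per blocked request read from stdin.
# ModSecurity writes [id ...] before [msg ...] before [uri ...], so a single
# sed expression can pick all three fields out of the line.
blocked_requests() {
    grep 'ModSecurity: Access denied' |
    sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*\[uri "\([^"]*\)"\].*/\3|\1|\2/p'
}

# Tally blocked requests per uri and rule, most frequent first.
blocked_summary() {
    blocked_requests | sort | uniq -c | sort -rn
}

# Demo on the constructed excerpt. Against a live install:
#   blocked_summary < /opt/tengine/logs/error.log
printf 'blocked requests: %s\n' "$(sample_log | count_blocked)"
sample_log | blocked_summary
```

Pointing blocked_summary at the real error.log after the three test requests in this section shows exactly which CRS rule file and id fired for the SQL injection and XSS probes, which is the first thing to check when a legitimate request is being blocked by mistake.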

7. Troubleshooting the installation

1) Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2) pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4) Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5) error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614
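The startup notices above give the compiled and loaded version of each library side by side, so the mismatch can be detected from error.log rather than noticed by eye. As an added example (not code from the original post), this POSIX shell script parses those notices and reports every library whose loaded version differs from the compiled one. Its sample input reuses the APR, PCRE and LIBXML lines quoted above; the error.log path in the comment assumes the /opt/tengine prefix used in this post.

```shell
#!/bin/sh
# Added example, not part of the original post: detect compiled/loaded library
# version mismatches from the notices ModSecurity writes to error.log at startup.

# Sample input: the startup notices quoted in this post.
sample_log() {
    cat <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
EOF
}

# Print "LIB compiled loaded" for every line on stdin that reports both versions.
# Only the leading dotted number is kept, so PCRE's "7.8 " and "7.8 2008-09-05"
# compare equal; LIBXML reports no loaded version and is skipped.
version_pairs() {
    sed -n 's/.*ModSecurity: \([A-Z]*\) compiled version="\([0-9.]*\)[^"]*"; loaded *version="\([0-9.]*\)[^"]*".*/\1 \2 \3/p'
}

# Print one line per library whose loaded version differs from the compiled one.
version_mismatches() {
    version_pairs | awk '$2 != $3 { print $1 " compiled=" $2 " loaded=" $3 }'
}

# Read an error.log on stdin; return 1 (and list the offenders) on any mismatch.
check_versions() {
    mismatches=$(version_mismatches)
    if [ -n "$mismatches" ]; then
        printf 'library version mismatch:\n%s\n' "$mismatches"
        return 1
    fi
    echo "all loaded library versions match the compiled ones"
}

# Demo on the sample. Against a live install:
#   check_versions < /opt/tengine/logs/error.log
if ! sample_log | check_versions; then
    echo "rebuild ModSecurity against the installed APR, or remove the stale copy"
fi
```

On the sample the script reports only APR (compiled 1.5.0, loaded 1.3.9), which is the mismatch the `yum remove apr` step above resolves; PCRE passes because both sides start with 7.8.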