ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web front end. It now also supports Nginx and IIS; combined with the flexibility and performance of Nginx it can be built into a production-grade WAF, and it is a strong tool for both protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Build ModSecurity as a standalone module

Download and unpack ModSecurity for nginx, then run the following in the unpacked directory (--disable-mlogc leaves out the remote log collector, which would otherwise pull in libcurl):

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build has finished, the module is added when nginx is compiled, via --add-module pointing at the nginx/modsecurity directory inside the ModSecurity source tree you just built:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is about filtering and blocking dangerous web requests, and its strength lies in its rules. The rule set published by OWASP and maintained by community volunteers is known as the Core Rule Set (CRS); it is reliable and powerful, and you can also write your own rules for whatever it does not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches but never blocks; left that way, every test in section VI returns 200 and only error.log shows that a rule fired.

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need by pulling the files into modsecurity.conf with Include. The setup file must come first, because it defines the variables the rule files rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
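As an added check (example code, not from this post or from ModSecurity), the script below reads a modsecurity.conf and reports the two mistakes that silently defeat the setup above: SecRuleEngine still at DetectionOnly, and Include lines that point at files which do not exist (a wrong CRS path, or a setup file never renamed from .example). It follows nested Includes and expands Apache-style globs such as base_rules/*.conf. It assumes, as the post's layout does, that relative Include paths resolve against the directory holding modsecurity.conf (Apache resolves them against ServerRoot, which is the same directory here). The directory tree it builds is constructed under a temporary directory to mirror /opt/tengine/conf.

```python
"""Sanity-check a modsecurity.conf before reloading nginx.

Added example; not code from the post or from ModSecurity. Assumption: relative
Include paths resolve against the directory containing modsecurity.conf, which
is how the post lays things out under /opt/tengine/conf.
"""
import glob
import os
import re
import tempfile

# "Directive argument" lines; Include arguments may be quoted and may use globs.
_DIRECTIVE_RE = re.compile(r'^(?P<name>[A-Za-z]+)\s+(?P<arg>.+)$')


def check_modsec_conf(conf_path):
    """Return {'engine': str|None, 'includes': [relative paths], 'missing': [args]}."""
    conf_path = os.path.abspath(conf_path)
    base = os.path.dirname(conf_path)
    result = {"engine": None, "includes": [], "missing": []}
    seen = set()

    def walk(path):
        if path in seen:                      # guard against Include loops
            return
        seen.add(path)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                m = _DIRECTIVE_RE.match(line)
                if not m:
                    continue
                name = m.group("name").lower()
                arg = m.group("arg").strip().strip('"')
                if name == "secruleengine":
                    result["engine"] = arg    # the last one read is the one in force
                elif name == "include":
                    target = arg if os.path.isabs(arg) else os.path.join(base, arg)
                    matches = sorted(glob.glob(target))
                    if not matches:
                        result["missing"].append(arg)
                    for found in matches:
                        result["includes"].append(os.path.relpath(found, base))
                        walk(found)           # nested Includes (e.g. inside the CRS setup file)

    walk(conf_path)
    return result


def problems(result):
    """Reasons the WAF would not block as expected, as human-readable strings."""
    out = []
    if result["engine"] is None:
        out.append("SecRuleEngine is not set; add 'SecRuleEngine On'")
    elif result["engine"].lower() != "on":
        out.append("SecRuleEngine is %s, not On: matches are logged but never blocked"
                   % result["engine"])
    for arg in result["missing"]:
        out.append("Include does not resolve to any file: %s" % arg)
    return out


def build_demo_tree():
    """Constructed stand-in for /opt/tengine/conf: SecRuleEngine left at
    DetectionOnly and one Include pointing at a rule file that was never created."""
    root = tempfile.mkdtemp(prefix="tengine-conf-")
    crs = os.path.join(root, "owasp-modsecurity-crs")
    for sub in ("base_rules", "optional_rules"):
        os.makedirs(os.path.join(crs, sub))
    for rel in ("modsecurity_crs_10_setup.conf",
                "base_rules/modsecurity_crs_41_sql_injection_attacks.conf",
                "base_rules/modsecurity_crs_41_xss_attacks.conf"):
        with open(os.path.join(crs, rel), "w") as fh:
            fh.write("# placeholder rule file for the example\n")
    conf = os.path.join(root, "modsecurity.conf")
    with open(conf, "w") as fh:
        fh.write(
            "SecRuleEngine DetectionOnly\n"
            "Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf\n"
            "Include owasp-modsecurity-crs/base_rules/*.conf\n"
            "Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf\n"
        )
    return conf


if __name__ == "__main__":
    report = check_modsec_conf(build_demo_tree())
    for p in problems(report):
        print("PROBLEM:", p)
    print("Resolved %d rule files" % len(report["includes"]))
```

Run it against /opt/tengine/conf/modsecurity.conf instead of the demo tree before every reload; an unresolved Include makes ModSecurity refuse the configuration, and a DetectionOnly engine is the usual reason a "working" WAF never returns a 403.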
V. Configure nginx

In the location block of every virtual host that should be protected, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

modsecurity.conf is looked up relative to nginx's conf directory, /opt/tengine/conf/ here, which is where section IV placed it. Two sample configurations follow. First a PHP virtual host; note that ModSecurity is switched on only inside location ~ \.php$, so requests for static files on this host are not inspected:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, an upstream load balancer, where the WAF sits in front of the backends and inspects everything under location / (the upstream name and the proxy_pass target must match, as they do below):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with a 403. Using the PHP host as an example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then open these in a browser (the browser percent-encodes the spaces and angle brackets for you; with curl use -G --data-urlencode 'id=1 and 1=1' to do the same):

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

The SQL injection and XSS probes are being filtered. error.log records each match with the rule id and file, which tells you which rule produced the 403. phpinfo.php is a test fixture only: remove it afterwards, since it discloses the PHP configuration and environment to anyone who can reach it.
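A 403 on its own does not prove the WAF produced it (nginx returns 403 for a denied directory listing, for instance). ModSecurity writes one line per match to nginx's error.log, tagged with the rule id, file, message and matched data, and when SecRuleEngine is DetectionOnly the same line reads "Warning." instead of "Access denied with code 403". The parser below, an added example that is not part of the original post, extracts those fields and summarizes blocked versus warned hits per rule and per client. The lines in SAMPLE_LOG are constructed for the example in the format ModSecurity 2.x uses; the rule ids, messages and unique_ids in them are illustrative, not copied from a live server.

```python
"""Summarize ModSecurity 2.x alerts from nginx's error.log.

Added example; not part of the original post. SAMPLE_LOG is constructed in the
format ModSecurity writes to error.log; rule ids, messages and unique_ids are
illustrative, not copied from a real server.
"""
import re
from collections import Counter

# nginx error.log prefix, then the "[client a.b.c.d] ModSecurity: ..." message.
_LINE_RE = re.compile(
    r'^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \S+ '
    r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<msg>.*)$'
)
# Bracketed fields such as [id "950901"]; values may contain \" escapes.
_FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>(?:[^"\\]|\\.)*)"\]')
# A blocked request. With SecRuleEngine DetectionOnly the same rule logs "Warning." instead.
_DENY_RE = re.compile(r'^Access denied with code (?P<code>\d{3})')


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not a ModSecurity alert."""
    m = _LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    msg = m.group("msg")
    alert = {
        "time": m.group("time"), "level": m.group("level"),
        "client": m.group("client"), "denied": False, "code": None, "tags": [],
    }
    d = _DENY_RE.match(msg)
    if d:
        alert["denied"] = True
        alert["code"] = int(d.group("code"))
    for f in _FIELD_RE.finditer(msg):
        key, val = f.group("key"), f.group("val").replace('\\"', '"')
        if key == "tag":                      # [tag "..."] repeats; keep them all
            alert["tags"].append(val)
        else:
            alert[key] = val
    return alert


def summarize(lines):
    """Count blocked and warned alerts, plus hits per rule id and per client."""
    out = {"denied": 0, "warned": 0, "per_rule": Counter(),
           "per_client": Counter(), "warn_only_rules": set()}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        rule = a.get("id", "?")
        out["per_rule"][rule] += 1
        out["per_client"][a["client"]] += 1
        if a["denied"]:
            out["denied"] += 1
        else:
            out["warned"] += 1
            out["warn_only_rules"].add(rule)  # fired, but nothing was blocked
    return out


# Constructed sample error.log excerpt: one unrelated nginx error, two blocked
# probes (SQLi and XSS, the XSS one with \" escapes inside [data "..."]), and the
# SQLi rule firing as a Warning only, i.e. from a host still in DetectionOnly.
SAMPLE_LOG = [
    '2015/01/26 04:15:42 [error] 61610#0: *12 open() "/web/wordpress/favicon.ico" failed (2: No such file or directory), client: 10.11.15.161, server: 52os.net, request: "GET /favicon.ico HTTP/1.1", host: "www.52os.net"',
    '2015/01/26 04:16:03 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\band\\b ?\\d+ ?=)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1 and 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
    '2015/01/26 04:17:12 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script[^>]*>" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "32"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:search: <script>alert(\\"xss\\");</script>"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]',
    '2015/01/26 04:18:30 [error] 61610#0: [client 192.168.1.50] ModSecurity: Warning. Pattern match "(?i:\\band\\b ?\\d+ ?=)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "BcBcBcBcBcBcBcB4DcB7BcBc"]',
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("blocked:", s["denied"], "warned only:", s["warned"])
    print("hits per rule:", dict(s["per_rule"]))
    print("hits per client:", dict(s["per_client"]))
    if s["warn_only_rules"]:
        print("rules that fired without blocking (DetectionOnly?):", sorted(s["warn_only_rules"]))
```

Feed it the real file with summarize(open("/opt/tengine/logs/error.log")) after running the section VI probes: the blocked count should rise by two, and any rule appearing in warn_only_rules means that host still has SecRuleEngine DetectionOnly.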
VII. Troubleshooting the installation

1. APXS missing

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script needs it even for the standalone build.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Be aware that yum remove apr also removes every package that depends on it, httpd among them. On a host that still needs Apache, make the build and the runtime agree instead: check which libapr the binary actually resolves with ldd /opt/tengine/sbin/nginx | grep apr, and rebuild with that APR's apr-1-config first on PATH when running ModSecurity's configure.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Cause: with the default Serial audit log, all workers append to one file guarded by a global mutex; the mutex is created by the master process running as root, and the workers, running as the unprivileged user from the user directive, cannot lock it. The Concurrent audit log writes each transaction to its own file under SecAuditLogStorageDir and needs no global mutex.

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Create /var/log/modsecurity beforehand and chown it to the user the nginx workers run as. Once the worker owns the directory, 0777 is unnecessary and leaves the audit trail, which contains full request data, writable by every local account; 0750 for the directory and 0640 for the files is enough, and nothing in an audit log needs the execute bit.