ModSecurity began as an open-source WAF for Apache that effectively strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx with "--add-module" when configuring the nginx build:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need: a rule file is enabled simply by pulling it in with Include in modsecurity.conf, for example:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host where ModSecurity should be enabled, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Second, an upstream load-balancing setup:

# the upstream group name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then visit the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
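As an added check that is not part of the original post, the script below repeats the three requests from this section with curl and compares the status codes against the expected 200/403 results, so the WAF can be re-verified after every rule or config change. It assumes curl is installed and takes the protected host from BASE_URL (defaulting to the post's host).

```shell
#!/bin/sh
# Added example, not part of the original post: re-run the three test
# requests from this section with curl and check the WAF's status codes.
# Assumptions: curl is installed; BASE_URL names the protected vhost
# (defaults to the post's host); the expected codes are the 200/403
# results the post reports.
BASE_URL="${BASE_URL:-http://www.52os.net}"

# Compare expected and observed HTTP status codes; prints PASS or FAIL.
judge() {
    if [ "$1" = "$2" ]; then echo PASS; else echo FAIL; fi
}

# Request BASE_URL+path with the given query parameter (curl URL-encodes
# the value, as a browser would) and print only the HTTP status code.
# curl prints 000 when the connection itself fails.
http_code() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        -G --data-urlencode "$2" "$BASE_URL$1" || true
}

# Run one probe: label, path, query, expected code. Returns 1 on mismatch.
probe() {
    actual=$(http_code "$2" "$3")
    verdict=$(judge "$4" "$actual")
    printf '%-4s %-14s expected %s got %s\n' "$verdict" "$1" "$4" "$actual"
    [ "$verdict" = PASS ]
}

# The benign request must pass; the SQLi and XSS probes must be blocked.
run_probes() {
    rc=0
    probe benign /phpinfo.php 'id=1' 200 || rc=1
    probe sql-injection /phpinfo.php 'id=1 and 1=1' 403 || rc=1
    probe xss /phpinfo.php "search=<script>alert('xss');</script>" 403 || rc=1
    return $rc
}

# Only hit the network when invoked with --run (e.g. sh probe_waf.sh --run).
if [ "${1:-}" = "--run" ]; then
    run_probes
fi
```

A non-zero exit status means at least one probe did not get the status the post expects, which usually points at a rule file that was not included or SecRuleEngine still set to DetectionOnly.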
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel
4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime, and error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614