|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
: q' T' J8 M0 h0 Y' S4 n
! ?& c* ` l5 \9 S- P, {9 \9 z( ?一.准备工作5 t4 Z- b/ J% f" i0 k" f% f) D
7 f# J0 L% @( n. F; b& _5 n
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
, w7 ^" X6 d* a* N) F8 M
- H: D$ ~% W8 I4 r( \tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
5 g3 u4 M9 ~( k9 W f u6 U% D$ }5 s( G8 u
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
& g6 G+ T/ X$ i+ l- F
Q' t8 H" t1 X3 m' ~OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs/ H0 J# L, ^$ F4 H6 h* c3 V
0 H5 l4 G7 i" R6 n+ I- }0 h
依赖关系:
5 F+ \& R, T2 L4 n1 U8 ktengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:; C x" Q/ |% a P
% o2 s7 g$ e7 ^
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
/ a* O. p0 U$ W- \; {modsecurty依赖的包:pcre httpd-devel libxml2 apr
$ I C2 D2 u# Z6 u4 x2 d* {* T* K+ z& k" } c* q0 W; w% K( w$ m
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel1 D% f# ^7 z) W
二.启用standalone模块并编译
- d Q8 \' f# H' p9 @3 J2 l3 c# Y
1 D, }) H, P* q( k$ c4 ]下载modsecurity for nginx 解压,进入解压后目录执行:# g! E; g# H4 U5 Z* l% k
( C; ~% H H j' {' f7 A( R
./autogen.sh) O, Q( l7 J% l$ j4 [/ q# T
./configure --enable-standalone-module --disable-mlogc
, u9 G+ [! T9 i* amake : V) R$ L+ O! k8 R+ T8 S
三.nginx添加modsecurity模块+ F" A$ @+ ` r" K3 R$ R
- [/ T) I N! R- ^) G0 ?* k
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
# l" j1 w9 I- ~: D5 @& G, g! x0 P$ x# ?7 U' k7 W
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine- m# i* q6 b, K2 ^/ S% M# G
make && make install
' F) U0 V9 F# ~四.添加规则
: d8 c( R5 A) V0 O! \
! H- W) Q/ l. a" I" Smodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
% w' V. g# a4 X& ]
6 j4 G. t4 t6 @1.下载OWASP规则:/ o; q+ H1 e0 G, a' o- e3 R
7 o+ r6 c1 o( T ^git clone https://github.com/SpiderLabs/owasp-modsecurity-crs9 {2 B$ o4 q+ \
0 _" O" q2 V" {% o! zmv owasp-modsecurity-crs /opt/tengine/conf/( E' S! F" N. c
% G4 M5 y* l0 K9 r: v; m( y# D
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
, S. y2 B) g Y4 s2.启用OWASP规则:) H, Y/ ~6 o& v6 v
4 u. q* H: j+ O0 V1 x
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
3 c5 `/ {2 b2 { Q4 t8 M7 i& d1 ~* o8 I7 Q( Z/ q# m& p: ]
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on( k" h8 n$ R8 z( d& X3 `5 ^; l* L! I
' E8 @0 y0 F0 g' b5 l* x+ _' Cowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。0 C- V4 C, [! `2 F9 d2 ~7 Y, o
; \1 B6 \0 v$ v9 v
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf. j, { ~, D6 K) ^: o
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf( O4 c3 n6 q3 I. a; m8 v
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
5 y$ N, M5 O0 j. z) WInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf! G: V1 I# h$ A' ]+ u' _
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
W/ o8 T4 n% aInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
: K3 [- z) {" d& kInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
, G$ [9 i0 C, R3 X4 I五.配置nginx2 ?# c' q8 s; P5 i/ |/ v
( E) _& P9 G9 Y$ D! l在需要启用modsecurity的主机的location下面加入下面两行即可:: c# z( f: T# ?" Q+ o( L
2 ]! U+ {# b/ C) Y8 M9 f8 B
ModSecurityEnabled on;
! D$ j) U/ ^# a/ D4 \6 D, |ModSecurityConfig modsecurity.conf;% u+ i$ @2 D$ B$ a$ y
下面是两个示例配置,php虚拟主机:* B! A% P% A3 \0 ?( }* Z3 t
# m; O0 d& D# X8 ^$ i6 r- qserver {
2 u7 {7 z% G3 i( E' \) m, Y9 V listen 80;
! q$ i: R7 ~+ V3 I server_name 52os.net www.52os.net;6 c, @* j& s; F) ] k
9 M, a6 g1 p) X- I8 i& _( h location ~ \.php$ {
2 g: ~; s+ K( W, C8 a6 F( V8 g; H* S ModSecurityEnabled on;
% m+ W$ V p- \8 M5 Z- k( t ModSecurityConfig modsecurity.conf;) Q7 I6 |' R' ^. o* a
3 I/ @0 Z0 I! s) p V root /web/wordpress;
% h T. Q% P# B! Y# T, V2 P index index.php index.html index.htm;+ J/ ~! `8 R1 N( l4 p' Q6 U+ V
( ~( u# ?# g q: I8 j! @$ B. a$ R fastcgi_pass 127.0.0.1:9000;
# O2 Y' a* n0 z fastcgi_index index.php;6 C, D* i9 V, c: c; o r# }& x
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
7 ]. j2 p% j" o7 ]0 g _& }, V include fastcgi_params;# @: V* |: J) y. {0 B
}; P9 {5 o5 [* i' I% O
}
5 N+ t, j% d) ?- `upstream负载均衡:- x8 \2 _+ O2 Q) b' O3 g6 e
Q* _+ G/ b) G0 w1 s
upstream 52os.net {
4 v2 l/ q: T: }6 N/ @7 Z3 k" x server 192.168.1.100:8080;* |6 [4 w& N" d* s( p, ~2 j$ S
server 192.168.1.101:8080 backup;. C) n* S3 `$ V1 h' M; K4 X$ ^/ ~" F; N
}
2 R- F) T7 t L1 [/ X$ Q
' b* j# ` L3 h( _server {5 l; X! c0 u% T |8 O) S
listen 80;
0 H# b2 B: o# d. F `$ |. wserver_name 52os.net www.52os.net;
`9 K5 ]3 e0 u& v( t& G q# }: n' e1 B
location / {
6 p/ j' ]6 K. ?" k ModSecurityEnabled on;
! t, G; M, L5 i$ \$ i8 q7 n$ G ModSecurityConfig modsecurity.conf;
7 D0 M7 D0 [- G/ ~: ~! o
/ T& Y& F2 h, A proxy_pass http://online;
& f: [6 y u9 h k$ z1 ~6 R( n proxy_redirect off;7 U: ]% p' r: f' |& p) F4 I
proxy_set_header Host $host;
; _. {# t7 \9 @! Z$ E) x9 K/ L proxy_set_header X-Real-IP $remote_addr;' P8 O: i( Z; A3 _+ ]" ^1 Q, p
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;: U* r* l# l A L
}0 [! a' c4 Y8 B6 @/ F' w5 M8 H
}# u2 r; x- d& w! t- i
六.测试
# F" z5 G' f7 P# [, w* u! M# [/ J9 g3 f- |
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:6 M& {1 ^" P% G! j; x
- U' `$ F6 n0 r. i( Y" c) x' k
<?php% G+ [4 A7 L0 H9 q; Z3 [% a
phpinfo();
8 }) o/ E% U& H?>
2 [' |# t5 X) S6 o在浏览器中访问:( o' h2 S) s4 k$ z4 `
- H- y& K" u' K5 P- U7 u6 ~$ t* z
http://www.52os.net/phpinfo.php?id=1 正常显示。
1 W! Z+ F* c4 K+ h$ khttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
$ S0 y* k' | n& \9 E) `) H6 Jhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
1 V8 B6 |3 Z9 A3 M: i1 R b说明sql注入和xss已经被过滤了
: b% P7 X! S8 o% f- t( W
% i% B- ?" b6 O6 [七、安装过程中排错8 v0 C' l4 B: R0 u3 b4 a
% G: k& b8 W1 t4 Q/ {& e! q: d1.缺少APXS会报错: ~4 e' E$ E2 Y0 }
1 ]" J$ o9 j) X& D$ W
configure: looking for Apache module support via DSO through APXS0 S$ x: [- q+ j2 B) L1 q: I
configure: error: couldn't find APXS
- O- r8 c8 [. b- N' M' _/ a% d$ Yapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。0 y$ [" |! \( [" q; [0 m3 x0 y
解决方法:
) t# n# s+ R1 M! t" T4 A7 s$ b& i; ~- r- y, e0 `
yum install httpd-devel! ?* K4 `) _8 A( s# b' D
2.没有pcre
5 F/ H: E# x) h4 g/ O
8 y" d; \9 _$ }. o; cconfigure: *** pcre library not found." G+ O: t5 r( s
configure: error: pcre library is required, Z6 J2 C6 `1 q0 q! r' E
解决方法:9 i7 `$ A/ }$ }& l S- z
2 b$ V$ s& t- t1 p: M% `5 h Nyum install pcre pcre-devel5 }$ J' o2 v, C: _. m
3.没有libxml2
2 \8 X, Z M* Y3 E% V. O
8 z/ |. J, {- Z$ }3 G6 w& L, e
! \4 W. H6 d m6 S1 b& h. b! ]! Xconfigure: *** xml library not found.
* x9 ^$ y3 q/ S4 D. w2 Jconfigure: error: libxml2 is required# [ @$ a9 o5 W- b, z: x# o$ [, `
解决方法:
r" A2 g, ~7 o {" b" ~1 X9 `
! {7 t. Z: z0 F4 m8 uyum install libxml2 libxml2-devel- X8 {+ [& r: K/ @/ S
4.执行 /opt/tengine/sbin/nginx -m 时有警告
, |$ g$ ^- q/ {8 T: _
. K+ W+ Z7 I4 z( j3 RTengine version: Tengine/2.1.0 (nginx/1.6.2)7 c+ n' `$ s6 e2 q& H
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!1 b# O1 @" z; k' d' x! y
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
1 M3 `# u; v& C% s; d0 Q/ A( I$ u# M; X C" l
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.7 d) M/ e! X& `) o# @. G5 Z
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9") H! g4 I3 X& K/ _
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
8 x7 H* V: J2 [' V4 W( E2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
6 l4 ?& K' U% ^/ x* p2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"( M3 r0 g; X8 c+ P6 C3 i
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
8 x$ R: G S$ J! h- ]解决方法,移除低版本的APR (1.3.9)
' K- ^; Z& e |+ L! Z! j
# r, k1 X7 p" K: Nyum remove apr
* X$ y" m8 v9 }" G5.Error.log中有: Audit log: Failed to lock global mutex2 x( m$ [, F* |( p/ W9 a2 ~
1 \& O& X. s& p5 g" q, s2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
+ [' @0 S. Q( u3 u0 \& V6 Wglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
5 z& W1 A# ~# U+ E" i9 j8 v解决方法:
, w6 M0 w2 o1 |. u2 @9 q编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:) V4 e- K, Z) Y- @; @
4 F7 p3 o" c9 ?' t T# j9 S" }; @ qSecAuditLogDirMode 07770 z* R0 Y$ a! F' r, p( s$ ]2 `
SecAuditLogFileMode 0550' D; @( O7 H5 Y. Z( U9 D n; k! ?
SecAuditLogStorageDir /var/log/modsecurity( P& p% Y2 L& ]5 O0 K
SecAuditLogType Concurrent9 ^ O4 P! X9 r. {3 T! _
参考文章:
% V9 E; x) `: ]https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX: ?6 Z; Z# k- W. F* `
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡