ModSecurity started out as an open-source WAF for Apache and is an effective way to harden web applications. It now also supports nginx and IIS; combined with the flexibility and performance of nginx it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

--enable-standalone-module builds ModSecurity as a library that does not need a running Apache, and --disable-mlogc leaves out mlogc, the remote audit-log collector, which is not needed for this setup.

III. Add the ModSecurity module to nginx

Once the standalone build has finished, add the module when configuring nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Check the result with /opt/tengine/sbin/nginx -V: the configure arguments it prints should contain the --add-module path above.

IV. Add rules

ModSecurity is about filtering and blocking dangerous web requests, and its power comes from its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and comprehensive, and you can add your own rules on top of them for site-specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

Note that the layout used below (modsecurity_crs_10_setup.conf plus the base_rules, experimental_rules, optional_rules and slr_rules directories) is that of the CRS 2.2.x series, which is what was current for ModSecurity 2.8.0. A plain clone of the repository's current default branch has a different layout, so check out a 2.2.x release tag rather than building from the head of the branch.

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. When putting the WAF in front of an existing site it is safer to start with SecRuleEngine DetectionOnly, which logs the rules that would have blocked a request without returning 403, and to switch to On once the error log shows no false positives.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines to modsecurity.conf; the setup file must be included first:
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
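
As an added example (not from the original post and not part of the CRS), the file below shows the two things a practitioner needs on top of the CRS includes: site-specific rules and a per-rule exclusion for a false positive. The file name modsecurity_crs_15_custom.conf, the rule ids 10000-10002 and the excluded id are assumptions chosen for illustration; take the real id to exclude from the [id "..."] field of the matching line in error.log.

```apache
# Added example: local rules, included from modsecurity.conf after the CRS
# Include lines. File name and rule ids are assumptions for illustration:
#   Include owasp-modsecurity-crs/modsecurity_crs_15_custom.conf

# 1. Refuse requests to a path that must never be reachable from outside,
#    before the request body is even read (phase 1).
SecRule REQUEST_URI "@beginsWith /wp-admin/install.php" \
    "id:10000,phase:1,t:none,t:lowercase,deny,status:403,log,msg:'Blocked access to installer'"

# 2. Positive model for the id parameter used in the test section of this
#    page: only a short decimal number is accepted, so '1 and 1=1' is
#    rejected by this rule no matter which CRS signature matches it.
SecRule ARGS:id "!@rx ^[0-9]{1,10}$" \
    "id:10001,phase:2,t:none,deny,status:403,log,msg:'Non-numeric id parameter'"

# 3. Log, but do not block, unusually large request bodies so the limits
#    can be tuned on real traffic before they are enforced.
SecRule REQUEST_HEADERS:Content-Length "@gt 1048576" \
    "id:10002,phase:1,t:none,pass,log,msg:'Request body larger than 1 MB'"

# 4. Exclude one CRS rule that keeps firing on legitimate traffic for this
#    site. SecRuleRemoveById must appear after the Include that loaded the
#    rule, otherwise there is nothing to remove yet. The id is a placeholder.
SecRuleRemoveById 981242
```

Rule 2 is the pattern worth copying: for parameters whose format you know, a positive check (what is allowed) is both stricter and cheaper than relying on the CRS's negative signatures alone. Test the file with nginx -t before reloading; a syntax error in a rule file stops the whole configuration from loading.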

V. Configure nginx

Add the following two lines to the location block of every virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    # Only this location is inspected by ModSecurity, so requests that do
    # not match \.php$ pass through unfiltered.
    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

# The upstream name must match the host part of proxy_pass below.
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

The XSS and SQL injection rules are enabled, so malicious requests should be answered with 403 directly. Using the PHP setup as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Request it in a browser:

http://www.52os.net/phpinfo.php?id=1 is served normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS attempts are being blocked. Each block is also written to nginx's error.log as a ModSecurity line carrying the rule id, message and URI, which is where to look when a legitimate request gets rejected. Delete phpinfo.php once the test is done; it discloses the PHP and server configuration to anyone who can reach it.
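
To find out which rule produced a 403, read the ModSecurity lines in nginx's error.log. The following Python script, added here as an example and not part of the original post, parses such lines into their [key "value"] fields and summarises blocked requests per rule and per client, which is the view needed when tuning false positives. The sample log embedded in it is constructed: the mutex line is the one quoted in this page's troubleshooting section, while the "Access denied" lines, their rule ids (900001, 900002), messages and unique_id values are placeholders, not copied from the CRS.

```python
import re
from collections import Counter

# Constructed sample of nginx error.log lines in the format ModSecurity 2.x
# uses. The "Failed to lock global mutex" line is the one quoted in this
# page's troubleshooting section; the "Access denied" lines are illustrative
# and their rule ids, messages and unique_id values are placeholders.
SAMPLE_LOG = """\
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "and 1=" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "900001"] [msg "Example: SQL injection probe"] [data "Matched Data: and 1= found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "placeholder0001"]
2015/01/26 04:20:07 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "1"] [id "900002"] [msg "Example: XSS script tag"] [data "Matched Data: <script found within ARGS:search: <script>alert('xss');</script>"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "placeholder0002"]
2015/01/26 04:21:13 [error] 61610#0: [client 192.0.2.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "and 1=" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "900001"] [msg "Example: SQL injection probe"] [data "Matched Data: and 1= found within ARGS:id: 2 and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/index.php"] [unique_id "placeholder0003"]
2015/01/26 04:22:00 [notice] 61610#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
"""

# Header of an nginx error.log line, including the [client ...] part nginx
# adds for request-bound messages, followed by ModSecurity's free-text
# message up to the first [key "value"] field.
ENTRY_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<message>.*?)(?= \[\w+ "|$)'
)
# [key "value"] fields; values may contain \" escapes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_entry(line):
    """Parse one error.log line into a dict, or return None if it is not a
    ModSecurity message (other nginx output is simply skipped)."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["fields"] = {key: value.replace('\\"', '"')
                       for key, value in FIELD_RE.findall(line[m.end():])}
    return entry


def parse_log(text):
    """Parse every line of an error.log, dropping non-ModSecurity lines."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def denied(entries):
    """Entries where the rule engine actually blocked the request."""
    return [e for e in entries if e["message"].startswith("Access denied")]


def blocked_by_rule(entries):
    """Blocked requests per (rule id, msg): the first view to check when
    deciding whether a rule is a real hit or a false positive to exclude."""
    return Counter((e["fields"].get("id"), e["fields"].get("msg"))
                   for e in denied(entries))


def blocked_by_client(entries):
    """Blocked requests per client IP, to spot scanners and brute forcers."""
    return Counter(e["client"] for e in denied(entries))


def engine_errors(entries):
    """Error-level lines that are not blocks: the WAF itself failing (for
    example the audit-log mutex problem), which needs fixing regardless of
    what traffic is flowing."""
    return [e for e in entries
            if e["level"] == "error" and not e["message"].startswith("Access denied")]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for (rule_id, msg), n in blocked_by_rule(entries).most_common():
        print(f"{n:4d}  id={rule_id}  {msg}")
    for client, n in blocked_by_client(entries).most_common():
        print(f"{n:4d}  client={client}")
    for e in engine_errors(entries):
        print("engine error:", e["message"], "uri=" + e["fields"].get("uri", ""))
```

On a real server, replace SAMPLE_LOG with the contents of /opt/tengine/logs/error.log (or wherever error_log points). A rule that tops the per-rule count while the per-client view shows ordinary visitors rather than one scanning IP is the usual sign of a false positive to handle with SecRuleRemoveById.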

VII. Troubleshooting the installation

1. A missing APXS produces:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for compiling and installing extension modules for the Apache HTTP server; it turns one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even for the standalone build. Fix:

yum install httpd-devel

2. Missing pcre:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one the dynamic loader picks up at runtime. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Check what yum wants to remove along with it before confirming: on CentOS 6 apr-util and httpd-devel depend on the apr package. The cleaner fix is to make sure the same libapr is used at build time and at run time, since here ModSecurity was linked against APR 1.5.0 while the loader found the system's 1.3.9.

5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent mode writes each transaction to its own file under SecAuditLogStorageDir instead of appending everything to one serial log. With a 0777 directory mode the unprivileged worker processes can create those files, but so can every other local user, who can also read audit logs that contain full requests and responses. A tighter setup is to create /var/log/modsecurity owned by the user the nginx workers run as and use a directory mode such as 0750 instead.

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614