ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web application security; it now also supports Nginx and IIS. Combined with the flexibility and performance of Nginx it can be turned into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module can be added when nginx is compiled via "--add-module". In the unpacked Tengine source directory run:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity's job is to filter and block dangerous web traffic, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and comprehensive, and you can of course also write custom rules to meet your own needs.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each of them to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines inside the location block of every virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # must match the name of the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with a 403. Using the PHP environment as an example, create a phpinfo.php with the content:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
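The three browser checks above can be replayed as a repeatable smoke test so that a rule-set change or rebuild is caught when it silently stops blocking. This is an added example, not code from the original post; the host name, the /phpinfo.php path and the expected status codes are assumptions taken from the test section.

```python
# Added example (not from the original post): replay the post's three test
# requests and check that benign traffic passes while the SQL injection and
# XSS probes get a 403. Host, path and expected codes are assumptions.
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net"  # assumed: the vhost configured above

# (description, query parameters, expected HTTP status)
CHECKS = [
    ("benign request", {"id": "1"}, 200),
    ("sql injection probe", {"id": "1 and 1=1"}, 403),
    ("xss probe", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base, path, params):
    """Build a URL-encoded request URL for one check."""
    return f"{base}{path}?{urllib.parse.urlencode(params)}"


def http_status(url):
    """Return the HTTP status of a GET; 4xx/5xx are results, not errors."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(fetch=http_status, base=BASE_URL, path="/phpinfo.php"):
    """Run every check and return (name, expected, actual, passed) tuples.

    `fetch` is injectable so the logic can be exercised without a live WAF."""
    results = []
    for name, params, expected in CHECKS:
        actual = fetch(build_url(base, path, params))
        results.append((name, expected, actual, actual == expected))
    return results


def waf_is_effective(results):
    """True only if every probe got the status the rule set should produce."""
    return all(passed for _, _, _, passed in results)


if __name__ == "__main__":
    for name, expected, actual, ok in run_checks():
        print(f"{'PASS' if ok else 'FAIL'} {name}: expected {expected}, got {actual}")
```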
7. Troubleshooting the installation

1) Missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2) pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4) Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
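Both of the error.log problems above (items 4 and 5) can be picked up automatically from the start-up notices rather than by reading the log by eye. The following is an added example, not code from the original post; the sample log is constructed to match the shape of the lines quoted above.

```python
# Added example (not from the original post): scan an nginx error.log for the
# ModSecurity start-up notices shown above and report library version
# mismatches (the APR warning) and audit-log mutex lock failures.
import re

# A notice line: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>APR|PCRE|LIBXML) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)
MUTEX_RE = re.compile(
    r"ModSecurity: Audit log: Failed to lock\s*global mutex: (?P<reason>[^\[]+)"
)

def parse_versions(log_text):
    """Return {lib: (compiled, loaded)}; loaded is None when the notice
    only reports the compiled version (as LIBXML does in the log above)."""
    found = {}
    for m in VERSION_RE.finditer(log_text):
        loaded = (m.group("loaded") or "").strip() or None
        found[m.group("lib")] = (m.group("compiled").strip(), loaded)
    return found

def version_mismatches(versions):
    """Libraries whose loaded version is not the compiled one.
    PCRE reports '7.8 ' vs '7.8 2008-09-05' (same release plus a build
    date), so a prefix comparison is used rather than strict equality."""
    return sorted(
        lib for lib, (compiled, loaded) in versions.items()
        if loaded is not None and not loaded.startswith(compiled)
    )

def audit_lock_failures(log_text):
    """Reasons reported by 'Failed to lock global mutex' errors."""
    return [m.group("reason").strip() for m in MUTEX_RE.finditer(log_text)]

# Constructed sample, shaped like the error.log lines quoted in the post.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"]
"""

if __name__ == "__main__":
    found = parse_versions(SAMPLE_LOG)
    print("mismatched libraries:", version_mismatches(found))
    print("audit log lock failures:", audit_lock_failures(SAMPLE_LOG))
```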
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614