ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application. It now also supports nginx and IIS, and combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity's job is to filter and block dangerous web requests, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and comprehensive, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which only logs matches and never blocks, so this edit is what actually turns blocking on.

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need by adding an Include line for each file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
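The two mistakes that most often leave this setup silently ineffective are a SecRuleEngine still set to DetectionOnly and an Include pointing at a file that was never copied (ModSecurity refuses to start on a missing include, and the audit log directory from part VII must exist before the first request). The POSIX sh script below is an added example, not part of the original post or of the ModSecurity project; it assumes the layout used here, with modsecurity.conf in the nginx conf directory and Include paths relative to that directory, and checks all three points before you reload nginx.

```shell
#!/bin/sh
# Pre-flight check for the ModSecurity configuration built in this post.
# Added example, not part of the original post. Assumes the post's layout:
# modsecurity.conf sits in the nginx conf directory and its Include lines
# are relative to that directory (e.g. owasp-modsecurity-crs/base_rules/...).
# Usage: sh modsec_preflight.sh /opt/tengine/conf/modsecurity.conf

# check_rule_engine CONF
# Succeeds only when the last SecRuleEngine directive is "On".
# modsecurity.conf-recommended ships with "DetectionOnly", which logs but
# never blocks, so a forgotten edit here turns the WAF into a monitor.
check_rule_engine() {
    conf=$1
    mode=$(grep -i '^[[:space:]]*SecRuleEngine[[:space:]]' "$conf" |
           tail -n 1 | awk '{ print tolower($2) }')
    [ "$mode" = "on" ]
}

# missing_includes CONF
# Prints every Include target that does not exist on disk (one per line).
# ModSecurity aborts at startup on a missing include, so catch it before reload.
missing_includes() {
    conf=$1
    dir=$(dirname "$conf")
    grep -i '^[[:space:]]*Include[[:space:]]' "$conf" | awk '{ print $2 }' |
    while IFS= read -r target; do
        case $target in
            /*) path=$target ;;        # absolute path used as-is
            *)  path=$dir/$target ;;   # relative to the conf directory (assumption)
        esac
        [ -f "$path" ] || printf '%s\n' "$target"
    done
}

# audit_log_dir CONF
# Prints the SecAuditLogStorageDir value, or nothing if the directive is absent.
audit_log_dir() {
    grep -i '^[[:space:]]*SecAuditLogStorageDir[[:space:]]' "$1" |
        tail -n 1 | awk '{ print $2 }'
}

# preflight CONF
# Runs all checks, prints a report and returns 0 only when everything passes.
preflight() {
    conf=$1
    status=0
    if check_rule_engine "$conf"; then
        echo "ok:   SecRuleEngine is On"
    else
        echo "warn: SecRuleEngine is not On (requests are logged, not blocked)"
        status=1
    fi
    missing=$(missing_includes "$conf")
    if [ -n "$missing" ]; then
        echo "fail: Include targets not found:"
        printf '%s\n' "$missing" | sed 's/^/      /'
        status=1
    else
        echo "ok:   all Include targets exist"
    fi
    dir=$(audit_log_dir "$conf")
    if [ -n "$dir" ] && [ ! -d "$dir" ]; then
        echo "warn: SecAuditLogStorageDir $dir does not exist (audit log writes will fail)"
        status=1
    fi
    return $status
}

if [ $# -eq 1 ]; then
    preflight "$1"
fi
```

Run it against the conf file before every nginx reload; a non-zero exit means the WAF would either not start or not block.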
V. Configure nginx

Add the following two lines inside the location of the virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two sample configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup (the upstream name must match the one used in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malformed requests are answered with a 403. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This confirms that SQL injection and XSS attempts are being filtered.
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the two versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The concurrent audit log writes one file per transaction under SecAuditLogStorageDir instead of serialising through the mutex, so the directory must exist and be writable by the nginx worker user. A 0777 directory mode is world-writable; once the permission problem is understood, a mode restricted to the worker user is preferable.
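Both problems above, the APR mismatch in item 4 and the mutex error in item 5, as well as the 403 blocks from part VI, announce themselves in nginx's error.log, and ModSecurity 2.x writes its context as [key "value"] pairs at the end of each line. The POSIX sh script below is an added example, not part of the original post or of the ModSecurity project: it flags libraries whose compiled and loaded versions differ, tabulates each ModSecurity [error] entry by uri, client and unique_id, and counts 403 blocks. The built-in sample log is constructed from the post's own excerpts plus one made-up "Access denied" line whose id and unique_id are placeholders.

```shell
#!/bin/sh
# Triage helpers for the nginx error.log entries ModSecurity writes.
# Added example, not part of the original post. The sample log below is
# constructed from the post's own excerpts plus one made-up "Access denied"
# line (its id/unique_id are placeholders, not real rule ids).
# Usage: sh modsec_log_triage.sh /opt/tengine/logs/error.log

# sample_log
# Prints the constructed sample error.log used when no file is given.
sample_log() {
    cat <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:00 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS:id. [id "CONSTRUCTED-SAMPLE"] [msg "SQL injection probe (constructed sample)"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED0000000000002"]
EOF
}

# lib_version_mismatch LOG
# Compares the "compiled" and "loaded" library versions ModSecurity reports at
# startup (APR, PCRE) and prints one line per library whose numbers differ.
# Only the version number is compared, so "7.8 " vs "7.8 2008-09-05" is not a
# mismatch, while APR 1.5.0 vs 1.3.9 is.
lib_version_mismatch() {
    sed -n 's/.*ModSecurity: \([A-Z]*\) compiled version="\([^" ]*\)[^"]*"; loaded version="\([^" ]*\)[^"]*".*/\1 \2 \3/p' "$1" |
        awk '$2 != $3 { printf "%s compiled=%s loaded=%s\n", $1, $2, $3 }'
}

# modsec_field KEY LINE
# Extracts the value of a [KEY "value"] pair from one ModSecurity log line.
modsec_field() {
    printf '%s\n' "$2" | sed -n "s/.*\[$1 \"\([^\"]*\)\"\].*/\1/p"
}

# modsec_errors LOG
# One tab-separated line per ModSecurity [error] entry:
#   uri <TAB> client <TAB> unique_id <TAB> message
# The message is the free text between "ModSecurity: " and the first [key "..."].
modsec_errors() {
    grep '\[error\].*ModSecurity: ' "$1" |
    while IFS= read -r line; do
        msg=$(printf '%s\n' "$line" | sed 's/.*ModSecurity: //; s/ \[[a-z_]* ".*//')
        client=$(printf '%s\n' "$line" | sed -n 's/.*\[client \([^]]*\)\].*/\1/p')
        printf '%s\t%s\t%s\t%s\n' \
            "$(modsec_field uri "$line")" "$client" \
            "$(modsec_field unique_id "$line")" "$msg"
    done
}

# denied_count LOG
# Number of requests ModSecurity blocked with a 403 (the behaviour tested in part VI).
denied_count() {
    grep -c 'ModSecurity: Access denied with code 403' "$1" || :
}

if [ $# -eq 1 ]; then
    log=$1
else
    log=$(mktemp)
    sample_log > "$log"
fi
echo "== library version mismatches =="
lib_version_mismatch "$log"
echo "== ModSecurity errors (uri, client, unique_id, message) =="
modsec_errors "$log"
echo "== requests blocked with 403: $(denied_count "$log") =="
```

Point it at the real error.log once the WAF is live; the unique_id column is the key for finding the matching transaction file under SecAuditLogStorageDir when the concurrent audit log is in use.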
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614