ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, and it is a powerful tool for both protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module can be added when nginx is compiled, via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet particular needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need; each rule file you want is pulled in with an Include directive in modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host where ModSecurity should be enabled, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Here are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered directly with a 403. Taking the PHP environment as an example, create a phpinfo.php with the following contents:

<?php
    phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.

http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.

http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
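The three manual checks above are worth keeping as a repeatable smoke test, so that they can be rerun after every rule or Include change. The script below is an added example and is not part of the original article: it replays the same three requests and compares the status codes with the ones the article expects. The base URL defaults to the article's host; the `fetch` argument allows the checker to be driven either by a real HTTP fetch (urllib) or by the constructed `simulated_waf` stand-in, which only exists so the example can be run offline.

```python
"""Smoke-test a ModSecurity deployment by replaying the three requests from the
Testing section and checking the expected HTTP status codes.
Added example, not part of the original article."""
import sys
import urllib.error
import urllib.parse
import urllib.request

# (query string, expected status), taken from the article's manual test.
CASES = [
    ("id=1", 200),                                   # benign request, must pass
    ("id=1 and 1=1", 403),                           # SQLi probe, must be blocked
    ("search=<script>alert('xss');</script>", 403),  # XSS probe, must be blocked
]


def http_status(url):
    """Fetch url and return the HTTP status; 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_smoke_test(base_url, cases=CASES, fetch=http_status):
    """Return a list of (url, expected, actual, passed) tuples."""
    results = []
    for query, expected in cases:
        # percent-encode the probe so the URL is well-formed; '=' and '&' stay literal
        url = base_url + "?" + urllib.parse.quote(query, safe="=&")
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


def all_passed(results):
    return all(passed for _, _, _, passed in results)


def simulated_waf(url):
    """Constructed stand-in for the server, used only to run this example offline.
    It crudely mimics the two CRS decisions the article observed."""
    query = urllib.parse.unquote(urllib.parse.urlsplit(url).query).lower()
    if " and " in query or "<script" in query:
        return 403
    return 200


if __name__ == "__main__":
    # With a URL argument the real server is queried; without one the simulator runs.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net/phpinfo.php"
    fetch = http_status if len(sys.argv) > 1 else simulated_waf
    results = run_smoke_test(base, fetch=fetch)
    for url, expected, actual, passed in results:
        print(f"{'PASS' if passed else 'FAIL'} {actual:>3} (expected {expected}) {url}")
    sys.exit(0 if all_passed(results) else 1)
```

Run it as `python3 waf_smoke.py http://www.52os.net/phpinfo.php` against the real host; a non-zero exit status means one of the expectations no longer holds, which is the signal to look at which Include changed.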
VII. Troubleshooting the installation

1. A missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
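SecAuditLogDirMode 0777 makes the audit directory writable by every local user; the error is really about the nginx worker (which runs as an unprivileged user, not the root that starts the master) lacking write access to the directory, so ownership plus a narrower mode usually suffices. The check below is an added example, not from the article: given a directory and the worker's uid/gid it reports whether that worker can write there and whether the directory is world-writable. The worker user name `nobody` and the alternative modes 0750/0640 are assumptions for this example, not values from the article; the demo runs on a temporary directory so it works offline.

```python
"""Check whether the ModSecurity audit directory is writable by the nginx worker
without being world-writable. Added example, not part of the original article."""
import os
import pwd
import stat
import tempfile

WORKER_USER = "nobody"  # assumed nginx worker user; check the 'user' directive in nginx.conf


def audit_dir_status(path, uid, gid):
    """Return (worker_can_write, world_writable) for path as seen by a process with uid/gid.
    Mirrors the owner/group/other precedence the kernel uses for mode bits."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        can_write = bool(mode & stat.S_IWUSR)
    elif st.st_gid == gid:
        can_write = bool(mode & stat.S_IWGRP)
    else:
        can_write = bool(mode & stat.S_IWOTH)
    return can_write, bool(mode & stat.S_IWOTH)


def recommended_directives():
    """Narrower alternative to 0777/0550 once the directory is owned by the worker user
    (assumed values for this example): the worker writes, its group reads, others nothing."""
    return {
        "SecAuditLogDirMode": "0750",
        "SecAuditLogFileMode": "0640",
        "SecAuditLogStorageDir": "/var/log/modsecurity",
        "SecAuditLogType": "Concurrent",
    }


def worker_ids(user=WORKER_USER):
    """uid/gid of the worker user, or None if the account does not exist on this host."""
    try:
        entry = pwd.getpwnam(user)
    except KeyError:
        return None
    return entry.pw_uid, entry.pw_gid


def demo():
    """Constructed demonstration on a temp dir owned by the current user.
    Returns the status for the owner under 0750, the owner under 0777, and an
    unrelated uid/gid under 0750 and 0777."""
    me = (os.getuid(), os.getgid())
    other = (os.getuid() + 1, os.getgid() + 1)  # some uid/gid that does not own the dir
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o750)
        owner_tight, other_tight = audit_dir_status(d, *me), audit_dir_status(d, *other)
        os.chmod(d, 0o777)
        owner_loose, other_loose = audit_dir_status(d, *me), audit_dir_status(d, *other)
    return owner_tight, owner_loose, other_tight, other_loose


if __name__ == "__main__":
    ids = worker_ids()
    target = "/var/log/modsecurity"
    if ids and os.path.isdir(target):
        can_write, world = audit_dir_status(target, *ids)
        print(f"{target}: worker can write={can_write}, world-writable={world}")
    else:
        print("worker user or audit directory not present; running the constructed demo")
        print(demo())
    print("suggested directives:", recommended_directives())
```

The lesson the demo makes visible: with the directory owned by the worker, 0750 already yields worker_can_write=True and world_writable=False, whereas 0777 grants write access to the unrelated uid as well. In practice the ownership step is `chown` of SecAuditLogStorageDir to the worker user before tightening the mode.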
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614