ModSecurity started out as an open-source WAF for Apache and adds a solid layer of protection to web applications; it now supports Nginx and IIS as well. Combined with the flexibility and efficiency of Nginx it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel (for apxs, which its configure script looks for even in a standalone build), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

With the standalone build done, pass the module to nginx's configure with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

The module is linked into the nginx binary statically, so upgrading either Tengine or ModSecurity later means repeating both builds.
IV. Add rules

ModSecurity is built for filtering and blocking dangerous web traffic, and its power lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and comprehensive, and you can of course write your own rules for anything they do not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. (The recommended file ships with DetectionOnly, which logs matches without blocking; on a site with real traffic it is worth running in that mode first and checking the audit log for false positives before switching to On.)

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding Include lines for the corresponding files to modsecurity.conf; modsecurity_crs_10_setup.conf must be included first, because the rule files depend on the settings it defines.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to each location that ModSecurity should protect:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Note that here only requests matching the \.php$ location are inspected; anything served by other locations bypasses ModSecurity, so repeat the two directives in every location you want filtered. (nginx variable names are case-sensitive: it is $document_root, not $Document_root.)

A load-balanced upstream (ModSecurity runs on the proxy, so the backends only receive requests that passed the rules; the upstream name must match the host in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
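The CRS files from the Include list in section IV are loaded as they come; in practice you also need a place for your own rules, and for exceptions when a CRS rule blocks legitimate traffic on one path. The fragment below is an added example for this article, not code from the original post or from the CRS project, and is meant to go in modsecurity.conf after the Include lines. The rule ids 10001 and 10002, the /wp-admin/ path and the CRS id 973300 being silenced are illustrative (take the real id from the [id "..."] field of the log entry that blocked the request).

```apache
# Added example, not from the original post or the CRS project.
# Place after the CRS Include lines in modsecurity.conf.
# Ids 1-99999 are reserved for local rules; 10001/10002 are illustrative.

# Run in audit-only mode first: matches are logged exactly as if they had
# been blocked, but nothing is denied. Switch to On once the audit log has
# stayed free of false positives for a while.
SecRuleEngine DetectionOnly

# A local rule: deny any request argument (GET or POST) carrying a SQL
# tautology such as "1 and 1=1". The value is URL-decoded and whitespace
# collapsed before the regex runs, so "and%20%31%3d1" is seen as "and 1=1".
SecRule ARGS "@rx (?i:\b(?:and|or)\b\s+\d+\s*=\s*\d+)" \
    "id:10001,phase:2,t:none,t:urlDecodeUni,t:compressWhitespace,deny,status:403,log,msg:'Local SQLi tautology check'"

# Exception for one trusted path instead of dropping a rule everywhere:
# the WordPress editor legitimately posts HTML that XSS rules flag. The
# rule id 973300 is a placeholder for whatever id shows up in your log.
SecRule REQUEST_URI "@beginsWith /wp-admin/" \
    "id:10002,phase:1,pass,nolog,ctl:ruleRemoveById=973300"

# Or remove a rule globally (must come after the Include that defines it):
# SecRuleRemoveById 973300
```

Order matters: SecRuleRemoveById and ctl:ruleRemoveById only affect rules that have already been defined, so exceptions belong after the Includes. Scoping the exception to a path with ctl keeps the rule active for the rest of the site, which is usually what you want when one form or admin page is the only thing tripping it.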
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with 403. Using the PHP host as an example, create phpinfo.php containing:

<?php
    phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

So SQL injection and XSS payloads are being blocked. Two things to keep in mind: a 403 only tells you that some rule matched, and it is the error log (and the audit log, if enabled) that records which rule fired and why, which is what you need when a legitimate request gets blocked; and phpinfo.php should be removed once the test is done, since it reveals the PHP build, loaded modules and file-system paths to anyone who finds it.
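To repeat the three browser checks from the command line, and to see which rule blocked what, the script below is an added example for this article, not part of the original post. It assumes the site is reachable at http://www.52os.net, that nginx's error log is at /opt/tengine/logs/error.log (the default under the --prefix used above; both can be overridden through environment variables) and that curl is installed. The sample log written by write_sample_log is constructed for trying the parser offline; its rule ids and messages are illustrative, not copied from a real CRS run.

```shell
#!/bin/sh
# Added example for this article (not part of the original post): a smoke
# test for the ModSecurity/Tengine setup above plus a summary of what the
# WAF denied, taken from nginx's error log.
#
# Assumptions (override via the environment):
#   BASE_URL   the protected site, default http://www.52os.net as in the article
#   ERROR_LOG  nginx error log, default /opt/tengine/logs/error.log (the
#              default log path under the --prefix=/opt/tengine used above)
#   curl is installed on the machine running the probes.

BASE_URL="${BASE_URL:-http://www.52os.net}"
ERROR_LOG="${ERROR_LOG:-/opt/tengine/logs/error.log}"

# probe PATH NAME VALUE EXPECTED_STATUS
# Sends one GET with NAME=VALUE URL-encoded by curl (so spaces, quotes and
# angle brackets reach the WAF exactly as typed) and checks the status code.
probe() {
    status=$(curl -s -o /dev/null -w '%{http_code}' --get \
                  --data-urlencode "$2=$3" "$BASE_URL$1")
    if [ "$status" = "$4" ]; then
        printf 'PASS %s  %s=%s -> %s\n' "$1" "$2" "$3" "$status"
    else
        printf 'FAIL %s  %s=%s -> %s (expected %s)\n' "$1" "$2" "$3" "$status" "$4"
        return 1
    fi
}

# The three requests from the article: one benign request that must pass
# and two payloads that must be denied. A FAIL means a rule is missing,
# not loaded, or the engine is still in DetectionOnly mode.
run_probes() {
    rc=0
    probe /phpinfo.php id '1'                                  200 || rc=1
    probe /phpinfo.php id '1 and 1=1'                          403 || rc=1
    probe /phpinfo.php search "<script>alert('xss');</script>" 403 || rc=1
    return $rc
}

# blocked_requests LOGFILE
# Prints "<rule id> <uri> <rule message>" for every request ModSecurity
# denied. A denial line carries [id "..."], [msg "..."] and [uri "..."] in
# that order, in the same bracketed key/value format as the mutex error
# shown in section VII below.
blocked_requests() {
    grep 'ModSecurity: Access denied' "$1" |
    sed -n 's/.*\[id "\([^"]*\)"\].*\[msg "\([^"]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \3 \2/p'
}

# write_sample_log FILE
# Constructed error.log excerpt for trying blocked_requests offline. The
# notice line must be ignored; the rule ids, patterns and messages in the
# two denial lines are illustrative, not from a real CRS run.
write_sample_log() {
    cat > "$1" <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)\band\b.*=" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:02 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "20"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
EOF
}

# Usage: sh waf_check.sh probe   - run the three requests against BASE_URL
#        sh waf_check.sh report  - count denials per rule and URI in ERROR_LOG
case "${1:-}" in
    probe)  run_probes ;;
    report) blocked_requests "$ERROR_LOG" | sort | uniq -c | sort -rn ;;
esac
```

Saved as, say, waf_check.sh (a name chosen for this example), `sh waf_check.sh probe` reproduces the browser checks and exits non-zero if any of them gives an unexpected status, which makes it usable after every rule change; `sh waf_check.sh report` ranks denials by rule and URI, the quickest way to spot a single rule that is generating false positives for one path and needs the kind of scoped exception shown earlier.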
VII. Troubleshooting the installation

1. Missing APXS:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server, turning one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when building the standalone module.
Fix:

yum install httpd-devel

2. Missing pcre:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against is not the one the dynamic loader picks up at run time. error.log shows the two versions side by side:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that only the version the module was built against (1.5.0) is left for the loader to find:

yum remove apr

Check the package list yum proposes before confirming: removing apr also pulls out everything that depends on it (apr-util, httpd-devel and so on), which is fine on a box that only runs nginx but not on one that still needs Apache. Running ldd against the nginx binary afterwards shows which libapr is actually being resolved.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Cause: the default serial audit log writes every transaction into one file and serialises the writes through a global mutex, which the nginx worker processes (running as an unprivileged user) cannot lock. The concurrent log type writes one file per transaction and does not need that lock.

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0750
SecAuditLogFileMode 0640
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Create /var/log/modsecurity and chown it to the user the worker processes run as (the user directive in nginx.conf), so they can create the per-day subdirectories inside it. A world-writable (0777) directory also makes the error go away, but it lets any local account read, alter or delete the audit records, which defeats the point of keeping them.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614