|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。8 |* u# o9 j( S: @* n
9 I2 _; D+ @; C7 O一.准备工作: s4 r d* K$ a2 L6 d# m
5 h% \& R+ P* g! N7 v( g1 H: M5 ]$ p4 b系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
3 l3 l1 B8 z# v0 M+ K6 Z% a) W/ h$ s' l, [
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz" u4 b0 |; W; y/ ~
7 \7 [: c/ B) l% o# H+ x
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz# W N% Z# I: y# S9 A+ Z/ I: k/ D* L8 P
6 o: U0 `5 ], @
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs3 ^& }) O# W" F9 R
5 K! Q, j/ A% G% r1 ~, N5 A依赖关系:
% q5 s7 A1 T7 Z4 F- ~; Htengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:; O' A/ e+ M7 D! r) M; t2 t
! ?# K: l$ v# u8 {yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
4 v7 E$ h" c0 O% pmodsecurty依赖的包:pcre httpd-devel libxml2 apr- q/ h7 S8 `2 f6 z
# k X! Y# _& @# o6 S$ c9 i6 ~yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
! k2 w4 U- h7 s2 k& n; l$ ?二.启用standalone模块并编译: f+ Q- x, b/ W6 c( D |) ~/ r
: @* L$ ^/ s" i# m# g3 n下载modsecurity for nginx 解压,进入解压后目录执行:
8 Z/ r( z7 a8 _% q- t; D8 D) u& e) ]5 p
./autogen.sh8 |4 V" u; c+ [+ u! F6 K. G ~
./configure --enable-standalone-module --disable-mlogc3 B K/ U4 `1 P% I* Z) o/ ]
make 4 h5 r! s+ _* h }5 O' x/ r
三.nginx添加modsecurity模块
% i8 R9 C7 ]. M, p0 Z1 {: g4 _! K* ~1 S/ l2 ^1 P a' I6 \
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:1 M- X2 @( O, l3 p; \8 [9 L/ F6 r
8 d7 ~- k' j* ]# h./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine! K3 V+ O) u t! Z( f _% |9 @) ?
make && make install
/ u/ z9 j0 b4 P! U四.添加规则
j% [9 H- ~7 l0 j O( ^& }( g) |
& g+ @1 S0 D$ E# s7 D# I* ?modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。 s6 @! S* N' v0 r; Q( h( b9 O1 I
5 x P2 K& v {4 y4 I
1.下载OWASP规则:
) F2 c1 x. h: _) k! S, d+ z2 Q
9 ~- g* |! C$ o6 E& rgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
- q7 j% Q% z! w5 `/ ^7 e3 W
$ B& U: b5 Y$ e7 Gmv owasp-modsecurity-crs /opt/tengine/conf/8 p( G6 T: S6 h- \* o- ]
; x C: z; O, W1 @- Rcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf( }! ^' [' ~0 O) G
2.启用OWASP规则:8 @; H* S+ |: c
# d! d: s R0 w3 R7 G5 f6 I4 x
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。4 j0 Y4 p. E9 P6 ]0 }
7 E# h R" J7 a7 b' M编辑modsecurity.conf 文件,将SecRuleEngine设置为 on+ ~) r0 f2 r2 s. A' G2 K
: w/ |. J$ z4 M0 U, f1 _4 v9 Fowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。0 o& q' x) \ K x$ Q
" U; P5 i2 G# g8 mInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
8 O( s- {7 b" ?4 n+ _9 ]0 bInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf6 i4 S4 m7 h/ H
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf5 C7 Z. d$ W' b: G2 b" [" _
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
# L0 Y. N1 n+ T' [+ X% Z% g2 s9 e bInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf$ g w8 L4 U5 `- z' {
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf. Z0 m" e. c6 |( \; r. n7 p
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf8 C. _/ p- i4 o4 o* `6 C
五.配置nginx
3 B! b; r! i4 B# _) \0 E8 h- l5 _9 o+ S) q: p5 F
在需要启用modsecurity的主机的location下面加入下面两行即可:
# C! w' ~% w4 K" {/ s5 H# T3 ]
, _7 F. q6 \$ D9 dModSecurityEnabled on; % f2 r$ Q# {) S( Y2 e3 g$ `- ^/ F
ModSecurityConfig modsecurity.conf;- _9 A$ i- Z- }7 L
下面是两个示例配置,php虚拟主机:5 k5 X [/ j8 y1 U/ n/ H2 N& k+ c, h
8 O7 C) \" G0 o8 S) p ^2 S, Pserver {
: b/ B* P* h% A( u6 q listen 80;
4 s. W$ M2 k; t( q server_name 52os.net www.52os.net;
8 m$ |6 J; H$ q( c) i2 g% X! }
9 b' h% T: c8 I location ~ \.php$ {( N! c5 @! N4 }# E$ n# c3 Q
ModSecurityEnabled on;
* K; j2 U! p& x$ [8 | ModSecurityConfig modsecurity.conf;
: \& o ~+ A; t/ m( P9 u2 j7 B7 j& @, `# }6 F
root /web/wordpress;6 h" Y1 Y# f- J9 ~/ F
index index.php index.html index.htm;
% |) f) Y& O% Q) H" }& T! Y' k1 B3 c
" [( Z) p# S, I) s2 ~/ V fastcgi_pass 127.0.0.1:9000;
. t1 o1 _( T5 `, i fastcgi_index index.php;
2 t$ R8 z( z" B: n( k fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
' C, y* n( p5 V* b) g7 @ include fastcgi_params;
. n. k% G0 `3 f, _, N" P }* \7 g J2 o( c# }: V$ r6 y
}
* f1 j' ^+ Q2 {" oupstream负载均衡:
! R# H. C6 p# f* ?$ H) w# }+ h) i/ e: O1 n0 U) \) @5 l
upstream 52os.net {
% |% Z+ A" s, G# g/ N server 192.168.1.100:8080;) i3 `6 u" R* K7 H7 H0 G0 {
server 192.168.1.101:8080 backup;( B5 K4 X4 ?0 G; i7 ~
}
0 Q, l# k- _7 o' [* N9 o+ y: z! H
server {
5 t7 ?- A) e2 dlisten 80;
' e4 ]% `2 c4 \' Z* Lserver_name 52os.net www.52os.net;5 F! e1 \: G$ x1 p: Y- x
0 J. d4 k, Q1 g0 Q: o9 a
location / {5 \, _7 f( Q& a; r/ ~5 G
ModSecurityEnabled on; $ ?7 k$ p$ O, P) R) ~
ModSecurityConfig modsecurity.conf;
0 h5 B k0 h5 J6 T
! C6 S) Z/ g2 V. K proxy_pass http://online;! B/ Q4 S6 X: P9 P( N
proxy_redirect off;
* G1 {+ ~& b2 D" ^9 a, z' L proxy_set_header Host $host;; ]: }- ?1 L/ D8 Q4 d h; U; r( {
proxy_set_header X-Real-IP $remote_addr;' F" v$ X% t3 A$ j: g
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
$ d9 E* v# g r7 `) S) H0 e7 A# d* S }: f' \, D+ ?, d n1 _" b9 U
}& d" Y; m' Q$ X' O* V" |
六.测试
; U% ^$ \1 J' \8 Q! r
* _5 c) x- x, `. e f! }我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:1 I, t, P1 O2 f' c2 M
9 A* l8 s! |# m. J8 m) f. T<?php
e& {% G2 S6 U' B) L/ V& ~- ?* a phpinfo();
! H# o/ M4 i l7 W?>
7 p* A1 q( Y5 W% m* S在浏览器中访问:
2 l% a8 w4 f5 q D" }! C: s& o
7 ~) J+ W4 B4 F2 yhttp://www.52os.net/phpinfo.php?id=1 正常显示。0 Q! u* Z$ Z4 c
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
, Q% W$ |" C) V9 K- K2 whttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
( W" A1 c- Y6 R% w: W: E: P2 v说明sql注入和xss已经被过滤了
/ x1 ]0 q: D/ |2 a& M
; y- o/ r1 ^3 ~( }6 T3 B- F7 r七、安装过程中排错! Y9 w- v& `' W6 T: K4 }& g! K" ^
! x- w3 |2 A$ \; A* }- H1.缺少APXS会报错
/ L, W$ u8 h5 i8 k7 U
) C( D4 h$ Z. }/ Y3 M" G7 c. nconfigure: looking for Apache module support via DSO through APXS6 L V0 M' a; L! p- q7 n9 J) z% N
configure: error: couldn't find APXS
, }8 w% p0 i5 Z6 W" @apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。$ ]' {' t' x) A. g9 U0 k9 U- s
解决方法: V! j1 J" j. W! G# ^* G
0 u, r% Y- y' t# l0 M8 Z$ ?* Fyum install httpd-devel. \3 L3 T) p. S
2.没有pcre
6 ~& Q4 i, e& ^/ i* { Z- ^2 o) s9 }
configure: *** pcre library not found.: W$ k5 w# ? Q3 P/ W
configure: error: pcre library is required
3 g! o" K* C* p2 t+ ?/ Q解决方法:) i; M; S w* S* I
$ |& v" _7 C# n2 Fyum install pcre pcre-devel
! S6 R, h7 s: V4 ^3.没有libxml22 g6 D! r7 O5 s% Q: D, P; T* a" D6 |
2 Q5 [; I( e2 V, w
% ^+ K- O8 c4 l5 L- r* C6 nconfigure: *** xml library not found.0 i; M7 a- E! s0 A: E2 V3 H
configure: error: libxml2 is required
3 l& _1 q1 `0 F0 k0 P! }解决方法:5 j6 @. b( \; N8 R# Q P% R
9 ]* y, }1 h. e# _9 o; h
yum install libxml2 libxml2-devel
5 M! O8 l+ P+ ?! k2 I4.执行 /opt/tengine/sbin/nginx -m 时有警告
+ b3 X* {; n J; K/ M0 {- {+ Z
& }% j4 x' Q, JTengine version: Tengine/2.1.0 (nginx/1.6.2)3 c3 q0 ^ j4 j$ ?
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
7 Z6 h) S/ l- U* E) m( ^原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log# x- o) O% q: Z7 H) K N% G' u2 i z' x
$ j0 j6 q8 C6 K7 G1 n& [
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.0 s. F0 @5 Z; b9 g8 v5 U/ T! O+ @
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"- d6 a8 J! J$ ^% B' ^4 R
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
/ p7 i( A$ S+ s% l; b8 ]% t2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
7 m$ M3 n2 S4 u, o! i h; e2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
! ], t8 y& P, q) q2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.5 f( Y5 }& ?! M2 i, c
解决方法,移除低版本的APR (1.3.9)
! r Q, V* ]9 L5 X1 t
4 }; L" J* g9 q; ?yum remove apr
0 e" }7 n' {/ w* b" G5.Error.log中有: Audit log: Failed to lock global mutex
6 A) r2 g& t: d" s4 p7 P7 @. b0 X( c Z% c7 J+ A6 d+ @
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
! v# F- E1 v8 D1 n6 A: ^$ aglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]# E1 y# x% z) t. k. n/ o& e6 F
解决方法:7 H9 L! ?2 z* H4 Y" q8 m# m! K
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
* ?3 \! {! A! U o2 A, _; R+ r+ o4 j! s! I( y) p S5 t/ M& e% `/ R
SecAuditLogDirMode 0777
/ F3 K" } U: D% |9 ?/ K) S& FSecAuditLogFileMode 0550
+ j/ x0 e" k! t- D: c, {2 k: T" JSecAuditLogStorageDir /var/log/modsecurity
, m' K( t$ }1 |$ a2 W, h6 ^! qSecAuditLogType Concurrent$ j1 Z: ?% [3 l) G, x
参考文章:
, |- _3 y6 X8 Q' p' {https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
; h0 W; L0 f J; b' p' }. _http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡