ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application. It now also supports Nginx and IIS; combined with Nginx's flexibility and performance it can be built into a production-grade WAF, and it is a strong tool for both protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0.

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 base repository:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (for apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download and unpack ModSecurity for nginx, then run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build is done, the module is added to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
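The steps of parts I to III as one script, added here as an example and not taken from the original article. It adds what the bare commands lack: a pre-flight check for the tools whose absence produces the configure errors listed in part VII (apxs, pcre-config, xml2-config, apr-1-config), and a post-build check that the module really ended up in the binary and that the configuration parses. The source paths and the /opt/tengine prefix are the article's; MODSEC_SRC, TENGINE_SRC and PREFIX are assumed environment variables you adjust to your layout.

```shell
#!/bin/sh
# Added example (not from the original article): build ModSecurity standalone,
# build Tengine with the module, and verify the result.
# Assumptions: the tarballs are already unpacked under the paths below.
set -e

MODSEC_SRC="${MODSEC_SRC:-/root/modsecurity-2.8.0}"
TENGINE_SRC="${TENGINE_SRC:-/root/tengine-2.1.0}"
PREFIX="${PREFIX:-/opt/tengine}"

# missing_tools <cmd>...: print each command that is not on PATH, one per line;
# exit status 1 if anything is missing, 0 otherwise.
missing_tools() {
    rc=0
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || { echo "$t"; rc=1; }
    done
    return $rc
}

# apxs comes from httpd-devel, pcre-config from pcre-devel, xml2-config from
# libxml2-devel and apr-1-config from apr-devel: the packages part I installs.
preflight() {
    if ! missing=$(missing_tools apxs pcre-config xml2-config apr-1-config); then
        echo "missing build tools (install the matching -devel packages): $missing" >&2
        return 1
    fi
}

build_modsecurity() {
    cd "$MODSEC_SRC"
    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make
}

build_tengine() {
    cd "$TENGINE_SRC"
    ./configure --add-module="$MODSEC_SRC/nginx/modsecurity" --prefix="$PREFIX"
    make && make install
}

# The module is linked in statically, so it must appear in the configure
# arguments nginx -V records; then syntax-check the config before starting.
verify_build() {
    "$PREFIX/sbin/nginx" -V 2>&1 | grep -q -- '--add-module=.*modsecurity' || {
        echo "modsecurity module not found in $PREFIX/sbin/nginx" >&2
        return 1
    }
    "$PREFIX/sbin/nginx" -t
}

case "${1:-}" in
    all) preflight && build_modsecurity && build_tengine && verify_build ;;
esac
```

Run it as `sh build-waf.sh all`; without an argument it only defines the functions, so each step can be sourced and run by hand when a build breaks halfway.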
IV. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in its rules. The rules OWASP provides are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which logs matches without blocking; on a production site it is worth running in that mode first and reading the audit log for false positives before switching to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by Including them in modsecurity.conf. The setup file must come first, because it defines the variables (anomaly score thresholds and the like) that the rule files reference; the paths below assume the CRS directory sits next to modsecurity.conf in /opt/tengine/conf, as set up above.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In each virtual host that should be protected, add the following two lines to the location block (they are also accepted at server level if every location should be inspected):

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. Note that in the first one only requests matching the PHP location pass through the WAF; anything served from other locations is not inspected. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing (the proxy_pass target must be the name given to the upstream block):

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with a 403 straight away. Taking the PHP environment as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. Remove phpinfo.php again once you are done: it exposes the complete PHP configuration to anyone who can reach it.

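The three browser checks above as a repeatable curl smoke test, added here as an example and not part of the original article. curl's `-G --data-urlencode` percent-encodes the spaces and angle brackets the way a browser would, so the payload reaches the WAF intact, and a fourth probe acts as a false-positive control: a harmless value that merely contains the word "and" must still be served. BASE_URL defaults to the article's host and is a placeholder; the FETCH variable is an assumed hook that lets the probes be run against a fake fetcher without a network.

```shell
#!/bin/sh
# Added example (not from the original article): WAF smoke test with curl.
# Assumptions: BASE_URL points at the protected host, phpinfo.php exists there,
# and a blocked request is answered with HTTP 403.
BASE_URL="${BASE_URL:-http://www.52os.net}"

# http_status <url> <name=value>: GET url?name=value and print only the status code.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode "$2" "$1"
}

# verdict <expected> <actual>: PASS when the codes match, FAIL otherwise.
verdict() { [ "$1" = "$2" ] && echo PASS || echo FAIL; }

# probe <label> <expected_code> <path> <name=value>; exit status 0 on PASS.
# FETCH is an assumed override so the logic can be exercised offline.
probe() {
    actual=$("${FETCH:-http_status}" "$BASE_URL$3" "$4")
    result=$(verdict "$2" "$actual")
    printf '%-20s expected %s got %s  %s\n' "$1" "$2" "$actual" "$result"
    [ "$result" = PASS ]
}

# Returns the number of failed probes.
run_smoke_tests() {
    fails=0
    probe "benign GET"      200 /phpinfo.php "id=1"                                  || fails=$((fails + 1))
    probe "SQLi in id"      403 /phpinfo.php "id=1 and 1=1"                          || fails=$((fails + 1))
    probe "XSS in search"   403 /phpinfo.php "search=<script>alert('xss');</script>" || fails=$((fails + 1))
    probe "false-pos ctrl"  200 /phpinfo.php "q=fish and chips"                      || fails=$((fails + 1))
    return $fails
}

case "${1:-}" in
    run) run_smoke_tests ;;
esac
```

Run it with `BASE_URL=http://your-host sh waf-smoke.sh run` after every rule change; a failing control probe is the signal to tune the rule that matched rather than to loosen SecRuleEngine.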
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server, turning one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when only the standalone module is being built, which is why httpd-devel is a build dependency here.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one the dynamic linker loads at run time. error.log shows the pair of versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Check what yum proposes to remove along with it first (httpd and httpd-devel depend on the system apr package), and confirm afterwards that the APR 1.5.0 the build was linked against is the one the linker now resolves for the nginx binary.
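A small check for this class of problem, added here as an example and not part of the original article: it parses the ModSecurity start-up notices in error.log, compares each library's compiled version with the loaded one, and exits with the number of mismatches, so it can run after every nginx restart. It compares only the numeric part, because the PCRE line above reports "7.8 " against "7.8 2008-09-05", which is the same build and is not flagged by ModSecurity either. The sample log embedded in the script is copied from the excerpt above; the nginx path in show_runtime_libs is the article's and is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): detect compiled-vs-loaded
# library mismatches from ModSecurity's start-up notices in nginx's error.log.

# check_lib_versions [error.log]: one line per library; exit status = mismatches.
# Reads stdin when no file is given.
check_lib_versions() {
    awk '
        /ModSecurity: [A-Z]+ compiled version=/ {
            match($0, /ModSecurity: [A-Z]+ /)
            lib = substr($0, RSTART + 13, RLENGTH - 14)          # APR, PCRE, LIBXML
            match($0, /compiled version="[^"]*"/)
            comp = substr($0, RSTART + 18, RLENGTH - 19)
            load = "(not reported)"
            if (match($0, /loaded version="[^"]*"/))
                load = substr($0, RSTART + 16, RLENGTH - 17)
            # Compare the version number only; PCRE appends a build date to the
            # loaded version, which is not a mismatch.
            split(comp, c, " "); split(load, l, " ")
            status = "ok"
            if (load != "(not reported)" && c[1] != l[1]) { status = "MISMATCH"; bad++ }
            printf "%-7s compiled=%-8s loaded=%-16s %s\n", lib, c[1], load, status
        }
        END { exit bad + 0 }
    ' "${1:--}"
}

# Which shared objects the dynamic linker actually resolves for the binary;
# compare with the versions configure picked up (e.g. apr-1-config --version).
show_runtime_libs() {
    bin="${1:-/opt/tengine/sbin/nginx}"   # assumed path, matches the article
    if [ -x "$bin" ]; then ldd "$bin" | grep -E 'libapr|libpcre|libxml2'; fi
}

# Sample input: the error.log excerpt from the article, embedded for an offline run.
sample_log() {
    cat <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
EOF
}

case "${1:-}" in
    demo) sample_log | check_lib_versions ;;
    "")   ;;
    *)    check_lib_versions "$1" ;;
esac
```

`sh check-modsec-libs.sh demo` prints the APR line with MISMATCH and exits 1; `sh check-modsec-libs.sh /opt/tengine/logs/error.log` does the same against the real log, and show_runtime_libs tells you which libapr-1.so the mismatch comes from.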
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

The default Serial audit log appends every transaction to a single file and serialises the worker processes with a global mutex, which the unprivileged workers are denied access to. Concurrent mode writes one file per transaction under SecAuditLogStorageDir, and with SecAuditLog commented out there is no shared index file left to lock.

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 makes the audit directory writable by every local user, which lets anyone tamper with or fill up the evidence the WAF records. Create /var/log/modsecurity owned by the user the nginx worker processes run as and use 0750 instead; the mode only needs to let that user create files.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614