ModSecurity started out as an open-source WAF for Apache that noticeably hardens a web application. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF, and it is a very useful tool for both protecting and auditing web traffic.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

After installation, /opt/tengine/sbin/nginx -V prints the configure arguments; the --add-module path above should appear in that output, which is a quick way to confirm the module actually went into the binary.
IV. Add rules

ModSecurity is geared towards filtering and blocking web attacks, and its strength lies in its rules. The rule set provided by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

The directory layout used below is that of the CRS 2.2.x branch that was current when this was written. A plain clone of the repository's default branch today gives you CRS 3.x, which ships crs-setup.conf.example and a single rules/ directory instead, so check out a 2.2.x tag if you want to follow these paths exactly.

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly; on a site with real traffic it is worth running in DetectionOnly first and reviewing the audit log for false positives before switching to On, because with On a matching blocking rule answers the request with a 403.

owasp-modsecurity-crs contains several directories of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable what you need; each rule file you want is pulled in with an Include in modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In each location block that should be protected, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
" b: I) |4 F' A. L下面是两个示例配置,php虚拟主机:) `: u8 H3 M1 D- Q& P
( t2 S u, n( n$ F) T' x5 u0 bserver {
+ G7 P) A7 w# e$ {1 B. | listen 80; r1 t6 } m5 Y/ s- H4 S
server_name 52os.net www.52os.net;
: v' t' D3 l( j' _ 0 G$ n! W4 P+ x! v4 ]
location ~ \.php$ {+ {* i8 U5 p, s+ z' s
ModSecurityEnabled on;
8 j1 V9 [6 s7 S" L1 {- K1 K7 P5 A ModSecurityConfig modsecurity.conf;
8 B- D) m2 p0 J% ]2 p2 a, G/ W' h+ b" b3 @
root /web/wordpress;
" h" Y6 S, h" G; n# n' I index index.php index.html index.htm;3 J4 D" U! m% K( }! Z% O; i$ ~" q* c
4 ~6 l6 J. d% j0 }% `8 [5 o$ \ fastcgi_pass 127.0.0.1:9000;+ }6 u+ c" q! O9 X* ~
fastcgi_index index.php;4 o7 w( {* C9 L# ~/ _/ `" H
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
* O' T6 P# z* W- u% i" k: [ include fastcgi_params;
1 Y k# j( ?3 d! _! z3 B; d }
* M- n G9 `4 p4 c/ S, ]- V! m }
, E% h7 x& V1 S7 [! qupstream负载均衡:
$ C- P# c. Y8 i2 r2 B. x& M, f C6 t4 i5 p/ z2 a4 ^! J$ Y
upstream 52os.net {
3 i, G( n- Z: V4 ?$ V server 192.168.1.100:8080;
4 t* u/ j: V( V( ~ server 192.168.1.101:8080 backup;
M2 ^- w2 f) X. k, L}
) X4 s; E! c' O9 R$ \. N# ]2 F, f; V4 f$ [5 E6 o U1 }- e6 R
server {
7 O$ |. R/ w7 ~" p, Z6 Vlisten 80;
+ b. M! ~! f9 I( ]0 aserver_name 52os.net www.52os.net;+ i; b3 Y" m1 r+ p; y3 Y
# D: ]/ T0 B- l. j" Y. ^location / {
+ F# ~/ b+ X4 h2 Z8 H6 |$ [ ModSecurityEnabled on;
# A9 |! m1 D0 s- \ ModSecurityConfig modsecurity.conf; ; u! K& o2 L' m, D9 e0 S
2 z! P h `3 Q. G6 n. \3 t
proxy_pass http://online;
- m# B- } \- Z6 S6 f0 D4 o" `* ^9 v proxy_redirect off;" @6 I8 e. v. {) [+ u4 v6 Q
proxy_set_header Host $host;$ L. ~1 M8 n2 k
proxy_set_header X-Real-IP $remote_addr;* k* I( V+ X% |5 g
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;, O# a/ b. f/ ]. {7 I
}
( ?7 x J, o# Z9 |+ F; U% z4 C' _}# v4 S" R; y8 \7 Y# S7 F9 z
VI. Testing

We enabled the XSS and SQL injection filters, so malicious requests are answered with 403 directly. Using the PHP environment as an example, create phpinfo.php with the contents:

<?php
phpinfo();
?>

Then visit in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. To confirm that a 403 really came from ModSecurity, and which rule produced it, look at the error log: each ModSecurity entry records the matching rule's [id "..."] and message, whereas a 403 issued by nginx itself (a deny rule or a file permission problem) has no such entry. Remove phpinfo.php again once you are done; it discloses configuration details you do not want exposed.
( @/ ^9 Q5 D+ v: v" @! Z8 U0 s! e+ Y8 g1 F2 c- g: `
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server, turning one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when only the standalone module is being built.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time, and error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Before doing so, check what depends on the distribution apr package, because yum removes those packages as well (apr-util, apr-devel and httpd-devel among them, and httpd if it is installed), and check which libapr the binary actually resolves with ldd /opt/tengine/sbin/nginx | grep apr. If the 1.5.0 build lives outside the default library search path, pointing the dynamic loader at it (an entry under /etc/ld.so.conf.d/ followed by ldconfig) is an alternative to removing the distribution package.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent mode writes one file per transaction under SecAuditLogStorageDir instead of serialising all writes to a single file through the global mutex, which is why it sidesteps the error. The 0777 directory mode is a quick way past a permissions problem, but it makes the audit log tree world-writable; the directories only need to be writable by the user the nginx worker processes run as, so create /var/log/modsecurity owned by that user and use a directory mode such as 0750 instead.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614