|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。* V- b$ ^8 t4 F% d/ U# s
/ e! y1 X- n- }7 i一.准备工作1 ~' a; F8 ]8 T' g6 k
- i- j* w, M, k' D& Y3 I
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.05 k, H( E8 H' u9 W
j' M8 L0 X/ g3 y9 f
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz3 k% R( Z% m. s/ u9 `: i5 F. A* U
7 p' C8 p8 M% y3 @3 V+ omodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz% _; l( d3 o' j1 z. t8 R0 m
/ ~0 ]9 _$ W# i/ a
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
3 O; J" U7 ^& Z! E8 U1 _* N( I2 _& k$ S3 b" q
依赖关系:+ R1 `0 l3 W1 k6 r) ]' H
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
/ w4 Y; w! L3 D8 u5 \5 h6 Y! D/ _* X" V, F3 R
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
- d3 U k2 r3 Z0 `9 `: Hmodsecurty依赖的包:pcre httpd-devel libxml2 apr( M4 U7 j/ B5 J$ x* P
" n- _; `$ y; s: Y7 F5 m5 c
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel6 o' T2 x# \$ \4 F; h8 p* O
二.启用standalone模块并编译
- R" f0 x/ ?6 C2 w* C y" m) Q% B; D1 A- |+ O
下载modsecurity for nginx 解压,进入解压后目录执行:
9 e5 u3 H( b1 h- R3 Q3 {/ c' K0 b
./autogen.sh' |" J( G, S5 y" Q
./configure --enable-standalone-module --disable-mlogc
: |5 H- ?4 U' Q ~, Omake
7 H( @2 d% i, g! { L/ l' h三.nginx添加modsecurity模块
, ?* A* Y) ]2 E6 x5 B( O! ~0 h5 i- K
; V/ {' ^% s' I' Q3 ?% e4 t6 v在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:1 q/ \" f) c6 ?
6 W; f- _* i: M5 e./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine! n* n' H( H* |0 ]0 b1 S
make && make install2 j+ v. }3 n1 ~; z% V
四.添加规则
+ i) w3 _( V2 Y7 k, c5 O/ n: F- r- C+ `: ]4 x s, C; B1 C! n
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。4 C1 @( Y8 n# X( G& C" R' |
B3 u9 @) x6 T; @
1.下载OWASP规则:
6 S; I3 {3 E `$ k! |; o
4 l9 i [9 H7 zgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs( T2 m) f! ^! c) f
4 z7 N+ [& c" H8 O( Fmv owasp-modsecurity-crs /opt/tengine/conf/2 F$ c$ Q2 X a- k' u1 o
4 U- x$ z6 U: m$ f$ f0 C- F- R
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
. y8 q% l8 g' g5 p7 x5 `2.启用OWASP规则:
! D- L9 A2 Q% z
' ]. ~: G$ S1 W- G( ]复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。1 l9 y" U! R2 l7 v9 T" o& g
j7 a5 h6 x/ `, M' g编辑modsecurity.conf 文件,将SecRuleEngine设置为 on' k$ D. L& B3 u# T$ O
+ ^ p8 M7 |/ Q
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。* S7 S0 W9 p9 `2 O8 K) p8 E& u
. o8 m5 ~; S9 K; A, Z. v- nInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf+ F" ~! n, V0 d9 W9 {: b$ u
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf8 I# b V' J. T
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf7 \" ~* }5 V. |
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf x: d3 @. H) T5 n& ^+ k8 }% E$ S7 @
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf$ c& w* |$ w& x
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf! O* F" E3 W8 \/ b: g
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf/ I) e& M% M# X4 ?! x
五.配置nginx4 c+ g1 Q/ V' k/ B9 y( s; e8 a
7 C4 e. C; s+ k' ]
在需要启用modsecurity的主机的location下面加入下面两行即可:
( g' j. [( V) A& ]: G! x8 y. G
- t ] _+ e$ e+ P2 J" [ModSecurityEnabled on;
9 A: c! r, a4 e6 g2 Q$ }ModSecurityConfig modsecurity.conf;
( e( D* ^+ s9 G9 ~5 r' u! ?下面是两个示例配置,php虚拟主机:
0 p- P1 E9 T& s: r4 x
3 D7 o B; d8 y% O+ Gserver {
* t8 h* N. N5 I' }. v listen 80;1 o: S# `3 V x# z
server_name 52os.net www.52os.net;- K _) d; F' B0 H* I, \, s# X8 v$ X
6 ?. z2 Z' ~/ a% F' E. W
location ~ \.php$ {! Q+ X4 g$ H6 I3 F7 [6 t* C g: F
ModSecurityEnabled on; $ P+ n, p5 P" e: C
ModSecurityConfig modsecurity.conf;
5 E1 c8 C* F. U+ p/ S: S6 d) C1 f6 Y3 m* c. d: m5 e: }' i
root /web/wordpress;5 @: b( W l& Y/ U
index index.php index.html index.htm;& }5 Q2 S' a' \
1 b4 R, ?$ g( Q# P c% h" K k: c
fastcgi_pass 127.0.0.1:9000;% Q- E- a2 | ^8 D d' v& m
fastcgi_index index.php;
0 C/ Z- y* ~& v4 e fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;- W9 Z6 S( [- S0 O2 k
include fastcgi_params;( F% U# K2 {) t b5 [- Y& [
}/ X, j! R" g* j
}* @. V, l& |$ Q7 [5 Z
upstream负载均衡:" z0 }7 o3 }+ @7 T
7 q6 H3 v; v1 [! B
upstream 52os.net {
' [- e5 V* a7 @ q5 Q7 P server 192.168.1.100:8080;* F4 @. Z8 Y s# { X/ V
server 192.168.1.101:8080 backup;
( Z* W- L: w7 s. n2 s5 u. v}0 E% \" K) h* q/ L/ G
9 O' K2 d |0 W% Z/ i/ Z2 Dserver {' x1 O. ~3 M$ x+ O
listen 80;
# p6 R6 ^# u; g# A; x) U5 i+ H3 T' userver_name 52os.net www.52os.net;
! ]4 d% N0 [ J8 y/ a
, |7 z9 f5 V- k: \/ u! S3 O# tlocation / {
; j+ s! x5 c# T% d( m$ } ModSecurityEnabled on; $ k% a9 ~7 f8 S
ModSecurityConfig modsecurity.conf;
% d& `1 H) |$ `& l1 b5 r% k/ o8 ?& f4 K- j' y* i
proxy_pass http://online;
8 N& G4 w/ j8 D1 ^4 V proxy_redirect off;& F# d! f1 E C- ?9 i
proxy_set_header Host $host;$ T. r5 u/ ?1 D$ n1 N
proxy_set_header X-Real-IP $remote_addr;7 z# n% Z, B! U
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
4 v6 d* w$ P/ m- w. F" ~& p }
0 t1 R2 m& ]4 ]+ Q- ^" @- g}
0 U, x1 G$ n4 o* y六.测试5 d q/ o+ s# n5 x9 x
. ]3 T7 w/ Z, y* A8 C. }/ _1 `0 k我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
! Z5 I4 ]( e+ b, ]1 ~# Z' ~
) x+ o. d9 i! w/ v+ ` m+ R<?php/ E) q* q( |# e8 I
phpinfo();
3 p, C+ ]) C+ E2 ~2 r?>' X& P! v! X/ z3 z3 @; ^% \! e* G
在浏览器中访问:5 p3 A" R& b: x
3 ]3 n( `7 s5 I" W# W# lhttp://www.52os.net/phpinfo.php?id=1 正常显示。
/ _4 w& {8 y. z1 ohttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。1 n* Q k: _; I
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
' i" N, a0 Q, C3 N, T( Q说明sql注入和xss已经被过滤了, i/ I1 t6 T( s& T
- g7 z N8 _$ Y! o
七、安装过程中排错
$ J- Y8 ]/ I( V; ^( E! H$ c* r
- Q. s7 Q4 p# Y1.缺少APXS会报错4 ?) ~ H6 s+ z
2 V9 I: v, F2 T4 x- ^( E" kconfigure: looking for Apache module support via DSO through APXS
4 ?0 f3 K+ o3 v6 v" Iconfigure: error: couldn't find APXS
) X! X/ E; H- h; ]. r7 K" c) s! zapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
x) U s# f& ?) Z( P解决方法:
& Z/ [. ^6 I) X3 i
0 i. W' w3 K- P, P2 Nyum install httpd-devel
; J# ?1 G" u, f2 U9 i2 N2.没有pcre" a* T7 Z4 D# I" }
! D' y/ s+ C" o" n, S8 y$ Xconfigure: *** pcre library not found.' c# L0 r6 c) E4 ^9 @7 R
configure: error: pcre library is required
( u5 e" o9 L$ C& z解决方法:6 J- X8 T6 ` K
q" _4 Q- X, h) t0 i, l3 cyum install pcre pcre-devel
3 s2 z& a/ F* l# l) y4 {3 u2 ?3.没有libxml2
' q" S9 h0 X7 l- j6 ~ j/ _- C, x# l( E$ o: h
6 p8 ]3 Y3 ?. H1 ]configure: *** xml library not found.
! H6 m: F/ d( ^9 ]configure: error: libxml2 is required6 f) g7 s5 g6 B& Y
解决方法:
3 l$ t7 S! s- y' Y+ O/ P8 c$ g' V% e! p H0 B+ c
yum install libxml2 libxml2-devel. j8 e* a% s; I+ X
4.执行 /opt/tengine/sbin/nginx -m 时有警告
! j- F1 V' w+ j6 O y* A! p; U( Q, O6 W/ d/ x
Tengine version: Tengine/2.1.0 (nginx/1.6.2); d8 |# |2 E; f2 e' |; ^; o5 I
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
% j3 t. D! j4 @& f) I1 Z0 t原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
' }' d* @) G! f- T7 o8 S
: O# _# b5 c" Z2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.( s9 G) Y) @( ~; f
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"7 ?5 }. {7 b. v
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!* W+ I+ V$ B Z
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"! F3 C& V" a6 w# t8 S
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
# N* W9 q) e9 ^+ Z6 U9 s w) n2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.$ t1 e/ F3 u4 b1 p5 R( E
解决方法,移除低版本的APR (1.3.9)
( j, ^& F) a! k O9 n7 T+ S" _2 ]* l$ J" g$ W Q4 ^
yum remove apr
4 P% m f' H2 w+ U0 L$ |5.Error.log中有: Audit log: Failed to lock global mutex
; M6 c; A$ ^% c. P- i. g9 Q) V0 j6 F' x
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
- n9 B3 @) W& hglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
8 A- W' w4 {" t. W. }* }解决方法:
& P( B X4 }1 }& S" E$ X, R. P4 R编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:* @5 N1 m% o. n" c# ?
# @3 D' q! D8 D7 zSecAuditLogDirMode 07779 ^4 ?* M: d" a: H2 F+ n n5 H
SecAuditLogFileMode 0550- I2 a' C$ y! k% q
SecAuditLogStorageDir /var/log/modsecurity
' M) b5 Z( l Q1 B& M4 {& F8 x- W& M4 _SecAuditLogType Concurrent, X: o# N% O' G$ H e* x% P- v
参考文章:
& L# \7 G6 C' n3 b: k/ E# D9 ihttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
/ I. k! p' d( b9 a) V, u+ |4 t' `9 ]http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡