ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its power lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and of course you can also write custom rules to cover any need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling them in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines inside the location block of each host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        # Enable ModSecurity for this location; rules are loaded from modsecurity.conf
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

# The upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        # Inspect every request before it is proxied to the backends
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests get a 403 straight back. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614