ModSecurity started out as an open-source WAF for Apache and noticeably raises the security of a web application. It now also supports nginx and IIS, and combined with nginx's flexibility and performance it can be turned into a production-grade WAF for protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

After installation, /opt/tengine/sbin/nginx -V lists the configure arguments; the --add-module=... path should appear there, which confirms the module was compiled in.
IV. Add rules

ModSecurity is built to filter and block dangerous web traffic, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is called the Core Rule Set (CRS); it is reliable and broad, and you can also write custom rules for anything it does not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

The directory layout used below (base_rules, experimental_rules, ...) is that of the CRS 2.2.x series; if the revision you clone has a different layout, check out the 2.2.x tag you intend to use.

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which logs rule matches but blocks nothing).

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding Include lines for the corresponding files; modsecurity_crs_10_setup.conf must be included first because it defines the default action the rule files rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
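A complete modsecurity.conf along these lines, as an added example rather than the post's own file or ModSecurity's shipped modsecurity.conf-recommended. It keeps the Include order from above, starts in DetectionOnly so that rule hits can be reviewed in error.log before blocking is switched on, and adds one custom rule. The custom rule, its id 1001 and the 192.168.1.0/24 network are assumptions made for illustration; the CRS paths are the ones used in this post.

```apacheconf
# /opt/tengine/conf/modsecurity.conf  (added example; not the post's file)

# Start in DetectionOnly: every rule still runs and logs, but nothing is blocked.
# Switch to On once error.log shows no false positives for legitimate traffic.
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecUnicodeMapFile unicode.mapping 20127

# Audit log: one file per transaction under SecAuditLogStorageDir. The directory
# must be owned by the nginx worker user; these modes are tighter than 0777.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogDirMode 0750
SecAuditLogFileMode 0640

# CRS setup first (it defines the default action), then the rule files.
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf

# Custom rule (assumed for this example). Rule ids 1-99999 are reserved for local
# rules in ModSecurity 2.x. The chain only denies when BOTH rules match: the
# request is for phpinfo.php AND the client is outside the internal network.
SecRule REQUEST_FILENAME "@streq /phpinfo.php" \
    "id:1001,phase:1,deny,status:403,log,msg:'phpinfo.php is internal-only',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24,127.0.0.1"
```

While SecRuleEngine is DetectionOnly the custom rule's deny is logged as a Warning and not enforced, like every other rule; the log entry still carries the rule id and msg, so you can confirm it matches the intended requests before changing the engine to On.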
V. Configure nginx

In each virtual host, add the following two lines to every location that ModSecurity should inspect (requests served by locations without them are not inspected):

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are lowercase; $Document_root is rejected as an unknown variable
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Then an upstream load-balancing setup (the upstream name must match the one used in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with 403 directly. Using the PHP host as an example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then open these URLs in a browser (the browser percent-encodes the spaces and angle brackets itself; when testing with curl or a script, encode the query string the same way):

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS probes are being filtered. Remove phpinfo.php once the test is done: it discloses the PHP build, file paths and environment to anyone who can reach it.
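The same three checks as a script, so the WAF can be re-verified after every rule or nginx change instead of by hand in a browser. This is an added example, not code from the original post; it assumes the host used in the post (http://www.52os.net) and its phpinfo.php page, and the expected status codes are the ones the post reports.

```python
"""Scripted form of the section VI checks: one benign request and the two
probes from the post, each with the status the post reports (200, 403, 403).

Added example, not part of the original post. Assumes http://www.52os.net and
its phpinfo.php; pass another base URL as the first argument to test elsewhere.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# (path, query parameters, expected status); the payloads are the post's own.
CASES = [
    ("/phpinfo.php", {"id": "1"}, 200),
    ("/phpinfo.php", {"id": "1 and 1=1"}, 403),
    ("/phpinfo.php", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base, path, params):
    """Percent-encode the query. A browser does this on its own; a script must do
    it itself, since a raw space in the request line is not a valid request."""
    return base.rstrip("/") + path + "?" + urllib.parse.urlencode(params)


def http_status(url, timeout=5):
    """GET the URL and return its status code; 4xx/5xx are results, not errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(base, fetch=http_status):
    """Run every case through fetch(url) -> status code.
    Returns (number passed, list of (url, got, expected) for the failures)."""
    failures = []
    for path, params, expected in CASES:
        url = build_url(base, path, params)
        got = fetch(url)
        if got != expected:
            failures.append((url, got, expected))
    return len(CASES) - len(failures), failures


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net"
    passed, failures = run_checks(base)
    for url, got, expected in failures:
        print(f"FAIL {url}: got {got}, expected {expected}")
    print(f"{passed}/{len(CASES)} checks passed")
    sys.exit(1 if failures else 0)
```

Run it as python3 waf_smoke.py http://www.52os.net; it exits non-zero on any mismatch, so it can gate a deployment. A failure on the case that expects 200 is just as important as one on the 403 cases: it means the rule set is now blocking legitimate traffic.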
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. The ModSecurity build looks for it even when building the standalone module.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time, and error.log shows:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that only the version ModSecurity was built against is loaded:

yum remove apr

Check the list of packages yum proposes to remove with it before confirming: anything built against the distribution apr (httpd and httpd-devel among them) depends on it.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following (the Concurrent type writes each transaction to its own file under SecAuditLogStorageDir instead of serialising everything into one file through the global mutex):

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The directory must exist and be writable by the nginx worker user. 0777 is the mode used here; a more restrictive mode works just as well as long as that user owns /var/log/modsecurity.
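Once rules are blocking (or, in DetectionOnly, merely matching), the useful record is the ModSecurity line nginx writes to error.log for each hit, in the same [client ...] ModSecurity: ... [key "value"] layout as the mutex error above. The parser below, an added example and not part of the original post or of ModSecurity, extracts the rule id, message, URI and client from such lines and reports which rules fire most and whether they blocked or only warned. The sample log is constructed for the example: the client addresses, line numbers, rule ids and messages are illustrative, and the file paths follow the layout used in this post.

```python
"""Summarise ModSecurity rule hits from nginx's error.log.

Added example, not code from the post or from ModSecurity. SAMPLE_LOG is
constructed for the example; rule ids and messages are illustrative.
"""
import re
import sys
from collections import Counter

# Header of a rule-hit line: timestamp, level, pid#tid, client, then either
# "Access denied with code NNN (phase N)." (blocking) or "Warning." (DetectionOnly).
HEAD_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<action>Access denied with code (?P<status>\d+)|Warning)'
    r'(?: \(phase \d\))?\.'
)
# Trailing [key "value"] fields; "tag" may repeat. Only these pairs are harvested,
# so the rule's own regex quoted after "Pattern match" is left alone.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

SAMPLE_LOG = """\
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "100"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:05 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "200"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 04:21:10 [error] 61610#0: [client 10.11.15.162] ModSecurity: Warning. Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "100"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2015/01/26 04:21:11 [notice] 61610#0: ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
"""


def parse_line(line):
    """Return a dict for a ModSecurity rule hit, or None for any other error.log line."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    hit = {
        "time": m.group("ts"),
        "client": m.group("client"),
        # "Warning" means the rule matched but the engine did not block (DetectionOnly).
        "blocked": m.group("action").startswith("Access denied"),
        "status": int(m.group("status")) if m.group("status") else None,
        "tags": [],
    }
    for key, value in FIELD_RE.findall(line[m.end():]):
        if key == "tag":
            hit["tags"].append(value)
        else:
            hit[key] = value
    return hit


def parse_log(text):
    """Parse every line of an error.log, keeping only ModSecurity rule hits."""
    return [h for h in (parse_line(ln) for ln in text.splitlines()) if h]


def summarize(hits):
    """Blocked requests per (rule id, msg), blocked requests per client, and the
    number of matches that were logged without blocking."""
    by_rule = Counter((h.get("id"), h.get("msg")) for h in hits if h["blocked"])
    by_client = Counter(h["client"] for h in hits if h["blocked"])
    detect_only = sum(1 for h in hits if not h["blocked"])
    return by_rule, by_client, detect_only


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    by_rule, by_client, detect_only = summarize(parse_log(text))
    for (rule_id, msg), n in by_rule.most_common():
        print(f"{n:5d}  rule {rule_id}  {msg}")
    for client, n in by_client.most_common():
        print(f"{n:5d}  blocked from {client}")
    print(f"{detect_only} matches logged but not blocked (DetectionOnly)")
```

Run it as python3 modsec_hits.py /opt/tengine/logs/error.log. A rule that tops the list for requests from ordinary users is the first candidate for tuning before SecRuleEngine is set to On, and per-client counts of blocked requests are a quick way to spot a scanner.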
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614