ModSecurity started out as an open-source WAF for Apache and noticeably strengthens web security. It now supports nginx and IIS as well; combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 base repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel (which provides apxs and the Apache headers), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

--disable-mlogc leaves out mlogc, the remote audit-log collector, which is not needed for this setup.
III. Add the ModSecurity module to nginx

With the standalone module built, point nginx's configure at the module's nginx directory with --add-module:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Afterwards /opt/tengine/sbin/nginx -m should list the ModSecurity module among the compiled-in modules (see section VII for the warning it may print at the same time).
IV. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and comprehensive, and you can also write your own rules for specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory (/opt/tengine/conf), and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches but never blocks; that mode is the right place to tune the rule set against real traffic so legitimate users are not blocked, and only then switch to On.

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding Include lines for them to modsecurity.conf. The setup file must be included before any rule file, and the paths below assume the CRS checkout sits next to modsecurity.conf in /opt/tengine/conf, as set up above:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
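A mistake in this file (DetectionOnly left in place, a rule file listed before the setup file, a mistyped Include path) only shows up when nginx is reloaded. The script below is an added example, not code from the original post or from the ModSecurity project: it lints a modsecurity.conf against those three conditions before you touch nginx. It assumes the layout above (CRS checkout next to modsecurity.conf, relative Include paths resolved against that directory) and paths without spaces.

```shell
#!/bin/sh
# Added example, not from the original post or the ModSecurity project: lint a
# modsecurity.conf before reloading nginx. Checks that SecRuleEngine is On
# (modsecurity.conf-recommended ships with DetectionOnly, which only logs), that
# modsecurity_crs_10_setup.conf is included before any CRS rule file, and that
# every Include resolves to an existing file. Assumption: relative Include paths
# are taken relative to the directory holding modsecurity.conf, matching the
# layout above (CRS checkout next to modsecurity.conf); paths contain no spaces.

# check_modsec_conf <modsecurity.conf>: prints findings, returns the number of problems
check_modsec_conf() {
    conf="$1"
    confdir=$(dirname "$conf")
    problems=0

    # take the last SecRuleEngine directive in the file
    engine=$(sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
    case "$engine" in
        On) echo "ok   SecRuleEngine On" ;;
        "") echo "WARN SecRuleEngine not set; the engine defaults to Off"
            problems=$((problems + 1)) ;;
        *)  echo "WARN SecRuleEngine $engine: matches are logged but requests are not blocked"
            problems=$((problems + 1)) ;;
    esac

    # Include targets in file order; a here-document (not a pipe) keeps the loop
    # in this shell so it can update $problems
    includes=$(sed -n 's/^[[:space:]]*Include[[:space:]]\{1,\}//p' "$conf")
    seen_setup=0
    while read -r inc; do
        [ -n "$inc" ] || continue
        inc=${inc%\"}; inc=${inc#\"}          # tolerate Include "quoted/path"
        case "$inc" in
            /*) path="$inc" ;;
            *)  path="$confdir/$inc" ;;
        esac
        if [ -f "$path" ]; then
            echo "ok   Include $inc"
        else
            echo "FAIL missing Include target: $path"
            problems=$((problems + 1))
        fi
        case "$inc" in
            *modsecurity_crs_10_setup.conf) seen_setup=1 ;;
            *modsecurity_crs_*.conf)
                if [ "$seen_setup" -eq 0 ]; then
                    echo "FAIL $inc is included before modsecurity_crs_10_setup.conf"
                    problems=$((problems + 1))
                fi ;;
        esac
    done <<EOF
$includes
EOF
    return "$problems"
}

# Usage: sh check_modsec.sh /opt/tengine/conf/modsecurity.conf
if [ $# -gt 0 ]; then
    check_modsec_conf "$1"
fi
```

The exit status is the number of problems found, so the script can gate a deployment step; run it, then nginx -t, then reload.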
V. Configure nginx

Inside the location block of each virtual host that should be protected, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host. Because ModSecurity is only enabled in the PHP location here, requests for static files never pass through the WAF; put the two directives in location / if every request should be inspected. The original sample referenced $Document_root, which nginx rejects because variable names are case-sensitive; it is $document_root, and root is set at server level so non-PHP requests resolve against the same document root.

server {
    listen 80;
    server_name 52os.net www.52os.net;

    root /web/wordpress;
    index index.php index.html index.htm;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, a reverse proxy in front of an upstream pool. The upstream name must match the proxy_pass target (the original sample named the pool 52os.net but proxied to http://online, which nginx would try to resolve as a hostname):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, matching requests are answered with 403 (the deny action set as the default in the CRS setup file). Using the PHP host as an example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then open these URLs in a browser (the browser percent-encodes the spaces and angle brackets; ModSecurity decodes the arguments before the rules see them):

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS rules are in effect. Delete phpinfo.php once you are done: it discloses the PHP build, loaded modules and environment variables to anyone who can reach it.
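The same three requests can be sent from the command line and checked automatically, which is more useful than a browser once the rule set is being tuned, and the next thing a practitioner wants after a 403 is to see which rule fired and for whom. The script below is an added example, not code from the original post or from the ModSecurity project. It assumes curl is installed, that BASE_URL is the PHP virtual host configured above, and that error.log lives under the --prefix used when building Tengine; the log lines it ships with are constructed samples in the format ModSecurity writes to nginx's error log, not output from a real server, and the rule ids in them are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post or the ModSecurity project: send the
# three test requests from the section above with curl and check the status
# codes, then summarise the denials ModSecurity wrote to nginx's error.log.
# Assumptions: curl is installed, BASE_URL is the PHP virtual host configured
# above, and error.log sits under the --prefix used when building Tengine.

BASE_URL="${BASE_URL:-http://www.52os.net}"
ERROR_LOG="${ERROR_LOG:-/opt/tengine/logs/error.log}"

# expect_status <code> <path> <name=value>: GET the URL with one query parameter
# and return 0 when the HTTP status is the expected one. --data-urlencode does
# the percent-encoding a browser would apply to spaces and angle brackets.
expect_status() {
    expected="$1"; path="$2"; param="$3"
    code=$(curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode "$param" "$BASE_URL$path")
    if [ "$code" = "$expected" ]; then
        echo "ok   $expected  $path?$param"
        return 0
    fi
    echo "FAIL expected $expected, got $code for $path?$param"
    return 1
}

# waf_selftest: the benign request must pass, the SQLi and XSS probes must be
# blocked. Returns the number of failed checks, so 0 means the WAF behaves.
waf_selftest() {
    failures=0
    expect_status 200 /phpinfo.php "id=1" || failures=$((failures + 1))
    expect_status 403 /phpinfo.php "id=1 and 1=1" || failures=$((failures + 1))
    expect_status 403 /phpinfo.php "search=<script>alert('xss');</script>" || failures=$((failures + 1))
    return "$failures"
}

# summarize_denials: read error.log on stdin and print one line per distinct
# (client, rule id, uri, message) with its hit count, most frequent first.
# Relies on the field order ModSecurity uses: [client] ... [id] ... [msg] ... [uri].
summarize_denials() {
    grep 'ModSecurity: Access denied' |
        sed -n 's/.*\[client \([^]]*\)].*\[id "\([^"]*\)"].*\[msg "\([^"]*\)"].*\[uri "\([^"]*\)"].*/\1 \2 \4 \3/p' |
        sort | uniq -c | sort -rn
}

# Constructed sample log lines (illustrative, not copied from a real server;
# rule ids and messages are placeholders) so the summary can be tried offline.
SAMPLE_LOG='2015/01/26 05:00:00 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 05:00:01 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)and 1=1" at ARGS:id. [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "sample-0001"]
2015/01/26 05:00:02 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)and 1=1" at ARGS:id. [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "sample-0002"]
2015/01/26 05:00:03 [error] 29036#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "sample-0003"]'

# Usage: sh waf_check.sh selftest   (needs network access to BASE_URL)
#        sh waf_check.sh summary    (reads ERROR_LOG)
#        sh waf_check.sh demo       (runs the summary on SAMPLE_LOG)
case "${1:-}" in
    selftest) waf_selftest ;;
    summary)  summarize_denials < "$ERROR_LOG" ;;
    demo)     printf '%s\n' "$SAMPLE_LOG" | summarize_denials ;;
esac
```

Run the selftest after every rule change, not just once: a new Include that accidentally blocks the benign request shows up as a failed first check, and the summary over error.log is the quickest way to spot a rule that is firing far more often than the others and probably needs an exclusion.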
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even for the standalone build.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the two versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that the version ModSecurity was built against is the one the dynamic loader finds:

yum remove apr

Before doing so, look at the dependent packages yum will remove with it (on CentOS 6 that includes apr-devel, apr-util and httpd/httpd-devel, which were only needed at build time here), and afterwards check with ldd which libapr the nginx binary actually loads.

5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent mode writes one file per transaction under SecAuditLogStorageDir instead of appending to a single shared log, so the shared mutex is no longer needed. A directory mode of 0777 is wider than necessary: the storage directory only has to be writable by the user the nginx worker processes run as. Create /var/log/modsecurity owned by that user with a tighter mode (0750, for example) so that other local users cannot read the audit logs, which contain complete requests including bodies.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614