Using ModSecurity with nginx to build a WAF

Posted on 2017-10-19 16:53:31
modsecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, and is a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

modsecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download modsecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the modsecurity module to nginx

After building the standalone module, the modsecurity module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

modsecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet particular needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the modsecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules as needed; a rule file is enabled simply by pulling it in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of every virtual host that should have modsecurity enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two sample configurations. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # must reference the upstream block defined above by name
        proxy_pass http://52os.net;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so malformed requests get a 403 straight back. Taking the PHP environment as an example, create a phpinfo.php with the following content:

<?php
    phpinfo();
?>

Visit in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version modsecurity was compiled against differs from the one loaded at runtime. error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr
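An added check (not part of the original post) that scans error.log for the startup notices shown above and reports every library whose runtime version differs from the one ModSecurity was compiled against; the sample log is constructed from the excerpt above.

```python
import re

# Matches the notice format seen above; the "loaded" part is optional
# because LIBXML only reports its compiled version.
NOTICE_RE = re.compile(
    r'ModSecurity: (?P<lib>[A-Z]+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:;\s*loaded\s+version="(?P<loaded>[^"]*)")?'
)

# Constructed sample, copied from the error.log excerpt in the post.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
"""


def version_number(text):
    """Keep only the numeric version token, dropping trailing blanks or a build date."""
    return text.strip().split()[0] if text and text.strip() else ""


def find_mismatches(log_text):
    """Return {lib: (compiled, loaded)} for every library whose loaded
    version number differs from the one ModSecurity was built against."""
    mismatches = {}
    for line in log_text.splitlines():
        m = NOTICE_RE.search(line)
        if not m or m.group("loaded") is None:
            continue  # not a version notice, or nothing loaded at runtime to compare
        compiled = version_number(m.group("compiled"))
        loaded = version_number(m.group("loaded"))
        if compiled != loaded:
            mismatches[m.group("lib")] = (compiled, loaded)
    return mismatches


if __name__ == "__main__":
    # On a real host: find_mismatches(open("/opt/tengine/logs/error.log").read())
    for lib, (built, loaded) in find_mismatches(SAMPLE_LOG).items():
        print(f"{lib}: built against {built}, runtime has {loaded}")
```

Note that PCRE is not reported: ModSecurity compares only the version number, so "7.8 " against "7.8 2008-09-05" is a match.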
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614