ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security. It now also supports nginx and IIS; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module can be added at nginx compile time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity focuses on filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. (Note: the recommended file ships with SecRuleEngine DetectionOnly, which only logs; requests are not blocked until it is set to On.)

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by including them in modsecurity.conf; the setup file must be included first because the other rule files depend on the variables it defines:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host where ModSecurity should be enabled, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup (the upstream name must match the host used in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Using the PHP environment as an example, create a phpinfo.php with the content:

<?php
    phpinfo();
?>

Open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. The matching rule and the blocked request are recorded in the ModSecurity audit log (SecAuditLog in modsecurity.conf) and in nginx's error.log, which is where to look when a legitimate request is unexpectedly blocked.
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script needs it even for the standalone build.

Solution:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. The following also appears in error.log:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr
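The "compiled version" / "loaded version" notices above are the quickest way to tell whether the module and its libraries agree. The following script is an added example (not part of the original post) that reads such error.log lines and reports every library whose versions differ; the log lines embedded in it are constructed to mirror the ones shown above. It compares only the leading version number, because PCRE appends a build date to the loaded version and that is not a mismatch.

```shell
#!/bin/sh
# Added example: detect ModSecurity compiled/loaded library version mismatches
# in nginx error.log output. Not code from the original post.

# Constructed sample log lines, modelled on the post's error.log excerpt.
SAMPLE_LOG='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"'

# modsec_version_mismatches: read log lines on stdin, print one line per
# library whose compiled and loaded versions differ; return 1 if any were
# found, 0 otherwise. Lines without both a compiled and a loaded version
# (e.g. the LIBXML notice) are skipped.
modsec_version_mismatches() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *'ModSecurity: '*' compiled version="'*'; loaded version="'*) ;;
            *) continue ;;
        esac
        # library name sits between "ModSecurity: " and " compiled version="
        lib=$(printf '%s\n' "$line" | sed -n 's/.*ModSecurity: \([A-Z0-9]*\) compiled version=.*/\1/p')
        # keep only the version token up to the first space or closing quote
        compiled=$(printf '%s\n' "$line" | sed -n 's/.*compiled version="\([^" ]*\).*/\1/p')
        loaded=$(printf '%s\n' "$line" | sed -n 's/.*loaded version="\([^" ]*\).*/\1/p')
        if [ "$compiled" != "$loaded" ]; then
            printf '%s: compiled %s, loaded %s\n' "$lib" "$compiled" "$loaded"
            found=1
        fi
    done
    return $found
}

# Stand-alone run against the constructed sample; on a real host use
# something like: modsec_version_mismatches < /opt/tengine/logs/error.log
if printf '%s\n' "$SAMPLE_LOG" | modsec_version_mismatches; then
    echo "ModSecurity libraries match"
else
    echo "mismatch found: install the library version the module was compiled against"
fi
```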
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

This switches the audit log to concurrent mode (one file per transaction under SecAuditLogStorageDir), which does not need the global mutex that the nginx worker process could not lock. The storage directory must be writable by the user the nginx workers run as.

References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614