ModSecurity was originally an open-source WAF for Apache that noticeably hardens web applications. It now supports Nginx and IIS as well; combined with Nginx's flexibility and performance it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Build with the standalone module enabled

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, add it when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine/
make && make install
IV. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to cover your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need: each rule file you want is pulled in with an Include directive, for example:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of every virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two sample configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # the proxy_pass target must be the name of the upstream block above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

We have enabled the XSS and SQL injection filters, so malicious requests are answered directly with 403. Using the PHP environment as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
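As an added example (not part of the original article), a small Python parser for the one-line ModSecurity events that this nginx build writes to error.log. It separates the rule blocks behind the 403s from the testing section from engine problems such as the APR mismatch and mutex errors above. The first two sample lines mirror the page; the third "Access denied" line, including its rule id, line number and pattern, is constructed.

```python
import re
from typing import Any, Dict, Optional

# Constructed sample of ModSecurity for nginx events in nginx's error.log. Lines 1-2 mirror
# the troubleshooting section; line 3 is a constructed block event (id/line/pattern are placeholders).
SAMPLE_ERROR_LOG = """\
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "PLACEHOLDER" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "0"] [id "999999"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "BcBcBcBcBcBcBcB4DcB7BcBc"]
"""

# nginx prefix: timestamp, level, pid#tid, optional [client ip], then ModSecurity's own text.
LINE_RE = re.compile(
    r"^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: "
    r"(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<body>.*)$"
)
# Details are appended as [key "value"] tags (values containing escaped quotes are not handled).
TAG_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>[^"]*)"\]')
DENIED_RE = re.compile(r"Access denied with code (?P<code>\d+)")

def parse_modsec_line(line: str) -> Optional[Dict[str, Any]]:
    """Return a structured event, or None for lines ModSecurity did not write."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    tags = {t.group("key"): t.group("value") for t in TAG_RE.finditer(body)}
    message = TAG_RE.sub("", body).strip()  # free text with the tags removed
    denied = DENIED_RE.search(message)
    return {
        "time": m.group("time"),
        "level": m.group("level"),
        "client": m.group("client"),  # None when nginx logged no client address
        "message": message,
        "tags": tags,
        "blocked_status": int(denied.group("code")) if denied else None,
    }

def summarize(log_text: str) -> Dict[str, Any]:
    """Separate rule blocks (expected from the tests) from engine problems (APR, mutex)."""
    events = [e for e in map(parse_modsec_line, log_text.splitlines()) if e]
    blocked = [e for e in events if e["blocked_status"] is not None]
    return {
        "events": len(events),
        "blocked": len(blocked),
        "blocked_uris": sorted({e["tags"].get("uri", "") for e in blocked}),
        "rule_ids": sorted({e["tags"].get("id", "") for e in blocked}),
        "engine_problems": [e["message"] for e in events if e["blocked_status"] is None],
    }
```

Point summarize() at the contents of /opt/tengine/logs/error.log after running the tests in section VI: the blocked_uris and rule_ids lists confirm which requests the CRS rules stopped, while a non-empty engine_problems list points back to section VII.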
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614