|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
+ r+ i! x, F4 b! d2 p8 v* v N1 ]! t1 _- h
一.准备工作" g; q/ q8 ~8 v/ N" T, o- Z9 c
* W( ^7 {1 b& v J( P; Z
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
3 d: C' {- B) s. x" U! C
) V' g* V5 e- \& }- \tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
E0 e& h6 M, ~; X N0 \
8 ~& Y8 o! @7 ?" E$ E z4 I. c, amodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
* I. v% _7 Z) \ a( |' P! k
4 L+ w" u& O/ C! _OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
0 }: w) @% k" t. w9 N& K6 r) C* t6 ]3 E4 f
依赖关系:# b$ P- R, x! r8 q; S
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
: o: D* c0 K1 X/ \9 I( o
0 K& ^1 e& R" `yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
7 [9 Z; e& _1 R$ E; ~modsecurty依赖的包:pcre httpd-devel libxml2 apr% M, r* R* S" b% A% p
- {: _, k O5 C/ {yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel$ Y; [3 n/ O3 D: ^$ Z1 |% K
二.启用standalone模块并编译4 R( t m+ l8 G1 S9 v% R
1 U9 p) H% }& {下载modsecurity for nginx 解压,进入解压后目录执行:; z9 k) T8 n0 f4 j2 s6 G7 u# P' ?
, U T J' E# x" W
./autogen.sh$ u3 C$ j5 t- h7 o# A. p
./configure --enable-standalone-module --disable-mlogc
- d0 f$ M: b$ N/ v2 j) Dmake
% y A1 k, B* \" T5 g" _5 r" ]三.nginx添加modsecurity模块2 c% d' [3 |+ x- }3 N. }
. D1 P) i+ Y2 T% W g3 Y
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
9 ]7 S: V9 A1 X. ?0 q5 L, { w; G4 A1 T0 F& J" c( l( V) y
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
5 w8 n4 a' j7 f( o$ hmake && make install( `+ p) w4 P+ U' |
四.添加规则
) T8 D7 n2 d7 C, }' r5 z3 _% K2 K/ D2 [& u& d/ A9 | [- e
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
1 o s4 L# x" B8 S
) N1 s: u0 l. k$ }' p) v: E& B" [7 O1.下载OWASP规则:- s- F5 k) b0 R/ a3 {6 {
; t& F1 ~) P3 m; ^( J' N$ Kgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
: ]( c- `0 `3 I/ r* f) v; m k3 I2 {. F9 H) r6 I5 v% {
mv owasp-modsecurity-crs /opt/tengine/conf/, C; v) y% }3 B9 ]& A, K' a, A2 P
1 F) u/ z. [1 t6 N8 [) Y
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf' v0 Z, }+ f# u( _* O" Q
2.启用OWASP规则:+ B0 [8 p2 j/ U
6 o/ C I0 M0 A5 Y0 X复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
7 h Q: l3 E" p& z5 G2 ^
' E4 T: t$ _1 `6 J: l3 L编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
|2 \% v& F+ F( v, z8 q0 N
6 t) r6 z0 P; k6 p6 v# L8 j: v8 Wowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
. c2 F8 t% U3 X) x
- `& \4 e0 J5 Q, p9 CInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
9 F' e6 }3 [% E+ O+ wInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf, D1 S8 x' z& J) S) }
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
$ Y7 ~( K4 R! n1 CInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
4 O6 t/ @2 V6 ^1 J* _+ f; zInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf. y8 S, y: M* N9 d9 R
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf3 a# I5 r Z( e* K O& I$ z$ _
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
. D, P4 i! i% F4 S8 V+ j, |% |2 A五.配置nginx" S s: m) W- p$ b1 m- {9 N( X
) l/ s& V/ P8 u; M在需要启用modsecurity的主机的location下面加入下面两行即可:1 i( G- E3 h% m
4 y3 H. O) q! a. v
ModSecurityEnabled on; # x8 d# @" l/ j1 n+ h) V
ModSecurityConfig modsecurity.conf;, ~6 n) _6 ]' I- C& N- q3 E
下面是两个示例配置,php虚拟主机:
3 Z- ~0 Q* [3 X( U* F! z# f
9 n0 J0 w* H) ^( t6 y4 J* M" tserver {8 _- c& k3 B8 I) ?7 w7 M; C/ X
listen 80;
c( g: q: d& z6 d server_name 52os.net www.52os.net;8 m7 j7 }9 K4 H$ @' b* [
& Y3 E/ K4 U) Z) R; P location ~ \.php$ {) o4 l( O( v5 ?5 w
ModSecurityEnabled on; 3 H6 A9 M: P! j+ {, D( I2 x9 @
ModSecurityConfig modsecurity.conf;
/ m" l. w2 u' V, q1 y* g+ z6 j' i2 h. p
root /web/wordpress;0 {3 V: v1 H$ p3 ^/ d
index index.php index.html index.htm;& a/ N4 u! m0 ^! z' b
% `! s6 A$ z S5 e fastcgi_pass 127.0.0.1:9000;
: V: K6 ]' T) m fastcgi_index index.php; o6 U. i+ g: X6 t8 W6 U+ m
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
4 Y5 F. W8 S$ Q) H0 d( b* R. i* q include fastcgi_params;
. m: U b8 i$ B }
+ D& |8 v3 g7 |1 I$ F6 | }
$ }- d& y" Y2 A) m& x8 I1 E6 A5 V( cupstream负载均衡:5 s# R6 }& \" ^2 A" o8 J- X6 |$ A
* q) l) W+ r6 F' P, X% i
upstream 52os.net {
8 W+ A9 i, }; H3 q5 F server 192.168.1.100:8080;% ~* j* a5 n/ W3 q$ f
server 192.168.1.101:8080 backup;
% W' z/ U t* i5 E$ q( i- }, Y}
( g% N+ z" E- u1 S' s% o( g2 D, e9 w" u4 N: [. i
server {
& j' M1 ~% A: Zlisten 80; u1 k" |. J) |2 y- B
server_name 52os.net www.52os.net;1 w2 x" y# R1 `' U
& k# R! B. A# X/ i9 _2 Y9 clocation / {( t) h I3 I% j
ModSecurityEnabled on;
) Z# t* O* \- A; h! ? ModSecurityConfig modsecurity.conf; 1 k3 F8 m) Q/ ?. `3 X+ c
8 p/ b5 l* G' n- h proxy_pass http://online;
3 E2 M2 Z1 s1 X1 w proxy_redirect off;" {) ?5 a- X, E3 E& _' r
proxy_set_header Host $host;( P3 C [/ i' ^2 C# A. v1 J0 x
proxy_set_header X-Real-IP $remote_addr;' q! S: T6 \/ w+ w$ E! I: x
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
& `. V( ^. l/ D8 E& D1 x2 J }: r7 t/ J1 O: m. A
}- z, p' N$ ^, K0 u
六.测试! W; m$ h- H, i. U6 ^
5 F2 U3 i# |/ i8 k% F3 A; s
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:2 O7 C/ T V0 A& [. J1 h m0 w
0 l. m& H# w6 d+ ^2 Q* L" y5 g<?php
- ?, V$ u/ O0 T: W phpinfo();
6 H: o6 D; }1 m7 }6 y3 M1 O?>
2 ~& B! W. e% {7 c1 K在浏览器中访问: O8 B* j' A8 I* c5 }3 c
) U7 T& s2 C4 Y3 Dhttp://www.52os.net/phpinfo.php?id=1 正常显示。7 N# A( ^! Z- r
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
* F" d `5 S" S8 {( Bhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。5 R; m/ o# j6 \3 [3 X+ v
说明sql注入和xss已经被过滤了
: O- d/ I/ y* u# c2 r' l% |8 ?$ l5 H& W- e3 B
七、安装过程中排错
$ o/ {& N2 P1 ?' \
: q0 w& E1 k4 M4 _1.缺少APXS会报错
( K( @6 W& }6 N7 L _5 v v3 Z# j. R
configure: looking for Apache module support via DSO through APXS
; `) I; s+ `4 N% _: @% D( H; }( \/ mconfigure: error: couldn't find APXS
( O8 K1 F$ M. g1 a6 bapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。0 R6 o6 S' C C3 y5 C8 u
解决方法:
& o% A! g. ~6 W6 |4 G
0 @# t T0 J+ J" ^. d. nyum install httpd-devel
2 L5 u0 o' z( A; F0 N' S. R2.没有pcre: ?) v }4 u3 T7 u6 e
, a: b, X- d) ^9 b1 d
configure: *** pcre library not found.
* ~! b. U6 s' T) x3 A) M, Q' \! {! xconfigure: error: pcre library is required' j9 ]" U7 \0 }6 G! `
解决方法:
$ `& m! ^2 v% ~* A
+ q1 M; S2 v4 r. eyum install pcre pcre-devel
, ]% k; h4 R5 h. O8 z% {4 n3.没有libxml28 h! ~8 G3 L$ J! v! z6 w/ W
% Q) f. V, e( b+ {( t0 C7 l& g& \: y! a# {0 V
configure: *** xml library not found.
) t- D1 Q4 Q5 @' Z$ V, h& yconfigure: error: libxml2 is required
5 N6 A4 r9 U! z* g# J& ~解决方法:
+ N6 x7 C, r4 L2 P, ?* o/ v2 I) ~/ f q
yum install libxml2 libxml2-devel9 G, S0 {9 [. {3 B% _
4.执行 /opt/tengine/sbin/nginx -m 时有警告7 P4 D7 f( |. b+ H8 f
7 y `4 V4 f, b* T8 c
Tengine version: Tengine/2.1.0 (nginx/1.6.2)! q8 }) B4 p7 M
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!: A/ \2 k5 F; L
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log6 q' _* X$ T3 X* B" [
/ ]- V$ _" _) l' J+ q" W
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.1 ~. K: \! s) Y4 g* S
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
1 t0 i+ ?& c/ a/ k: A- o6 G0 X! d2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!6 n8 Z/ ]" z3 F
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
. b, e0 o/ J; Y& x; N2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"2 g$ y, p1 x% p2 W+ |9 k% t
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.# d: g6 D3 |0 I8 K! M+ a
解决方法,移除低版本的APR (1.3.9)
4 \3 R: j% E9 I- E3 j; y- _( z1 [0 w E+ F
yum remove apr
$ [$ k: w* G8 L: V8 E% t2 p5.Error.log中有: Audit log: Failed to lock global mutex
; u" i8 a6 |; P( N* M/ p
* X, I0 @9 O# W9 P/ Z& A2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock - \ w( _- Q2 x
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]8 k5 A$ c1 ~! j T" E" G& y
解决方法:
: D& b8 u# h1 f2 k编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:7 Z0 Z5 R& a* p6 |' I
7 t8 e! q* r7 |/ x2 @
SecAuditLogDirMode 0777
) g6 P" X8 l& O. s( l6 ISecAuditLogFileMode 05502 q8 E0 s% G+ a5 n! G" ^
SecAuditLogStorageDir /var/log/modsecurity
- q( j% w2 N; \. ^% E8 ?SecAuditLogType Concurrent
" L/ ^% [ W, l6 h) c7 U" @参考文章:2 u8 E% A! y& \' B% h
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX, k% E: L, X0 U1 G
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡