ModSecurity started out as an open-source WAF for Apache and noticeably hardens web applications. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web traffic.

I. Preparation

Environment: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add ModSecurity to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with it set to DetectionOnly, which only logs and does not block).

owasp-modsecurity-crs contains several rule directories, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

In each location that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, an upstream load-balancing host:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # the proxy_pass target must be the upstream name defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with a 403 directly. Using the PHP host as an example, create phpinfo.php with the content:

<?php
    phpinfo();
?>

Then request the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS attempts are being filtered.

VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following (note that 0777 makes the audit directory world-writable; once logging works, a tighter mode on a directory owned by the nginx worker user is preferable):

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
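As an added example (not from the original article), here is a small Python checker for the two error.log conditions described in items 4 and 5: it parses the ModSecurity "compiled version / loaded version" startup notices and flags libraries that do not agree, and it extracts the client, message and bracketed fields (uri, unique_id, ...) from warn/error events so they can be alerted on. The log lines are constructed from the samples above; comparing versions by prefix is my assumption, chosen because the loaded PCRE string carries a build date that ModSecurity itself did not flag.

```python
import re

# Constructed sample of nginx error.log lines, modelled on the ones quoted above.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# nginx error.log line: "<date> <time> [<level>] <pid>#<tid>: [client <ip>] <message>"
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \S+: (?:\[client (?P<client>[^\]]+)\] )?(?P<rest>.*)$')
VERSION_RE = re.compile(r'ModSecurity: (\w+) compiled version="([^"]*)"(?:; loaded version="([^"]*)")?')
FIELD_RE = re.compile(r' \[(\w+) "([^"]*)"\]')  # trailing [key "value"] fields of an event


def parse_versions(text):
    """Startup notices -> {library: (compiled, loaded_or_None)}."""
    return {lib: (comp, load or None) for lib, comp, load in VERSION_RE.findall(text)}


def version_mismatches(text):
    """Libraries whose loaded version does not start with the compiled one.
    Prefix comparison is an assumption here: the loaded PCRE string carries a
    build date ("7.8 2008-09-05") that ModSecurity did not report as a mismatch."""
    return [lib for lib, (comp, load) in parse_versions(text).items()
            if load is not None and not load.startswith(comp.strip())]


def parse_events(text):
    """warn/error ModSecurity lines -> dicts with ts, level, client, msg, fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] not in ("warn", "error") or not m["rest"].startswith("ModSecurity: "):
            continue
        body = m["rest"][len("ModSecurity: "):]
        events.append({"ts": m["ts"], "level": m["level"], "client": m["client"],
                       "msg": FIELD_RE.split(body)[0].strip(),   # text before the first [key "value"]
                       "fields": dict(FIELD_RE.findall(body))})
    return events


if __name__ == "__main__":
    print("version mismatches:", version_mismatches(SAMPLE_LOG))
    for ev in parse_events(SAMPLE_LOG):
        print(ev["level"], ev["client"], ev["msg"], ev["fields"])
```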

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614