ModSecurity started out as an open-source WAF for Apache and is an effective way to strengthen web security. It now also supports nginx and IIS, and combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module is added when compiling nginx by passing "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover any requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each of them to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
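Before reloading nginx it is worth checking that modsecurity.conf really blocks (the recommended config ships with SecRuleEngine DetectionOnly, which only logs) and that every Include line above points at a file that exists, since a dangling Include stops nginx from starting. The script below is an added example, not part of the original post or of ModSecurity; it assumes relative Include paths are resolved against the nginx conf directory, which matches the layout used above.

```shell
# Added example (not from the original post): sanity-check modsecurity.conf
# before reloading nginx. Confirms that the last SecRuleEngine directive is
# "On" and that every Include target exists. Relative Include paths are
# resolved against the nginx conf directory (an assumption of this script
# matching the layout above, not a guarantee of every ModSecurity setup).
#
# Usage: check_modsec_conf /opt/tengine/conf /opt/tengine/conf/modsecurity.conf
# Exit status 0 = usable, 1 = problems (details on stderr).
check_modsec_conf() {
    conf_dir="$1"
    conf_file="$2"
    status=0

    if [ ! -f "$conf_file" ]; then
        echo "missing config file: $conf_file" >&2
        return 1
    fi

    # ModSecurity applies the last SecRuleEngine it sees, so inspect the last one.
    engine=$(grep -i '^[[:space:]]*SecRuleEngine[[:space:]]' "$conf_file" | tail -n 1 | awk '{print $2}')
    case "$engine" in
        [Oo][Nn]) ;;
        "") echo "SecRuleEngine is not set in $conf_file" >&2; status=1 ;;
        *)  echo "SecRuleEngine is '$engine': requests are logged but not blocked" >&2; status=1 ;;
    esac

    # A dangling Include makes nginx refuse to start, so verify each target.
    # The unquoted expansion lets a wildcard Include (base_rules/*.conf) match.
    missing=$(grep -i '^[[:space:]]*Include[[:space:]]' "$conf_file" | awk '{print $2}' |
        while read -r inc; do
            case "$inc" in
                /*) path="$inc" ;;
                *)  path="$conf_dir/$inc" ;;
            esac
            set -- $path
            [ -e "$1" ] || echo "$path"
        done)
    if [ -n "$missing" ]; then
        echo "$missing" | sed 's/^/Include target not found: /' >&2
        status=1
    fi
    return $status
}
```

Run it from a deploy script right before "nginx -t"; a non-zero exit means the WAF would either not block or not load at all.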

V. Configure nginx

Add the following two lines to the location of each virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
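The three browser checks above are easy to repeat from a script with curl, so the WAF can be re-verified after every rule or configuration change instead of only once at install time. This is an added example, not part of the original post: the base URL is passed in, the payloads are the same ones used above (URL-encoded so curl sends them unchanged), and the fetch function is an argument so the suite can also be exercised without a live server.

```shell
# Added example (not from the original post): smoke-test the WAF by sending
# the three requests from the post and comparing the HTTP status codes.

# Print only the HTTP status code for a URL (curl performs the request).
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# One case: $1 = fetch function name, $2 = URL, $3 = expected status code.
waf_case() {
    got=$("$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "ok   $3 $2"
        return 0
    fi
    echo "FAIL expected $3 got $got $2" >&2
    return 1
}

# Run the whole suite against a base URL such as http://www.52os.net.
# $2 optionally names the fetch function (default: fetch_status via curl).
# Returns 0 only if every case produced the expected status.
waf_smoke_test() {
    base="$1"
    fetch="${2:-fetch_status}"
    failed=0
    # A benign request must still be served.
    waf_case "$fetch" "$base/phpinfo.php?id=1" 200 || failed=1
    # The SQL injection probe must be blocked (modsecurity_crs_41_sql_injection_attacks).
    waf_case "$fetch" "$base/phpinfo.php?id=1%20and%201=1" 403 || failed=1
    # The XSS probe must be blocked (modsecurity_crs_41_xss_attacks).
    waf_case "$fetch" "$base/phpinfo.php?search=%3Cscript%3Ealert('xss');%3C/script%3E" 403 || failed=1
    return $failed
}
```

A typical call is `waf_smoke_test http://www.52os.net`; a FAIL line on the first case means the WAF is blocking legitimate traffic, a FAIL on the other two means SecRuleEngine is not On or the corresponding rule file is not included.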

VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
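After removing the old APR and restarting, the error.log notices above are the quickest way to confirm that every library ModSecurity links against now matches what it was compiled with. The following log scan is an added example, not from the original post or from ModSecurity: it reads the "compiled version ... loaded version" notices from an error.log path given as its argument and reports each library whose versions differ. The sample lines it is exercised with are constructed from the excerpt above.

```shell
# Added example (not from the original post): scan an nginx error.log for the
# ModSecurity startup notices and report libraries whose loaded version
# differs from the compiled one.
#
# Usage: check_modsec_lib_versions /opt/tengine/logs/error.log
# Prints one "LIB compiled=X loaded=Y" line per mismatch; exit status 1 if any.
check_modsec_lib_versions() {
    logfile="$1"
    mismatches=$(sed -n 's/.*ModSecurity: \([A-Z]*\) compiled version="\([^"]*\)"; loaded version="\([^"]*\)".*/\1 \2 \3/p' "$logfile" |
        while read -r lib compiled loaded; do
            # Compare the version number only: PCRE appends a build date to the
            # loaded string ("7.8 2008-09-05") and a trailing space to the compiled one.
            c=$(printf '%s' "$compiled" | awk '{print $1}')
            l=$(printf '%s' "$loaded" | awk '{print $1}')
            [ "$c" = "$l" ] || echo "$lib compiled=$c loaded=$l"
        done)
    if [ -n "$mismatches" ]; then
        echo "$mismatches"
        return 1
    fi
    return 0
}
```

On the log excerpt above this prints "APR compiled=1.5.0 loaded=1.3.9" and exits 1; PCRE is reported as matching because only the version number is compared, and LIBXML is skipped because its notice carries no loaded version.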

5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog directives, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614