|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
5 G9 I6 F% J( {- X6 `+ W: I
" s \. A7 Q3 M$ f6 [一.准备工作; ~2 a/ L, ]: T
( j# a F4 t+ ?! Q
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
5 G+ g& Q! F. X
! S$ @1 C4 ?0 `tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
2 s% ^% X/ U# `* u) B8 a. s1 X: p2 M8 X" N" w
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
5 v+ s! j2 o5 l
) P2 w. I( {2 ?- p. I7 C6 v; X! h4 BOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
& E" W- b* N l9 T8 v5 O5 U! v2 q; r5 {/ d. n
依赖关系:
9 K/ U4 L: ] _2 X) B2 {tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:0 [3 T r# W7 R; `2 H$ O
! o1 h0 Y1 ^8 V+ g0 E9 Z. K* [yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel- e" ]: Q# u/ A. y1 } r2 I
modsecurty依赖的包:pcre httpd-devel libxml2 apr
* v( ^4 i V" O: I& f! G2 L/ C4 [( |) x8 o
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
# b/ b# C8 O3 q( v# N L y二.启用standalone模块并编译
- \" {# d$ T# X
, q) H1 L5 l4 f% _9 I" B) D下载modsecurity for nginx 解压,进入解压后目录执行:* d1 j1 q7 `5 h* ?. s; D5 H* [
7 S& i* X7 V1 \/ D./autogen.sh7 V9 e' n$ Z( ]3 Y# w* Z* o6 y
./configure --enable-standalone-module --disable-mlogc @, M% S' e0 [" z
make ( \; Z8 B t9 }9 R6 _) d" J3 {
三.nginx添加modsecurity模块( U8 a5 I) c3 y' f/ \4 p/ U- M
% ~1 F8 |5 ]0 b在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:: e& V! a P/ c- G8 P* A0 G
$ \' \ b7 I! o$ I% q0 H./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine1 U% x7 z9 }3 `: {
make && make install9 f( w1 f4 u/ b1 R0 d# V/ V
四.添加规则
/ t" _' |" r4 F4 p6 g* t% N( _' }& l5 ~5 @$ T
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
0 e# m, u9 x5 o1 X7 [4 f7 d4 B) y7 u
- Z/ O6 n% s& h4 }0 f$ P1.下载OWASP规则:
+ O, ~3 J/ ]; F! ?! q* c2 ]
: r$ D( L3 K: E3 _, \& r- Z/ |. tgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs$ b8 a* R0 h8 E5 s S4 {4 n
; W% g W7 {, b% \" j$ Z" bmv owasp-modsecurity-crs /opt/tengine/conf/# L6 Z5 N2 y/ D( u j% ]3 K) `
6 J6 m% U0 o$ q& b
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
1 e' F8 E- ~2 ?4 i2.启用OWASP规则:
0 p; K Y/ R! J# j8 a! u, n& W/ y% H4 v
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
+ S: E& q! G2 d5 r3 ^
3 i0 w! W# a6 ? w编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
$ r& v5 g% i9 M1 ?5 ^- P- B
" ~% D' o$ [* d. T& e7 @& Sowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
- ~3 q) ]: b6 a' C' }% {- Q$ [ C2 [
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf' k) P b6 _) \4 l2 j7 ?
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf2 Z/ F3 V! i7 k( C# _+ k: H
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
' w' G* |5 P% L! E ZInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf" J5 G, T) Y9 n' ~& f2 W- j
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
" x9 c& v0 c' XInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
$ O+ D6 S f8 v" h; \Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf, ` H( m- K1 O. ]% J% H8 ]$ A
五.配置nginx7 r, _; t, t, x, \7 z N6 s
% M% ^) j5 c5 e0 Y5 x在需要启用modsecurity的主机的location下面加入下面两行即可:. C! r1 W+ f+ C% V' D) L2 C
' i4 m) r5 S+ b
ModSecurityEnabled on;
# Y1 I& N+ ]( y" VModSecurityConfig modsecurity.conf;5 Q `9 d3 | Q' y
下面是两个示例配置,php虚拟主机:
% @* C) o, F( {/ @' q& g0 k+ b4 C9 p' I6 A0 A' @# z
server {
F7 U# M, L9 n listen 80;+ X* c# }! g) O# }
server_name 52os.net www.52os.net;2 L- I/ B) O# T. {+ Y; w
: V) p$ o+ _! A5 N: K# u
location ~ \.php$ {! n' o$ {- H6 f! }! J5 O, O, q) |
ModSecurityEnabled on;
0 L0 w4 r6 [( n; Q ModSecurityConfig modsecurity.conf;
( m5 m; D6 r3 X1 C' \. y. q# ?0 {4 S7 \4 }, Y% g
root /web/wordpress;- b/ s( M7 G" z
index index.php index.html index.htm;
2 ~( y6 S9 i: {4 {: N/ L: M
1 D9 s* j- S- j& ~* m fastcgi_pass 127.0.0.1:9000;
# [3 U$ m) l# b5 _ fastcgi_index index.php;; _' w/ \& h# N1 {
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
- w( o/ O0 S$ O+ U include fastcgi_params;
: i: n4 A& o$ x( H$ Z# ?; O: ] }
1 \6 f8 z" I* n# l p }
7 x1 g W. }3 f$ wupstream负载均衡:3 P. _9 f, E7 e' L
& [1 S+ [8 G8 O* E4 j6 [: c* Pupstream 52os.net {
8 ^4 h/ T8 L7 \' N server 192.168.1.100:8080;
) \3 D/ s# w2 n. s- h L. G server 192.168.1.101:8080 backup;
r( h+ J6 Y) C! `}) [& Z, a8 U U1 x" z" N# H& T
* I* @$ P" f/ ]server {: @1 P! e" j. i4 w6 H8 W. D* L
listen 80;$ o: G1 L2 f9 b- C- u5 k2 S
server_name 52os.net www.52os.net;
, C4 {6 y/ w* F8 p5 b4 h
! Q. w4 d; K9 D3 U$ i4 V, llocation / {3 E$ V. Q+ S( Y/ G# m
ModSecurityEnabled on; & g! H! m; }; q. g- o8 b
ModSecurityConfig modsecurity.conf;
, L( b* S3 Q d7 k6 u7 K& U5 m- |3 q
proxy_pass http://online;
7 S3 H% W2 [) c proxy_redirect off;
6 G9 X! t6 ~ n4 c proxy_set_header Host $host;
6 |. C# s( n' i. L proxy_set_header X-Real-IP $remote_addr; w, [) I. i" X3 Z
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;; ^4 Z- h6 g% n# Z, } r; f
}
1 L2 s3 L5 T( I" \" n}
9 k/ s5 d* o. b0 |% _( r: ^六.测试9 f" `- U: G/ j5 c5 ?4 \
5 g& _2 P+ J# K W我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
; i, j3 u, `" o7 i2 B6 i, j( @
<?php
2 H5 U% r' n$ H( w# I5 c( k phpinfo(); # C7 |! x. X1 ^: d0 e e, n; p
?>. z5 T4 T; k- z' w4 _: e' l1 a
在浏览器中访问:8 o% _. a1 U3 V1 X4 o$ l
* S6 E; H' |: ?9 D5 \1 chttp://www.52os.net/phpinfo.php?id=1 正常显示。6 z5 _0 ?; }! X/ |- Y0 x
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。% m0 ^- I- w# \+ C( m
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。! L: {* j2 R1 s' u; Q+ ?5 B
说明sql注入和xss已经被过滤了
) V- z9 G/ S: ]
( F( M" i: y. X6 h7 G0 i- m七、安装过程中排错
2 p+ \$ z5 q9 `) s3 F8 r
1 R7 q# c; s, H# f+ E1.缺少APXS会报错3 W9 j$ K+ i l
. F# F. h6 W* |+ `4 }- }" ^: o4 F' h# f
configure: looking for Apache module support via DSO through APXS- ` B) Q9 O2 Y3 e/ |6 T9 n
configure: error: couldn't find APXS( y: F# `4 ?/ p+ G9 O$ d$ P+ k, }5 j
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。# q7 U X! s9 P$ ~, B* p; Z
解决方法:
& I) y. H( q0 y% g- J/ Y$ a" }* l: n8 @" k
yum install httpd-devel9 S- A, h, e' D9 y3 R
2.没有pcre3 P; {, y! R3 u8 N
# O* r: k" }* A0 t, [2 T4 J
configure: *** pcre library not found.
! O- |5 L. v3 {+ t% M$ O Nconfigure: error: pcre library is required- [7 O9 o4 z8 S) \* {
解决方法:
' _' F% \8 B; x4 b% Z" A4 D7 F: H7 P2 |( A$ P5 n% M
yum install pcre pcre-devel
\( V: k2 V% h* s4 R! W) {. g' o3.没有libxml2$ w2 J* d9 c& _; J. D* q- ~& {
8 c% G3 B2 T' {& X
* c, [- m, t% p# w1 X P- o# Y1 S
configure: *** xml library not found.
* I3 @- R G/ I$ m$ _/ oconfigure: error: libxml2 is required9 L. X* d6 o: [
解决方法:3 A2 y r; y0 h6 i0 l& y" g
2 N3 q/ u, R* o6 fyum install libxml2 libxml2-devel7 g7 q" D4 _$ x' v+ b) p' r
4.执行 /opt/tengine/sbin/nginx -m 时有警告
. K( ]/ O3 E r$ R7 ~$ R* j* ?) [ A( T# m) M
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
. ^, H" g. K$ x) |nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
, X+ _7 X8 N0 R, Q原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
6 v5 {) v2 w' M5 E( i' X" d% s5 C& A
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
' l( @7 o: W5 B- c$ R9 L* Q2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2 P: t8 Y* F, W2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!% ^3 G9 Y7 z- P
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
4 B5 W# P3 ^) w) G# E! a2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6" M4 w! \. I$ z+ m [$ z) t$ |
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
8 Y: N) {3 P% x/ i, }解决方法,移除低版本的APR (1.3.9)+ }: K9 D6 Z+ E
+ @( _6 o3 z1 F/ _
yum remove apr
/ v) ?5 e; J" t# V5.Error.log中有: Audit log: Failed to lock global mutex/ D+ S5 I" b$ t+ F5 _
$ E1 Z; E7 U) X4 Q7 `" l; f2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
$ i r' L- j; J! Z8 q# @; qglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]- m0 D! ^- U1 W" k% @3 o4 H
解决方法:
9 x: K# ]. ?, K! M: W编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:9 N9 o6 Z# I; @8 R6 r# |
$ K% m( r" R) M" c$ Q7 ~; [% m: v
SecAuditLogDirMode 0777' Q$ B# }- H; v) |# B5 m
SecAuditLogFileMode 0550& p& b- t) M) a) _: Y5 U. y2 g
SecAuditLogStorageDir /var/log/modsecurity
$ O/ i: W+ y; a% wSecAuditLogType Concurrent
3 ^$ g1 C! W8 Q1 G! f; m% b参考文章:
1 n6 U: a- F" q- z. g# s; ehttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX9 `! l( h7 J1 _0 n& X) \ v
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡