ModSecurity was originally an open-source WAF for Apache that noticeably hardens web applications. It now also supports Nginx and IIS; combined with Nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web security.
一. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
二. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
三. Add the ModSecurity module to nginx

Once the standalone module is built, add it when configuring nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
四. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its power lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can of course also write custom rules to cover any particular need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by pulling them into modsecurity.conf with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
五. Configure nginx

Add the following two lines inside the location block of any virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

upstream load balancing:

# the upstream name must match the host in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
六. Testing

XSS and SQL injection filtering is now enabled, so malformed requests are answered with a 403 directly. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
七. Troubleshooting during installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel
4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
# Concurrent mode writes one audit file per transaction under this directory; create it before reloading nginx
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
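A small checker for the two error.log symptoms described in items 4 and 5, added here as an example (it is not the article's or ModSecurity's own code). It flags any library whose loaded version differs from the compiled one and pulls the client, URI and unique_id out of a ModSecurity [error] line; SAMPLE_LOG is copied from the excerpts above so it runs offline.

```python
# Added example (not the article's own code): a checker for the ModSecurity
# startup notices of item 4 and the [error] line of item 5. SAMPLE_LOG is
# copied from the error.log excerpts above so the checker runs offline.
import re

SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# <LIB> compiled version="x"; loaded version="y" -- the loaded part is optional (LIBXML omits it)
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)
# ModSecurity error lines carry the client, the message and bracketed context fields
ERROR_RE = re.compile(
    r'\[error\] \S+ \[client (?P<client>[\d.]+)\] ModSecurity: (?P<msg>.*?)'
    r' \[hostname "(?P<host>[^"]*)"\] \[uri "(?P<uri>[^"]*)"\] \[unique_id "(?P<uid>[^"]*)"\]'
)


def version_mismatches(log_text):
    """Return {lib: (compiled, loaded)} for every library whose loaded version differs.
    Only the first token is compared, so PCRE "7.8 " and "7.8 2008-09-05" count as equal."""
    bad = {}
    for m in VERSION_RE.finditer(log_text):
        compiled, loaded = m["compiled"], m["loaded"]
        if loaded is not None and compiled.split(" ")[0] != loaded.split(" ")[0]:
            bad[m["lib"]] = (compiled.strip(), loaded.strip())
    return bad


def parse_errors(log_text):
    """Return (client, message, uri, unique_id) for each ModSecurity [error] line."""
    return [(m["client"], m["msg"], m["uri"], m["uid"]) for m in ERROR_RE.finditer(log_text)]


if __name__ == "__main__":
    for lib, (compiled, loaded) in version_mismatches(SAMPLE_LOG).items():
        print(f"{lib}: compiled {compiled} but loaded {loaded} -- remove the stale package")
    for client, msg, uri, uid in parse_errors(SAMPLE_LOG):
        print(f"{client} {uri} {uid}: {msg}")
```

Point it at the live file (open("/opt/tengine/logs/error.log").read(), or wherever your error_log directive writes) after a restart to confirm that "yum remove apr" actually cleared the APR mismatch.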
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614