ModSecurity started out as an open-source WAF for Apache and is an effective way to harden web applications; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF and is a strong tool for protecting and auditing web security.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at compile time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is aimed at filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by pulling them in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

In the location block of each host where ModSecurity should be enabled, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Test

We enabled the XSS and SQL injection filters, so malformed requests are answered directly with a 403. Taking the PHP environment as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
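The three browser checks above can be repeated automatically after every rule or nginx change. This added Python script (not part of the original post) sends each of the post's requests and compares the status code with what the WAF should return; the host name and the injectable `fetch` parameter are this example's own assumptions.

```python
import urllib.error
import urllib.parse
import urllib.request

# The three requests from the post as (label, query parameters, expected status).
# The XSS payload is copied as written above, typo included.
CASES = [
    ("benign request", {"id": "1"}, 200),
    ("sql injection", {"id": "1 and 1=1"}, 403),
    ("xss", {"search": "<scritp>alert('xss');</script>"}, 403),
]


def build_url(base, params):
    """Percent-encode the query so spaces and angle brackets reach the WAF intact."""
    return base + "?" + urllib.parse.urlencode(params)


def http_status(url):
    """GET the URL and return the status code; a 403 is a result, not an exception."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_waf_checks(base, cases=CASES, fetch=http_status):
    """Run every case through `fetch`; return (label, expected, actual, passed) tuples.

    `fetch` is injectable so the checks can be exercised without a live host.
    """
    results = []
    for label, params, expected in cases:
        actual = fetch(build_url(base, params))
        results.append((label, expected, actual, actual == expected))
    return results


if __name__ == "__main__":
    # Assumed target: the host name used in the post's own test.
    for label, expected, actual, ok in run_waf_checks("http://www.52os.net/phpinfo.php"):
        print(f"{'PASS' if ok else 'FAIL'} {label}: expected {expected}, got {actual}")
```

A FAIL on the benign case usually means the rule set is too aggressive for the application; a FAIL on an attack case means the Include or the ModSecurityEnabled line is not in effect for that location.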

VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object. Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
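The error.log lines in items 4 and 5 are easier to act on once parsed. This added Python example (not from the original post or the ModSecurity project) splits nginx's ModSecurity messages into fields, flags a compiled/loaded library version mismatch, and pulls the client, uri and unique_id out of audit-log errors; the sample log is constructed from the output shown above.

```python
import re

# Constructed sample modelled on the error.log output in items 4 and 5 above,
# with the wrapped "Failed to lock" message joined back onto one line.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# nginx error.log prefix, an optional [client ...] tag, then the ModSecurity message.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<msg>.*)$')
# Trailing [key "value"] pairs such as [uri "/i.php"] [unique_id "..."].
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
VERSION_RE = re.compile(
    r'(?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"; loaded version="(?P<loaded>[^"]*)"')


def parse_line(line):
    """Return a dict for a ModSecurity line, or None for any other error.log line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(FIELD_RE.findall(rec["msg"]))  # bracketed pairs become keys
    rec["msg"] = FIELD_RE.sub("", rec["msg"]).strip()   # free text stays in msg
    return rec


def version_mismatches(lines):
    """List (lib, compiled, loaded) for each library whose loaded version differs."""
    found = []
    for rec in filter(None, map(parse_line, lines)):
        v = VERSION_RE.search(rec["msg"])
        # A trailing build date on the loaded version (PCRE "7.8 2008-09-05") is
        # ignored; ModSecurity itself only warned about APR above, not PCRE.
        if v and v["compiled"].strip() != (v["loaded"].split() or [""])[0]:
            found.append((v["lib"], v["compiled"].strip(), v["loaded"].strip()))
    return found


def audit_failures(lines):
    """Return (client, uri, unique_id) for each audit-log error, the item 5 symptom."""
    return [(r["client"], r["fields"].get("uri"), r["fields"].get("unique_id"))
            for r in filter(None, map(parse_line, lines))
            if r["level"] == "error" and r["msg"].startswith("Audit log:")]
```

Run over a real error.log, a non-empty result from version_mismatches after the yum remove step means the old library is still being loaded, and audit_failures lists exactly which requests went unlogged while the mutex problem persisted.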