|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
" S1 {) }" g( O& c& g1 }" h6 Z) y1 Y0 ^6 o0 K
一.准备工作
: v0 o5 ?- p4 S! F$ S$ g S$ g" l# Q; Y6 ^2 w
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
% H$ w" x; Z6 }+ U8 Y6 E
* \* V# g7 I. R& Ytengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz) J* ?0 \* k5 k9 u& ~: t0 m$ g$ _
; Q. P+ ]; Y, m, n5 Vmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz6 R. u8 F0 E: u d6 P
; c9 y' X/ |2 g6 p6 T4 X9 r" G% \
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs M! s/ y. n; U8 U/ X5 }/ }
0 U/ M' Q# f) T: E' C7 x
依赖关系:# C$ {/ {. Q. y/ X9 b
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:: l; ?# A+ S- P5 D. Z, b
1 z! k( k6 A: F" D
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel2 e; F& S, u& c" u' L
modsecurty依赖的包:pcre httpd-devel libxml2 apr7 h+ ?/ ^% a7 P& |0 P5 z- h8 I$ I
- F: `' I; Q( wyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel# p$ j! t7 y1 A: l
二.启用standalone模块并编译
1 ]7 S1 ^) c% }$ Y* T2 T# G
6 I) {; o$ _# K* O下载modsecurity for nginx 解压,进入解压后目录执行:; A4 ~0 R4 z5 ` }+ d7 e9 }
* w* n. j: @/ ~
./autogen.sh' I1 V+ V+ \7 T
./configure --enable-standalone-module --disable-mlogc( O; s# S: ^6 h0 f
make 9 V/ u6 C, f& R( H
三.nginx添加modsecurity模块
! ?1 m t" Z- A( L" S+ { O# s2 W3 t0 o
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
4 O E; S5 x8 @7 W3 R! s9 o( j+ L# b: f
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine6 G, }1 V: X+ m7 W2 |7 r5 ?9 g
make && make install
2 ~' L) Y F; n! i2 {# c四.添加规则4 w$ @7 O+ e7 B% T' u6 K
" t! O' J0 N: X: P
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
5 ?2 ^& c0 H$ a: g2 }" y0 z( H/ @: b, e, {5 A* Z: C. t9 c, J
1.下载OWASP规则:7 r- U% ^; ^+ _" f! r% }
$ e& |: S, j G+ f6 W
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs5 V8 D0 r# C% R E$ K3 b, G/ o O5 J
Q( J7 T. i! t4 Y
mv owasp-modsecurity-crs /opt/tengine/conf/
5 b9 C0 X( `0 g$ A9 k5 W$ }6 w+ }7 I/ v; o6 j6 j# J! J
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
' h, t' Y# U* m; ]2.启用OWASP规则:! I- X2 }5 W2 p @$ J4 r
2 I/ R/ P" h" n, ?5 L, p复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。7 D* u$ m4 U4 l) P) S+ Y. e) F
7 {5 x5 O- V+ y( W8 M* N) v编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
9 U7 K: b+ v7 e* a4 |( ^
0 |0 y* r- K& }; Y+ P9 |# V) D# howasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
" r3 H8 \6 G V
2 Q, m8 I4 ?; JInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
# R1 s5 {6 D( c' VInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf/ j1 P! X L# _. v" }
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf0 H: j7 L* K0 i" ~5 P2 }$ J
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
$ n' w% t4 J! u6 Y/ E% tInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
* C/ ^" G, f* d7 o6 G/ F/ g- D9 sInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
1 E7 m5 ^7 W$ r' w# x8 s6 BInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf" ^) y7 L0 E2 M" t% b. |- ~) c _
五.配置nginx! K/ I. l3 `3 E* m8 ?
& r0 p/ K: U8 C9 U2 v: u. ]: n! `
在需要启用modsecurity的主机的location下面加入下面两行即可:
( X2 q8 J( E2 _# o: r4 m
' p n f' J7 f' A1 i3 |: SModSecurityEnabled on;
! g1 F5 z3 o' m/ ^' C3 ?% l5 ?. rModSecurityConfig modsecurity.conf;) |/ |4 I$ w4 g1 H+ d0 y) Y
下面是两个示例配置,php虚拟主机:; @; H: Z$ B& k" d( C
' u1 Y$ t- @) M- I0 i7 hserver {
: r p+ n! |7 {3 r listen 80;/ k+ |/ w5 {8 n8 ~9 {
server_name 52os.net www.52os.net;3 ^; [% S5 c6 ?
* ]; n# R$ I$ u" n location ~ \.php$ {
- ~6 Z3 U9 D4 p( s g ModSecurityEnabled on;
' Q( B; @' G* ?2 a ModSecurityConfig modsecurity.conf;' _/ S+ r) u {6 i# m0 U, P8 [
7 A g8 Y* H+ r" G root /web/wordpress;
# b7 x$ [' r/ I0 H; R, u index index.php index.html index.htm;
- r8 j5 h! \% Z# i( t* F! ^. { 8 U' p5 s6 s/ e$ `8 D
fastcgi_pass 127.0.0.1:9000;
# }0 n3 x+ ~5 M, h fastcgi_index index.php;- [7 M5 B7 i' j7 r5 x% j
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
" x( n. |+ o( ?1 W% x include fastcgi_params;# {. p( n3 B# l+ B
}5 d7 ^9 g3 }0 A* s
}/ n/ M, C- P8 ^# y$ o# k5 l
upstream负载均衡:2 Z8 h: E" i$ Q- R$ m- c
2 {& o8 q t! t- P( Q6 A
upstream 52os.net {8 e: B; f7 a( L4 k
server 192.168.1.100:8080;
' F: ~' H1 R2 i: `. f1 L% @: r server 192.168.1.101:8080 backup;
2 @1 [5 b4 l# L5 s1 w1 X& H. N Z}. W& }$ g: ?% H
# L! L. P6 E2 v" ~7 Vserver {/ A# }# y$ b1 \9 R% O
listen 80;" O; Y0 H* y7 d7 W! t$ t
server_name 52os.net www.52os.net;
% z- n; A% {1 ^ C- m! ?: L; n1 D3 @
location / {6 j' A- k9 V E8 S9 Y8 A
ModSecurityEnabled on;
8 k/ a# U+ [9 R$ R1 ?! i+ I2 W# r- P ModSecurityConfig modsecurity.conf; 6 L) v; M8 y1 X7 L
& \4 H6 J; o* Y" I! w- j {
proxy_pass http://online;
8 U/ Y1 A% l' K) j, D4 y proxy_redirect off;: P8 Z7 j/ h0 P5 |$ i
proxy_set_header Host $host;# @+ v3 [* W* k3 h5 E0 A
proxy_set_header X-Real-IP $remote_addr;$ p$ k: r1 b2 g, a* s- s
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
; F/ ~( q6 b, p) S G/ ^ }
4 O4 ^" o: V/ _+ {( a; ~}2 J0 l( {3 E j: T
六.测试
" M! N$ `% C: \& {. {: j$ m6 c4 ?2 M. Y {% T
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
7 I( i4 ?2 H7 I! R8 y" |0 k W+ l, { M! _$ v
<?php! J& T7 T4 R/ @' t2 S3 c% v4 j
phpinfo();
% I0 q3 m/ ]. ?( ]* C?>/ g. y1 m. X4 [+ S! k7 N# j; v
在浏览器中访问:
, z" P+ |4 c7 l0 X* v; M1 j% U2 C# c/ x% }* M v6 U
http://www.52os.net/phpinfo.php?id=1 正常显示。
/ M3 u/ _* h! Phttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。5 Y+ q6 o/ \; j Z7 I9 q
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
% ~+ u: o5 _: g% p$ z1 b3 Q2 }说明sql注入和xss已经被过滤了) M+ y( U) [+ A* ^
' @! a: U) E9 V& _% |9 b" G7 L
七、安装过程中排错) p/ O! Q/ X& x
+ h0 `( H0 h* p. |' A( J
1.缺少APXS会报错
4 x! M$ B' @6 q! Q
/ W9 v C$ ^3 O+ C. h: F- K9 D% zconfigure: looking for Apache module support via DSO through APXS( p+ q) M0 B6 N
configure: error: couldn't find APXS1 I! k {( E: H* d
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
( D6 R1 t- E8 m% S解决方法:
. ?, i' h R8 C; H* B; a6 ~' }: A$ h0 d8 L! w3 y
yum install httpd-devel* S1 Y$ G; ]# I5 _! x
2.没有pcre
0 R5 b0 I+ r5 r% B
5 z. _. }- ]) Vconfigure: *** pcre library not found.
9 e3 B/ A P8 v( hconfigure: error: pcre library is required6 e5 j6 y2 t; I$ v* \2 C0 p
解决方法:
, i/ H2 C1 u. Q$ {2 `" J9 X: ]! z, g( M$ m! `4 \# V4 i E
yum install pcre pcre-devel
T, p5 K4 _ k0 T4 @3.没有libxml28 Q& W: |+ B) I! N6 i1 d' @
0 o8 W1 n: Z$ `8 c, k& v. q
0 J) k3 M0 X+ H0 [
configure: *** xml library not found.: h/ j7 q3 f1 L# _$ R
configure: error: libxml2 is required
, j9 d" g4 D; x5 w' z解决方法:
& G1 N0 k8 R1 Q" e/ M* L; v# T4 n+ a! S" ~1 G
yum install libxml2 libxml2-devel
) C' f B* I5 |: @4.执行 /opt/tengine/sbin/nginx -m 时有警告
$ L1 ]1 R8 \ }4 q# H
% L3 ~6 N$ q4 j' [& KTengine version: Tengine/2.1.0 (nginx/1.6.2)
! K+ D5 l$ n' F4 d9 _nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
7 j# n1 t! @0 ^" m3 L% s5 ~原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
4 d- s$ I/ k4 E4 v7 C: ~) N/ X" c$ H
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
4 _- _ V2 r/ B2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
% N8 i9 i. u# t2 w2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
B j; C0 B8 S6 U* [* w2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
1 o$ }5 F+ \2 [0 `# I" p2 `2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6" n% ~% w) k9 h; n2 Q; I
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On." L3 C6 u: K! ]% I2 K
解决方法,移除低版本的APR (1.3.9)
) O7 E0 |# h* v1 r& W6 n" }! ~$ j; A" ^6 d3 ~& @0 F
yum remove apr
- ` N9 F: j$ l" _! j8 F% C! T# v+ u5.Error.log中有: Audit log: Failed to lock global mutex7 R7 J4 d$ ^6 o5 W% \7 L" L* f- m/ t
5 }( ~3 d) S2 q% q) l2 o6 v2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
: t1 _2 J2 V/ S' P- Z- @+ S rglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
' k5 X/ M) g' ?7 b: U解决方法:% d! y0 A. e1 E4 L$ X9 v# [4 ?/ e# s0 v
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
% t0 \% R7 u% L ]6 L+ \2 m2 B) }7 Z. G5 U/ K
SecAuditLogDirMode 0777 H$ l# t1 Z. `: ~/ J* Y8 W
SecAuditLogFileMode 0550
* B; t! r3 U6 P. M' lSecAuditLogStorageDir /var/log/modsecurity, t: Z* b% }1 L& O* ^1 R
SecAuditLogType Concurrent
4 v* h e% ?% M$ n, s! I/ ^4 K参考文章:
- ?. A4 }& b9 j/ H' \2 m. nhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX- W$ n' X& M6 `* c, x
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡