|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。- E4 h2 }$ ^$ b; ]- H G
) ^2 a( A! L% I+ {4 \ j, _; |一.准备工作
G- ]3 f) y$ L4 L" Y1 l: O" ~) e
3 I: h. j* I! b1 Q6 `8 S b* K- r系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
% x8 z. c z- S! l. a* h2 B$ Y: M# m) b9 Z( n- L5 C5 x! o
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz* p* f; b, A. a9 z) h
/ q# R, w9 A( A) `' f- a# h- N& T
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz m+ r2 ?5 ?' ]$ {* n
/ f& I) U1 C ROWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs5 N- M4 w( u! o9 x# v
6 O6 m% M8 y0 @6 y1 M! r, q$ ?6 r0 {
依赖关系:9 T0 o( P$ e3 m/ Z0 }( \2 T$ e7 U
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
* [& x7 b: l$ i# A7 e# I
4 _: ]! ?. ?2 ]6 r+ u0 Uyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
- I/ ~, F$ f9 d- I l+ tmodsecurty依赖的包:pcre httpd-devel libxml2 apr+ k" x8 ?" H: s% a' h
0 v& v6 C( @9 Z) t( c
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2 j: \ h$ ~ @4 Y# Y& N* @ G二.启用standalone模块并编译. w- |3 w5 b+ u
+ Q4 _. c; H6 @' \6 D下载modsecurity for nginx 解压,进入解压后目录执行:- ^: S3 G% c# h5 X
/ e5 Z+ O. J" C# `1 {
./autogen.sh
' y. O; h2 P/ I$ W5 f./configure --enable-standalone-module --disable-mlogc/ x+ u: h" w7 e0 _/ K1 Z' Z1 g) o
make
( @# k6 t- u1 b" P三.nginx添加modsecurity模块4 x# `$ r8 b% Z' w1 u5 f
0 l \, L" O7 \. C1 N
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:1 [! q' A, A8 M3 b8 D& _
9 Z( v7 ]2 l! _. X4 i0 b: J" u5 J
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine- D( y8 \- |( g/ d2 T- q
make && make install
( o3 B1 S4 _/ K0 ?四.添加规则! u( Q9 ~& [% T$ q5 I' z
$ \9 m: J3 a' ~- Fmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。; u* A5 m* R9 m8 I4 t9 z
3 E5 R* N$ Q& f& e, M1.下载OWASP规则:% L) w* ~1 `! X/ J* U: o& l
" {3 R/ K- A" G3 M
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs/ c7 y/ Q: I: p7 I
9 B( Q5 D- M( Z K6 t9 u2 m( ]
mv owasp-modsecurity-crs /opt/tengine/conf/5 @3 n- L4 M6 F% p; D* M
' v0 ]0 p# W* R7 Q. zcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2 \( S5 |5 B3 w0 E' x, [! r: T2.启用OWASP规则:
; p9 P3 i$ x4 q& q: X* G7 f# Z$ }
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
+ U* t+ g2 ~* z! d" z5 h4 N2 e8 c2 U. X) f& s( I" J; `1 d: z; X; l* o
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on4 r, Y+ Z0 S6 m5 G: A9 M1 w8 b, B1 H
& I- O+ E& ^4 Z7 U1 powasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
, d+ p' X. M7 Z/ \) j u+ D8 k9 s" V
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
4 `+ ?8 c" @' C1 I9 A% k/ KInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf- h" H: {% `! `. ^
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
6 d) [: V1 Y2 |# q' C2 }" t |Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
( U" W9 D- u T9 W9 o2 L# t. zInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf2 D- m+ X! i$ \( r9 y, `3 n
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf( |5 y+ ]0 n/ p. p4 E
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
! @4 n$ D" J# @: a. C+ ?五.配置nginx; c4 z" T4 m4 {8 E [ _8 X
) m* X, b7 C6 |5 C# Q在需要启用modsecurity的主机的location下面加入下面两行即可:" c" y4 v( _, ]
$ v5 O! D9 |) f- v8 R' B
ModSecurityEnabled on;
0 f) r0 I( \" I' ]. j5 d: cModSecurityConfig modsecurity.conf;- m+ Z. Z7 ]9 K+ F; `+ U3 J7 C
下面是两个示例配置,php虚拟主机:
: m5 ?* P0 r' Q8 O2 V; n5 B/ w3 n: _; S% O6 o
server {( A5 w4 p4 t" Y& s
listen 80;
$ x, H# |# _2 [/ g server_name 52os.net www.52os.net;
7 Q) q9 O; W9 V8 G' c# p$ A' I
# m% |0 I$ T, c) W location ~ \.php$ {
; s+ Y+ g3 p5 m9 A5 |6 b& \ ModSecurityEnabled on;
1 j, H, [# L+ ]$ V2 G$ O! V ModSecurityConfig modsecurity.conf;* o4 N. ~2 q0 H0 P" \0 Y# a) k
. I& e6 \1 T f! `. _, Y/ ]
root /web/wordpress;
- t& F8 B' p9 N% H index index.php index.html index.htm;
; d# n. c) Y+ l9 p0 k
+ G/ s$ x3 F1 Z2 g; N. \ fastcgi_pass 127.0.0.1:9000;3 k5 ~$ a# J& B( q1 X/ k( k5 `
fastcgi_index index.php;1 O) b$ w$ b/ t: a" X
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;$ t+ U1 v5 |- v# H. `3 k
include fastcgi_params; i( `! H6 W) q; h) V, d" ?
} P2 ~' M1 _( M; e6 }% P
}
1 p' g! S* f7 Z5 A9 r. E2 F9 y3 Gupstream负载均衡: L- L" b, t+ X% O
' b; J B( g( K" o: p3 R9 g9 `7 uupstream 52os.net {; @- N) m( z Y# @5 @1 S
server 192.168.1.100:8080;
1 o5 \+ G. T% ? server 192.168.1.101:8080 backup;- C2 N' |7 c, S! r2 }: {! w% M
}0 L5 c: r5 b- a$ G/ V& Z3 V
9 ]! ^: \9 ?3 Q. H
server {3 U' O# q) t( ]2 G
listen 80;
7 _$ Y E& Q4 w' h( Yserver_name 52os.net www.52os.net;5 v1 Q8 @, P& J* @
. h! G) r# l2 G) j" W; k: j( {location / {
! m& r. k# v& |0 x6 ^6 A ModSecurityEnabled on; % o: h3 S2 i7 j5 W
ModSecurityConfig modsecurity.conf;
4 v" }- `$ ^# ^9 V: Y# `6 o% x" ]& d# E
proxy_pass http://online;: P" }5 R0 q$ {- ^6 h; Q& N
proxy_redirect off;% Y0 P( Z' g1 o3 i* D5 N2 ~8 \
proxy_set_header Host $host;
. C6 X( x d; ]8 I4 n( k5 q9 ^ proxy_set_header X-Real-IP $remote_addr;9 M; W( V9 Z, o! A" @% Z3 n
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;, @/ ^% B0 Y2 N
}& i3 h @) Z' G
}7 g$ w# r" P3 p6 F+ T Y/ \% L G
六.测试' m2 i7 I6 K3 [! h* j; m
& Z, L" ?! y/ q7 o& X$ o$ l
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
) c) c% d. D0 G! }* d& c
( G- i, X- }2 i: p; ?<?php
& i( _: i# A" W/ N' @9 p6 Y8 B phpinfo();
/ u3 p3 Z9 E( d0 B3 @1 l) S# W5 |7 K?>
/ \7 ]4 ^/ p' M H在浏览器中访问:
& |& ^/ A, i0 z9 Q+ A, G8 `: @7 r2 N) N/ u4 b2 l
http://www.52os.net/phpinfo.php?id=1 正常显示。
% f/ s. U4 C" q* q3 ~http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
' T" ?' O3 ^2 V( yhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
4 o4 M3 D b0 O# F说明sql注入和xss已经被过滤了5 J X# e# l% l3 d2 A
, i B& k7 N6 _3 \* w. A8 v七、安装过程中排错 ]% _: [: H5 _4 t! e; L0 A
% x! C7 Q2 Q! @, W* I3 c) R/ W
1.缺少APXS会报错& N9 W( h" U3 @ w6 d6 g
( v% E0 |* ?. G0 G8 Z8 @0 kconfigure: looking for Apache module support via DSO through APXS
5 ?* M* l( Q% O4 s. Cconfigure: error: couldn't find APXS
9 ]" W$ W( W/ W- s7 mapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。 {5 G) i$ x7 Z
解决方法:
: Q& c5 M# H/ [4 {. n! U. f. [' q9 J5 t |. s. g
yum install httpd-devel7 @$ E- \" _, j8 g
2.没有pcre
, }$ r* p" R, ~% l) l) X% [4 `0 u5 @; C N# e4 H; F6 x$ j/ V
configure: *** pcre library not found.3 s4 W2 I' g8 [- a
configure: error: pcre library is required
( [% [) l- k+ Z( v解决方法:1 v" j9 {% L6 g& o8 P
5 @4 R. {4 W0 @/ e' ]7 Cyum install pcre pcre-devel8 E& B/ v4 H, W( k* @1 Z
3.没有libxml2
# o* Q9 p% { k9 D- T- y) w, p K* Z6 C) v& O/ l* Z- \8 N% X/ F
; N) ]0 v4 P+ y5 pconfigure: *** xml library not found.
/ V' A$ o% ~1 r$ \+ Aconfigure: error: libxml2 is required
% b# m6 Y" F/ n. \; r/ m解决方法:4 Q$ c0 e# D _$ C1 `& `' g" S0 `* d
8 q8 M5 Y9 N) Z, T0 y3 c3 E2 t6 xyum install libxml2 libxml2-devel
! |9 t+ A; ?8 Z( C3 k4.执行 /opt/tengine/sbin/nginx -m 时有警告
% Z9 ~$ @- V: {( r7 e9 |; o$ r$ O, V" l1 W& r
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
8 v) G" t2 S# w$ lnginx: [warn] ModSecurity: Loaded APR do not match with compiled!/ v3 V, |( Q: B6 E
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log7 y' \1 b: k# H: ~' x& r
2 }# R0 X7 _3 r: U2 }5 B. o! B
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
, j: j7 U% x; N2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
3 y7 l' D$ {! z) M6 [ y2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!( }" F' T& p3 \
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
4 X+ v: x; l; ^* {2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
8 g5 D5 D* k7 `% [# p2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
9 Z. f3 C) S$ H+ G0 l1 x解决方法,移除低版本的APR (1.3.9)
3 x" c) Y, W$ d1 h$ H2 A; o8 Q* ?' d" F; B( D; Y* n
yum remove apr- L+ w. T& J( }! S6 |$ H# U
5.Error.log中有: Audit log: Failed to lock global mutex- W! ^' d- G6 C, O2 _
1 a0 C/ i% P, Y/ ` J3 c L% r& I% J2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
1 ]3 W& p k4 g Jglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
; {3 o! u# \# b" ?6 T4 b/ R/ r解决方法:
4 ]6 D+ n: M* ~; y% t5 a编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
2 K: c5 q3 x4 D- ?) k* L. N; L( ^9 K/ r" T' e
SecAuditLogDirMode 0777# v5 x7 E. \' E$ q( q( J6 c3 F/ a
SecAuditLogFileMode 05508 _: `5 Z. B& {
SecAuditLogStorageDir /var/log/modsecurity
; Y$ [8 ~- i1 g( D1 G" _SecAuditLogType Concurrent
& }0 o1 V0 l, m, `! M2 }参考文章:
' m0 s i$ K& `0 E( Whttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
/ G; z: `" e2 o r& J6 Vhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡