|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。 ^* X8 m# V" W2 W% g
* a$ O" q* q/ L9 N% r$ ]7 f+ S5 c一.准备工作
0 [" C& A* E7 u1 ^! |. c, S/ o
* f" H1 D4 N. D% D3 O系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
5 X3 h8 N' ?. ~* n! H5 B
|0 C3 R+ T6 a# P- z! j( Y, qtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
1 _6 R. W3 U% G( }# ]: j! R
/ _. @3 a1 \( ^: a. H5 Jmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz! _- x, m$ m( I, D4 Y% e
& l# ?* [) m q& L
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs$ c$ w, z2 t' p4 l; E7 }: N5 z
I/ X* X4 }) c' Z! h ~# D1 g; Y9 \依赖关系:! U4 z' g8 o0 u h, G8 Q! X
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:" [+ g: Q9 g0 L$ ^) a, X( C" H; h
9 X- ^" ]9 s- V, w
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
% |) c/ J, |& T( Imodsecurty依赖的包:pcre httpd-devel libxml2 apr7 C3 I; N8 f) V
3 _5 O3 I4 a3 R3 X% K' Oyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
5 t% a" q# P+ m& Z9 o! y二.启用standalone模块并编译. [ @1 A/ _8 R7 R7 q7 b
$ v, f& z# j! V0 U下载modsecurity for nginx 解压,进入解压后目录执行:4 S# i Z4 c9 Y* U- E/ X
# }% G$ q: n6 T" J5 m./autogen.sh
8 X5 s$ D5 U! V! J, _./configure --enable-standalone-module --disable-mlogc0 V1 x/ r7 Z" a% I
make
$ c0 Y, J! J; y" \( \& O5 P三.nginx添加modsecurity模块; R6 i% m7 S# j: x8 T8 p/ K
! g# }: j; K+ W在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
$ C9 m. ]/ {8 r' [" C3 H4 R$ _; }0 _8 r9 w% A
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
% D; A6 `4 Q9 hmake && make install
; r- p1 y4 s( x四.添加规则' l) y* C( O5 x, k
; | b, F+ @7 X2 Hmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。) u0 ~) {* H# N9 P6 n
! d4 T4 |% |# N! B+ `6 O- I: W1.下载OWASP规则:$ }4 K3 c0 O: \0 C, @, X/ ?% }) K1 A: y
: a4 ~7 _& a" Z7 x# z
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
% y! l9 L7 A; g @8 g9 n1 f q) R
mv owasp-modsecurity-crs /opt/tengine/conf/ b- j* ^5 u6 t2 H m4 ]' N/ c
# c, x' }8 c3 y f N6 F6 \
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf" f# C# ^+ ~. a. y0 n& c/ `+ W
2.启用OWASP规则:
8 Q. l- o) N. [, e. U! s* ^
. Z1 w6 l: z# M+ k, c复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。. V# C) Z7 x; L2 X, G; r
% P" z9 {" m# h
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on6 r0 U( q9 G" n
; |) D K! ~0 p6 Y0 Xowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。. o4 ~; G9 J- t) n6 f$ @( N/ J; U
. X/ M# s* D% |( {7 G8 EInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf2 O7 J8 X5 O: D/ q5 w. D. o
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf: W9 ~; D7 m( b: Z# V- ]0 @/ j
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf! k$ Q0 {, q; f
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf* e* `( o; m( W3 o& |" z$ g- C1 J
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
5 Z6 G. n9 R$ W; d7 xInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
* x9 r6 @& g& s0 L3 X" XInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf& y3 b4 u5 Z. n; {
五.配置nginx' E1 h% @. ?' X+ N: t) E" z
, Z; [5 @! h) Q! h在需要启用modsecurity的主机的location下面加入下面两行即可:
9 \+ O/ D: q- @+ ]. a7 l; A4 A0 C, [
% h2 i9 v; ^+ ZModSecurityEnabled on;
: d4 X9 m( m: U) v( \7 TModSecurityConfig modsecurity.conf;
; E. k# d5 c. m- V% V下面是两个示例配置,php虚拟主机:, }' n q0 _' l1 B9 M
' D5 B$ m' @" M7 O
server {4 J: G r7 m, q- c
listen 80;: ?0 E; {! r4 `. V
server_name 52os.net www.52os.net;
1 ^0 u3 @5 o! R% B3 Q
( w& g7 }/ O( G+ d2 L, |/ t location ~ \.php$ {
0 D3 M# b2 `1 g ModSecurityEnabled on;
7 S. N" I- H2 C. q9 ?: @ ModSecurityConfig modsecurity.conf;& Z! V5 ~0 u/ x Y( p0 q
' ^4 h' a, T: |! W" w
root /web/wordpress;6 t0 g/ G Q6 e
index index.php index.html index.htm;
6 H- p6 Y. Z+ c/ ~ 3 c5 Y, h- c/ w
fastcgi_pass 127.0.0.1:9000;" b2 [$ s0 d, N$ c
fastcgi_index index.php;
8 N H7 [& ]6 ~+ e fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;& j9 k/ t$ F8 ~! ]# Z& g# t
include fastcgi_params;
7 M7 `: o# H! }8 K: E0 l, ? }) C1 G5 J9 Z1 E
}
1 w( Y1 B: p& U& C' _) Supstream负载均衡:
3 r1 s0 ^+ S! d& }% j: U0 ]" v5 a) W {, p! ?$ O
upstream 52os.net {
1 X y T8 ^7 [2 @7 R1 Z server 192.168.1.100:8080;( j$ Q6 W9 \5 v2 b
server 192.168.1.101:8080 backup;
" I( o/ k6 r% Y( r7 W}1 Q, _3 o9 q$ [6 g/ W
" }' h5 E6 ?. Qserver {% x4 F4 o5 d* `$ h
listen 80;2 {6 p- Z. v0 R# W. W
server_name 52os.net www.52os.net;
: e2 v0 w, t/ X( \
. k5 U1 @* J+ q& _* ^ a1 tlocation / {
8 O2 b* W4 S, w. \ ModSecurityEnabled on;
) S- Z$ W, c- w! \% l) u ModSecurityConfig modsecurity.conf; 1 Y, [$ X3 ?, o2 w/ [
3 l4 d* E* S E1 [* y3 o# ]
proxy_pass http://online;) G' q) l% @( H% ?' \
proxy_redirect off;% E$ ^8 G. K. f. [, s
proxy_set_header Host $host;+ `' q$ R3 P% r# f. R- X
proxy_set_header X-Real-IP $remote_addr;! l# R# h4 T4 n D9 `3 \! T' Y
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
% b5 s6 W7 N/ a% ]9 C2 r8 B }4 _& ?1 W$ v8 @" |, ?$ m% f
}
/ ^# M% {" c7 `3 b( q六.测试1 c& b$ w, |0 ?, ?6 e- [& G
0 H# F$ M8 H, ~7 v5 f$ l
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
# V% T. u1 T) r- p, R) ?% k
4 S" M3 @5 H4 x/ U- K0 n& s) Y<?php3 f V. X; L) u. p1 D& x
phpinfo();
# P& h: m2 F: I" u: u?>
) f1 F& z$ `( {; \1 y! e* i在浏览器中访问:; S- H% B! V+ p) A5 x4 A
; v$ q1 H3 z1 d0 ?http://www.52os.net/phpinfo.php?id=1 正常显示。
' F! e" R! _0 chttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。9 B l. o, B2 q% v
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
) e6 ~; W0 ?8 d( \说明sql注入和xss已经被过滤了/ p. T/ o/ P) j1 c2 S/ O. f
! d! C8 b# v$ L0 y. t- N& d1 x( K7 W4 V七、安装过程中排错
/ O5 D' t/ q# f, }# w J* F1 \3 Q1 X; `4 S' J) h& N& a/ l( k: Y
1.缺少APXS会报错- q3 Q5 h- J" {/ m# N* ~4 }$ i
/ e+ G, v# W7 y, hconfigure: looking for Apache module support via DSO through APXS
/ ^' t0 @6 h' j+ econfigure: error: couldn't find APXS) c: l2 d6 r5 f& c
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
+ q! _3 c5 K( p! n3 U( h解决方法:
* v+ H4 j, P0 j% x* l* J" ~$ j& m- E
yum install httpd-devel
- P* [! {) s5 v- n2.没有pcre
( S: ^# Q/ R, Z" A6 o D5 i, [, ^ b9 |
configure: *** pcre library not found.
! n( i& } `0 o' q, t$ Gconfigure: error: pcre library is required
4 K4 O5 d* g, u0 V5 A* R5 \: ?解决方法:! [- ^8 Q# ]% J- G: ?2 c% f- V7 F8 |
/ s# q ^! D& C* k3 o: H8 l" Wyum install pcre pcre-devel7 T- x- }; o. z1 p# ^5 r3 ]- W
3.没有libxml2
, z( r$ C+ I$ w o, q9 e0 J9 O$ h" P$ h- {' ^# H8 \
) l# m4 a2 I; L& e
configure: *** xml library not found." ^+ [9 w, Q1 W, ] _4 \' E& ?
configure: error: libxml2 is required8 j1 A. t5 }( N5 P8 y# n9 o
解决方法:
6 t$ o, n( Q+ e: R$ w; ?0 G; s, f9 K0 e5 o o' d6 J# g
yum install libxml2 libxml2-devel
3 `; ~; z* ^8 {2 B: m. k2 e( g4.执行 /opt/tengine/sbin/nginx -m 时有警告+ x* g1 M8 O, d# U$ ^
3 p% P" C* _( s1 `1 F/ q5 ]Tengine version: Tengine/2.1.0 (nginx/1.6.2)1 ~* m( D' v- D8 R
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!5 V9 @9 |+ `" t6 ~& V: i6 O9 `
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log0 c T1 f* A7 w
8 z% Z- Q9 a4 {: S% _
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
5 O9 w. P5 L0 K; c# a& ?" P0 i2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"+ @$ w* i) ?" n7 L+ H w+ u
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
# W* ~) i5 { S3 e1 @5 V2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"! x) T5 x3 M4 g6 L
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"' Y! N* J) P# W- Z, T
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.9 ?$ d& L6 U; R9 e8 t
解决方法,移除低版本的APR (1.3.9)1 E+ y E K2 Q' }3 o
2 ^' J8 e o, J: h4 gyum remove apr# W4 r/ x9 {$ M; _8 L1 y
5.Error.log中有: Audit log: Failed to lock global mutex5 V, l8 B5 {" X7 b: U
6 [: U7 c' ?+ G4 D% k2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock ' x5 A" i2 L, V, V0 |8 p1 I# t: B
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]7 y' R( H' t, y2 b2 `
解决方法:( m4 {, G5 e3 N
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:( a6 S% n' I Z0 j! Q$ B" L
% }+ h8 n7 z ^6 h# I, ~
SecAuditLogDirMode 0777, c _* B! @7 S9 g$ V$ R. E
SecAuditLogFileMode 0550! O, h3 u# i6 c& I/ ?! J, G
SecAuditLogStorageDir /var/log/modsecurity
6 f T, B1 j; L6 I [& L5 l2 |SecAuditLogType Concurrent" s, S1 J/ d! d. S
参考文章:6 {+ ]+ b$ y- M$ z8 b9 ]
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
+ i2 L5 j7 L* X, phttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡