|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。, e+ `4 V1 v$ l/ b
# m( J& P" f8 l$ z& X6 F+ y
一.准备工作+ _& ^5 e& w4 x ^
1 I# F2 V( o, \7 z* A; f系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
: D, c; Q, {3 o+ v2 m3 y$ }3 j8 G, y4 `( b Q
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
! t" ^: \7 A; y7 w' N
. u' d- O2 S+ M( o( X- h# K L. J+ zmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz2 y' I5 W6 l+ Y, [
) `: y- c9 q+ p4 g- D7 KOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs5 b/ g- A4 Y. {; E) T9 L
% x8 P- ?' R; N$ x$ r4 N D. q依赖关系:% }7 C9 J- M" `1 @" x; @* l, R
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:: k) F$ V- Z6 Z0 p% W
2 k6 A& y A- ?2 Byum install zlib zlib-devel openssl openssl-devel pcre pcre-devel0 m( H1 n+ R; S, z! K2 ?) a
modsecurty依赖的包:pcre httpd-devel libxml2 apr1 u$ E+ j3 O6 f& {3 H
4 V7 x% R2 P9 ?: b7 m7 W( I; ^
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
$ W: c( ]. A- w+ D. i. U) q二.启用standalone模块并编译. p) h- h7 g4 R- e- c. T8 \
8 u3 F0 O- O7 N) Q9 m; p$ Y下载modsecurity for nginx 解压,进入解压后目录执行:- L. j8 Q: n9 ~7 p5 G5 X( g' r
9 c) O) b9 b0 I1 S2 r2 d) `
./autogen.sh
# W" |/ r, Z+ n' r./configure --enable-standalone-module --disable-mlogc! H# R' b7 @: t) p3 y+ B- V: s
make
1 x& i6 u2 T& E5 T% A, m# M三.nginx添加modsecurity模块
! ?/ C: F) s0 ?! i9 _2 ?7 A) S p
?7 I# v/ X3 U" _4 ^7 M" h# g在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
, C3 O% {4 y$ W: W! q. F" t& r
0 Y4 H0 o0 [( M! C- r2 w; ]./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine5 w7 O! ]7 `3 S
make && make install
$ Y \) o5 T# [四.添加规则
8 _% |# X. p% A+ G. A" x
, i0 P! t* j% I& j- \% H: @modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
g8 R( h6 }6 O. l/ M5 C! L" E
& D h7 y1 }. O1.下载OWASP规则:7 ^2 C2 v' Y4 {5 l3 l/ e: W3 ^' m
" b2 | E8 e9 G% S! L! U, O" agit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
4 A' k, P6 i T; ]
& |* W" x2 \+ G% x( |2 U" z8 dmv owasp-modsecurity-crs /opt/tengine/conf/" G6 f( Q& `( t. D9 y: b
5 m/ i- Q1 u$ Q& X; E2 F, S$ Scd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
: h) n+ m2 ~5 i% |2.启用OWASP规则:
% k0 r; u" [# W" ~2 p% U$ Q* P3 c9 A4 ~, D
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。& C* u7 R4 S0 j7 l: v9 s
2 X, X# T2 ~3 ]. u6 N
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on3 j$ z$ C5 B$ f5 u. ~4 z
9 l8 `% \, z3 a. xowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。( ^ p* d* D. Z; M5 [; }
- M' u: R4 g% |0 V4 ^" ]Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
9 }3 A' I: a& `# L$ RInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf+ R6 o# B+ s" K# M8 B2 h7 y( B
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf; \0 r+ J6 S. `6 j# S( H9 Y
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf) O# M' O2 W; e9 P! V. }4 p* h
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf5 k! |# Z' [- Y' R$ f2 |/ ]( @& j
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
3 _, r8 O7 G- MInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf3 @# D" J' N# m7 W ~2 H! y' ?: T& x
五.配置nginx
9 H3 X* B9 b1 O' l: ~
: e4 N8 _- @+ C% y- U+ x$ s在需要启用modsecurity的主机的location下面加入下面两行即可:
& B8 T2 t: S6 I0 }5 L) j/ g2 M4 k9 b& Y) \% `# }
ModSecurityEnabled on; 2 X' A- n) P! b8 s* R, k
ModSecurityConfig modsecurity.conf;
# h" c0 C @9 l' ?: |) y8 R& e下面是两个示例配置,php虚拟主机:0 C9 K+ F: L( z$ a4 E( O/ F
% f$ N6 E% K! g4 Z i" p# [ D; k
server {
1 C( P4 G/ M$ s; ~2 B, N4 o listen 80;( ?# r# j/ I2 B- G2 N# r$ g6 g
server_name 52os.net www.52os.net;
1 P" n, _$ h# Q; k 2 n+ b7 Y- t2 v7 ~
location ~ \.php$ {' ]! O+ C! p+ F7 O# M
ModSecurityEnabled on;
: m! ^( x1 y8 N ModSecurityConfig modsecurity.conf;
4 n0 B! ~- y5 \4 p0 U& l" K1 _5 j' k- ^2 l, r/ _# N' B. q
root /web/wordpress;, ^9 N7 h6 t$ e6 r* q: H7 Y
index index.php index.html index.htm;8 P4 K5 g2 O1 d4 h) c$ ?! \; U# h/ ~
/ K; d) @' }/ E( [/ |/ B
fastcgi_pass 127.0.0.1:9000;" v0 {3 T$ _% K2 c0 m- ?
fastcgi_index index.php;7 I `: J& ~% V! N0 H" j6 v
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
* V+ j; W& f1 |5 L- L include fastcgi_params;$ o( E8 Q6 o; g, B- \3 R
}
1 r' Q* t. A b }
7 Z! h" R) e! {upstream负载均衡:
! ?/ x! b/ E! |2 c3 C% \0 H" T; }9 F, b5 X o( q
upstream 52os.net {3 M. O }9 S( x: B6 }$ h! y+ n
server 192.168.1.100:8080;
3 M. `& {: t, m# I9 [8 d. C: | server 192.168.1.101:8080 backup;
9 J% `( j- z# i5 O* @}+ d4 ^: s/ d, q
K# e* F* ]/ e1 b5 Z/ X6 f
server {
. V5 r7 p/ z: }9 Zlisten 80;' C& x1 t2 D( l
server_name 52os.net www.52os.net;
6 Q: I ?% M5 _
7 n5 x" x Z& @: s7 ]location / {
+ f% A3 U0 Y( g( ~ ModSecurityEnabled on; * [4 |, p4 l! J( J5 T) Z
ModSecurityConfig modsecurity.conf; 5 X& _2 G9 M9 p+ Y$ h
0 ?0 d, ]0 M6 F$ N% x: l4 r7 {
proxy_pass http://online;
* q8 B l- V& U" S' L9 z2 \) k proxy_redirect off;& C; o- L3 M' k
proxy_set_header Host $host;0 T" x7 K" h5 K# s/ _
proxy_set_header X-Real-IP $remote_addr;
% c9 D0 e. Z9 f0 p- o f' D proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
0 ]) E% A7 w! A% h7 `( ~+ ^# v }
! N) f* ]; @# H/ g}1 P0 U8 h! V- C. {$ K k( B
六.测试
4 W; y: j" f/ r; C" s1 ]3 E' F+ P# [4 ?. p, y& x, B7 A# A4 ^) f% q
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
. W- G, q+ N) _3 B. o I6 Q- f& m; b" ~8 \! L
<?php. P/ f0 v0 S9 Q$ `# Q _+ q' d% M
phpinfo();
& \1 t: L* ?# ^* w& X?>3 e3 W( ]" P: b" `- k G
在浏览器中访问:
5 p. Y# y- g( I
2 |3 q2 x, |( u6 F: Q9 d1 H: N8 yhttp://www.52os.net/phpinfo.php?id=1 正常显示。. f3 ~$ ?# H3 q4 ]0 E7 O& \
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
; n+ B9 V Y4 L7 o: E* o% ~4 l ihttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
- f0 n2 A {* t说明sql注入和xss已经被过滤了
' L3 D- x: o( Z: ]
1 s& e2 n9 h1 K v, m' z: o七、安装过程中排错
6 j# d! o; ]* d: b
: z! G* e" M- c8 \1.缺少APXS会报错
+ K) c1 e! [3 t2 L: v* U
7 p0 d2 `$ n2 [' n- _% Yconfigure: looking for Apache module support via DSO through APXS
: n& C( ?' J4 K& Y0 `# Aconfigure: error: couldn't find APXS) u k4 ~ w9 c, E
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。# L1 x% @+ ^0 y
解决方法:
" N' {$ Y) M- G m4 A
7 ~0 F2 t$ ^$ [7 b7 T5 o: syum install httpd-devel: E! C) r( g2 e9 [& P9 x
2.没有pcre2 M5 E- M; A% @' l: V# n0 ~' @
. w6 |, J8 G( A& k2 g. V( C8 U
configure: *** pcre library not found.
4 P! y# L8 i$ S" W0 _. t7 a: e* l% Lconfigure: error: pcre library is required
+ B( h7 A/ G$ {1 W) x5 H解决方法:
' Q* Q. ^1 E2 u+ H3 b- ?! @* d/ i6 U& V7 t- J& o
yum install pcre pcre-devel. z( `3 M( ~( T4 L. r0 }# E; M, S
3.没有libxml2! B4 u- v# _5 m$ ]0 p; L7 b
8 j" A/ x9 @ V3 ^, u) u
/ _! T7 w4 [" G2 }+ r8 S8 S8 Gconfigure: *** xml library not found.
9 Z# B1 W- d8 X% G+ Sconfigure: error: libxml2 is required
8 M u/ ~7 h, _ U. X' j. N- m解决方法:
' `6 `1 B1 y) L# H3 g: G, S6 g+ t: `$ I4 D' D T
yum install libxml2 libxml2-devel, A' W, i# H9 M' I! c, `* s
4.执行 /opt/tengine/sbin/nginx -m 时有警告
5 z( a+ ]$ y8 |0 z5 n/ `- R# }: }6 v' l- d. k- u: _, h
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
$ D0 f4 _4 T* U# J3 d. Pnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
. n! ^( e: x$ G0 Z, o原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log e2 {. P0 P3 ?1 @$ C0 S
! M: j, j# Z D' z% D8 ]! I2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.9 W" l, \3 h6 n5 S
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
4 I' O. A8 v) W' X E* ?" W$ G, l2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
: P9 f/ U7 ?. [- v% }4 I* t( _2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
% o, I, c, ^- m* d6 ]! p+ }2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
# t/ f0 _* Y7 N/ T/ x0 Q2 m2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
3 B: `2 Y/ M# B8 s+ A解决方法,移除低版本的APR (1.3.9)
% j/ _2 V1 v5 b- F& j: e
5 Q. Z# s" Q8 D1 n' ]: @yum remove apr
) K" E0 o1 V) b2 q; i5.Error.log中有: Audit log: Failed to lock global mutex }' s+ B' Y6 ?$ c
8 K0 r" z, j4 s, u2 n2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
4 m7 c3 x" m& J2 ]4 Wglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]- `% e: v% v7 Q7 I4 t
解决方法:& z- Q+ d/ P( L' K! q( e7 c
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
- F: A$ T: R& l8 N! S3 v
* ^& e) K- h: H9 XSecAuditLogDirMode 0777
, z5 t) O. p8 V( N2 v; O3 @9 e9 SSecAuditLogFileMode 0550" ~- F6 Y: B# @% H/ ?+ f
SecAuditLogStorageDir /var/log/modsecurity
3 J8 R. J+ R6 n+ R# nSecAuditLogType Concurrent
6 p- G' ?( y5 h5 D7 b/ S4 r参考文章:
, t, P8 Y* S5 A% Z r1 w3 whttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX" {; b1 Y( n v7 j# D+ z I! L
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡