Using nginx with ModSecurity to implement a WAF

[复制链接]
Posted on 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been compiled, the ModSecurity module can be added when nginx is compiled via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet any other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

There are many folders holding rules under owasp-modsecurity-crs, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules in them as needed: each rule file you want enabled is simply pulled in with Include.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines under the location block of any host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root  /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests get a 403 straight back. Taking a PHP environment as an example, create a new phpinfo.php with the content:

<?php
    phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting during installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Solution:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m gives a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the lower-version APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
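As an added example (not code from the original post or from the ModSecurity project), a small Python parser for the nginx error.log lines ModSecurity writes, in the shape quoted in sections VI and VII: it extracts the compiled/loaded library versions and flags the APR mismatch from VII.4, and pulls the bracketed fields out of warn/error lines so the 403 blocks from section VI can be listed per client and URI. The log sample is constructed; the "Access denied" line and its field values are made up for illustration.

```python
import re
# Constructed sample error.log excerpt modelled on sections VI and VII (the "Access denied" line is made up).
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:03 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "1=1" at ARGS:id. [file "owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED00000000000001"]
"""

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?P<msg>.*)$')  # nginx error.log shape
VERSION_RE = re.compile(r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
                        r'(?:; loaded\s+version="(?P<loaded>[^"]*)")?')  # startup notices
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')  # trailing [key "value"] fields
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')

def library_versions(log_text):
    """Map library name -> (compiled, loaded); loaded is None when the notice omits it."""
    versions = {}
    for m in VERSION_RE.finditer(log_text):
        versions[m['lib']] = (m['compiled'].strip(), m['loaded'].strip() if m['loaded'] else None)
    return versions

def version_mismatches(log_text):
    """Libraries whose loaded version differs from the compiled one (APR in VII.4); only the first token
    is compared, so PCRE "7.8" vs "7.8 2008-09-05" is not flagged, matching what ModSecurity warns about."""
    return [lib for lib, (compiled, loaded) in library_versions(log_text).items()
            if loaded is not None and compiled.split()[:1] != loaded.split()[:1]]

def modsec_events(log_text, levels=('warn', 'error')):
    """Parse ModSecurity warn/error lines into dicts: time, level, client, text, plus each bracketed field."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['level'] not in levels or 'ModSecurity: ' not in m['msg']:
            continue
        body = m['msg'].split('ModSecurity: ', 1)[1]
        client = CLIENT_RE.search(m['msg'])
        event = {'time': m['ts'], 'level': m['level'], 'text': FIELD_RE.sub('', body).strip(),
                 'client': client.group(1) if client else None}
        event.update(FIELD_RE.findall(body))  # (key, val) pairs become dict entries, e.g. event['uri']
        events.append(event)
    return events

def denied_requests(log_text):
    """(client, uri, rule msg) for every request the WAF blocked with a 403, as in section VI."""
    return [(e['client'], e.get('uri'), e.get('msg')) for e in modsec_events(log_text)
            if e['text'].startswith('Access denied')]
```

Point it at the real error.log (for example `modsec_events(open('/opt/tengine/logs/error.log').read())`) to get the same dicts for a running instance.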
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614