ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS, and combined with the flexibility and efficiency of nginx it can be turned into a production-grade WAF, a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, extract it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rule set provided by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course also write custom rules to cover your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several rule directories, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include for each rule file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of any virtual host that should have ModSecurity enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;
    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Load balancing with an upstream:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;
    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # must refer to the upstream group defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so malicious requests are answered with a 403 directly. Taking the PHP environment as an example, create phpinfo.php with the following content:

<?php
    phpinfo();
?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
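The three browser checks above can be turned into a repeatable verification that the WAF is enforcing, so a rule or config regression is noticed instead of silently passing traffic. This is an added example, not code from the original post; it assumes the site is reachable at the base URL given and that benign traffic answers 200.

```python
import urllib.error
import urllib.parse
import urllib.request

# The three requests from the test section, with the status each should get
# once the CRS SQL injection and XSS rules are included and SecRuleEngine is On.
CASES = [
    ("benign query", {"id": "1"}, 200),
    ("SQL injection probe", {"id": "1 and 1=1"}, 403),
    ("XSS probe", {"search": "<script>alert('xss');</script>"}, 403),
]

def http_status(url):
    """Return the HTTP status of a GET; a 4xx/5xx is a result here, not an exception."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_cases(base_url, fetch=http_status):
    """Send every case to base_url and record (name, url, got, expected, ok).

    `fetch` is injectable so the checker itself can be tested without a server."""
    results = []
    for name, params, expected in CASES:
        url = base_url + "?" + urllib.parse.urlencode(params)
        got = fetch(url)
        results.append((name, url, got, expected, got == expected))
    return results

def waf_is_enforcing(results):
    """True only if benign traffic passes and both probes are blocked."""
    return all(ok for *_, ok in results)

if __name__ == "__main__":
    # Base URL is the one used in the post; replace it with your own host.
    for name, url, got, expected, ok in run_cases("http://www.52os.net/phpinfo.php"):
        print(f"{'PASS' if ok else 'FAIL'} {name}: {got} (expected {expected}) {url}")
```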
VII. Troubleshooting the installation

1. Missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel
2. pcre missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr
5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
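Both of the last two problems only show up in error.log, so it is worth parsing the ModSecurity lines there rather than eyeballing them: the header fields, the `[key "value"]` pairs, and the compiled-vs-loaded library versions. This is an added example, not code from the post; the sample log is constructed from the line formats shown above and the "leading version token" comparison is a heuristic of this example.

```python
import re

# Constructed sample of the error.log lines shown in the troubleshooting section.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# nginx error.log header: "<date> <time> [level] <pid>#<tid>: [client <addr>] <message>"
HEAD_RE = re.compile(r'^(\S+ \S+) \[(\w+)\] (\d+)#\d+: (?:\[client ([^\]]+)\] )?(.*)$')
# ModSecurity appends context as [key "value"] pairs; the value may be empty.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
VERSION_RE = re.compile(r'(\w+) compiled version="([^"]*)"; loaded version="([^"]*)"')

def parse_line(line):
    """Split one error.log line into its header and ModSecurity [key "value"] fields."""
    m = HEAD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, level, pid, client, msg = m.groups()
    return {"time": ts, "level": level, "pid": int(pid), "client": client,
            "message": msg, "fields": dict(FIELD_RE.findall(msg))}

def find_issues(log_text):
    """Return (issue, detail) pairs for the two problems the troubleshooting section covers."""
    issues = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None or "ModSecurity" not in e["message"]:
            continue
        v = VERSION_RE.search(e["message"])
        if v:
            lib, compiled, loaded = v.groups()
            # PCRE reports "7.8 " vs "7.8 2008-09-05": compare the leading version token only
            if compiled.split()[0] != loaded.split()[0]:
                issues.append(("library mismatch",
                               f"{lib}: compiled {compiled.strip()} vs loaded {loaded.strip()}"))
        if "Failed to lock global mutex" in e["message"]:
            issues.append(("audit log mutex",
                           f"client {e['client']} uri {e['fields'].get('uri')}"))
    return issues

if __name__ == "__main__":
    for issue, detail in find_issues(SAMPLE_LOG):
        print(f"{issue}: {detail}")
```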
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614