ModSecurity was originally an open-source WAF for Apache, and it adds a substantial layer of protection to a web stack. It now supports Nginx and IIS as well; combined with Nginx's flexibility and efficiency it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at configure time with "--add-module" (the path is the nginx/modsecurity directory inside the ModSecurity source tree):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and thorough, and you can of course also write your own rules for requirements they do not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs rule matches without blocking; it is worth leaving it that way while the rule set is tuned against real traffic, and switching to On only once the false positives are known.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include for each file to modsecurity.conf; the setup file defines the variables the rule files use, so it must be included first:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host that should be protected, add these two lines (modsecurity.conf being the file placed in nginx's conf directory above):

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

(nginx variable names are case-sensitive: $document_root, not $Document_root, otherwise SCRIPT_FILENAME is passed to PHP-FPM without the path prefix.)
An upstream load balancer (the upstream name must match the one used in proxy_pass; here both are "online"):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so requests that trip them get a 403 straight back. Taking the PHP environment as the example, create phpinfo.php containing:

<?php
phpinfo();
?>

Open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. Each 403 also leaves a ModSecurity line in nginx's error.log naming the rule id and message that matched, which is the place to look when a legitimate request gets blocked. Delete phpinfo.php once you are done; it exposes the PHP build and environment to anyone who can reach it.
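The three browser checks above are worth scripting so they can be repeated after every rule change. The following is an added example, not code from the original post or from ModSecurity: it builds the same three requests, percent-encodes the payloads (a browser does this silently; the raw space and "<" in the URLs above are rejected by many clients), and treats the 403 as an expected result rather than as a request failure. The host name www.52os.net and the /phpinfo.php path are the post's; pass a different base URL as the first argument.

```python
"""WAF smoke test for the ModSecurity + Tengine setup described in the post.

Added example, not code from the original post. The expected status codes
are the ones the post reports for its three test URLs.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# (label, query parameters, expected HTTP status): the three checks from the post
CASES = [
    ("benign numeric id", {"id": "1"}, 200),
    ("SQL tautology in id", {"id": "1 and 1=1"}, 403),
    ("script tag in search", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base, path, params):
    """Percent-encode the payload so the request line is well formed; the
    WAF decodes it again before the rules run, so the rule still matches."""
    return base.rstrip("/") + path + "?" + urllib.parse.urlencode(params)


def http_status(url, timeout=5):
    """Return the HTTP status of a GET. urllib raises on 4xx/5xx, so the 403
    ModSecurity sends arrives as HTTPError and has to be unpacked, not treated
    as a transport failure."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_smoke_tests(base, path="/phpinfo.php", fetch=http_status):
    """Run every case and record expected vs. observed status.
    `fetch` is injectable so the logic can be exercised without a live server."""
    results = []
    for label, params, expected in CASES:
        url = build_url(base, path, params)
        got = fetch(url)
        results.append({"label": label, "url": url, "expected": expected,
                        "got": got, "ok": got == expected})
    return results


def all_ok(results):
    return all(r["ok"] for r in results)


if __name__ == "__main__":
    base_url = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net"
    outcome = run_smoke_tests(base_url)
    for r in outcome:
        print("%s %-22s expected %d got %d  %s" % (
            "PASS" if r["ok"] else "FAIL", r["label"], r["expected"], r["got"], r["url"]))
    sys.exit(0 if all_ok(outcome) else 1)
```

Run it as `python3 waf_smoke.py http://www.52os.net`. A non-zero exit means at least one request did not get the status the post expects; the usual causes are a rule file that was not Included or SecRuleEngine still set to DetectionOnly, in which case the payloads are logged but answered with 200.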
VII. Troubleshooting the installation

1. Missing APXS makes configure fail

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script uses it to locate the Apache headers it builds against, even for the standalone module.

Solution:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against is not the one loaded at runtime. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr

Check the transaction yum proposes before confirming: packages that depend on the system apr, such as httpd-devel and apr-devel, are removed with it.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following. It switches to the concurrent audit log, which writes one file per transaction under the storage directory instead of serializing every worker through a single log file guarded by the mutex:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 makes the audit directories world-writable. On a host that other users can log in to, it is safer to create /var/log/modsecurity owned by the user the nginx workers run as and use a directory mode such as 0750.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614