ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, it is added to nginx with "--add-module" when nginx is configured:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is about filtering and blocking web threats, and its power lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can of course write your own rules for any further needs.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory to nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by pulling them into modsecurity.conf with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
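The directives that matter when the CRS is switched on, as an added example that is neither this page's configuration nor the modsecurity.conf-recommended file that ships with ModSecurity 2.8.0. Paths follow the layout above; the rule ids 1000001 and 1000002, the /healthz path, the /wp-admin/ prefix and the content parameter are assumptions for illustration, and <rule-id-from-error-log> is a placeholder to be filled from your own log:

```apacheconf
# Added example modsecurity.conf for /opt/tengine/conf (not the file shipped
# with ModSecurity 2.8.0). Comments must sit on their own line: the standalone
# module uses the Apache config parser, which does not accept trailing comments.

# DetectionOnly logs every match but blocks nothing. Leave it there until
# error.log shows no hits on legitimate traffic, then change it to On.
# Note: with DetectionOnly the test requests further down return 200, not 403.
SecRuleEngine DetectionOnly

# Without body access only the query string is inspected; POSTed forms pass untouched.
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecResponseBodyAccess Off

# The DoS / brute-force rules keep per-client state here; the directory must be
# writable by the nginx worker user.
SecTmpDir /tmp/
SecDataDir /tmp/
SecUnicodeMapFile unicode.mapping 20127

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf

# Custom rule (assumed id 1000001): do not run the engine for the load
# balancer's health check, which never carries user input.
SecRule REQUEST_URI "@streq /healthz" "id:1000001,phase:1,pass,nolog,ctl:ruleEngine=Off"

# False-positive exclusion (assumed id 1000002): keep the CRS rule but stop it
# inspecting one parameter on one path, instead of removing a whole rule file.
# Take the rule id from the [id "..."] field of the error.log line that
# reported the match.
SecRule REQUEST_URI "@beginsWith /wp-admin/" "id:1000002,phase:1,pass,nolog,ctl:ruleRemoveTargetById=<rule-id-from-error-log>;ARGS:content"
```

Starting in DetectionOnly mode means the matches are written to error.log while nothing is blocked yet, which is how you find which CRS rules trip on the application's own forms. The ctl:ruleRemoveTargetById form then leaves the rule active for every other parameter and path, which is safer than deleting an Include because one editor field trips it.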
5. Configure nginx

In the location block of every host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Load balancing with an upstream:

# the upstream name must be the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We enabled the XSS and SQL injection filters, so a malformed request is answered with 403 straight away. Taking the PHP environment as the example, create phpinfo.php with the content:

<?php
    phpinfo();
?>

Open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

So SQL injection and XSS are being filtered.
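The three browser checks above, scripted so they can be re-run after every rule change: an added example that is not part of the original post. It assumes the phpinfo.php virtual host from section 5 is reachable at the URL given as the first argument and uses the same three query strings; the CURL variable is a hook of this script (not a curl feature) so the comparison logic can be exercised without a live server.

```sh
#!/bin/sh
# Added example, not from the original post: replay the three test requests
# with curl and compare the HTTP status codes with what a blocking WAF must
# return. Assumes the phpinfo.php vhost above is reachable at the given URL.
CURL=${CURL:-curl}

# status_of BASE QUERY -> prints the HTTP status code only.
# -G with --data-urlencode encodes the space in "1 and 1=1" as a browser would.
status_of() {
    "$CURL" -s -o /dev/null -w '%{http_code}' -G --data-urlencode "$2" "$1"
}

# run_waf_checks BASE -> exit status 0 if every probe got the expected code.
# The benign request must still pass (200); only the two attack-shaped
# requests from the test above may be blocked (403).
run_waf_checks() {
    base=$1
    fails=0
    set -- \
        "200|id=1" \
        "403|id=1 and 1=1" \
        "403|search=<script>alert('xss');</script>"
    for probe in "$@"; do
        want=${probe%%|*}
        query=${probe#*|}
        got=$(status_of "$base" "$query")
        if [ "$got" = "$want" ]; then
            printf 'ok   %s  %s\n' "$want" "$query"
        else
            printf 'FAIL want %s got %s  %s\n' "$want" "$got" "$query"
            fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ]
}

# Usage: ./waf_check.sh http://www.52os.net/phpinfo.php
if [ $# -gt 0 ]; then
    run_waf_checks "$1"
fi
```

A non-zero exit means either a rule stopped firing (a 200 where a 403 was expected, for instance after SecRuleEngine was left on DetectionOnly) or the WAF started blocking the benign request, so the script doubles as a regression check for rule tuning.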
7. Troubleshooting the installation

1) Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2) pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3) libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4) Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log records the same mismatch:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr
5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
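The same fix with tighter modes, as an added example that is not from the original post. Concurrent mode writes one file per transaction instead of appending to a single log under a lock, and those files are created by the nginx worker, not by root; so the worker only needs to own the storage directory, and SecAuditLogDirMode 0777 (world-writable) can be replaced by 0750. Audit files contain full requests, so 0640 keeps them readable by the worker and its group only. The script assumes the worker user is nobody (nginx's default when no user directive is set) and the /var/log/modsecurity path used above:

```sh
#!/bin/sh
# Added example, not part of the original post: create the concurrent audit
# log directory with owner-only permissions and write the matching snippet.
# Assumes the nginx worker user is "nobody" and the paths used on this page.

# prepare_audit_log DIR USER CONF
#   DIR  - SecAuditLogStorageDir, e.g. /var/log/modsecurity
#   USER - nginx worker user; it creates the per-request files, so it owns DIR
#   CONF - file to write; Include it from modsecurity.conf in place of the
#          default SecAuditLogType/SecAuditLog lines
prepare_audit_log() {
    dir=$1
    user=$2
    conf=$3

    # 0750 is enough: the worker owns the tree, nobody else needs to write.
    mkdir -p "$dir" &&
    chown "$user" "$dir" &&
    chmod 0750 "$dir" || return 1

    # ModSecurity applies the two *Mode values to the day/transaction
    # directories and files it creates under the storage dir.
    cat > "$conf" <<EOF
# only transactions flagged by a rule (or a 4xx/5xx status) are recorded;
# "On" would write every request and fill the disk quickly
SecAuditEngine RelevantOnly
SecAuditLogType Concurrent
SecAuditLogStorageDir $dir
SecAuditLogDirMode 0750
SecAuditLogFileMode 0640
EOF
}

# audit_dir_mode DIR -> prints the permission string of DIR, e.g. drwxr-x---
audit_dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage (as root): ./audit_log.sh /var/log/modsecurity nobody /opt/tengine/conf/modsec_audit.conf
if [ $# -eq 3 ]; then
    prepare_audit_log "$1" "$2" "$3"
fi
```

After reloading nginx, re-run a request that a rule blocks and confirm a new file appears under the storage directory owned by the worker user; if it does not, the worker is running as a different user than the one given to chown, which is the first thing to check before loosening the modes again.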
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614