|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
. F. g' U* x' [# Z7 b' C
$ o- @2 Q+ W) L; ]一.准备工作
7 \; [+ K) v1 R/ ?: v
# ?7 l7 e) v) c1 z+ O系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
) L% w3 L6 S/ r( j0 ^9 A7 K2 F, j
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
2 m q) {0 E4 D. N. o7 q4 I$ z, v, U& X
/ e, r+ M8 r( q6 `; D2 [- C* Pmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
6 a# x* M+ `& P- F- ?" D% P# C" X+ W# ~0 w2 p2 ^7 w
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs ]9 j! `% x! T; Y& Z
P* S8 Z- R' F3 r2 D' h' A! B依赖关系:
$ q" T. s. g) d1 j7 S$ etengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:7 v: W* ^& A- Z, T
* `# N; N: Y) v [: x4 _yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
9 ]5 L2 V1 p7 Omodsecurty依赖的包:pcre httpd-devel libxml2 apr
) m. `( ^8 W7 n, U U1 J$ q
/ n8 z! n- h* A3 }, }+ b6 j4 fyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel1 w- L. |" i+ N
二.启用standalone模块并编译
8 U* [+ }" T7 Y8 W
- } S; j4 P" L9 @1 N& e下载modsecurity for nginx 解压,进入解压后目录执行:+ h/ F' d& ^+ }0 I, ?0 }$ i
( e+ b- E( I+ v1 k0 a./autogen.sh! b5 `2 u. R& I }. v5 w9 N1 E
./configure --enable-standalone-module --disable-mlogc
6 G8 {0 ?' V* \; {make / E+ ?# ?: F! M& X& l& ^5 ?( Q# P/ {9 }
三.nginx添加modsecurity模块! h; }: |0 t: u' h* W" D+ t
, ]2 w- i, P1 a2 C5 [
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:" i% M5 ~7 n) b: J$ `0 r% I' [
& s) z! ?& I; ?, d3 q2 ]' q2 O, K: d./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
0 u9 j9 T& \( Smake && make install$ ]1 B4 l/ G% t' ]7 _3 p
四.添加规则2 v# ^ T1 C) w! ?: T3 l4 z
! L5 I* L- @9 d/ O/ L9 \
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。# z" g! `3 k7 s7 R) Y
: j# _9 Y7 X( X/ d% Q U C; H/ E1.下载OWASP规则:
' V [# ?6 h- S2 K
5 A; N t8 E5 e5 q; @$ D! o( }git clone https://github.com/SpiderLabs/owasp-modsecurity-crs- P* Z2 C0 }0 ^- Y
5 b) L0 ^6 G8 {. b1 S% }mv owasp-modsecurity-crs /opt/tengine/conf/8 ~. N5 O' V6 E Y, ?( i' v
) s( S1 j c4 E, p' n/ K
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
, S; m7 L$ c( x, c2 A" D) L2.启用OWASP规则:
& l4 u* S/ J/ e+ ^, G' @) e- h8 b" \) a3 f1 B2 w/ i
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。, Y/ k ~9 v8 ^$ P) Y
( V4 e/ \$ S1 K$ b, r, F) s
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on! }3 ^. u3 K, M: N
0 J% R; ?$ Z$ B, V8 howasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。4 N2 Q0 @' I: o: ~" M
9 k8 T1 V+ n, P+ c1 a$ }6 K) V) uInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
0 ~( D8 _! t f+ s9 D& KInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
; i$ ]/ x% o& h% m3 y. SInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
+ x1 P/ {! W* H: y$ H$ b: h8 ^" \! S$ jInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf0 v. P! k5 f5 O4 |- g
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf) g9 R) c6 A( z) n, M5 F- q
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
$ f F X" E4 H: c) ?Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf3 X9 C% }* g; F
五.配置nginx3 P0 M% W- Q+ _+ Y% [3 s# D
) G$ S$ r; P, s, \/ g- X
在需要启用modsecurity的主机的location下面加入下面两行即可:
: t+ G" Q; R/ A- b L5 M! a# c; N8 B( T. y3 h+ J; Y. d
ModSecurityEnabled on;
, A0 ~$ B& S5 L4 ~ c4 d) SModSecurityConfig modsecurity.conf;
. ]* g" G; K: F! M下面是两个示例配置,php虚拟主机:2 K" q' X& L8 @3 H
: e/ J6 s5 S+ _0 v2 Xserver {
* l; f" ?+ W, i- `" R, k$ s6 ` listen 80;- Z% ]' n# {; d l! |
server_name 52os.net www.52os.net;
3 H2 I& D' {1 t! N. x1 T6 Q
$ `6 \' S/ R8 t1 |" D location ~ \.php$ {
! m1 W4 h! R% P% M: L# A, j0 ] ModSecurityEnabled on;
3 g5 B: B3 V/ E ModSecurityConfig modsecurity.conf;
* R, M# U( {' H0 b% N2 i' R- @* Z Q
root /web/wordpress;
E$ b, Y- v. s" j, ? index index.php index.html index.htm;
( Z- W5 h0 h |4 S9 @1 {; G5 k
, Z0 k \0 z1 I6 t$ _2 A$ c7 f fastcgi_pass 127.0.0.1:9000;1 v5 E3 Z; a+ {. ]+ ~
fastcgi_index index.php;4 b5 n7 ?; W6 d. I9 V# V
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
+ O) s9 m7 M8 c. W0 R include fastcgi_params;
' M' I2 S n) t: x }8 E b. U' ^' V
}- V% {! k" A3 u8 W7 I7 c4 M" m2 Q
upstream负载均衡:3 g" ]2 Q, W. P
p8 H0 X, F3 R: h( nupstream 52os.net {. ^2 ?( |: A! v' V
server 192.168.1.100:8080;; l- N* n& K; c3 U1 }" d: m% ]
server 192.168.1.101:8080 backup;/ S/ H& d" ?0 N9 M& c+ E7 y/ r
}
. w: ~ y8 u: i9 S8 t8 ` ], D o! L
. n0 f. W6 R# _% B; oserver {
! J) D/ F, v4 D/ O7 B$ Wlisten 80;7 X% O$ s! m, h C& N/ v5 u
server_name 52os.net www.52os.net;
) L# A. E) f) \7 j% V* K
) }7 u/ W- i' L4 l3 x5 vlocation / {: y; `$ }3 Y$ y: B- Y' ^
ModSecurityEnabled on; # o3 b9 u. ^* ^% i% g* s
ModSecurityConfig modsecurity.conf; & R6 I# y8 k4 Q: ^/ f
) y4 Y- s) |5 d! `& B proxy_pass http://online;
( u; u# c% \8 N- H$ s' b$ [ proxy_redirect off;
9 |) r2 C( I3 R: d7 B* \& ?* F( N4 ~ proxy_set_header Host $host;+ r! m0 }% b0 ]* q9 d u
proxy_set_header X-Real-IP $remote_addr;4 ~8 {, q" w; P& N z" q
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# U2 ~* r' f$ k+ J( G8 B. a1 B }4 C6 v" j$ L, [8 s7 J
}: [( W) }( s( q/ E T3 k H6 t4 c
六.测试
+ B1 d+ c+ \) h
/ G r: H' d5 b) q我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
: W9 \+ `, d* a, O* [
% ~9 z% X& j# y9 p1 e0 y1 @<?php, I+ g* z/ V/ c+ q# `4 Z) Z
phpinfo();
# {3 H6 y7 G, t?>
8 K$ {" q- k& I* O+ u在浏览器中访问:
2 e* r. |% i8 W: d2 e4 U5 p1 E1 [ v* ~
http://www.52os.net/phpinfo.php?id=1 正常显示。
. P" f6 k2 x+ o% N. xhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
* P% U/ }5 ?8 Whttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。$ n* i$ U2 r+ n2 L
说明sql注入和xss已经被过滤了3 Q5 W# {% o6 H4 P
9 \1 f9 ?# t/ H: Y8 G. u
七、安装过程中排错
4 R$ N7 e4 ~: a+ _# }
0 Z& x% Z/ f' J% v9 R9 e( k* `1.缺少APXS会报错 j7 Z% G9 J+ B5 h
$ n5 z% M1 ?* k; {! I1 I: {' gconfigure: looking for Apache module support via DSO through APXS
" Z6 L6 B7 n: `8 |' Cconfigure: error: couldn't find APXS& t! k/ s5 _! ]6 k
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。/ S' `8 b6 f T& l
解决方法:9 Z, d& U, f6 y6 V# ^
) X+ i7 M0 B" U3 c1 |' t
yum install httpd-devel T+ z1 R5 g ^% d% D" M3 U
2.没有pcre
7 z# y+ h' W4 }4 H, c }5 c# m2 w+ z+ T/ S$ ~5 Q
configure: *** pcre library not found." s: b, P% ?' n
configure: error: pcre library is required# D2 D3 O: S4 \/ u
解决方法:3 d& }+ N Y" j. |
: y) w/ w- W Z: u- X0 S; z+ L
yum install pcre pcre-devel4 T+ b6 `$ C4 \9 M$ v* ]9 ^; R" j. K
3.没有libxml2& U0 K. t; ]2 t9 X v$ A9 v
! C0 {, J# S2 y7 J" b0 l
" q9 M0 s: d/ N7 `8 a
configure: *** xml library not found.
9 y" [0 x# i! w- ~) Yconfigure: error: libxml2 is required
, \3 |# Q8 K. ~+ i) {解决方法:
' O* |7 t9 [- \, g, I/ @! N* B% d2 ?. C' i% V
yum install libxml2 libxml2-devel5 S ^" [, E# V3 @1 l
4.执行 /opt/tengine/sbin/nginx -m 时有警告
$ j3 N3 J' t# G5 E( ?' p: k9 p' h) L
Tengine version: Tengine/2.1.0 (nginx/1.6.2); M. x: K7 |% \ n
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
' ` J7 c' ^3 T1 H原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
1 @ B6 @( F5 t* u
: f& v- V+ G( g! [1 c2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
7 X* g* Z5 K/ [4 q: ]6 L2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
" ^/ t" n2 q" S0 [. m2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!: m' y/ H7 s( }7 V$ G8 V
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"0 J! ^) |& q6 D+ ?
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
, w" T& R! K2 M$ S/ C2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
0 i7 |, s7 B$ p, C3 p解决方法,移除低版本的APR (1.3.9)4 z' R9 t# g# @
1 H1 A& D6 A( d- r1 v" |1 ~yum remove apr
! q# n$ o. j, o1 b7 y. A" R; z5.Error.log中有: Audit log: Failed to lock global mutex( Q$ E9 j p/ X5 c9 A/ v( ?& E
* Q4 d* U; n' n: H1 I |4 j# ]& s5 K, z
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 4 Q1 t5 ?( }: |/ a7 |
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
! r& M/ x; [; j# L8 q, B1 ?" }5 o5 n; F6 R解决方法:
, D; _* d7 [2 { A! \编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
' Q0 }! b. m4 ^# k/ L' y* T$ X% M9 V7 J
SecAuditLogDirMode 0777+ s0 I# y$ {7 {3 P0 c. a
SecAuditLogFileMode 0550
1 b' T) Y# `, a! i, hSecAuditLogStorageDir /var/log/modsecurity
- H3 Q" ]/ ?/ |1 o, y* CSecAuditLogType Concurrent9 t6 T! P: @4 _# ^% Q' d9 l- {
参考文章:$ F1 \* h* {+ f
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX0 L6 ]0 s# H/ \' j5 }
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡