|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
" a' N/ ]* f6 ~$ [0 z
! y! Z" [& f' I; P* @9 Z; q8 Q一.准备工作
4 m. z# |8 [. l0 p) F2 t
0 b' [/ `2 M2 y5 e5 g系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.09 [( A: @2 s, o0 v) f
6 E* O9 w2 {0 X7 P( d# ]
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
9 { q- O% W$ O( Y
+ W$ T! k) }5 r: y* C4 nmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
R8 K; ]- V2 }. h& k
- E6 L* n' ]2 EOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs+ b/ a+ i/ @& A1 T" P* e' D
, f |& x3 i" y( V$ I依赖关系:8 K6 }8 u% K) ^; c$ n
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
- P5 B' ~- y- s3 l( N6 c% Y7 [: L" D( J. B6 t. e9 ^+ w
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
) }' N @* ^% E! zmodsecurty依赖的包:pcre httpd-devel libxml2 apr0 q$ P* D' c- H: @8 s+ j% \3 U3 l
( i$ z1 W O$ ~& ~3 ~8 ?2 Q( H
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel( |9 ]# c: N. W% ]: ~
二.启用standalone模块并编译6 g0 M) c: z( D) D5 p/ y8 Q& t
r1 a M$ l/ N( g
下载modsecurity for nginx 解压,进入解压后目录执行:
. I/ _% E4 ^2 x7 a( m. Z6 q! f/ S2 j0 g
./autogen.sh v/ T. ^8 s2 E: d
./configure --enable-standalone-module --disable-mlogc+ E( r6 t2 k% K* @
make
% {0 z" _% ]; Q8 z三.nginx添加modsecurity模块
6 }" N) m {0 Y& A. g$ ` ?5 I- ^5 q6 I
9 R* g# a* \6 O2 q b在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:7 _3 f! c2 D$ Q2 Y. ]
0 {, w. R2 w; R4 P./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine& |& `% K# F+ B* F7 }+ g
make && make install4 V) p( _1 S8 B" A& U# T
四.添加规则0 v! ] {$ W$ _; x$ j
& h' g; }, B3 F! |3 F
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。. d$ ^: R, P2 i* k# Q( L
! s6 ^0 v( M/ S$ {
1.下载OWASP规则:
0 n d% l$ L, _# _/ r- P. d) V: u1 V& @; _: ]
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
5 m. i3 ^3 C8 L( [& f- D
- c3 p' [, Q7 r5 omv owasp-modsecurity-crs /opt/tengine/conf/
2 U; K. ^2 `5 \( {4 `: \7 e5 _
( [/ @2 C; x! d0 ]- O& Gcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
: L! \, j: B5 C1 G0 ~2.启用OWASP规则:7 g7 ~- y1 _! J
8 g7 y6 @7 J1 E- i3 P: u复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。" M7 S- q# i/ O, ^, ^3 b! h& ~, n- n. s
( E6 M* a2 W: x- F* P2 Z
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
, b9 u" U( D1 [
1 C7 Z% t" m1 N4 fowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。+ H& U. g. z; Q) a5 @+ n
' @4 w/ B9 D7 W8 `# ^% I8 L
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
, o4 g" B0 R/ b, s/ V6 \" ^Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf0 m. A, L. ?9 `- K
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf* @( K. P) h; d8 n. x
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf+ @9 a0 j$ J8 t1 N6 S0 h4 l$ s
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf7 V1 ]# }% i4 V a8 I
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
: K& R4 \( j3 H- |2 h) eInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf2 T+ n f' S2 W. y7 q8 T
五.配置nginx3 ?. n$ _7 I& I x( T
) d( ? H4 B. n: X. _在需要启用modsecurity的主机的location下面加入下面两行即可:+ h8 P& M* B' G$ G6 e7 x
. d( l+ J$ U6 n7 i, M5 @ModSecurityEnabled on;
# a# P. j& K0 K+ [" K5 ?# LModSecurityConfig modsecurity.conf;
% u# E# B+ m; p7 c下面是两个示例配置,php虚拟主机:& d7 O$ X" F' o+ W
) @1 s1 F* m% a
server {% T; j# e( U) ?( M. X5 A) Q
listen 80;
" ?1 U2 |, F, B! M" Z5 U5 j server_name 52os.net www.52os.net;
. B# x4 U' ]' B) F
8 w' ^9 f; O/ _, s- L; b J' B+ u; a- g location ~ \.php$ {
: M3 i( s' b8 U2 b4 |) E: ~& O6 j. v ModSecurityEnabled on;
[* H" R/ X& G3 M( q ModSecurityConfig modsecurity.conf;9 `0 B$ b, G3 [
% [* } g* }& [* u8 B) _0 @" L) V
root /web/wordpress;
' o" q* k) z" t+ e8 l& P& R* I index index.php index.html index.htm;
" U- j. U: j3 Z! a& Y6 ?
* C g( X/ W0 C2 F fastcgi_pass 127.0.0.1:9000;
6 a( R; d) U. j% p0 |( T& C. @; P fastcgi_index index.php;
0 C! }; ]$ Y3 [5 e5 ]" R fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
5 Q5 B% \8 [5 _; h$ k3 \. B) b% m include fastcgi_params;7 p- h' M0 ~- Q( s$ D
}4 A0 a/ L; L9 S; E' [' h% x
}3 _- |4 j5 _2 X6 k; Z
upstream负载均衡:
' D, h1 O H. Y
6 B* C9 H7 y8 e# B& V1 R" rupstream 52os.net {
9 e* u* [/ o$ X) q: x# A) h+ o server 192.168.1.100:8080;6 U& B; P: p# Z. K
server 192.168.1.101:8080 backup;% V7 S4 [2 R# L j; Z( C8 _! i0 x
}
9 X% n A( K9 A* m f# N0 A5 S4 K3 c( H( ~) A: T2 z! n3 X M" d
server {
' N3 x, H4 T6 z/ M/ e" h" t! Alisten 80;
. u2 g' M9 q4 A& C t. g" v ]server_name 52os.net www.52os.net;& U1 G3 b+ m3 X( y1 J* c
2 w( ]% L; O$ Z Hlocation / {8 n- T/ n) o. `! e) y
ModSecurityEnabled on;
0 P* k% _& K9 {# C: a' T7 w ModSecurityConfig modsecurity.conf; 8 @3 |& x5 j7 v c9 h
, [/ s: k9 [. Z$ ^8 v) J: l
proxy_pass http://online;1 z/ Z+ L+ a/ l# W+ [0 M$ O# L' d, [/ a+ C
proxy_redirect off;# _( }" |" K5 W
proxy_set_header Host $host;5 [, P3 M- S. u5 N6 `
proxy_set_header X-Real-IP $remote_addr;1 v+ n3 w9 L% C
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;2 v+ H5 F8 t2 M0 n: v. N
}
- e; d; d5 k* e4 K}1 O; {. u% M4 T
六.测试9 ~8 M0 r6 L" j: A9 w! x& _
' K) ^8 d4 r6 f& w- v% n1 n: V
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
, T) N5 A+ U+ n# z3 ~% K8 n7 {" _0 h3 e _
<?php, A( E$ H; I9 H: Y' `* s6 V! l
phpinfo();
# x3 j& ]* @5 G?>
$ r% E2 Y: V D+ N2 }在浏览器中访问:
5 x8 g9 m+ i ~8 \7 E" y9 I: ~9 p2 t
http://www.52os.net/phpinfo.php?id=1 正常显示。
, @* d$ Y7 w+ ^* Z; m7 i. lhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
6 s% Q/ y8 z1 P2 F$ E! ahttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
7 l. H) q/ K% [3 ~说明sql注入和xss已经被过滤了
' A; f$ j2 g: W: J- J7 r3 `
8 @ W3 R% z7 \+ _七、安装过程中排错
% X7 V* _$ @7 x' i# k$ f" M# S& Y- F) K3 f. D) r" Z d( o7 S
1.缺少APXS会报错
% j; p! {8 y- l' f8 h3 s4 A
4 c" w, d- d4 z6 ], i) x4 sconfigure: looking for Apache module support via DSO through APXS
! ~0 S; T: D% V- ~8 `" l% u* Oconfigure: error: couldn't find APXS' [+ E1 P6 B9 X- E# h5 z
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。% h8 l- o" k7 K% R* Z
解决方法:3 e* _+ ^! l! S. `: ]9 `% a
, a% i: @$ u# e# S7 ?% g6 j
yum install httpd-devel
. @8 q& x0 h! @2.没有pcre
5 ^- @: H7 w7 d( q3 w- e7 \) B, q3 u7 P0 g9 e6 D
configure: *** pcre library not found.
$ \- N& E: @6 zconfigure: error: pcre library is required
. Z0 E- F- I4 I解决方法:6 u0 R7 h- p: f0 s0 [
( Z9 [8 N, @% j6 T! P+ E1 q+ G
yum install pcre pcre-devel1 h% M$ |" C' B/ z
3.没有libxml2# n( C0 r$ j$ u+ m
2 r* s4 @& L/ A6 W4 ^6 Z8 h3 F
; u5 P/ j9 S0 Sconfigure: *** xml library not found.
2 d1 O! v& U% x z/ {' cconfigure: error: libxml2 is required
X& }- W$ _, V2 I. g解决方法:. z" H, k; X8 J: @: t+ ?
" u0 w% i$ k* Yyum install libxml2 libxml2-devel
/ \) T! l J( X' w, l) X5 |4.执行 /opt/tengine/sbin/nginx -m 时有警告
0 x$ E: e) @, F* l! {+ X+ I/ x' y8 j5 }$ f" q
Tengine version: Tengine/2.1.0 (nginx/1.6.2); }" j9 i9 L6 g+ G4 a; C
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!6 y9 j9 G; p* \, a! k
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log4 k/ r- [9 Q. l% ^
. s# a" L! o' n- `0 a" ~+ A2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.( ^5 o3 s! l6 A0 R
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
( `, O& _5 S- f5 q8 F' B* [( @. T, M2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!- r7 @0 G& b* V# J7 C$ r
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05", q/ ~4 F) }! k- B
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6": R; I( S8 c8 R; Z8 I% s
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.4 P* @9 J1 s8 S8 l8 ~$ H2 @
解决方法,移除低版本的APR (1.3.9)# Y5 f* X% `6 n" ^# c
- C" q# V, e0 y4 Qyum remove apr
& c/ c; f/ ?! e( D% _$ m( S3 c5.Error.log中有: Audit log: Failed to lock global mutex# {3 ~* v5 l- c7 \+ }7 o2 L
- `0 {3 S& s. \" }2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock @# c( C o i+ G1 A, j5 N( j
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"] K) |+ G, G( H) _+ [
解决方法:
5 g6 L; V! q! ]1 g- G8 e2 t1 v/ |编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
) B6 ]4 n- m ~2 e* t0 P
4 ]' m) U$ i: G7 s, USecAuditLogDirMode 0777
z5 g* j* U# F! p. l2 t1 _ L) PSecAuditLogFileMode 0550& K0 [, ~6 h: m2 }: a
SecAuditLogStorageDir /var/log/modsecurity4 Z( U% x; @$ d D: s4 b
SecAuditLogType Concurrent7 r1 q, o, ~! ~! r
参考文章:
- F+ L. l+ H8 ghttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX$ _; f3 W! v! Y" }0 X' G
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡