ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS, and combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added when nginx is built, via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is about filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by pulling them in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of every host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, an upstream load-balancing setup:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # must reference the upstream name defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> returns 403.

This shows that SQL injection and XSS requests are being filtered.
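An added smoke-test for the checks in this section (example code, not part of the original post): it sends the three requests above with percent-encoded parameters and reports any that do not get the expected status, which is useful for re-checking the WAF after rule or nginx changes. The base URL is a placeholder and the injectable `fetch` helper is an assumption of this example, not a ModSecurity API.

```python
"""Smoke-test a ModSecurity/CRS deployment: each tutorial request must get its expected status."""
import urllib.error
import urllib.parse
import urllib.request

# Test cases from the tutorial: (path, query parameters, expected HTTP status).
# Parameters are percent-encoded so the space and angle brackets reach the server intact.
CASES = [
    ("/phpinfo.php", {"id": "1"}, 200),                                   # benign, must pass
    ("/phpinfo.php", {"id": "1 and 1=1"}, 403),                           # SQLi rule must block
    ("/phpinfo.php", {"search": "<script>alert('xss');</script>"}, 403),  # XSS rule must block
]


def build_url(base, path, params):
    """Join base URL, path and a percent-encoded query string."""
    return base.rstrip("/") + path + "?" + urllib.parse.urlencode(params)


def http_status(url):
    """GET the URL and return its status code; a 403 is returned as a code, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verify_waf(base, cases=CASES, fetch=http_status):
    """Run every case; return a list of (url, expected, actual) for the ones that mismatch.

    `fetch` is injectable (assumed helper of this example) so the checker can be run
    against a stub without a live server.
    """
    failures = []
    for path, params, expected in cases:
        url = build_url(base, path, params)
        actual = fetch(url)
        if actual != expected:
            failures.append((url, expected, actual))
    return failures


if __name__ == "__main__":
    # Placeholder base URL: replace with the server_name you configured in nginx.
    failures = verify_waf("http://www.example.com")
    for url, expected, actual in failures:
        print(f"FAIL {url}: expected {expected}, got {actual}")
    print("WAF checks passed" if not failures else f"{len(failures)} WAF check(s) failed")
```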
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log also shows:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
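Once the WAF is running, the entries ModSecurity writes to nginx's error.log (like the mutex error above and the rule hits produced by the tests in section VI) are the main signal for tuning and monitoring. The parser below is an added example, not part of the original post: it turns the bracketed `[key "value"]` attributes of ModSecurity 2.x log lines into structured events and separates blocked requests (counted per rule id) from operational errors. The second sample line is constructed in that format, and its rule id is a placeholder.

```python
"""Parse ModSecurity 2.x entries from nginx error.log into structured events."""
import re
from collections import Counter

# nginx error.log prefix: "2015/01/26 04:15:42 [error] 61610#0: <body>"
PREFIX_RE = re.compile(r"^(\S+ \S+) \[(\w+)\] (\d+)#\d+: (.*)$")
# ModSecurity attributes: [key "quoted value"] or the bare form [client 10.11.15.161]
ATTR_RE = re.compile(r'\[(\w+) (?:"([^"]*)"|([^\]"]*))\]')

# Constructed sample input. Line 1 is the mutex error from the tutorial (joined onto one
# line); line 2 is a constructed rule-hit entry in ModSecurity 2.x format with a
# placeholder rule id, not a real capture.
SAMPLE_LINES = [
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: '
    'Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] '
    '[unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
    '2015/01/26 04:16:03 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied '
    'with code 403 (phase 2). Pattern match "1=1" at ARGS:id. '
    '[file "modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "EXAMPLE-SQLI"] '
    '[msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] '
    '[uri "/phpinfo.php"] [unique_id "EXAMPLEID0000000000000001"]',
]


def parse_modsec_line(line):
    """Return {"time", "level", "pid", "message", "attrs"} or None for non-ModSecurity lines."""
    m = PREFIX_RE.match(line.strip())
    if not m or "ModSecurity:" not in m.group(4):
        return None
    time, level, pid, body = m.groups()
    attrs = {}
    for a in ATTR_RE.finditer(body):
        key, quoted, bare = a.groups()
        attrs[key] = quoted if quoted is not None else bare.strip()
    # The free-text message sits between "ModSecurity:" and the first [key ...] attribute.
    tail = body.split("ModSecurity:", 1)[1]
    message = re.split(r" \[\w+ ", tail, maxsplit=1)[0].strip()
    return {"time": time, "level": level, "pid": int(pid), "message": message, "attrs": attrs}


def summarize(lines):
    """Return (blocked requests counted per rule id, list of operational error messages)."""
    events = [e for e in map(parse_modsec_line, lines) if e]
    denied = Counter(e["attrs"].get("id", "?") for e in events
                     if e["message"].startswith("Access denied"))
    operational = [e["message"] for e in events if "id" not in e["attrs"]]
    return denied, operational


if __name__ == "__main__":
    denied, operational = summarize(SAMPLE_LINES)
    print("blocked per rule id:", dict(denied))
    print("operational errors:", operational)
```

Feed it `open("/opt/tengine/logs/error.log")` instead of SAMPLE_LINES to get the same breakdown for a live instance.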
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614