ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and performance of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity's purpose is to filter and block web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for any additional needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.
Edit modsecurity.conf and set SecRuleEngine to On.
owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need by adding an Include line for each of them:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

Add the following two lines inside the location block of every host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

# the upstream name must match the name used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered with a 403 directly. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
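Besides watching for the 403 in the browser, a practitioner will want to confirm the blocks in nginx's error.log, where ModSecurity 2.x writes one "[client ...] ModSecurity: Access denied with code 403 ..." entry per blocked request followed by bracketed [key "value"] tags. The parser below is an added example, not code from the original post or the ModSecurity project; the log lines it runs on are constructed (rule ids, line numbers and unique_ids are illustrative), and it also classifies the "Failed to lock global mutex" engine error covered in the troubleshooting section so that operator problems are not counted as blocks.

```python
import re
from collections import Counter

# Constructed sample of nginx error_log entries in ModSecurity 2.x's format (not taken
# from the page): two 403 blocks for the id=1 and 1=1 and <script> tests, the audit-log
# mutex error, and an engine notice without a [client] part. Values are illustrative.
SAMPLE_LOG = """\
2015/01/26 03:10:01 [error] 29036#0: *12 [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[rule regex elided]" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED-0001"]
2015/01/26 03:10:05 [error] 29036#0: *13 [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[rule regex elided]" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "31"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED-0002"]
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
"""

CLIENT_RE = re.compile(r'\[client ([^\]]+)\] ModSecurity: (.*)$')
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] tags
DENY_RE = re.compile(r'Access denied with code (\d+) \(phase (\d)\)')


def parse_line(line):
    """Parse one per-request ModSecurity entry; engine notices without [client] give None."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    client, rest = m.groups()
    first_tag = TAG_RE.search(rest)
    text = (rest[:first_tag.start()] if first_tag else rest).strip()  # free-text message
    tags = dict(TAG_RE.findall(rest))
    deny = DENY_RE.search(text)
    return {
        "client": client,
        "kind": "blocked" if deny else "error",   # a rule hit or an engine problem
        "status": int(deny.group(1)) if deny else None,
        "phase": int(deny.group(2)) if deny else None,
        "rule_id": tags.get("id"),
        "rule_msg": tags.get("msg"),
        "uri": tags.get("uri"),
        "unique_id": tags.get("unique_id"),
        "text": text,
    }


def summarize(log_text):
    """Count blocks per (rule id, uri) and collect engine errors an operator must fix."""
    blocked, errors = Counter(), []
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        if entry["kind"] == "blocked":
            blocked[(entry["rule_id"], entry["uri"])] += 1
        else:
            errors.append(entry["text"])
    return blocked, errors
```

Running summarize(open("/opt/tengine/logs/error.log").read()) after the three browser requests above should show one block each from the SQL injection and XSS rule files and an empty error list; any text in the error list (such as the mutex failure) means the engine itself needs attention.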

VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 makes the storage directory writable by every local user; the nginx worker processes only need write access to it, so a directory owned by the worker user with a tighter mode also works.

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614