|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。) f8 m9 w; V9 s- c( X- r
. w, J) J* ~: [! b; u h4 Z9 K& p
一.准备工作4 N* Y' S% ]; Z! E+ m
' k7 t6 y5 C0 m: u8 P* y u系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
7 ?- X. F; k' e7 B) |9 v* H. r& J5 l0 J/ K2 z5 V# c P k& \( F
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
, v* e0 ~, x+ R% Q! h) V: S# U
. f" f8 I" ?8 u* P+ g6 W" @7 Kmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
6 B- T! ?" J2 t; ^+ j) a9 h% w$ ~- ^2 f- r* x
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs% ]7 v: P9 v, c' @6 f6 u3 ^
! u7 S0 g! Y9 M" s# d+ A7 L; D依赖关系:* h$ ^5 S% Q$ r
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
# t/ x6 S& |( S% J: z& \4 f
7 R+ _% W( `, d. L. W9 Hyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel( p% e0 Z5 D+ Y$ e' t; v: S" d
modsecurty依赖的包:pcre httpd-devel libxml2 apr
% ?! s7 E3 m. S' ?% j! y0 ?1 n# e& b* s- t- `6 c! s( j
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel" V! X" n# Q" G% ?* }
二.启用standalone模块并编译% ?4 L+ S' i1 a& H
5 I; `6 J% y. V, s% b3 }- n
下载modsecurity for nginx 解压,进入解压后目录执行:; N2 k- u3 C; g8 k2 e7 `
# j ~" ?9 c2 H% P: C./autogen.sh" G: q0 I9 M% [' e
./configure --enable-standalone-module --disable-mlogc
+ t6 |" j( O* w# W+ F/ z6 fmake 2 E7 f: l/ `6 B1 M
三.nginx添加modsecurity模块
" `7 w' S! x9 F! \8 }" l, u$ R
* P( A6 D% R: ]% |6 @4 {在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:4 \ m$ r( `+ a4 B! b
/ z+ ~3 u! A, n: x( Y( w
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
u' k$ Z W& w0 n3 |8 @ I: nmake && make install
8 g9 E/ j2 v& N, \ b" c. y2 i! c四.添加规则$ \2 U, A B8 r9 }
8 t: Z, M" e/ b2 y0 ]- B6 _
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。; @- d6 g3 `/ l$ U& C. b4 P
7 I e8 l6 d, W6 H" Y2 ?1.下载OWASP规则:
- i3 c) b% Z4 _7 W
$ b3 E" T) E3 [, ^4 q& T$ A6 Lgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs: r& d, {- B/ Y4 f
5 O# t( R# p) `6 \# e! hmv owasp-modsecurity-crs /opt/tengine/conf/
6 B- j9 W( j$ f- {9 r9 U
1 f+ a% Y1 D$ E6 V' t$ ccd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
: b8 o5 v4 } v; ^- n- ?. ~2.启用OWASP规则:
M* J! X* K1 j6 L& b+ {
* i8 r3 M2 u b; a: {复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
$ q+ o" z: c* A2 D9 u6 i, G) }
7 h% V& u; B3 ]1 q. T& _编辑modsecurity.conf 文件,将SecRuleEngine设置为 on% T% V, k% q: T6 D& Q* a
, Q) v* n; c4 T2 d3 }" D/ |
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。& I5 Z+ \4 `: i$ \/ `6 v% j
+ z4 J) b* [# F8 \5 _7 n( b
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
* s, S% f b5 i+ R& sInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf% i c$ E% k: N& h
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
\; R) k- }1 z( S& {: ^Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
- K- x3 k+ b! j* c% y/ _" d- jInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
9 l! o! u2 u! ^$ [! r' I* \* EInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
1 j- Z: _, N" @8 `2 ~Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
( \" j3 d9 \& c5 Q: A4 n; d# E五.配置nginx2 y% I2 L) V% v5 X# i7 a
9 ^0 k$ E' N8 M0 ]9 r
在需要启用modsecurity的主机的location下面加入下面两行即可:
7 d9 D K5 a3 i# W" _1 _
$ R+ E O. H3 f/ AModSecurityEnabled on;
6 U+ i7 e7 a" `9 LModSecurityConfig modsecurity.conf;) x! m; v( e. a! B
下面是两个示例配置,php虚拟主机:
, ?% w% C1 T! R% h! u
% F4 j# f0 \+ I7 q$ Q6 I' iserver {1 j9 i# O5 P8 X5 H7 A o& s& e7 }$ z
listen 80;
4 f- p; f) l: j/ A" H. D server_name 52os.net www.52os.net;4 e) G5 l9 I! r! ?
* W; t! c/ i$ l3 t6 |
location ~ \.php$ {$ C! t, U1 Y% `# T) ~
ModSecurityEnabled on;
& s _$ m; B* y: R4 I) h ModSecurityConfig modsecurity.conf;) X! a: P# ]. @. i: g
% \ ]# [+ F, M- h' C9 q root /web/wordpress;% W6 x, s1 c l6 u0 H+ w
index index.php index.html index.htm;: U- x$ H5 q F: }8 L& ?$ F
4 ?. [8 |3 }6 X b- a2 _/ ] fastcgi_pass 127.0.0.1:9000;
- [. ?( U! L( \ fastcgi_index index.php;
+ {" u5 d8 W+ ]5 \; {* z3 c fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;$ ^0 F) d) z2 [& O8 r' V: r4 R/ h
include fastcgi_params;
0 J# ^- Z2 n4 i0 Q* S }; d: e2 T4 [" K ^3 K9 P5 e H, D
}
+ [! f" }7 w$ n% d; O3 A% zupstream负载均衡:2 U) n( X* j2 E, \1 h3 ^
8 L# E' F5 Y h; Y- P- Y4 {
upstream 52os.net {
$ r# m( V$ y9 Q2 Y server 192.168.1.100:8080;
" g8 A% u! w5 } server 192.168.1.101:8080 backup;
% M/ {; ` v! J$ ?5 F! @. j2 \9 y}+ j* \ u% I$ I. @
: ~" E1 G G, V; u% J `) J
server {% F' E/ ]& T, H) G/ S3 Q$ T/ ?4 b
listen 80;4 E' U C* [& ?
server_name 52os.net www.52os.net;
* O0 L$ ^0 r7 }( w5 \; C! @; X1 m! c( E8 ^6 ^
location / {
5 ~, }; s5 \9 ]- l" N ModSecurityEnabled on;
" j! [, X) G! h" Q3 f. {1 o ModSecurityConfig modsecurity.conf;
- \% ^0 x8 s/ I1 M h" P$ k( K2 c6 `
proxy_pass http://online;
3 e8 e/ |8 j q$ b2 Q1 R proxy_redirect off;6 q1 m" {3 E9 L7 U' Y# k( y4 H
proxy_set_header Host $host;
1 k' |/ \" [0 \, i proxy_set_header X-Real-IP $remote_addr; T, f+ t+ e' c& }+ k7 D
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# N/ e. ?; Q2 F$ S: x6 e* C8 G }
# l( X* r, j( T. }}" t3 p( B; E$ {1 ^- J) }5 {
六.测试/ i4 l. X/ A6 P$ u K' b
# T) l4 ]3 l; }我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:0 @" U1 T" Q: |! m+ \& U+ c! }
1 K2 n% B N# P S# F8 N( a f<?php7 ^; N1 y$ X9 \* N
phpinfo();
7 s, @4 N$ Z5 Y9 L1 s( t# n* y?>5 @7 Z5 E1 w5 M, d4 X5 y
在浏览器中访问:
5 F# q0 s0 f+ a# q& p: _: N" j& N8 K3 P
http://www.52os.net/phpinfo.php?id=1 正常显示。/ J! A$ Z( U: k* g
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。3 V/ e; I3 d! V e& e2 m
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
+ i6 s M* a6 |- p* f说明sql注入和xss已经被过滤了- j4 b' s8 w& o% V$ F
# D, S3 X' I S8 j" P0 m7 F% i- e9 H七、安装过程中排错% a& T" y! c- ^3 v2 G) Y
/ T% j- e! Z) J, L1.缺少APXS会报错1 J0 K; j/ f1 s& a+ Z( b% O$ y( {
7 `% ~- a7 s1 S) aconfigure: looking for Apache module support via DSO through APXS& v- O, g% t& n" q8 J
configure: error: couldn't find APXS
& p, I8 ]' E0 `6 h2 H( K+ p2 aapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。0 L @0 G- H' D4 Q: n
解决方法:) a/ ?& b) ~/ I
/ \9 s2 `4 d- p6 [
yum install httpd-devel
( Z* s+ \7 K; C* H: M* `2.没有pcre+ A! K% {7 Q5 W9 r4 Y4 c2 A; }3 ^
1 f3 u# R, D7 x. ?( c5 h/ U
configure: *** pcre library not found.; a' V: h. L/ b- C: j8 Q
configure: error: pcre library is required
' P2 z' V6 _6 H- h3 C9 a解决方法:
3 w3 W+ P( O5 O1 V# {; {
: T7 `! M3 S' B1 y$ B x! O' q+ eyum install pcre pcre-devel! b: b! j0 J% m/ j7 m
3.没有libxml27 T( X, j8 P3 i9 [' Q4 l
' I5 l' O0 t7 e2 a, P, C
% ?; d- N% G% ]' X. Lconfigure: *** xml library not found.' j. Q- @" T- v$ t+ r
configure: error: libxml2 is required
# V# v+ p8 q, l解决方法:
9 o6 O4 {; Z: Z$ L3 b( A
4 b) ]3 C0 _ x* n1 lyum install libxml2 libxml2-devel
; V6 X8 t* Q3 ` }4.执行 /opt/tengine/sbin/nginx -m 时有警告
1 N6 D% z5 n6 p7 ]/ ]" O6 h! o
: J% O5 \8 U: N7 {Tengine version: Tengine/2.1.0 (nginx/1.6.2), G6 a/ e7 s, M9 j9 m% Q5 p( U
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!2 t8 Q0 s9 g9 ^8 I- K) A% u
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log$ F5 [: E# A. @
% A# K& ]7 z; u
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.) z; G4 A0 q1 P7 \% ^4 u' U
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"! f3 ~# l( ^1 y( P V7 K5 p
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!6 D* R7 P3 }9 G% `8 A
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
, o* Y; {4 ~, l4 t# L, L2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"4 }+ P3 J( Z) T+ e9 X& V3 ~/ o! s
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.% s8 @- L5 X/ N e& A' z
解决方法,移除低版本的APR (1.3.9)
8 \; @ w4 D! D% {" ^
/ ? t% G: G* e- s# ryum remove apr) W3 \) ~, X* }. Y" g
5.Error.log中有: Audit log: Failed to lock global mutex0 V: R1 c: M5 N- h* c( ~' k
* N# A* ]8 F0 {0 d/ H2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
. a! R" D/ g1 K9 [: o. F4 [& hglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]1 Z& f/ s( G$ f" @: I- w
解决方法:
* \* O3 S" {2 z1 Q1 [$ @- h! R编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
3 g+ j4 ]7 M/ |! x! I! A a' e1 E/ r/ U3 G
SecAuditLogDirMode 0777
5 Z$ E3 u$ z6 h5 S, BSecAuditLogFileMode 0550+ W" b2 `1 X; Y+ x/ P
SecAuditLogStorageDir /var/log/modsecurity- m, e9 W' o( a$ W/ B: I
SecAuditLogType Concurrent" H& b, m1 N- e3 G/ m( J' L& `* ^. C
参考文章:7 P: F# X) @: y: q, J7 k$ X, h
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX* f. w" P! Y+ Z
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡