|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
N2 E. g' v* O! ^$ }. z* V. ?
( ^: Y: A' p9 w# G! m( h一.准备工作" t. \0 S( l" r+ Q, b
. [" h. `- L C2 m; Q9 P3 d) s' Q
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
- t: |+ P; H* X8 w# S; L# ]# [
8 g! C, i5 I, d4 I( _, u; w* Y3 ytengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
9 X3 P: [! k; b* {- }9 Z0 p4 J4 a& G
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz# n: y4 D9 _4 C/ k: Z# ~, x
6 D, G/ {6 s* Z6 x! c. W# V
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs/ ~: ?. y/ k+ E1 V2 J& Q: ?8 k- G
# Z7 k+ j4 W8 ]# r依赖关系:* o7 \6 ^) u6 j8 O% T
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:1 j9 {4 t( `& _ j h6 f+ N
" ~ {( S! o9 A% u* \' wyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
4 z8 p4 L# ~0 m3 k7 ]modsecurty依赖的包:pcre httpd-devel libxml2 apr
( O. f5 p; p V6 [) z- H+ I( b/ j i8 v; M* d2 G. `" z4 S K+ K5 S
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
- Y9 Y6 f6 M6 [" ~0 K: R二.启用standalone模块并编译
! r' I1 l% Q/ Q, b& x
- Q) j$ \4 t! [4 n/ E6 E& T下载modsecurity for nginx 解压,进入解压后目录执行:
9 u! F! l" Y1 @6 Z* z" P. ]- T
: j/ u9 y X" d& M./autogen.sh7 t( X8 m* v( }/ L
./configure --enable-standalone-module --disable-mlogc m. u3 {, `6 d
make
7 R- x2 P2 D M5 t* {三.nginx添加modsecurity模块
& f% n% u8 }1 G4 C
0 }; x. v- P+ E1 ~* L在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
5 E5 ]" |$ p1 u. M) F) |+ z2 ]; N5 d$ w+ o2 i( \" X1 J0 C$ P
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
. z, W1 _) ]' q4 z, K& Lmake && make install" Q8 d/ n. |( }6 { P: `1 ~6 c: a5 I
四.添加规则8 [8 _! ?- Y3 r; ]0 `' [
+ `2 y) @5 T1 S' i0 Z( k5 C( g
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。9 r) `8 j% [( [5 @1 w* N) O: M4 ~
5 k% d/ B, o3 `) v& c
1.下载OWASP规则:
+ b) d3 U, |8 q
9 |3 L+ F. A8 Fgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
+ `" o6 Z! t# {0 P( L. Q! ]7 J' u3 y$ f4 R3 a' n3 X
mv owasp-modsecurity-crs /opt/tengine/conf/
% e, A1 s3 h; i) ^5 x1 a' `$ h1 A- R3 c" g: W& E
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf5 p1 R1 B: N- {8 o4 f6 u3 L
2.启用OWASP规则:1 D( k( L1 ~5 l0 P
5 ]. N: v* `: h) h
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
& q0 d. y$ `& [( ]& c: a% l0 p7 X' T6 ~9 S: }. K1 b+ E
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
9 Z$ ~8 J0 o2 a+ t5 t6 M0 X' s+ |0 f; c# ~
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。% O7 d' a: w( y. B
; Z3 F$ |$ q: s' T6 _
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
+ f0 `8 J# S7 ?4 N+ w2 RInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
8 u5 z) I% d$ ?: d* D7 T7 H- vInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf2 K5 P: A# {; \5 _4 ]
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
7 |* [+ B3 w/ M, ^Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
" q8 I" y! k- G6 N* H1 w( xInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf* D# r0 ?' Z# p. l
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf! f1 J1 k0 k0 T
五.配置nginx: y# K" `' f) d1 O: Y
^/ d" C X3 d/ Z7 l' `4 x在需要启用modsecurity的主机的location下面加入下面两行即可:
( ~$ w& F, O' k- p( X1 f% u( Z9 @" N
ModSecurityEnabled on; ( D! W* o6 x* G# @& L
ModSecurityConfig modsecurity.conf;
+ Z6 T9 j2 B+ N# D下面是两个示例配置,php虚拟主机:
- w- P4 _, |2 b$ s8 F* G8 Y8 \
! M# Y: ]& K% gserver {' [% a1 v7 n. V3 v0 a3 W
listen 80;! |% Q& [4 z6 h5 R# t1 t @
server_name 52os.net www.52os.net;3 G; T) h, g' \4 r( p0 p7 p
/ y. S# t" q! |
location ~ \.php$ {
- e( r9 c# Q: i4 r0 D/ k4 W# D$ u ModSecurityEnabled on;
- H# N" r3 G) B/ _* h: z+ M& Q' k1 [ ModSecurityConfig modsecurity.conf;
# }* B$ e- V' S* o; d) E/ x5 z9 A9 J0 f( ?4 `
root /web/wordpress;
2 ]/ R' v* ?8 y2 n0 \1 _- n index index.php index.html index.htm;( n) P' z7 P5 G& D
8 R$ z$ z1 ^8 }$ H0 `5 h$ | fastcgi_pass 127.0.0.1:9000;
/ \; l f: E+ V. E, F" d fastcgi_index index.php;- h! D. i. T1 M% w: X. ?3 a
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
7 R* t! l0 d% }. H6 {* h- d include fastcgi_params;
- G* {" U8 E. r$ z( x6 ? }: o% j# Z* j H, M2 A! }9 R1 ]
}; b" u/ f8 D9 M3 C- a) b
upstream负载均衡:
& D# z7 ?& Z% H0 C* u# T7 D" R+ E3 W0 A. W! d5 ^
upstream 52os.net {. ~& @8 C0 s. ~
server 192.168.1.100:8080;( I& C' U8 J, F1 |
server 192.168.1.101:8080 backup;# Q4 h, _8 ^1 F0 T e, P" L7 ?9 y
}
) N& D( ~8 Q( O1 A9 m7 N! k- G/ e
8 H& b! M- U- ]7 nserver {
v& y( X8 S- y) B; Q' M& _5 Ilisten 80;/ v+ ]- I) }6 K7 v+ C
server_name 52os.net www.52os.net; T* `- |- z! P; C/ A/ A) z h
+ \. w& J$ h- Ilocation / {, _; j2 |( u$ {2 M- a& f q
ModSecurityEnabled on; + E4 T& F+ h, O# W/ }- B: n
ModSecurityConfig modsecurity.conf; : ]$ a; E' q' l* ]
2 k6 u, }. D0 ~: m; ?
proxy_pass http://online;
* ]. V/ ]' D H: f. B0 p% ^% l& ^& Q proxy_redirect off;* h5 B& L. ~( h# L
proxy_set_header Host $host;6 v/ F& R% ?# ~* E; `1 H
proxy_set_header X-Real-IP $remote_addr;
! P/ a% N# ]3 a/ | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;) E2 f" f. I4 j8 c* @8 y
}
) N. Q" T/ M, ?6 U}
. e# U9 b; l% J7 v+ A" ~. @六.测试* Z& a; M! ^! I3 C! F
/ e& d% o) O1 x- d5 W* U我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
( K5 d* S" N% ?3 J- u% V! T; S
: Q! I4 f0 S% S9 z9 G" ]7 q<?php |7 W7 x t: p( T/ C9 f+ t7 W
phpinfo(); : H+ ]1 p, k" y2 R0 ?1 e5 X6 R- t" z
?>
' z$ v7 }0 v4 X0 t# Z2 \. q4 F在浏览器中访问:
* e) ^& V' p# c! C! o) ~( z/ q% i! n
http://www.52os.net/phpinfo.php?id=1 正常显示。
. K( j5 z( z$ Whttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
6 |; x( F1 l! [3 Z. I4 M' C- Mhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。+ N) a) c+ K1 J9 Y I
说明sql注入和xss已经被过滤了3 ?, B3 u1 Q$ z: G, I
* Y: @9 V1 R; i1 W, n1 B七、安装过程中排错
. j- K( Z# F) N2 |
/ S- m* K( _3 ^1.缺少APXS会报错
: u' l. M3 t' n0 N2 Q0 ^
, H9 M- e, Q- v* o4 qconfigure: looking for Apache module support via DSO through APXS
3 w* q+ ?5 m7 P/ {configure: error: couldn't find APXS4 V" c, \6 m) V. J) A: X* l
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。7 R3 o7 w4 N: y% j- k
解决方法:6 h9 V" {7 ~% n2 @: l1 N3 P
! a, |2 R2 q7 d# r' C9 s% f' oyum install httpd-devel
q- C) S2 E7 m$ E2.没有pcre/ b- a. A& N- `0 g/ a2 Z1 @0 N" j. J( q
( q8 O5 U8 E0 S
configure: *** pcre library not found.
5 z9 ?2 D5 U# C, I" kconfigure: error: pcre library is required
' a! ^7 W' v( h解决方法:
2 n4 N2 f% _! Z6 Z2 P/ \8 A1 n$ s1 ^; a: h, ^6 s
yum install pcre pcre-devel
% z! D" w3 |' C2 i. R9 g3.没有libxml2, {: }& p3 l* A4 b& o
8 _ v. v+ l7 M* K% b' f& o
9 m( d' H# P; H6 r4 Dconfigure: *** xml library not found.+ h9 `/ E; N. u
configure: error: libxml2 is required2 }9 \( g7 {6 f- _4 q2 G
解决方法:# T" r' b% l4 g: r
" M/ Q; b+ Y3 J
yum install libxml2 libxml2-devel' f9 g) T1 y( _. H+ h
4.执行 /opt/tengine/sbin/nginx -m 时有警告* e3 n4 J3 [# T
* j6 Y" t: Y# l0 g% d7 E
Tengine version: Tengine/2.1.0 (nginx/1.6.2)' s: G3 a' W$ p8 u t% U3 N
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
2 U/ a" U7 N" n- z* @原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log# g5 |' |8 D6 j" \
% `7 t2 g- s3 a2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.. a& S) c" W; X$ z8 v- s/ v" T
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"& `* o, Z1 c* X% K; C0 C2 o3 b
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!# Q- m; b" N% R; S
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"8 {4 ?* T/ O4 l1 k$ f( r& P
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
) ^ h( ^! q1 t1 v/ Y) X D# \. X2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.! G& M1 B3 L/ G8 v$ d% T0 v# b
解决方法,移除低版本的APR (1.3.9)5 Z1 c( z+ c6 {+ O8 x) K
! I5 r; n4 P3 X( q( q
yum remove apr
* Z7 X4 Z1 g; S& a, l5.Error.log中有: Audit log: Failed to lock global mutex( W0 z, u; f( G9 o
! g* g+ e, d+ K* K" |" J
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
2 ]: _+ d( W) |) m) l# n# Pglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
& ~0 Z7 k3 ?0 D8 q$ O/ q+ p解决方法:
( x0 K7 j6 F2 y: Q5 Q/ w: n. U编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容: A5 r1 a% ?4 a# s# k
& J C! h u6 T- b V) @4 }
SecAuditLogDirMode 0777
: S& ^6 ]6 [3 Z+ ^; ] F, dSecAuditLogFileMode 0550) |+ d6 v" F t& Q: e" J
SecAuditLogStorageDir /var/log/modsecurity9 u( f; q% D" a* z' R* P( w
SecAuditLogType Concurrent' G! ]3 X+ `# z; I7 i6 s+ ]. O' E
参考文章:: O0 z/ j* U, _/ c' ^: ?- b6 ~) n, `
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
7 D: U/ ]* V$ L! h# Whttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡