ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 system repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make
3. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added when compiling nginx with "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install
4. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write your own rules to cover any other needs.

1) Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; each rule file you want active is simply pulled in with Include:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
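A mistyped Include path or a SecRuleEngine left at DetectionOnly silently leaves the WAF not blocking, so it is worth checking modsecurity.conf before reloading Tengine. The script below is an added example written for this post, not part of the original article or of ModSecurity; it assumes relative Include paths resolve against the nginx conf directory, as the Include lines above do, and the path names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check modsecurity.conf
# before reloading Tengine. It confirms SecRuleEngine is On (DetectionOnly only
# logs and would never return the 403s seen in the test section) and that every
# Include target exists; relative Include paths are assumed to resolve against
# the nginx conf directory, as the post's own Include lines do.

# validate_modsec_conf <nginx_conf_dir> <path/to/modsecurity.conf>
# Prints one line per problem; returns non-zero if any problem was found.
validate_modsec_conf() {
    conf_dir=$1
    conf_file=$2
    problems=0

    # Strip comments, then take the last SecRuleEngine value, lower-cased.
    engine=$(sed -e 's/#.*//' "$conf_file" |
        awk '$1 == "SecRuleEngine" { v = $2 } END { print tolower(v) }')
    case "$engine" in
        on) ;;
        detectiononly)
            echo "error: SecRuleEngine is DetectionOnly, rules log but do not block"
            problems=$((problems + 1)) ;;
        *)
            echo "error: SecRuleEngine is '${engine:-unset}', expected On"
            problems=$((problems + 1)) ;;
    esac

    # Collect Include targets that are not readable. Captured in a variable
    # because the while loop runs in a subshell and cannot update $problems.
    missing=$(sed -e 's/#.*//' "$conf_file" |
        awk '$1 == "Include" { print $2 }' |
        while read -r inc; do
            case "$inc" in
                /*) path=$inc ;;
                *)  path="$conf_dir/$inc" ;;
            esac
            [ -r "$path" ] || echo "$path"
        done)
    if [ -n "$missing" ]; then
        echo "$missing" | sed -e 's/^/error: Include target not found: /'
        problems=$((problems + $(echo "$missing" | wc -l)))
    fi
    [ "$problems" -eq 0 ]
}

# Stand-alone usage (placeholder paths):
#   sh modsec_check.sh /opt/tengine/conf /opt/tengine/conf/modsecurity.conf
if [ "$#" -eq 2 ]; then
    validate_modsec_conf "$1" "$2"
fi
```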
5. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add these two lines:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # nginx variable names are case-sensitive: $document_root, not $Document_root
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

An upstream load-balancing setup:

    # The upstream name must match the proxy_pass target in the location below.
    upstream online {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            proxy_pass http://online;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
6. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as the example, create a phpinfo.php with the content:

    <?php
    phpinfo();
    ?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
7. Troubleshooting the installation

1) A missing APXS causes an error:

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

    yum install httpd-devel

2) pcre is missing:

    configure: *** pcre library not found.
    configure: error: pcre library is required

Fix:

    yum install pcre pcre-devel

3) libxml2 is missing:

    configure: *** xml library not found.
    configure: error: libxml2 is required

Fix:

    yum install libxml2 libxml2-devel

4) Running /opt/tengine/sbin/nginx -m prints a warning:

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log will also contain the following:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

    yum remove apr

5) error.log contains "Audit log: Failed to lock global mutex":

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent