ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application; it now supports nginx and IIS as well. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, and it is a powerful tool for both protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is designed to filter and block web attacks, and its power comes from its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); the rules are reliable and powerful, and you can of course also write your own rules for any further needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need by adding an Include for each file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

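The section above mentions that custom rules can sit alongside the CRS. As an added example (not from the original post or the CRS project), the fragment below shows the local rules a practitioner typically ends up writing next to the Include lines: a staged roll-out switch, an exclusion for one CRS rule that false-positives, a path that must never be inspected, and a positive rule for the phpinfo.php test page used later in this post. The /healthz path, the rule ids and the 999999 placeholder are assumptions.

```apacheconf
# Added example: local rules placed after the CRS Include lines.
# Paths, rule ids and the parameter name are assumptions.

# 1. Stage the roll-out. DetectionOnly logs matches without blocking, so the
#    CRS can be tuned against real traffic first; switch back to On afterwards
#    (a later SecRuleEngine directive overrides the one in modsecurity.conf).
SecRuleEngine DetectionOnly

# 2. Exempt an endpoint that must never be inspected (assumed path).
SecRule REQUEST_URI "@beginsWith /healthz" \
    "id:1000001,phase:1,pass,nolog,ctl:ruleEngine=Off"

# 3. Disable one CRS rule that false-positives on this site. Use the value of
#    the [id "..."] field from the error.log entry (999999 is a placeholder).
#    This directive must come after the Include that defines the rule.
SecRuleRemoveById 999999

# 4. Positive rule for this application: the id parameter of phpinfo.php must
#    be numeric. The disruptive action sits on the first rule of the chain;
#    the second rule only adds the condition.
SecRule REQUEST_FILENAME "@endsWith /phpinfo.php" \
    "id:1000002,phase:2,chain,deny,status:403,log,msg:'non-numeric id parameter'"
    SecRule ARGS:id "!@rx ^[0-9]+$"
```

Run nginx -t after every change to this file: ModSecurity rejects a malformed rule at config load, which is far cheaper to find at that point than after a restart.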
V. Configure nginx

Add the following two lines to the location block of each virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the host part of proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

XSS and SQL injection filtering are now enabled, so malformed requests get a 403 straight away. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS rules are filtering requests.
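The three browser checks above are easy to repeat after every rule change if they are scripted. The following is an added example, not code from the original post: it sends the same three requests (URL-encoded the way a browser encodes them) and compares the status codes with what the post says they should be. The host and phpinfo.php path come from the post; the injectable fetch function is an assumption so the check logic can also run without a live server.

```python
"""Smoke-test the ModSecurity/nginx setup with the post's three requests.

Added example (not from the original post). Run it against the host from
the post, or pass another base URL as the first argument.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# (query parameters, expected HTTP status): the post's three test requests.
CASES = [
    ({"id": "1"}, 200),                                   # benign request passes
    ({"id": "1 and 1=1"}, 403),                           # SQL tautology, 41_sql_injection rules
    ({"search": "<script>alert('xss');</script>"}, 403),  # script tag, 41_xss rules
]


def build_url(base, params):
    """Attach the query string; spaces, <, >, = and quotes are all percent-encoded."""
    return base + "?" + urllib.parse.urlencode(params)


def http_status(url, timeout=5):
    """GET the URL and return the status code; 4xx/5xx is a result, not a failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(base, cases=CASES, fetch=http_status):
    """Return a list of (url, expected, got, ok) for every case.

    `fetch` is injectable (assumption for this example) so the comparison
    logic can be exercised offline with a stand-in for the WAF.
    """
    results = []
    for params, expected in cases:
        url = build_url(base, params)
        got = fetch(url)
        results.append((url, expected, got, got == expected))
    return results


def main(argv):
    base = argv[1] if len(argv) > 1 else "http://www.52os.net/phpinfo.php"
    results = run_checks(base)
    for url, expected, got, ok in results:
        print(f"{'PASS' if ok else 'FAIL'} got {got}, expected {expected}: {url}")
    return 0 if all(r[3] for r in results) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status makes the script usable as a deployment gate: if the benign request stops returning 200 after a rule change, a false positive has crept in; if either attack string starts returning 200, the rule file that should catch it is no longer being loaded.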

VII. Troubleshooting the installation

1. A missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP Server: it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
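Items 4 and 5 above are both found by reading error.log, and once the WAF is blocking requests (section VI) the same file is where the blocks are recorded. The script below is an added example, not code from the original post or from the ModSecurity project: it parses the `[key "value"]` fields of ModSecurity lines in nginx's error.log, counts blocked requests per rule id and per client, counts audit-log errors, and flags library version mismatches while tolerating the harmless PCRE case where only the build date differs. The sample log is constructed: the version and mutex lines are the post's own, the "Access denied" lines, their rule ids, hostnames, timestamps and unique ids are made up for the example.

```python
"""Summarize ModSecurity events from nginx error.log.

Added example (not from the original post). Reads error.log from stdin,
or falls back to the constructed SAMPLE_LOG when run without input.
"""
import re
import sys
from collections import Counter

# Constructed sample: version/mutex lines quoted in the post plus made-up
# "Access denied" lines in the format ModSecurity 2.x writes for nginx.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 05:12:03 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:tautology)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-id-1"]
2015/01/26 05:12:09 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:script)" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "31"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-id-2"]
2015/01/26 05:13:40 [error] 61610#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:tautology)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/login.php"] [unique_id "constructed-id-3"]
"""

# [key "value"] pairs; the value may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# [client 10.11.15.161] has no quotes, so it gets its own pattern.
CLIENT_RE = re.compile(r"\[client ([^\]]+)\]")
# The "compiled version ... loaded version" notices from troubleshooting item 4.
VERSION_RE = re.compile(r'ModSecurity: (\w+) compiled version="([^"]*)"; loaded version="([^"]*)"')


def parse_fields(line):
    """Return the [key "value"] fields of one ModSecurity log line as a dict."""
    return dict(FIELD_RE.findall(line))


def version_mismatches(lines):
    """Map library -> (compiled, loaded) where the version numbers differ.

    Only the leading dotted version is compared, so PCRE's '7.8 ' against
    '7.8 2008-09-05' (same version, extra build date) is not reported,
    while APR 1.5.0 against 1.3.9 is.
    """
    found = {}
    for line in lines:
        match = VERSION_RE.search(line)
        if not match:
            continue
        lib, compiled, loaded = match.groups()
        compiled_num = (compiled.split() or [""])[0]
        loaded_num = (loaded.split() or [""])[0]
        if compiled_num != loaded_num:
            found[lib] = (compiled.strip(), loaded.strip())
    return found


def denied_requests(lines):
    """Yield (client, rule_id, uri, msg) for each request ModSecurity blocked."""
    for line in lines:
        if "ModSecurity: Access denied" not in line:
            continue
        fields = parse_fields(line)
        client = CLIENT_RE.search(line)
        yield (client.group(1) if client else "?",
               fields.get("id", "?"), fields.get("uri", "?"), fields.get("msg", ""))


def summarize(log_text):
    """Aggregate one error.log into counters a defender wants to look at first."""
    lines = log_text.splitlines()
    denied = list(denied_requests(lines))
    return {
        "denied_total": len(denied),
        "by_rule": Counter(rule_id for _, rule_id, _, _ in denied),
        "by_client": Counter(client for client, _, _, _ in denied),
        "by_uri": Counter(uri for _, _, uri, _ in denied),
        "audit_log_errors": sum("Audit log:" in line for line in lines),
        "version_mismatches": version_mismatches(lines),
    }


if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    report = summarize(text)
    print(f"blocked requests: {report['denied_total']}")
    for rule_id, count in report["by_rule"].most_common():
        print(f"  rule {rule_id}: {count}")
    for client, count in report["by_client"].most_common():
        print(f"  client {client}: {count}")
    print(f"audit log errors: {report['audit_log_errors']}")
    for lib, (compiled, loaded) in report["version_mismatches"].items():
        print(f"{lib} mismatch: compiled {compiled}, loaded {loaded}")
```

Run it as `python3 modsec_log_summary.py < /opt/tengine/logs/error.log` (the script name and log path are assumptions). A rule id that dominates the per-rule count on ordinary traffic is the first candidate for a SecRuleRemoveById exclusion; a non-zero audit-log error count means the Concurrent audit log from item 5 is still not writable by the worker processes.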

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614