|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。" w$ v* S3 A, O9 q' R* T2 `
1 Y: K0 M; p+ W( O) M; i4 g" M9 F
一.准备工作
4 @$ ]! @2 R" x, J& v3 Q! a) q8 t+ R) z* R( i% ?8 ]# C. l' M
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
1 o7 b3 t' T1 {6 |' i. l* x" O2 Y0 f, O/ @0 |9 M
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
! u6 [1 q- P: o
5 [- L5 R* |. \& M$ I: `modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz% B% T# N; _' v: E" F! U4 u
) P! x4 F* i" Y/ ]
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs/ \! ], z! F+ U* r9 a- P0 x. U
' q1 j. t3 r; J6 J0 [! @* W
依赖关系:
6 `/ N/ U. m+ otengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
$ ?- z" Q2 x$ m8 ~; @6 `' g* l; Z+ C/ b1 p& d/ y
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel- `: ]2 {, h- c5 F
modsecurty依赖的包:pcre httpd-devel libxml2 apr/ k" V! s& U$ E/ f
/ P' x- n6 A$ ^8 cyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel# D! Y8 g# f% K4 o* {) D2 I4 a
二.启用standalone模块并编译
& K( D) h: B' S" A B: F% q
" V' a4 E" f, R4 L/ O下载modsecurity for nginx 解压,进入解压后目录执行:
/ r% L* f+ ?2 R3 \, K
0 G5 r, W7 i. @ T./autogen.sh1 i$ a% l9 K5 C# ? m: e6 P4 {5 \
./configure --enable-standalone-module --disable-mlogc
0 r& h8 |8 I: Y9 x9 d: \5 Xmake
; G0 V$ T) P& Y. I2 o8 _三.nginx添加modsecurity模块6 r; u' X; e! J- j2 O; t: {
1 B* W( @- b4 \0 T" `: n
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:7 |+ {, Y, C/ j6 z5 I3 B( _) s) ?
) M% d" E* [, S9 O! N) z, n6 G% I
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine1 K4 [/ y& w/ r
make && make install
) C$ z7 L+ P3 a i# t* L四.添加规则* g( q6 Y! r/ T; v& c
5 Y. g i1 w; A, [. k* ^0 U( C
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
$ ]& D9 D6 u. S" o# ]
+ P8 k( C4 L7 d, H7 A. ]- p1.下载OWASP规则:
6 }) {6 c' A- _% L( M
/ b, i( x. L0 P D3 K* mgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
) O$ P5 D4 W5 [ N. i# N0 |) e
3 K) @- b3 g' C# emv owasp-modsecurity-crs /opt/tengine/conf/
" R( u0 R! ?$ [- P; f1 m
0 g( x7 B% |% u3 H( Vcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf6 K, F" a! q) P. ]* K6 l
2.启用OWASP规则:
5 e- _) N- D7 k$ I" [9 L6 f% v- r. @) V$ I0 v7 }
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。3 V e+ T7 C. B) }3 `) _7 v
r v0 }9 R& {( t5 S
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
; a7 M5 K- j" T) a# v$ ~* w: t8 X; e! _' R- i
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。 W# I) q2 U) d! r {: i5 v
" D$ p/ |. f' X& X
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf: W' t- J' b; E) N
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf2 G9 k1 e w; V+ l1 B% o
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf6 s7 M. E! o3 w" Y2 R
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
9 J! L/ G+ h4 Q$ x; Q9 jInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf* D r: [, M, G5 e# H
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
# ]/ _7 o! E; u/ r2 X/ g) hInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf$ s0 }; J3 f7 d
五.配置nginx& [1 d9 l6 @; O7 @
( [. r, W2 d: @% s9 r$ p
在需要启用modsecurity的主机的location下面加入下面两行即可:4 T9 y- s' X, s0 v7 P7 g: Y& |& Z0 \& e
) \& o0 F& g2 A4 f1 [# C' |ModSecurityEnabled on; . F6 x9 v0 I6 c6 b! P2 C
ModSecurityConfig modsecurity.conf;( W& B0 E" l/ j: \
下面是两个示例配置,php虚拟主机:
% z3 s* v6 [( k" G4 s% ] Z+ B( v& ^5 v
server {; W' v: `3 E6 u
listen 80;' q0 R3 H" S" n4 h" Q% S* m: z
server_name 52os.net www.52os.net;4 t6 k, d* V/ W; N1 t, s
( H: S' B& Z2 O: u! J0 U
location ~ \.php$ {
W6 K4 {2 J2 ?9 I; L" [ ModSecurityEnabled on;
* x1 \8 a* F/ u, ^+ { ModSecurityConfig modsecurity.conf;( r @$ A f5 {& h! S- c- m: @
3 ~! G. c; s: ] I9 {
root /web/wordpress;) S0 [ d9 c+ @' ?+ y
index index.php index.html index.htm;' w7 O9 [5 Z+ ]5 u: n# {
% e) B# m1 G# ~" B' k4 G4 T, C
fastcgi_pass 127.0.0.1:9000;
8 V* H$ W* I, T fastcgi_index index.php;+ V. R: o* a( e9 |! J5 k
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;$ x$ f" M M, K& L+ U9 ~
include fastcgi_params;! w3 Y) x7 K, A2 u+ R8 L& _
}: g) E$ k3 B3 h: A
}
" N' Y6 ]( ~ t4 O0 k; I B. }upstream负载均衡:
v; h1 m7 D& A( N* @# V- q1 O+ Z# J5 A3 V& h" V, `
upstream 52os.net {, ~0 P! F+ B& }9 _8 C, X
server 192.168.1.100:8080;
& i0 U* g; A3 ^8 u7 Z" j5 S server 192.168.1.101:8080 backup;3 B5 V" c' `4 U4 E: G
}0 s/ i/ y$ h. F
7 x; r8 q% n. O% P1 P, D; z* @server {
: e. q* J* `7 T8 alisten 80;: v! z2 D5 M7 y, x( _+ `
server_name 52os.net www.52os.net;
+ U" L- a7 G* j0 g! R" W/ n, _) K% G5 t0 e6 V
location / {
& t+ f) \" P; _# E ModSecurityEnabled on;
$ c. w+ C- y: B) N$ k" ?9 ` ModSecurityConfig modsecurity.conf;
& `# O3 f9 A. i: }3 H, `* B" t3 p
- k+ j1 E6 M# W: q1 W proxy_pass http://online;
% v+ Y8 y0 m2 s( D& h proxy_redirect off;# J+ K, I3 }2 D% o/ f3 Z) m. K
proxy_set_header Host $host;8 K1 e n5 g/ [, k. e- O
proxy_set_header X-Real-IP $remote_addr;% e! I' a7 ^0 [% ?9 F+ A( o2 V
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
5 s0 `- t0 [1 d7 Z% ^9 L( P+ J/ T }; q' l' c1 ?- l' ]# V, k
}- z; _- b) E- F6 \9 i1 q; I
六.测试
: I/ N2 K8 I/ C7 [/ m( c# x. g# F2 Z c7 u( d2 P
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
G8 S; o% [" k/ h
' i) X' C% i, o' a) E9 |/ I2 V4 n<?php
+ N7 R. r: R/ B. M6 _. Q& L' J phpinfo(); u6 w8 h* y+ D1 |
?>
9 y' a4 }: `$ B0 Y8 v" b: z在浏览器中访问:. A4 N- Z0 x5 Q% T& N- L/ s* X
: U) p+ z# `, {* E9 e
http://www.52os.net/phpinfo.php?id=1 正常显示。
) \, } m T# w4 jhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
: F" w& W8 ]) k/ F0 W/ Whttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。1 f' R" ?! K8 Y6 }/ P. ~: m8 }6 Y+ Q
说明sql注入和xss已经被过滤了
3 `5 F/ a4 F, i
( |" I0 H8 r. I1 f% z' S七、安装过程中排错 X3 f0 `" I9 ~5 y" W" i- D* J. C# [
, Z9 W; {* w2 C, e3 ~; K
1.缺少APXS会报错
, Q2 }0 r3 H- i5 w' l1 A; o9 m/ i: g M" y/ o
configure: looking for Apache module support via DSO through APXS
w/ m# v0 C# l% g: [! L. h* Q7 zconfigure: error: couldn't find APXS0 ^3 l! y) E" E- V) E( z2 U4 z# G! F
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
& L" o' N4 N5 E2 d解决方法:$ s; b, a" p9 W5 v7 m H8 m% v4 d
! P2 ?+ Y* Q+ A, B# r6 L5 ^yum install httpd-devel! o4 S3 _: L0 |: D W; I V" T+ \
2.没有pcre
5 `1 h" w( F5 Z+ `
5 @4 ?7 h# {6 l4 ?; Uconfigure: *** pcre library not found.* s" l2 j# G# @ Y/ F& {
configure: error: pcre library is required
- ], ]2 [ i% B* q- D解决方法:
5 s% e% k$ K y# S' v$ @) D. j0 f* v W7 e0 l
yum install pcre pcre-devel
7 _2 E0 B* n6 U3 R, T3.没有libxml2
5 w4 D) I9 C! `# P
# T; Y4 {3 P: v. Z# E$ b! i" Q7 G# N
configure: *** xml library not found.
# P9 O# G& e) Y1 v. s2 Pconfigure: error: libxml2 is required6 i; x* `# X: b
解决方法:; c- H& u! [; x; B# {* V; k
3 T2 U! q$ s+ x0 a- o+ B( myum install libxml2 libxml2-devel
. V+ E4 |( |% ~9 u: h4.执行 /opt/tengine/sbin/nginx -m 时有警告
( y; J+ J7 B! m+ Q) X" b+ Y% ?4 a% i1 i
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
0 }6 J% x* d5 g" \& x t6 C5 jnginx: [warn] ModSecurity: Loaded APR do not match with compiled!4 g# ?6 F" r6 `9 T
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
3 s6 V6 [4 \) D( p" U" A% _ {- h# a
" b; e7 y& ~) F- C7 T) x2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
/ D( h( p2 i: k) V2 U& D3 t5 E2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
7 b# z( ~. t0 P: i L/ a' l- g2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2 u% f2 C# y0 ^7 e7 f5 K, {2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
, } @; Q% }& U" i, @2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"0 ?5 M8 M: x' W" X& g4 \3 a& u
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
5 Y ]8 `: s1 l& [解决方法,移除低版本的APR (1.3.9)
9 E1 v4 P3 k) [
6 J# b3 C9 M( w; @6 J/ @yum remove apr
6 J+ s. T$ N5 R$ |5.Error.log中有: Audit log: Failed to lock global mutex, {) T* e. W! d- [3 s. x% X
; \6 ]1 i+ w) o! l4 C2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 6 o: h0 O# Y' o$ Q. N- |
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]8 F" ?7 i5 K& v
解决方法:. @3 y" Z' G! a7 d7 ^
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
& S% Q% |* ?3 V) B- w) o: I& \1 Z
2 ~1 A; [9 w G6 fSecAuditLogDirMode 07777 f+ o3 E% A) ?3 F
SecAuditLogFileMode 05503 q, H, U# L3 ~ W, Y
SecAuditLogStorageDir /var/log/modsecurity
8 I% E q5 C4 r% f% ^1 G! o8 {SecAuditLogType Concurrent
" B' `7 ^, d& h6 _7 `参考文章:- c; d$ `: u$ m( z8 L h& w: L
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
9 Y: `! ?1 g/ l/ {' x+ ]6 shttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡