|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。- w% l8 E# |: X: ? e; ~8 b
$ n; I' i4 u3 o9 p
一.准备工作9 g* v' r) I) u0 A; F4 |: _
+ o4 V7 D6 L9 {1 K8 F% y! u6 A
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
) E8 n: Q- i4 W2 I; k- [# I2 S# V. m; F8 \
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz$ }. Z4 l& K- ?4 ^
6 Z9 d+ ]( a9 {% y# u
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz1 q7 q% i! J% T
" _+ i/ R$ e, d6 m
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs3 p. T% b% p: p; ~( Q
! Y% U2 ^* Z+ |9 D- x( a
依赖关系:: n0 W. s% k! {8 l5 @9 y+ a$ A
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
9 @0 B: L4 O& V& {2 p2 }- N8 ]# }, A9 e7 M: G
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
% R( |% q% @- P' Tmodsecurty依赖的包:pcre httpd-devel libxml2 apr
. s0 F3 Y/ U A A0 y9 ?2 }* L! z% s* x+ f5 \
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
J0 N& L6 i' z4 s8 [3 E二.启用standalone模块并编译
6 I8 \' y# Y0 T+ h/ r* {( R* }+ n
下载modsecurity for nginx 解压,进入解压后目录执行:; w0 B" \2 D$ L) a0 @- [
3 ]. z" Q* R" h. [, h# m, O% O2 x
./autogen.sh/ ?* K( q/ y" y& e+ j& J5 d
./configure --enable-standalone-module --disable-mlogc
8 c" V( ~6 v- b, mmake ' T4 J+ x0 M% t+ X3 S, u( W; h3 ^
三.nginx添加modsecurity模块
+ ?1 A3 f7 I5 y; ~; ^8 J$ `) a D
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
3 }3 ?( c% N+ _. v$ F+ [+ k f) X
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine2 q* o9 |% Q5 e
make && make install
$ r, |" m) ^. O2 k四.添加规则# |4 o! Q. l3 Z( `9 q
( R9 f. A- F" e4 L$ J7 K2 Gmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。- V3 |0 i6 U+ d7 d& R+ }) h
9 K& j: [- D0 b* p1 q8 ?
1.下载OWASP规则:8 D+ ]# a. `6 Y/ c
. V* N" R; O+ _4 y/ K6 \- y! A
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
" y, c9 S4 }9 n0 a: G- |/ m" q
l x8 O' ~3 C7 v7 K/ o% @mv owasp-modsecurity-crs /opt/tengine/conf/
) n( i n4 X3 {; u4 P! W1 Z4 H
" N1 k. z& Z* i3 {- ucd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
, ]7 p6 X0 q8 g5 V! a2.启用OWASP规则:
6 T" p4 L6 H+ G/ Q/ G, ^' @6 O
2 J& _% O; d8 c复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
. j! }+ G$ d+ U6 x) ` Y6 ?. T. p8 {/ k1 M; z- J
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on; R) ^5 F2 {- y- I4 x1 W
$ }6 F) Z9 A( r8 V& uowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
) ^/ `2 `- ^+ V( |* K9 ~4 r, g/ m9 |6 ~/ a7 M2 w7 h8 @# V
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf/ C" V/ X- R3 d- R
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf# ]* }0 p' `5 Q% _- i
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf$ z9 h! Z0 m1 \+ Z- N7 O
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf C+ e. G; W( i. V n$ Y1 x
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf `$ A0 i# A6 P# s ]
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
+ U0 t# ?! O/ V3 ]" @# AInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
) f- c: i; ^7 X" Z! B7 ~& |五.配置nginx* I- e5 C# w) W6 f V
- I# }" `: m. N5 G3 d, l, Z8 M1 F
在需要启用modsecurity的主机的location下面加入下面两行即可:
: a" O h/ i6 F) X
; }# s9 E6 a# [0 i' ~ `5 ZModSecurityEnabled on; ; C' _; _3 _; S' {
ModSecurityConfig modsecurity.conf;
k# R2 ~5 U) P% c: i下面是两个示例配置,php虚拟主机:
0 R& ?+ m: K: s/ I( U6 y) }: n" j0 |' c
server {& v, N/ ?5 h8 J
listen 80;
3 I2 }0 p, A8 y0 `! c7 y9 H# w( s7 e server_name 52os.net www.52os.net;4 V+ s' R: [6 I5 t& I7 x
2 V/ K' Z' S% f0 v# ?& H& }1 c
location ~ \.php$ {( E9 E* A$ q+ \- i' j
ModSecurityEnabled on; 8 J& F$ a) ?, g I2 V
ModSecurityConfig modsecurity.conf;
/ {1 j1 Q' {1 J1 d* r. H% q/ c" g$ H" s" Z
root /web/wordpress;$ L( ]; Y( {" H+ X V. s6 X
index index.php index.html index.htm;1 g( e( {. c3 {3 ]( I2 n" U
$ J# J" d* J- p; ]! C! \% [7 t- G fastcgi_pass 127.0.0.1:9000;
M3 J: c' V3 V6 L1 `$ g fastcgi_index index.php;
) q, y& n3 H' V' ?3 L! K fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;* y S! j+ }5 |& T+ ?
include fastcgi_params;2 C0 ]8 B0 Y' l) i
}1 e5 M5 `# O4 U1 A7 W
}! ~0 c: {5 [5 W
upstream负载均衡:
" Q& O1 N8 g9 r0 s1 h2 @. {& _3 O5 H0 U( @; z& k+ U) I$ h4 _$ h
upstream 52os.net {$ P+ y( k2 @7 {3 Q
server 192.168.1.100:8080;
7 ?8 Q+ Z9 I r' N. Y( |8 j$ V* K' E server 192.168.1.101:8080 backup;
! x( X. o& @4 o+ D; Z( }}4 w v* i8 O2 K
: l7 b$ F- e7 v! X! Q. yserver {
9 a5 g3 U# Y8 b M) alisten 80;, f5 r& m6 c/ p
server_name 52os.net www.52os.net;
# I; Z# s7 O( l5 s
1 M2 l: _) o- ]location / {
, ~) M3 r% `+ x6 c. W3 w* Y$ }- ^ ModSecurityEnabled on;
/ d( g/ o1 X+ k! [0 ` D( x1 O ModSecurityConfig modsecurity.conf;
$ q& e+ o3 s$ e) _4 e9 a K
j$ m, Y C9 \! t/ L* n+ o! r proxy_pass http://online;
! p. b* B; k! I+ D9 u proxy_redirect off;
, I0 Q0 K5 E; K4 @ c4 C0 H5 m proxy_set_header Host $host;7 R) J4 ^6 M& l1 g
proxy_set_header X-Real-IP $remote_addr;8 \5 G9 |+ f! C- K6 r
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;( w% b9 A' o: r# y( j
}
' B3 y% W- A9 Z8 `. b}
Z: G7 B& E; ?$ q5 F六.测试
' ]! U1 ~- S6 Y( I* y! w4 p. }& [- e' f" A5 X- D
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:) ]0 B& d' K0 S1 ?3 P) H8 n4 b- K+ B/ I
! a# Z) s0 I+ Q8 q. c, d# v9 b4 k
<?php
% i9 M E8 Z( Y; i' t phpinfo(); + I4 m) c$ B, K$ c
?>' [. R1 ]2 I6 T. P' `7 T
在浏览器中访问:8 X5 f' T: V+ Z, {. C, j0 k0 I9 i& A
$ }0 H" ` i: u# r+ {7 L+ z$ o& N) Khttp://www.52os.net/phpinfo.php?id=1 正常显示。
) c. \ ~1 V" Thttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
0 F# \; @- D4 w4 q$ uhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
/ ^9 U3 g9 ^* J v6 j+ L$ {说明sql注入和xss已经被过滤了3 N0 i- b2 D1 p) S5 ]% J, J7 D e
: _- A* a" c4 `& x& S r! L七、安装过程中排错
D" L- X) U: N5 [* f7 l$ u ]" q7 r( y F A" y- r# |( Q
1.缺少APXS会报错
6 X/ F, |8 p* {6 d X |
! K! P2 `+ D6 r" Kconfigure: looking for Apache module support via DSO through APXS
2 k t$ S, ^) C& P( a5 |6 Q- A# fconfigure: error: couldn't find APXS7 G3 A$ u7 s4 {; T% K
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
' h0 h7 {5 d4 [. z8 x解决方法:# U7 ]2 Y3 G0 a( [4 g( V: Y
' Z5 b$ Q% i' b* |0 Y
yum install httpd-devel
5 \( a* m. R1 T6 z; S9 {2.没有pcre9 K% K" s/ y: }& ]4 M8 E
- ]: {9 S" L0 R& V! O" k; z
configure: *** pcre library not found., Z8 \- \0 O3 ]
configure: error: pcre library is required
7 E1 P4 u. M& s, B- `解决方法:
- q* e. S7 X3 o! w% `& C9 P
, T# t1 A9 n9 m! F6 p2 i9 _yum install pcre pcre-devel
7 O" k- _, D$ ~. A3.没有libxml2" t! Q( o' l: `
1 r. j* C( y6 H. ^; C
W$ C! q. P5 Z3 ]configure: *** xml library not found.9 v* p$ u. R9 n. G3 r4 h/ {' I
configure: error: libxml2 is required
4 h- ?9 {( `7 s f解决方法:' a z+ K" D* Q) m# T! l
" h1 s% t6 k. E+ z$ Wyum install libxml2 libxml2-devel/ z+ o8 O/ T8 Q
4.执行 /opt/tengine/sbin/nginx -m 时有警告( N$ k) E# N0 e) u1 v3 s
. I4 H" p3 g5 C$ Q
Tengine version: Tengine/2.1.0 (nginx/1.6.2)( ^& V# {( S& ]# k) \
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
5 k: r7 _; ?4 H7 d1 C原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
7 a0 _" p/ G( q/ X" P* W2 l6 ~: X) c9 U1 t
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.' T. W. d3 r. I0 s5 ^
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"5 X% n( f, D2 a/ [8 \0 W4 T
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
; W6 y$ h/ x. d9 A. q2 V! r5 U2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"" x' ]$ F2 N. B( S
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"" W+ J& H' k' K" C: {* [0 c2 Y5 u
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
8 j' A+ `( T3 s) Z2 X解决方法,移除低版本的APR (1.3.9): ?! b7 ~: P6 S- A" l
% W/ V/ z( x O2 h
yum remove apr7 Z- F7 g/ u5 |9 ]( B
5.Error.log中有: Audit log: Failed to lock global mutex
! a3 D4 c( U2 r& ~( l: Q
) y. E% u- ^. g4 z8 I1 K2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
4 K( K2 z! @ l1 r3 A+ t5 N6 V$ Q$ dglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]8 q1 M5 ]: q9 `8 H7 W
解决方法:
* V6 \/ S4 }8 g* J7 n+ K5 b编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
; S' J* q7 b$ R* p; A
8 p @2 W, x+ a) p' r3 BSecAuditLogDirMode 0777
( c/ Z- r1 q, W( x9 sSecAuditLogFileMode 0550
! p' P, V; j% N/ hSecAuditLogStorageDir /var/log/modsecurity0 v& c8 x) s8 \: j2 F ]
SecAuditLogType Concurrent
- I3 P5 ~& p# U K0 p& D- [% u参考文章:
/ _$ i6 D% d( s$ R5 h9 ehttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
) b0 G4 T, ~5 f# khttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡