ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web front end. It now supports nginx and IIS as well; combined with nginx's flexibility and performance it can be built into a production-grade WAF, and it is a strong tool for both protecting and auditing web traffic.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module has been built, the nginx build can pick it up through "--add-module" (run in the Tengine source directory):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity's job is to filter and block dangerous web traffic, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); the rules are reliable and powerful, and you can of course write custom rules for your own needs.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with it set to DetectionOnly, which only logs and does not block).

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need by adding an Include line for each rule file to modsecurity.conf, with the setup file first:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

In the location block of every virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host (the original had $Document_root, which nginx rejects as an unknown variable; nginx variable names are case-sensitive and the correct one is $document_root):

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing (the proxy_pass target must be the name of the upstream block; the original pointed at an undefined upstream called "online"):

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, abnormal requests are answered directly with a 403. Using the PHP environment as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This confirms that SQL injection and XSS requests are being filtered.
7. Troubleshooting the installation

1) Missing APXS makes configure fail

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP Server; it turns one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2) pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4) Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same mismatch:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The storage directory must exist before nginx starts. Note that 0777 on the audit-log directory is wider than necessary: it only has to be writable by the user the nginx worker processes run as.
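As an added example (not part of the original post), here is a small Python triage script for the ModSecurity entries that this setup writes to nginx's error.log. It separates rule blocks (the 403 responses from the test step in section 6) from engine errors such as the audit-log mutex failure in item 5, and counts blocks per rule id and per URI. The sample log lines are constructed for the example, modeled on the error.log format shown above; the rule ids and messages in them are sample values.

```python
import re
from collections import Counter

# nginx prefix, optional [client ...] tag, then a message ending in [key "value"] pairs.
HEAD_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<msg>.*)$')
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample lines (not real logs), modeled on the error.log format above.
SAMPLE_LOG = [
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: '
    'Audit log: Failed to lock global mutex: Permission denied [hostname ""] '
    '[uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
    '2015/01/26 04:16:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: '
    'Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. '
    '[id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] '
    '[hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "c1"]',
    '2015/01/26 04:16:05 [error] 61610#0: [client 10.11.15.161] ModSecurity: '
    'Access denied with code 403 (phase 2). Pattern match "..." at ARGS:search. '
    '[id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] '
    '[hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "c2"]',
    '2015/01/26 04:16:09 [notice] 61610#0: signal process started',
]

def parse_entry(line):
    """Parse one line; return None for lines that are not ModSecurity entries."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["fields"] = dict(KV_RE.findall(entry["msg"]))
    # Rule hits carry [id "..."]; engine problems (e.g. the mutex failure) do not.
    entry["kind"] = "block" if "id" in entry["fields"] else "engine_error"
    return entry

def summarize(lines):
    """Count blocks per rule id and per URI; collect engine error messages."""
    by_rule, by_uri, errors = Counter(), Counter(), []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        if e["kind"] == "block":
            by_rule[e["fields"]["id"]] += 1
            by_uri[e["fields"].get("uri", "?")] += 1
        else:
            errors.append(e["msg"].split(" [")[0])
    return by_rule, by_uri, errors
```

Run it over the real file with summarize(open("/opt/tengine/logs/error.log")) once the WAF is live; a non-empty engine_error list means the engine itself needs attention before the block counts can be trusted.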
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614