|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
! l) a' w0 G+ a: `
$ H) l! d) [1 G% C一.准备工作0 k8 D: X5 d) {
7 l* W' d" y! w. U& J系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0' r, ]- T5 o/ r' V
; O" b/ D7 l9 ]& e: |( e- u9 ?' R) h
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz6 ]( ~( i9 X' C0 ^1 b( }
( T5 H$ f; X+ J) _ \% I, D8 U \# I3 |
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
9 g+ }6 ]8 Q7 @+ H# Q0 y4 a: N! J/ Q* g, R
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
; d' K4 Y( W4 [- y, q. N9 L
1 j6 ?0 ?' D) o! q6 k依赖关系:! c8 o5 A& p$ b; O6 z
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
% S. u* _% w2 e2 S+ p( O7 V
3 W! m1 Z! U5 P" v9 ?; ]yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
- @0 k5 h0 ?( J% [: k& P- mmodsecurty依赖的包:pcre httpd-devel libxml2 apr: K+ x4 c! {" M; }* T+ ^
$ N& n/ ^4 D c. J. m$ v
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
. R: A w+ m1 C {+ ^二.启用standalone模块并编译5 X4 \* Q! U3 K% g9 y) B9 N; J
; w/ [, u! a; ~/ _7 Q
下载modsecurity for nginx 解压,进入解压后目录执行:
2 E+ s! b# c( u- E: H
: z) }3 F' E) M0 K./autogen.sh
+ ~: @' [' `) [+ P2 B& @* y9 [./configure --enable-standalone-module --disable-mlogc7 n4 J5 ^% T- l3 m7 x0 f
make + o3 L; N1 @% w* k9 i; Y
三.nginx添加modsecurity模块
2 V0 K& p9 A8 F: ~; u* \# U! k/ N0 M, A0 D2 K9 \
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
9 M3 h, Y4 m" i+ b
$ ]- g# o" U0 r& U% Q./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
5 X7 L* m$ ?& d7 s9 ^make && make install
: M, N* _& v, s四.添加规则
+ V4 W/ J6 Z7 R7 D5 n' J5 r- f, U; z
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。3 O$ D2 t# F }4 h5 D
/ g8 _8 q& p/ W r8 _, R; ~0 d1.下载OWASP规则:
4 ~# R2 m" X9 B5 D% J; b( Q+ b1 L, e: p
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs3 q+ r* z' r# n
: x. \5 }7 s6 k2 t
mv owasp-modsecurity-crs /opt/tengine/conf/ f4 C& Z' I0 K* @6 _: V
9 K8 ^+ M; Z3 c5 I' G: Gcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
* u& [/ D# k& X9 i- ^+ n2.启用OWASP规则:
( C' u; F+ P* h2 M9 e; j: Q
" @; C4 h( I( [( m3 a复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。$ M% t/ W, a5 z% _6 v
. T F Z7 ?) @& _* ]4 L; F" ^, _编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
+ v' A* v2 m8 x; D2 v: ?
- d) W: {" l; Y) k* r' |: {+ Iowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
1 C7 V2 W0 b$ v+ v& p. v
9 e7 e7 m% N0 F- Z: c( NInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf, Q% T2 J1 m8 x) [2 ]( Y7 H6 ?
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
7 l, d7 M+ L2 P7 \! c2 wInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
& I" y0 m0 f" i5 {8 s. I$ TInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
& O5 q G5 U: `% ^( ^Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
% i0 b3 z2 A' \) ~8 kInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf+ W" n. e3 {* G; Z! g
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5 A: B9 D: z9 F; B3 n4 `五.配置nginx
; F9 |* H, h3 x( ]# a% q$ \6 t& u7 L& d0 o
在需要启用modsecurity的主机的location下面加入下面两行即可:
$ F' G- I: }2 N8 V3 ~ M
: X H) D; n2 q/ i i; S$ ?. CModSecurityEnabled on; + b B) k/ ~ L1 x6 Z. S
ModSecurityConfig modsecurity.conf;5 S; G8 c8 ^" v& X
下面是两个示例配置,php虚拟主机:2 b2 n" i: L1 i6 R4 K& p9 n
) ]+ E. ~( g. |5 t) f: |; Q
server {
3 x# y# p* V/ B/ m6 x r7 G( Z listen 80;
3 M R+ r- y9 s1 p* t1 @ server_name 52os.net www.52os.net;
7 s$ I: p1 `; `" {
1 X5 b( |; c2 e* N location ~ \.php$ {
u6 I1 N1 Y. V4 O ModSecurityEnabled on; ) N/ d) d+ H0 H
ModSecurityConfig modsecurity.conf;! r5 l4 I5 w1 H. F2 p
) O. Z3 g/ ?- G2 n& X& d+ b" f$ S
root /web/wordpress;. Z8 l5 b3 g! I
index index.php index.html index.htm;
! T% P; L' F2 }! { 1 a( W# b. [" v% e% c5 U. n' E
fastcgi_pass 127.0.0.1:9000;
1 ]+ D& c. Q4 @) x3 {7 S fastcgi_index index.php;' d2 O4 V# z/ L N1 W" ~
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
3 g% h* J) C, ^, | include fastcgi_params;/ K" v- Z* C2 z" Z- Y) {
}
1 [8 y: d7 }8 P, l }
7 ?' P, w& l" `2 q7 p; f6 w/ Y2 \9 tupstream负载均衡:# z2 `1 _) m9 [- X
) H; y" i6 u3 ?1 O
upstream 52os.net {
! m8 M& y# J. t w server 192.168.1.100:8080;
( W" c* e/ D1 P: m r server 192.168.1.101:8080 backup;) r& O# d$ Z( D, _2 K H
}
$ |- c5 J1 ]8 S2 B3 G: A& @! i/ i' q4 ?. O: b$ K# |/ X
server {
A1 x4 |) S6 klisten 80;
) N' p0 p2 A: c! |+ a3 `server_name 52os.net www.52os.net;' M- d R1 x6 [
, x6 y3 i2 }% ?1 B. olocation / {
% I9 e8 z j: N: {1 e ModSecurityEnabled on; - U5 I, x' q* t% _3 }1 z
ModSecurityConfig modsecurity.conf; T ?" y+ g# q
) D" {# h' a0 Y" T/ J. a
proxy_pass http://online;/ i* l9 n6 _" Z6 g; q3 B7 `& C5 I: k
proxy_redirect off;
' J+ ^; V# l$ Z9 d& h proxy_set_header Host $host;* i+ e) R8 u- Q# f2 e
proxy_set_header X-Real-IP $remote_addr;) y( S4 \7 E2 x
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;4 k7 F; R8 z* C+ T- ^+ x0 ?
}
! m, W7 i# I, a9 Z5 Z}
5 h( t1 e& {4 R六.测试
7 G; ^. d& y# ?- g4 Z) u. ~( d; _) A6 ~- S$ }, o# n7 `# z s
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
4 i5 i8 N/ s9 `. U" ?9 h/ Z0 F2 V; |+ d
<?php
{7 I5 W- T7 E5 g, J6 ^ phpinfo(); $ A- C6 r% {& E! k
?>( X* L% `9 @& m" {: B0 c4 r
在浏览器中访问:
6 G4 V7 M8 M: P* W5 r8 s; ]/ c; `4 J# G( q# h5 ?
http://www.52os.net/phpinfo.php?id=1 正常显示。
) C. @% Z8 [9 r8 s3 G& J& S$ \http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
! K' d$ ~9 U3 ~: @& thttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。/ J/ [+ n) J0 F. a3 E: a F: Z' r3 r
说明sql注入和xss已经被过滤了 c" Z* y, n% v2 ]1 n
0 c4 ?4 g `) ~) Z% t
七、安装过程中排错
9 n' r' m: s7 d) ?4 D& [. P5 e
& l) o) j; h9 m. Z. \- b6 F& ^1.缺少APXS会报错2 @* v: f5 C( e# |' p( v a1 J
3 Z* z j1 p& R1 J6 uconfigure: looking for Apache module support via DSO through APXS6 {1 y* m6 U' i m
configure: error: couldn't find APXS
) i* v& A1 L, japxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。$ p& Z& M8 y2 W: L
解决方法:8 U$ X% C; H' T3 J
w+ i; }; D! V2 A8 g: u
yum install httpd-devel' n' @3 ^+ L* V; c
2.没有pcre6 Q1 h7 x) ?7 ]; v
: q5 \3 Z7 B$ P4 wconfigure: *** pcre library not found.) r- p. x3 F3 l) e7 N# @' f
configure: error: pcre library is required
/ w5 ^. C8 N( Q- ?解决方法:
4 O" M1 W% h b: H4 i( x4 b! H
/ N# I* R0 E- v4 A) \9 Z, {' hyum install pcre pcre-devel
) y) D9 { c( V4 S" v6 ?8 A3.没有libxml2
" f- _( Y9 B8 s
, B( ]! f! {8 ~5 K8 {; ^8 ] G" n! C1 L* t
configure: *** xml library not found.
! C3 ^3 j) S, \configure: error: libxml2 is required
+ l) }: U& g' o. K, a/ t9 {解决方法:
& k& g5 o! l! G; p5 G. j6 g% E3 F) |5 |" C5 Q
yum install libxml2 libxml2-devel
4 ~# o/ f6 p: S# Y, u; M, R( o4.执行 /opt/tengine/sbin/nginx -m 时有警告% K& d4 l* G J+ U/ b( b9 a
# [, F3 V3 ?% Y3 ATengine version: Tengine/2.1.0 (nginx/1.6.2)) d, K) H( y5 s! O9 R" {
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!* }% B0 L3 e6 \
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
" E: w6 G) W9 a7 p/ W: } Q& D$ h
9 I+ ^% u8 ^& g" @. ^# K7 Z2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.* r, Q* V* \# q6 U. K2 p
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
( i& g9 n, U9 R, X9 [2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
; v; N% i, L' N+ B2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
' Y: V2 V1 t M. }2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"/ F8 R5 H' @; j. W; e5 b
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
# n r& n/ N- P. R! m解决方法,移除低版本的APR (1.3.9)
! e4 N6 }$ D* I0 _! U8 h
) X9 h3 f% v& N+ B2 U0 ^) l& cyum remove apr
, o& }& D4 j7 R/ Z3 W9 R5 G$ t5.Error.log中有: Audit log: Failed to lock global mutex6 `& u8 ]8 J ^. ]3 ^- w+ V
, E' A+ t) t6 F5 v" K, @! g4 i7 }
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
' D6 p7 [1 e9 x+ e) ?" W+ c4 Wglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]' i! k4 S4 W1 I2 k* e7 ]! `
解决方法:$ |( p3 \7 ?: y& q! M, i$ d4 [
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
7 Z" ^8 u7 `' n
: x5 x9 N0 _, h0 b. GSecAuditLogDirMode 07774 g p8 }# O. A- f% L( t
SecAuditLogFileMode 0550
1 o/ Z1 y7 k( s7 Z8 uSecAuditLogStorageDir /var/log/modsecurity
& G# L# K2 L' {4 GSecAuditLogType Concurrent- N1 q& c1 Q, U) T' X
参考文章:
5 h/ m ^) N8 Y: E. c ihttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX6 i: [0 H+ {) o7 @& y
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡