nginx with ModSecurity as a WAF
Posted 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache and is an effective way to harden web applications. It now also supports nginx and IIS; combined with the flexibility and efficiency of nginx it can be turned into a production-grade WAF, a strong tool for both protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build has finished, the module is added to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is about filtering and blocking web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write your own rules for specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

Note that these file names belong to the CRS 2.x layout current when this was written; a fresh clone of the repository today ships crs-setup.conf.example and a single rules/ directory instead, so adjust the paths below accordingly.
2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which only logs matches; leave that in place and the WAF looks installed but blocks nothing.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include for each rule file; the setup file must be included before any rule file because it defines the variables the rules rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
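As an added example (not part of the original post), here is a small Python pre-flight check to run on modsecurity.conf before reloading nginx. It flags the two mistakes that most often leave the WAF silently passive: SecRuleEngine still at DetectionOnly, and an Include pointing at a file that does not exist. The embedded sample configuration is constructed from the directives used above, and the check assumes that relative Include paths resolve against the directory holding the nginx configuration (/opt/tengine/conf here).

```python
"""Pre-flight check for modsecurity.conf: engine mode and Include targets."""
import os
import shlex
import sys

# Constructed sample mirroring the directives used in the post. The first
# directive is the value modsecurity.conf-recommended ships with.
SAMPLE_CONF = """\
# modsecurity.conf (excerpt)
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
"""


def parse_directives(text):
    """Yield (name, args) per directive; joins backslash-continued lines
    (as CRS rule files use) and skips blank lines and comments."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line = pending + " " + line
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            parts = line.split()
        if parts:
            yield parts[0], parts[1:]


def audit_conf(text, conf_dir, exists=os.path.isfile):
    """Return a list of findings; an empty list means the file is ready to
    enforce. Relative Include paths are resolved against conf_dir (assumed
    to be the nginx conf directory, e.g. /opt/tengine/conf)."""
    findings = []
    engine = None
    for name, args in parse_directives(text):
        if name == "SecRuleEngine" and args:
            engine = args[0]
        elif name == "Include" and args:
            path = args[0]
            if not os.path.isabs(path):
                path = os.path.join(conf_dir, path)
            if not exists(path):
                findings.append("Include target missing: %s" % path)
    if engine is None:
        findings.append("SecRuleEngine not set: nothing will be blocked")
    elif engine != "On":
        findings.append("SecRuleEngine is %s: matches are logged, not blocked" % engine)
    return findings


if __name__ == "__main__":
    # Usage: python check_modsec.py /opt/tengine/conf/modsecurity.conf
    if len(sys.argv) > 1:
        conf_path = sys.argv[1]
        with open(conf_path) as fh:
            problems = audit_conf(fh.read(), os.path.dirname(os.path.abspath(conf_path)))
    else:  # no file given: run against the constructed sample
        problems = audit_conf(SAMPLE_CONF, "/opt/tengine/conf", exists=lambda p: False)
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)
```

Run it against the real file after every rule change and before `nginx -s reload`; a non-zero exit means the WAF would come up either non-enforcing or with a rule file missing.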
V. Configure nginx

Add these two lines inside the location block of each host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Only requests that hit a location carrying these directives are inspected, so add them to every location that needs coverage. Two example configurations follow. First, a PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        # ModSecurity inspects every request that reaches this location
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
Second, an upstream load-balancing setup:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # must name the upstream block defined above; an unknown name is
        # looked up in DNS and nginx refuses to start if it does not resolve
        proxy_pass http://52os.net;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests get a 403 straight away. Using the PHP setup as the example, create phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

So SQL injection and XSS are being filtered. Remove phpinfo.php once the test is done; it discloses the PHP configuration to anyone who can reach it.
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Check the transaction yum proposes before confirming: removing the system apr also removes every package that depends on it, httpd-devel included.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent logging writes one file per transaction under SecAuditLogStorageDir instead of a single serial log that the worker processes must lock. Treat 0777 as a quick workaround only: a world-writable audit directory lets any local user alter or delete the evidence, so on a production host make the directory owned by the nginx worker user and use a restrictive mode such as 0750.
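Items 4 and 5 are both diagnosed from lines ModSecurity writes to nginx's error.log. As an added example (not from the post), here is a Python parser for those lines. It compares compiled and loaded library versions by their numeric part, so PCRE's "7.8" versus "7.8 2008-09-05" is not reported as a mismatch while APR 1.5.0 versus 1.3.9 is, and it extracts the [client ...] address and the [key "value"] tags (hostname, uri, unique_id) from per-request messages so audit failures and blocks can be grouped. The embedded sample is constructed from the log lines quoted above.

```python
"""Parse ModSecurity messages from nginx error.log: library version notices
and per-request messages carrying [key "value"] tags."""
import re
from collections import Counter

# Constructed sample built from the error.log lines quoted in items 4 and 5.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# nginx error.log prefix: date time [level] pid#tid: message
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: (?P<msg>.*)$'
)
# ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"; loaded version="(?P<loaded>[^"]*)"'
)
# Trailing tags ModSecurity appends to request messages; the value may be empty.
TAG_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')
# [client 10.11.15.161] is the one bracketed field written without quotes.
CLIENT_RE = re.compile(r'\[client (?P<ip>[^\]]+)\]')


def version_number(text):
    """Leading dotted number of a version string: '7.8 2008-09-05' -> '7.8'."""
    match = re.match(r'\s*(\d+(?:\.\d+)*)', text)
    return match.group(1) if match else text.strip()


def parse_log(text):
    """Return {'mismatches': [(lib, compiled, loaded)], 'events': [dict]}.

    Version notices count as a mismatch only when their numeric versions
    differ; every other ModSecurity line becomes an event with timestamp,
    level, client address, message text and its tags."""
    mismatches, events = [], []
    for raw in text.splitlines():
        line = LINE_RE.match(raw)
        if not line or "ModSecurity" not in line.group("msg"):
            continue  # not a ModSecurity line
        msg = line.group("msg")
        version = VERSION_RE.search(msg)
        if version:
            compiled = version_number(version.group("compiled"))
            loaded = version_number(version.group("loaded"))
            if compiled != loaded:
                mismatches.append((version.group("lib"), compiled, loaded))
            continue
        client = CLIENT_RE.search(msg)
        _, sep, body = msg.partition("ModSecurity: ")
        if not sep:
            body = msg  # e.g. the "ModSecurity for nginx ... configured." notice
        first_tag = TAG_RE.search(body)
        events.append({
            "ts": line.group("ts"),
            "level": line.group("level"),
            "client": client.group("ip") if client else None,
            "message": (body[:first_tag.start()] if first_tag else body).strip(),
            "tags": {m.group("key"): m.group("val") for m in TAG_RE.finditer(body)},
        })
    return {"mismatches": mismatches, "events": events}


def count_messages(events):
    """How often each distinct message occurred; the first thing to look at
    when triaging a noisy error.log."""
    return Counter(event["message"] for event in events)


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    parsed = parse_log(source)
    for lib, compiled, loaded in parsed["mismatches"]:
        print("%s mismatch: compiled %s, loaded %s" % (lib, compiled, loaded))
    for message, n in count_messages(parsed["events"]).most_common():
        print("%5d  %s" % (n, message))
```

The same tag parser applies to the "Access denied with code 403" messages ModSecurity writes when a rule blocks a request, which is how the unique_id in a user's 403 complaint is matched to its audit-log entry.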
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614