|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
6 l _1 ^1 ]2 \( ?9 ?( N, |) ]4 x2 i5 F/ k- O6 u8 {
一.准备工作
! m1 N5 S+ J. v3 n, }
$ a" O3 @, @/ R/ T b: }3 o# a) E系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
4 G* C8 @+ p& ^2 v4 n: ?5 p: i4 `* s# h4 N
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
. b9 g; R" _" B- j$ ^9 L6 R
0 t# `% \) q8 a1 x5 Tmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz" R3 j% a+ b5 |2 f, x, ~3 \. O" u
5 z& a2 O5 E& w3 R
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs0 D; p( [* ` k/ L
7 C2 w: c. z4 s; @' a* k: N
依赖关系:
1 s/ N2 I# l8 M2 q2 ]9 Vtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:5 [$ H( R7 H* f/ b. ]( \9 f
# W- W4 x: A( M* J. pyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
0 `/ E9 j3 F1 j$ m0 Dmodsecurty依赖的包:pcre httpd-devel libxml2 apr- \+ J( M. M; E
& @: j8 \4 K- {% E `, T& \" |
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel; |9 Y m3 O- A8 Q
二.启用standalone模块并编译8 P& ~6 ^5 W( j/ A: ]( `
+ b: V4 @' K6 M. M- @. V" F下载modsecurity for nginx 解压,进入解压后目录执行:3 w/ ~% l$ n7 X
5 [! q0 \# k$ ]& m% n; E
./autogen.sh5 P+ i' A1 u4 T$ A% }9 g- q% O
./configure --enable-standalone-module --disable-mlogc
5 K( X- j" H# Q# `make
8 B, O5 J$ a: Z三.nginx添加modsecurity模块
T7 l6 P( e1 v3 W* u" J* n- }4 J0 r- M$ |+ m5 P8 w( F
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
# }( c6 @3 U* x2 l) j) W* \
: d0 b$ g( |* j8 u./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine4 j5 j' l9 h* e9 Z: | g
make && make install* l6 {6 j$ H: n" V% B. J
四.添加规则) m; N8 j- B; E: T
% y' G6 s' Z1 d) O2 z4 h1 a0 @
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。4 N) _" \* U% j5 o- m: Y
1 M# x" }; z: s. C7 y& C1.下载OWASP规则:
7 A$ d, I/ ]$ _* @- B8 _
v8 a4 V. l. D1 _git clone https://github.com/SpiderLabs/owasp-modsecurity-crs$ M4 F( L2 y. r
) g# z! ?/ C+ y- `2 }
mv owasp-modsecurity-crs /opt/tengine/conf/
: p* v) }/ O; C; @
$ p) J, @1 Y% F* ^cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
% a3 u2 V/ v) N8 U _; W. z2.启用OWASP规则:8 t- r4 z4 T" N: O
6 v* Y; V. K0 g复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
3 `1 y$ ~" Z" o6 W2 B' T- V9 R- [8 Y$ @ `% N3 T) O
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on9 Z2 ?4 U$ z, u' x! |4 s, ? w
6 Q: I4 k- |0 _. a9 X" _ w. l) {: Rowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
x! o- y$ ?1 j, D0 S& p/ M4 Z
/ B) D4 M6 c, J* M. O' @3 qInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
! b+ `0 \) s2 }, {+ F [Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf7 F% i# Y! X- K8 P8 w# x1 Q
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
5 r/ _1 ]- M0 S2 ?0 ^9 JInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf v- L: l* A* d( Z# k; q
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
, J# {- P8 p% S* q& gInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
8 Z7 J0 P! a; T0 wInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
0 |' D( \4 C) W2 y* e5 [) Z9 d/ Q五.配置nginx
# B/ V0 a8 L% Y- A
- D1 m& c/ s8 ~* u9 L在需要启用modsecurity的主机的location下面加入下面两行即可:6 o1 A7 S- r- i' [
6 x3 ^5 S, v [ModSecurityEnabled on;
, p X! ^! x+ W6 i& M* UModSecurityConfig modsecurity.conf; g( G& o9 Z- j& b I
下面是两个示例配置,php虚拟主机:
7 T/ a, F# [) Z Q+ E- g; R% u* B* c5 E6 c
server {
. O# N7 f7 r$ a3 s5 P& B listen 80;
4 Q+ x3 w6 q% d! i server_name 52os.net www.52os.net;
: k. J7 t. R* ~6 X! E2 t
# t# m: `9 _( ~ location ~ \.php$ {3 q% w$ t8 q6 \2 U; A$ y- e5 W- x
ModSecurityEnabled on;
- J! m2 N: A$ |( E5 v ModSecurityConfig modsecurity.conf;' t1 ?: l& B: T
1 D, u5 E0 F$ U# j
root /web/wordpress;$ z7 d9 K$ L+ U
index index.php index.html index.htm;, R. t! s0 G! ^8 V
3 _: J a C6 p6 E+ X3 T
fastcgi_pass 127.0.0.1:9000;
/ {: T; [" \2 B) U5 r: l fastcgi_index index.php;3 o& d5 X) J% g, u6 i4 r! c4 p+ ^
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;. k- V) g9 W2 I+ H' M) ~
include fastcgi_params;
' ^/ M: N! E9 V v! ~ Z8 R# v }" }8 e( a* m" U6 t3 W
}
# n1 ^. h( S' B7 M, I0 \& [: ]$ Cupstream负载均衡:; s; Q$ f7 r4 P
8 C9 v; e0 v' Z; b1 y2 l. }upstream 52os.net {/ u4 L* T3 S# |% f- y& B5 W* G
server 192.168.1.100:8080;
9 Z4 _1 @# j% O+ W% B* D+ _; f% A server 192.168.1.101:8080 backup;6 q; H4 }/ E+ n
}; s+ z% D/ h9 [# l j6 Y5 Z
- H+ Y: t' f9 C7 W
server {
+ P" q* O# F! F8 @; g5 blisten 80;1 J1 z; O' _4 u( N6 Q" w& \$ a! O
server_name 52os.net www.52os.net;9 w( I* o6 a8 v1 v9 c0 U% e
8 y$ Z) g' f' t% e" w( u
location / {
( J7 r5 p$ X% p. k- b ModSecurityEnabled on; # [ _1 o6 ]3 x" y
ModSecurityConfig modsecurity.conf; # s0 X$ u# G9 c$ q/ u) Y$ h
5 j2 @& \0 Y+ r0 A7 ^4 v
proxy_pass http://online;
/ A& g! K& G! _+ l proxy_redirect off;" u3 S: \0 g% b! ^0 y, h" q3 n" a
proxy_set_header Host $host;
1 k9 J Z( ? P/ w9 c proxy_set_header X-Real-IP $remote_addr; a/ @0 i/ V+ }9 s) d2 b! ^* t
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" P$ ]% z! p& ]* p
}
' d1 x; n& G7 h7 C* |* i}
3 u X$ H/ F" m# Y2 x( O2 e& E; g六.测试- g: i1 E- a, ]' q" g/ D2 @; h
8 q2 f% ]- B2 {! D
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
' t( |- S+ h/ D. u1 f& a, T: S. b( f1 R, K3 j, T
<?php X/ D, Y8 r+ F9 B |" N$ K' e
phpinfo();
1 R5 g% G3 i# T. _6 |5 a?>
4 [1 [7 {8 R. @ J6 } u5 y# J在浏览器中访问:
- _ d6 m' P; v9 ]3 D* Z, l- Y
$ U* X3 E* w; h5 b9 y) |http://www.52os.net/phpinfo.php?id=1 正常显示。
) F$ |7 I$ s& {( ~1 h8 r% O; ehttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
$ ]7 [+ h2 X& ^- s7 _" x. ]6 nhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。& X z* M+ @9 Q$ s C
说明sql注入和xss已经被过滤了
- I: ^" S0 P a3 ^9 d I S0 t; ]- q
七、安装过程中排错; z( Z0 s3 G, ^* M& Q. L6 w
( W) ]/ s3 ]2 w( Z1.缺少APXS会报错
; Y5 ~; J. m7 [/ Q5 l0 T. z$ e* j: v
configure: looking for Apache module support via DSO through APXS1 @4 x" [ y0 j }
configure: error: couldn't find APXS( m4 R( l9 T3 v! y( a! }
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
/ N. r& a/ A" z( g$ s解决方法:9 \; j! d+ j# c: I+ s
7 u6 n, B6 _7 z) Z2 i9 Xyum install httpd-devel" D% J* m% X- Y- k2 Y. H
2.没有pcre
6 Z! \+ F" |5 I* K6 @
$ n- H) S4 K5 a% ~& u/ b6 econfigure: *** pcre library not found.
/ w. x5 N0 G; S* M, Nconfigure: error: pcre library is required/ V, D7 ^0 G/ u* x! c
解决方法:- @" J) C' l% M# W' v
' J. f- `( X6 e) Fyum install pcre pcre-devel; @/ c. r6 W) E9 C) t e0 E
3.没有libxml2
, a9 U, H+ [2 F
8 p5 ^) ?, [+ v/ P2 Q- m0 J6 ]; B" u$ k/ a' M5 @4 t/ d
configure: *** xml library not found.% W Q4 j6 A6 N2 p- G9 F
configure: error: libxml2 is required0 {! ]( T" Z. x
解决方法:1 g3 Q: f7 W$ u6 d6 B R; M
- m8 r) _8 c8 r" {yum install libxml2 libxml2-devel! R H \+ L: V# K% d
4.执行 /opt/tengine/sbin/nginx -m 时有警告6 L l2 A6 _; y0 F
( u/ a, x8 n9 JTengine version: Tengine/2.1.0 (nginx/1.6.2)
# Z% Z$ g7 m, W% o9 ?nginx: [warn] ModSecurity: Loaded APR do not match with compiled!* \5 Y6 l R" e# X5 ^
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
" `7 {* {4 k9 S7 x+ ]5 W
, C7 \7 u* }1 o/ d2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured./ v/ _7 _% q" I# S% R
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"4 [; \* e- H+ x/ k
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!. v1 R0 r" [9 J# e% Y+ \
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"; h# P& r) l" ~: J# k
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"+ |" n) \3 D( K! g% p0 v: g
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.) ?' Z7 A( [+ @, N9 Z
解决方法,移除低版本的APR (1.3.9)% A% J- T; {$ H5 A2 f8 S
8 T. ~$ n6 G$ _1 jyum remove apr6 l% E, H- P$ N$ c
5.Error.log中有: Audit log: Failed to lock global mutex
' B( e0 b& i0 E' e* B. G. E& s& i Q: i
+ C) ?* ?) P( x3 q2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
* L6 h' P0 ?; U( W5 r9 n7 k# B2 oglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]: n2 A% E% G% Z- j5 D
解决方法:* P8 Y% j% x( a$ F
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
; `' ~* K/ @) @7 S7 W" x/ x0 }! k6 g& Y3 g4 m
SecAuditLogDirMode 0777
2 I' @( @7 Z/ ?$ }9 }SecAuditLogFileMode 0550
; f+ I0 g2 q }: D, l2 XSecAuditLogStorageDir /var/log/modsecurity: ]0 a! P. W4 C/ S
SecAuditLogType Concurrent4 T% W& S( S5 y, O
参考文章:
1 o: A/ U$ Y! H5 @https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX+ D8 k. U& `& M& ~2 C1 w p8 |
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡