|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
0 A# t7 A9 A" M: k) T
: h" B" N; r$ ~一.准备工作2 S2 w! B; V) G4 ]# @' ~! _( J
9 ~ b4 p7 n" l% M5 l系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.04 A0 H/ y I, u
8 n |# W3 c: J. y5 L- N/ b# l9 h: ^
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz; l& r. v( p' ^, o5 y* n' m0 p
# ~9 ]# ?% X# {! v
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz+ a8 _3 m- S' M1 z4 @9 O% b$ @
6 P( T& _" @$ ?) O3 _1 w. ` ]# L$ QOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs% d2 Y3 z2 ]: u$ x3 m
' n/ Q/ C. |1 S7 C- s1 j
依赖关系:
! a5 o4 `- W; W- ntengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:, j+ c; O9 p: j; g7 c( j
6 @: r9 U2 L+ ~# }1 @6 m6 u
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
9 |. n% F2 t# e+ umodsecurty依赖的包:pcre httpd-devel libxml2 apr
8 v/ W! ? b0 Q0 L# O' R' W' K; a" _5 j& r# Q' w# u6 |
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel/ h& @1 L/ ]6 O: ]! d- N
二.启用standalone模块并编译
4 s6 B7 j7 U7 Y: m6 Q/ x4 e, A! N2 g9 _$ t) g
下载modsecurity for nginx 解压,进入解压后目录执行:
. i1 p' f: B% U2 e: q" s2 f+ i7 A
./autogen.sh3 m p( b) l4 f# p
./configure --enable-standalone-module --disable-mlogc1 `" g$ R7 S; Q3 ]
make
& e5 ?) q+ |2 y: X2 G5 F. a% [: C三.nginx添加modsecurity模块
0 n& h- t8 P! y+ |1 x4 }( U3 J# V# `" D0 u' R4 \& N$ [9 E
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:5 o5 `; {1 H" I# A8 T1 d1 i! B
- }7 z4 _, R& s$ K./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine2 `" Z0 v$ _/ j# h2 L1 z
make && make install; ]5 M4 f# [% T/ k6 ~
四.添加规则) x/ I4 h) n% R" B
4 ?% Q+ c# i: y- J
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
, `: g) V; P1 p/ q
' b4 _. I q$ @# Q9 a# q1.下载OWASP规则:( j* N9 i* q, t
9 l4 z# u( y! N' z' c
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
& ~+ u% a" a& M
, R5 ]" ^: o6 ]" F3 h$ q& _8 b6 Jmv owasp-modsecurity-crs /opt/tengine/conf/
; F0 T4 @2 l9 e7 |
3 ?$ i3 ]. q( W! ? tcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
# x# M8 H5 S! ~9 Y! [2.启用OWASP规则:
1 \% a. [) `+ d# k, U, ^0 `
* ]" j$ Q8 H2 n7 s+ g复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
) z% z$ v/ }, p# J& g$ J) Z8 E( }6 b- K; U% K
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on) o* A$ \/ f& k. @0 b6 N0 q
% z2 K9 {4 i7 p0 i
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
: U& h3 h6 X: c$ N+ w5 D3 @- {) Z6 C1 B' Y% O8 q4 H
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf8 b$ m. A" V4 m/ F* ?1 b2 V. k
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
) E0 q; x# i3 f- J9 W3 \: e" i2 LInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
( a9 t2 U. V( @1 ?2 t/ zInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
$ U L' T; ^ S# x' y" jInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf0 }( G$ V, ?8 X# O; e/ z8 M) x
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
# J7 T. O) ]" x* [' n4 wInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
6 K8 A0 |$ |3 k. T/ l五.配置nginx
`) H# o: D. D7 x6 ^( k; U$ N, Z. y( f. v* V0 r! X4 g
在需要启用modsecurity的主机的location下面加入下面两行即可:
" X+ o$ W' A4 {7 A
, l1 y% @, M* x. X5 \ModSecurityEnabled on; 1 r4 d# b) H. L0 a# |& _0 J
ModSecurityConfig modsecurity.conf;9 }5 C, t2 L! ], ]) a7 Z. K3 |
下面是两个示例配置,php虚拟主机:
0 p! R" l1 g7 h6 k9 n
6 `9 v, V' k* o: x6 g& A2 ]/ zserver {# X- q" K4 `, V1 T1 ?
listen 80;) Z# x% w7 H: j3 t) A
server_name 52os.net www.52os.net;3 L7 [: z1 f6 c6 U
% z q+ e* p* k
location ~ \.php$ {- W$ ~! L/ \ X1 p: g
ModSecurityEnabled on;
' i" t1 M, b7 c9 |3 i7 A/ d3 C# O ModSecurityConfig modsecurity.conf;
7 M& c; s+ z5 d8 k; a
; k: y1 I& ^6 m2 `% M4 k" l' k, E! m root /web/wordpress;/ {; O- L- l9 j
index index.php index.html index.htm;
5 W0 x( j: q8 C, l+ Z; t2 B
5 }4 u3 q6 V8 p$ b fastcgi_pass 127.0.0.1:9000;9 t* a1 Q* e5 ~$ l; D0 H
fastcgi_index index.php;
1 f- }. ?% V) C0 o* J8 n5 T fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;9 b2 @4 j7 Z: H$ Z
include fastcgi_params;, t# s: Y$ S9 y. ~8 h
}
/ Y( {3 H1 ^' |0 D" V }
" q \2 q" Y5 @& @upstream负载均衡:8 R+ ~- Q: V" d" M" u( H
" ]8 Y; P: Q9 @5 Y+ @
upstream 52os.net {
$ m1 O9 x; g3 ~ J3 e! J7 ] server 192.168.1.100:8080;
. M8 C* _7 g, u5 [: E, ` server 192.168.1.101:8080 backup;
5 o# H, B+ u! z9 E( j; E}
: J; s7 i5 R3 }2 j# r
9 Q0 s2 T, a3 ]* g4 cserver {
" D* y- x2 V' Z, Klisten 80;
6 L5 t# R6 x( O$ Qserver_name 52os.net www.52os.net;7 n! f) i3 F$ u6 x$ ?0 w' N m) I2 E2 p
* ]7 W' O+ z0 K1 t- s2 s8 n
location / {+ I$ N! Q$ O8 _$ c9 |' H- |6 r9 V
ModSecurityEnabled on; 0 w1 [ D4 V; H2 X% C! P
ModSecurityConfig modsecurity.conf;
9 D$ _; H: S: a3 I5 d7 s! J8 R2 n- z8 P
proxy_pass http://online;/ C: E) |4 W1 T# ^; N
proxy_redirect off;
: n5 ^1 d' i+ z5 ~3 }& J proxy_set_header Host $host;2 u b& w$ N& Y0 y8 F1 R. A# \1 f
proxy_set_header X-Real-IP $remote_addr;
/ i5 j3 i+ `: f" E0 u F proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
* p' O0 P6 T3 t ^( j }
& E$ Q* Y0 U& n5 M}! H0 X) ~3 m q% m1 d' B$ h) D# F
六.测试
' l% b5 W9 s. c, d7 Y* V/ g; l" Y0 R! {8 K+ ]
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:* z6 i4 ]( m: [5 T
3 E5 i: Q) h, B: f8 @<?php) n K* o% g/ o- P: ?
phpinfo(); T+ {9 q2 Z+ n2 d* {
?>
0 o5 V- A7 P8 a- k在浏览器中访问:( r/ D" t9 a# F/ x
/ `; k1 n6 r; w8 X0 `2 Q @http://www.52os.net/phpinfo.php?id=1 正常显示。
+ }5 t: u. b2 i: {/ @; Shttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。2 w4 Q7 ]4 N- A: r
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。. ?" j& R% n" t2 ]1 |
说明sql注入和xss已经被过滤了
. V" B$ O" ~$ b0 z2 o7 i% W! r6 b7 o) d- | i n. ]3 g9 j% |( ~
七、安装过程中排错
- g: Y; j: G% s
% w3 n8 M' F* b3 ^2 c# Q7 o! c1.缺少APXS会报错
0 E8 n7 }! K2 O; p. j7 B
$ E2 t; G7 ^8 zconfigure: looking for Apache module support via DSO through APXS( W. w6 v* z4 t! z5 \
configure: error: couldn't find APXS5 L4 r2 M' q+ L/ Y x/ D* b* J, y
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
A. r1 o: x4 U- l1 H$ s解决方法:1 p* T! }. }! R2 X
6 c; O& M) r( H- E7 y
yum install httpd-devel8 Y6 v' t r& @# @2 H$ W
2.没有pcre5 U6 Y6 g/ E( y( u' y
# ?' |$ Q" R1 \$ I$ Q
configure: *** pcre library not found.
+ S; U b8 n8 L8 I8 a# i( zconfigure: error: pcre library is required- c5 T& k5 ]% V. ^2 G
解决方法:
! J& y* D, x1 h& I0 r
`, @! S( s& `- ?4 t' B: d- \1 uyum install pcre pcre-devel
- N, `8 n, X+ B! V3.没有libxml2
$ R4 z* e. v; X4 Q |( g6 t
/ n: i1 b A+ x/ G5 `$ J/ Y5 j3 w* p7 {: T- V. _
configure: *** xml library not found.
4 [- N- W, o% \- [/ }configure: error: libxml2 is required
( t5 ^) j' n6 {解决方法:! l/ f* ^0 ^" x# j
" s4 `3 F( O% ]0 T
yum install libxml2 libxml2-devel8 t# a" W8 A) u0 {8 s2 f) W6 a2 n
4.执行 /opt/tengine/sbin/nginx -m 时有警告
5 Y. l" V5 g0 _0 x. f/ s' s% w5 Y8 V6 r7 |. p2 M
Tengine version: Tengine/2.1.0 (nginx/1.6.2)/ J7 |. k! E2 o8 x; U$ ^
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
% c) c. _& c: a9 ~/ I: F1 j原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
l# ^" _ |+ q8 I) s- S
6 j8 x+ R+ l$ L: s. B2 m% d2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured., [$ N& o& r7 a9 H" c" F
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
6 K/ m0 C# @" c8 k2 m6 K2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
3 q' E& D: ]6 y! j9 m* f L1 y/ @2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"& Z' a! ?6 g D1 P
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"2 ~8 ?+ h0 N" _
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
$ y" u4 ^+ X9 K$ J解决方法,移除低版本的APR (1.3.9)
" h% i: _* |% _$ b% Y p
Z+ @( b0 E* F3 ]& p; Zyum remove apr
2 C5 X2 B( ^3 R0 @. \5 m5.Error.log中有: Audit log: Failed to lock global mutex
8 H2 }" x/ x% o: O( D g9 {3 P/ K' j; z% ~# b4 M
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock ( S9 m! z# }# p* ^
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
7 n5 M* J. a1 q解决方法:
$ c: C, @9 Q, a2 z7 x* k编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:- y, x! H/ Z6 N. z" Q3 r* o+ j& X
; d$ o. x5 w0 a7 o7 o: d! tSecAuditLogDirMode 0777
' A+ F' ]) U# X8 }' ~! zSecAuditLogFileMode 0550
7 l$ c( D# N8 Y" }# q* F5 [SecAuditLogStorageDir /var/log/modsecurity+ c5 E" o& Q' {9 S: s/ t
SecAuditLogType Concurrent, h. X; l- K2 I" P+ `7 V3 P9 m5 A$ S- A3 Q
参考文章:# v" C9 Z% M2 F$ ?5 e" S
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX" U3 Y7 f, C1 d/ m& {# j
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡