ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security. It now also supports nginx and IIS, and combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following from the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add ModSecurity to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is designed to filter and block web attacks, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and custom rules can of course be written to cover any additional needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling them in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
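A quick consistency check for the modsecurity.conf assembled above, added here as an example (it is not part of the original post or of ModSecurity): it reports a SecRuleEngine that is unset or not On, and Include lines whose target file does not exist, the two things that most often leave the WAF silently inactive or stop the configuration from loading. It assumes relative Include paths resolve against the nginx conf directory, as the Include lines above do; the `exists` parameter is a hypothetical hook so the check can run against a constructed layout.

```python
import os
import re

# Added example (not from the original post or from ModSecurity): lint a
# modsecurity.conf before reloading nginx. It flags a SecRuleEngine that is
# unset or not On (nothing is blocked) and Include lines whose target file
# is missing (e.g. the .example setup file was never renamed).
# Assumption: relative Include paths resolve against the nginx conf directory.

INCLUDE_RE = re.compile(r'^\s*Include\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)
ENGINE_RE = re.compile(r'^\s*SecRuleEngine\s+(\S+)', re.IGNORECASE)


def check_modsec_conf(conf_text, conf_dir, exists=os.path.exists):
    """Return (engine_mode, missing_include_paths). `exists` is a hypothetical
    hook so the check can run against a constructed layout instead of disk."""
    engine, missing = None, []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):       # Apache-style comment line
            continue
        m = ENGINE_RE.match(line)
        if m:
            engine = m.group(1)                  # a later directive overrides
            continue
        m = INCLUDE_RE.match(line)
        if m:
            path = m.group(1)
            if not os.path.isabs(path):
                path = os.path.join(conf_dir, path)
            if not exists(path):
                missing.append(path)
    return engine, missing


def report(conf_text, conf_dir, exists=os.path.exists):
    """Human-readable findings; an empty list means nothing was flagged."""
    engine, missing = check_modsec_conf(conf_text, conf_dir, exists)
    problems = []
    if engine is None:
        problems.append("SecRuleEngine is not set")
    elif engine.lower() != "on":
        problems.append("SecRuleEngine is %s, not On: rules are not enforced" % engine)
    problems += ["Include target missing: " + p for p in missing]
    return problems


if __name__ == "__main__":
    conf_dir = "/opt/tengine/conf"                # the prefix used in this post
    with open(os.path.join(conf_dir, "modsecurity.conf")) as f:
        print("\n".join(report(f.read(), conf_dir)) or "OK")
```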
V. Configure nginx

Add the following two lines inside the location block of any virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Test
We enabled the XSS and SQL injection filters, so abnormal requests are answered directly with a 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.
This shows that SQL injection and XSS are being filtered.

VII. Troubleshooting during installation

1. Missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time, and error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
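To tie a 403 seen in the browser test (section VI) back to the rule that fired, and to pick operational errors such as the mutex failure above out of error.log, the following added example (not part of the original post or of ModSecurity) parses the bracketed [key "value"] trailer that the ModSecurity nginx module writes to error.log. The sample lines are constructed: the first is the mutex error quoted above, the second is an illustrative rule match whose rule id, msg and pattern are placeholders, not real CRS values.

```python
import re
from collections import Counter

# Added example (not from the original post or from ModSecurity): parse the
# entries the ModSecurity nginx module writes to error.log. The trailing
# [key "value"] fields are ModSecurity's standard log format; values may
# contain backslash-escaped quotes, which the parser unescapes.

KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
DENIED_RE = re.compile(r'Access denied with code (\d+)')
LEVEL_RE = re.compile(r'\[(\w+)\] \d+#\d+:')


def parse_modsec_line(line):
    """Return a dict for a ModSecurity error.log line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    entry = {"level": None, "client": None, "denied_code": None}
    for key, rx in (("level", LEVEL_RE), ("client", CLIENT_RE), ("denied_code", DENIED_RE)):
        m = rx.search(line)
        if m:
            entry[key] = int(m.group(1)) if key == "denied_code" else m.group(1)
    body = line.split("ModSecurity:", 1)[1]
    first = KV_RE.search(body)                      # free text precedes the fields
    entry["message"] = (body[:first.start()] if first else body).strip()
    for key, value in KV_RE.findall(body):
        entry[key] = value.replace('\\"', '"')      # undo ModSecurity's escaping
    return entry


def blocked_summary(lines):
    """Count denied requests per (rule id, uri) over error.log lines."""
    counts = Counter()
    for line in lines:
        e = parse_modsec_line(line)
        if e and e["denied_code"] is not None:
            counts[(e.get("id"), e.get("uri"))] += 1
    return dict(counts)


# Constructed sample: line 1 is the mutex error quoted in section VII; line 2 is an
# illustrative rule match (id, msg and pattern are placeholders, not real CRS values).
SAMPLE_LOG = [
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock '
    'global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
    '2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 '
    '(phase 2). Pattern match "(?i:and 1=1)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/'
    'base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "999001"] '
    '[msg "SQL Injection Attack (placeholder)"] [data "Matched Data: \\"and 1=1\\""] [severity "CRITICAL"] '
    '[hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "placeholder00000000001"]',
]
```

Running blocked_summary over a real error.log after the browser test should show one count for each blocked URL, keyed by the CRS rule id that matched.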
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614