ModSecurity started life as an open-source WAF for Apache and is an effective way to harden a web application. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF, a strong tool for both protecting and auditing web traffic.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone build has finished, hand the module to nginx's configure with "--add-module" (the path is wherever the ModSecurity source was unpacked):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is about filtering and blocking dangerous web traffic, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and thorough, and you can of course also write your own rules for whatever else you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which logs matches but blocks nothing, so until this is changed no request is actually rejected.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever you need by adding an Include for each file to modsecurity.conf. Keep the setup file first: it defines the variables the other rule files rely on.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

In the location block of each host that should be protected, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Because the directives are per location, only requests that reach that location are inspected; anything served by other locations in the same server block passes the WAF untouched.

Two example configurations follow. First a PHP virtual host (note the lower-case $document_root: nginx variable names are case-sensitive, and a misspelt variable makes the configuration fail to load):

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Then an upstream load balancer (the upstream name must match the one used in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We enabled the XSS and SQL-injection rules, so a malicious request should come straight back as 403. Using the PHP host as the example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then open these URLs in a browser (the browser percent-encodes the spaces and angle brackets for you):

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

That shows the SQL-injection and XSS rules are in effect. Remove phpinfo.php once you are done: it discloses the PHP build, loaded extensions and filesystem paths to anyone who can reach it.
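To make the check above repeatable, for instance after every rule-set update, here is an added example script; it is not code from the original article. It sends the same three probes and compares the status codes with what the article expects. The host http://www.52os.net and the path /phpinfo.php are assumptions taken from the article's manual test (pass another base URL as the first argument). The fetch function is injectable so the logic can be exercised without a live WAF.

```python
"""WAF smoke test for the ModSecurity + Tengine setup described in this article.

Added example, not code from the original article. BASE_URL and PATH are
assumptions taken from the article's manual test; override BASE_URL on the
command line.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net"   # assumed from the article's test host
PATH = "/phpinfo.php"              # assumed from the article's test script

# (description, query parameters, expected status). The payloads are the
# article's; urlencode() does the percent-encoding a browser would do.
PROBES = [
    ("clean request", {"id": "1"}, 200),
    ("SQL injection", {"id": "1 and 1=1"}, 403),
    ("reflected XSS", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base_url, path, params):
    """Assemble a probe URL with percent-encoded query parameters."""
    return f"{base_url.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"


def http_status(url, timeout=5):
    """GET url and return the status code; a 4xx/5xx is a result, not a failure."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_probes(base_url=BASE_URL, path=PATH, fetch=http_status):
    """Run every probe; return (description, url, got, expected, passed) per probe.

    `fetch` is injectable so the logic can be exercised without a live WAF.
    """
    results = []
    for desc, params, expected in PROBES:
        url = build_url(base_url, path, params)
        got = fetch(url)
        results.append((desc, url, got, expected, got == expected))
    return results


def waf_is_working(results):
    """True only if the clean probe got through and every attack probe was blocked."""
    return all(passed for *_, passed in results)


if __name__ == "__main__":
    results = run_probes(sys.argv[1] if len(sys.argv) > 1 else BASE_URL)
    for desc, url, got, expected, passed in results:
        print(f"{'PASS' if passed else 'FAIL'} {desc}: got {got}, expected {expected}  {url}")
    sys.exit(0 if waf_is_working(results) else 1)
```

A FAIL on the clean probe means a false positive that will also hit real users; a FAIL on an attack probe usually means the corresponding Include is missing or SecRuleEngine is still DetectionOnly.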
7. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP Server, compiling one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when you only want the standalone build.
Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. The same thing shows up in error.log:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that only the 1.5.0 the module was built against is found at load time:

yum remove apr

Be aware that the apr package is a dependency of apr-util, httpd and httpd-devel, so yum removes those along with it. That is acceptable on a host that only runs nginx, but read the list yum prints before confirming.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

With the default serial format every transaction is appended to a single audit file under a global mutex, and the worker processes were not permitted to lock it; the concurrent format writes each transaction to its own file under /var/log/modsecurity instead. Make sure that directory exists and is writable by the nginx worker user. Audit logs hold full requests, including cookies and credentials, so a directory mode of 0777 is wider than necessary: a directory owned by the worker user with mode 0750 is enough and keeps other local users from reading or tampering with the logs.
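The two error.log symptoms in items 4 and 5 are easy to miss in a busy log. The following is an added example, not from the original article: it parses ModSecurity's messages out of nginx's error.log, flags any library whose loaded version differs from the compiled one in the start-up notices, and pulls the [key "value"] details off per-request messages, which is also the format ModSecurity uses when it blocks a request. The sample log is constructed from the article's excerpts; the blocked-request line, its rule id and file path are assumptions illustrating what a CRS hit looks like, not copied from the article.

```python
"""Parse ModSecurity messages out of nginx's error.log.

Added example, not part of the original article. SAMPLE_LOG is constructed
from the article's excerpts; the "Access denied" line is an assumed CRS hit.
"""
import re

# nginx error.log prefix: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
_PREFIX = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?P<msg>.*)$"
)
# Start-up notice: 'ModSecurity: LIB compiled version="a"; loaded version="b"'.
# LIBXML is reported with a compiled version only, so the loaded part is optional.
_VERSION = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)
# Per-request messages carry the client address and [key "value"] details.
_CLIENT = re.compile(r"\[client (?P<ip>[^\]]+)\]")
_FIELD = re.compile(r'\[(?P<key>\w+) "(?P<value>[^"]*)"\]')

# Constructed sample: the first six lines mirror the article's excerpts, the
# last one is an assumed CRS hit (rule id, file and line are illustrative).
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
"""


def parse_line(line):
    """Return a dict for one ModSecurity line from error.log, or None for any other line."""
    m = _PREFIX.match(line.strip())
    if not m or "ModSecurity" not in m.group("msg"):
        return None
    msg = m.group("msg")
    rec = {"level": m.group("level"), "pid": int(m.group("pid")), "msg": msg}
    v = _VERSION.search(msg)
    if v:
        compiled = v.group("compiled").strip()
        loaded = (v.group("loaded") or "").strip()
        rec.update(kind="version", lib=v.group("lib"), compiled=compiled, loaded=loaded,
                   # PCRE appends a build date to the loaded version; compare the number only
                   mismatch=bool(loaded) and compiled != loaded.split()[0])
        return rec
    c = _CLIENT.search(msg)
    if c:
        rec.update(kind="request", client=c.group("ip"),
                   fields=dict(_FIELD.findall(msg)),
                   blocked="Access denied" in msg,
                   audit_log_error="Audit log:" in msg)
        return rec
    rec["kind"] = "other"
    return rec


def summarize(lines):
    """Roll the parsed lines up into what an operator wants to see first."""
    recs = [r for r in map(parse_line, lines) if r]
    return {
        "mismatched_libs": sorted(r["lib"] for r in recs
                                  if r["kind"] == "version" and r["mismatch"]),
        "audit_log_errors": sum(1 for r in recs
                                if r["kind"] == "request" and r["audit_log_error"]),
        "blocked": [(r["client"], r["fields"].get("uri"), r["fields"].get("id"))
                    for r in recs if r["kind"] == "request" and r["blocked"]],
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.readlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    for key, value in summarize(log_lines).items():
        print(f"{key}: {value}")
```

Run it against /opt/tengine/logs/error.log after a restart: a non-empty mismatched_libs means the fix in item 4 is still needed, a non-zero audit_log_errors means item 5 is, and the blocked list is the quickest way to confirm which rule and client produced a 403 when a user reports one.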
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614