|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
- @5 d1 m! M; r2 q( c
) I* ]5 K/ Y* i, X( {' X% D一.准备工作' R. u4 O4 ]& E- X$ M# P e
( N0 ]) [6 Q" x( W系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
- j; P3 X C$ j3 g! {5 ^/ [
9 R9 Z/ U( d( H" T0 }' `tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz+ ~) j4 G% a' q3 e1 A# ?( Q
, a0 |/ O% l8 G/ Y7 I+ E# `9 P$ vmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz( _9 X6 q! G u
. @$ g/ I0 P* j+ OOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
1 g2 d* W! x9 Q$ C
, i @# `/ A2 X: o依赖关系:
7 M" I' m: d7 \: L% ~' gtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:& j0 D0 k5 M/ L" P O/ C' V* n- m
: K* C7 [( O- I6 @* u* vyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel' X2 a4 S6 M5 \* l6 H
modsecurty依赖的包:pcre httpd-devel libxml2 apr
+ Z8 i7 u/ ] I, m7 }9 v
4 T1 q9 C) U! R9 {+ N$ y- iyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
|# `3 a8 e& @ s: K二.启用standalone模块并编译
' l( n5 c/ c/ F! N* [. O! p' j& J/ ? p
下载modsecurity for nginx 解压,进入解压后目录执行: J G/ t8 q) l- Z
+ s4 k9 [& K8 X) R" w./autogen.sh& o/ s% R ?. d, s8 U
./configure --enable-standalone-module --disable-mlogc
! P# r( v! T* T5 S4 w4 H$ o! umake : u1 p R8 e- O3 ]5 J2 _
三.nginx添加modsecurity模块% k+ w! }0 f( _$ R1 b
1 i* K' O1 n) K* _在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:7 m6 s& D5 P$ _5 Q
- E: z8 O2 `0 ~+ `3 ^
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine% y- I7 @+ \. U. v# I. w
make && make install
! t7 ]4 V1 X8 N! X2 Y四.添加规则
: g( k, g6 M% R! Y& s( A2 }! ]
* S7 H1 | l1 X3 H3 n" r: f; Tmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。+ u+ C7 g2 ~0 i# T% Z% M
! K' }. g) s/ J* z, S
1.下载OWASP规则:. S1 D+ Q( Q" ^3 T! _. I# e/ q
+ ~ h9 y. `2 }' x% H
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
0 D3 a; P' O# D$ T9 u3 V% K) ^/ r1 N X3 U( e
mv owasp-modsecurity-crs /opt/tengine/conf/
' i& X4 Z1 L5 O8 X4 R' ?* I5 C. F' o, ?) V8 j F
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
3 J$ L) x- ]5 G) @7 m' P9 a2.启用OWASP规则:( N2 P% i6 ?* `3 |* ~
2 T1 n3 q+ g5 X3 Z; z1 B5 s
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
% M+ L; a: c; u, A0 ]% {
* c- _# y) P3 K; d- T编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
& |% a% h) W' C6 G
3 ~) }2 g+ f6 j3 g: G( ~# y# ^owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。( B# w2 j6 N! m- F" D0 F
# J0 u+ Q' ^- l* M' n( P9 ^: H$ r
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
! S2 C* \& t \! I# o5 _Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf# R; s8 E# u: K+ L8 U5 Y) ~
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf% M" u. d0 I4 ^
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
6 @, r. l; `. T5 _( lInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
' ~2 v: Y) r& _! JInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
' k p- D, p( NInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf7 p' q- J; ~$ V
五.配置nginx3 H! l" L+ E) r8 v3 R$ W
7 v. F6 g# h7 q* A! Y* O
在需要启用modsecurity的主机的location下面加入下面两行即可:
+ {$ _. L- q; s) T
: X# D$ G" Q% m4 K# N! xModSecurityEnabled on; + S' A: ~8 O+ B* _" m3 w
ModSecurityConfig modsecurity.conf;
3 |& m" O! u9 M: o7 W: v下面是两个示例配置,php虚拟主机:4 T0 n4 H+ g8 n
4 Z Q! `8 Z7 o0 A5 sserver {+ c; ^, E& @3 H }
listen 80;
: i V! \. ^1 p1 b9 B2 b server_name 52os.net www.52os.net;$ R" p% G5 k. U/ ^: g6 P, Q
* {! X0 W3 C% [4 n' I# f! J location ~ \.php$ {1 p/ v$ s$ w6 Y
ModSecurityEnabled on;
2 m2 I6 n" V5 W6 } ModSecurityConfig modsecurity.conf;
$ H5 b+ c5 d& @5 _: V
8 I; S5 G, t* I1 P2 `. o4 x9 E root /web/wordpress;
}0 U; q0 E2 Y, h! t, t index index.php index.html index.htm;5 h5 y9 |, k7 a! s1 Q: g9 q( w/ s
! U X! Y( D( q fastcgi_pass 127.0.0.1:9000;/ g' V" t! F) ~6 m0 p$ ?- M
fastcgi_index index.php; k$ N" O, e4 k8 e7 X0 K8 a
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;* _8 U* F( P1 ]! J7 ?: Q
include fastcgi_params;. c8 Q* ~3 o& J! @
}
, c' x. x; H5 l) ~ }
( d8 `* E/ ]( K: wupstream负载均衡:. a3 B7 Z9 k3 q
1 D. e% M1 V+ v+ B( R
upstream 52os.net {2 R m, ?, a* T+ j1 [: F: E8 s8 Q) G
server 192.168.1.100:8080;7 J# [. [ ?6 k; |
server 192.168.1.101:8080 backup;
/ Y5 Z) g. y r0 z3 S}
, B+ j9 E" P4 ]3 K1 a- h
2 A2 H O4 b0 a7 ?2 Vserver {# C' {7 e" Y+ f6 |4 x
listen 80;
/ `7 Y9 H E$ ^0 R% r2 Bserver_name 52os.net www.52os.net;+ P% y x3 s# N) b
5 p) r( A7 U( n& q4 E* Z
location / {! ~+ r6 C5 T2 N' r) [
ModSecurityEnabled on; 4 d2 r0 z4 p3 p5 U+ X. Q) ~
ModSecurityConfig modsecurity.conf; ! K- n) e' j0 O6 q" k
, ]1 m3 [/ E. ?$ n G2 q) S& g4 T proxy_pass http://online;
0 V6 p3 N7 b9 R. |2 s3 u W proxy_redirect off;
! o. O: f) k s c& ^( W) D proxy_set_header Host $host;
9 F! b0 V+ ~1 G1 N8 j proxy_set_header X-Real-IP $remote_addr;7 E }8 F* i/ L; z5 h( h
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;( h! _- b0 }( d. C* O: a5 v) x1 d
}
& ^) \3 `# Q$ U1 X4 {' Z7 k8 j}
: o8 }. B8 D$ A) q' N7 S( [) X$ k六.测试/ S- ]* L: w; F( E( F8 O2 D
) V0 o2 Q' }: R8 T$ \9 _我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
- c: M$ O* b8 P& M1 H4 l+ ^6 \5 Z# r z! \
<?php
; R0 A: \3 M: G phpinfo(); 3 P" a) u/ F4 r
?>
6 n! j' l) x9 G& i# A/ o _( V' u在浏览器中访问:; t6 Z# s4 T* f g9 k
7 h9 Z/ Q4 I( n$ Ghttp://www.52os.net/phpinfo.php?id=1 正常显示。
p' |2 m/ q5 e; Y y' ^* Zhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。) Z, O& H& Q6 u2 O% R* {
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。, ], x o9 m; u" [# J* n/ W# ?
说明sql注入和xss已经被过滤了7 {! X& W; e+ V$ F% y. A3 x9 K
! {# G. a: T( N; [$ `, A七、安装过程中排错
, _0 a3 r4 n8 d* P4 |$ \; J( v# u' y$ M9 q5 [+ H
1.缺少APXS会报错
2 n% ^$ s. M* C% Q, H# w7 h" p; ~% v5 X# j) I8 Y$ ]
configure: looking for Apache module support via DSO through APXS
. S# }' o+ d. D" q6 lconfigure: error: couldn't find APXS
) I% M" j8 U S/ H0 W5 p5 papxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
7 q! O5 }$ m) @) o$ w* U$ |解决方法:; n+ u5 k7 r7 D8 @& j
. |0 m; w. F8 ^) `" W' J2 Byum install httpd-devel% A) F* a& X x
2.没有pcre
; b5 T) O _6 Q7 Y8 s' t3 m" y9 \1 ^: o9 `% k4 Z
configure: *** pcre library not found.
+ k$ ?7 P, ^8 a' [% Nconfigure: error: pcre library is required
1 X! w! S( Q) S, Q解决方法:
% i8 L7 a* \8 `! R
$ b2 f1 O+ j% {% B+ ~yum install pcre pcre-devel
1 M( D d7 e* G3.没有libxml2" d4 U; n4 ]- q) Q6 n
) v! {* w$ |$ x: g( M) G* L
2 |7 Z5 i( D- u! X0 _
configure: *** xml library not found.
+ N( p4 k; I1 J2 m7 ~. U4 j) Bconfigure: error: libxml2 is required/ q3 I# b6 O9 d+ Z: R$ a
解决方法:: }7 T" W. m& @( u1 F2 r/ u
# A& u# V, @$ d5 G
yum install libxml2 libxml2-devel
3 H o2 N/ y5 N" e$ O4.执行 /opt/tengine/sbin/nginx -m 时有警告
! V% n2 p3 x3 |' l
4 K2 e# ] W5 y* t6 ? lTengine version: Tengine/2.1.0 (nginx/1.6.2)! E( J2 K: ~. v5 h0 {
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!! q) T+ S' u' Q0 E3 \ f/ O
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
7 p2 t: y( H- |* t* P$ R# I; P5 }" t/ u4 O6 ~! J: a& e2 K5 v+ M
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
/ f+ j/ D8 l5 t% E0 _' H2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"+ @) r( U8 |! V7 Z- n/ ~- K
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
+ F {+ a- a" p/ q' C X2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"9 W) u- A: \5 W- Z; {7 f
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
- C1 |( j Q; _% v2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
; @* c$ A4 b7 A# W, h解决方法,移除低版本的APR (1.3.9)
3 {$ a. g. {7 }1 b8 Y3 B8 D
2 {9 `7 l: ^; K( G5 ^: ryum remove apr' J1 f2 x! t5 T( Q2 y
5.Error.log中有: Audit log: Failed to lock global mutex" ]' X( c6 C; H" m8 \
0 L z' _7 `9 H* X2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
, k; A4 W4 {1 l& _global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
6 B4 B5 q. P9 Q; S解决方法:
% e, y5 o* b' ^% D编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
( w# n. @/ [' G% j5 H' Y3 P ?8 N. q3 b
SecAuditLogDirMode 07778 N7 q( F k/ K9 y" _
SecAuditLogFileMode 0550& |1 W w m0 U' `3 H/ ]
SecAuditLogStorageDir /var/log/modsecurity
, h* s% k* F( U! [7 q0 YSecAuditLogType Concurrent, k7 l3 Y g1 E7 J8 R/ d# i) _; ?
参考文章:
v( c' S5 u; A5 g8 Rhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX* y" j. z. c) @9 N. T, H
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡