|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
# W% N( D* h; R* ~/ _4 x8 j" d1 T7 c8 s5 ^
一.准备工作4 C- p* n" ~7 J; L; W T; {, |% b
1 ?3 a/ W; j: s' ?% G
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0' S( _6 C/ T/ n1 d/ u% [2 A0 \
1 i8 Q6 a* D; l; s! r5 ^
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
3 h3 I& k; m" L9 x2 ]: S% D9 D) m3 K/ H- ]( e
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz4 A) R2 D; b0 {6 F6 y" `2 n. _
; @/ D9 o2 Z: lOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs5 z& O' B1 s9 j0 \5 J' ] t+ x/ P
9 a3 y. T: `3 u3 v( x7 ^
依赖关系:
- d9 b( u3 h- n' y& `tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:, H' w3 {3 |3 @6 j: @- X- u
% _+ U# O" |. N* h! o9 C
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
$ \& p* B4 W! e& {modsecurty依赖的包:pcre httpd-devel libxml2 apr
" ?: p, h0 }# B- z O* ?/ B3 r# [6 ~/ S- S. [5 P! u
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel. u3 p7 Z- J/ j, ]( o
二.启用standalone模块并编译
! ?) i: W5 W ]: [9 @$ e( D( C2 }1 C" K7 y( U6 K: x$ a
下载modsecurity for nginx 解压,进入解压后目录执行:
9 l9 j" B$ ^1 ?* i m; h
- w2 y. L4 i2 ?# x5 M./autogen.sh' I$ [5 e9 p+ X) @
./configure --enable-standalone-module --disable-mlogc+ h& U9 `0 ?! g9 d0 t8 ^2 Q
make ! A% X+ D) L1 e: ]
三.nginx添加modsecurity模块
: a( I4 C2 c9 b- n$ A
9 T0 e5 ^% C! ^# `1 Z# l在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
/ e- b. U, p& |! f2 u- g$ _, |3 `
$ y ^5 K l2 e./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine1 ?3 a+ r( ^# |, @
make && make install
5 A+ [( A# H5 P- x四.添加规则( A" E% V: b' D7 N
; l% O0 T0 d- _+ e) e( T1 G2 I* @
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。/ v+ B) J5 L: A( z
3 u4 @5 D( s9 b: A+ F- g
1.下载OWASP规则:- f* O0 J. ?3 m
2 L8 K7 p8 ]+ D6 @/ f7 ?. X
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs# d6 v4 p; Z* ]6 E9 H$ |4 x ?' I0 N
+ }% y+ b+ ~7 D Z8 u/ R ^0 O, Nmv owasp-modsecurity-crs /opt/tengine/conf/
6 w) f3 F$ `; ]
, Q7 k z% R2 r: n1 P5 ^cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf& j8 ?: E, o1 g- X( l3 U
2.启用OWASP规则:
3 A6 C8 ~0 Y1 }; g; u5 _1 f' x5 x$ P" i# H3 D
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
* e; x }% V6 v, m4 u5 F0 E9 {/ V N+ l% ?& }
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
* W h- f/ `* Q8 `: t8 [$ I" a0 U
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。- c# F* \' h( g! N v% M
+ R5 M: X/ q4 | QInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
3 p& @/ K ?, ? f( ?1 `/ r, E! vInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf7 e/ F N1 S( X+ r: `. s* D0 X* A, |
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
: p& E% O6 \; p/ y# m" E% i! rInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
- a( ^. L i8 c$ K) u: v' p. BInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
2 b- r( o3 Q1 S9 E# i; W$ _Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
6 [4 y: o- u+ h; FInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf/ i! `: R o4 p+ A) `& a
五.配置nginx
; O7 S! t8 ^ K* M# B4 `) D) R( Q C0 A( v9 U7 C' N4 b( j
在需要启用modsecurity的主机的location下面加入下面两行即可:5 G6 m( Z3 }. L. p
& v7 r/ |% P& q- W8 UModSecurityEnabled on; " \. b& G a# U' P9 z# s& V
ModSecurityConfig modsecurity.conf;% v9 [. j9 o$ j2 s
下面是两个示例配置,php虚拟主机:
3 v, d1 W; c: s9 b8 s8 O8 k- {+ _
: R8 p5 g) a" E& I7 Rserver {
" ~" I% v* h5 J listen 80;
) C9 s/ o3 K, x3 @0 T server_name 52os.net www.52os.net;
$ g' A1 j& z6 c6 \8 ~' u # ^# r; Z% { W% B* d5 ~ T
location ~ \.php$ {8 s8 j8 Z/ @2 C6 X5 S
ModSecurityEnabled on; % q/ X: [) X3 r9 u( P) t4 A1 T, {+ c
ModSecurityConfig modsecurity.conf; e. a0 Y2 }/ [& a7 G
' X W) n8 e# |$ a. w, `" E/ A root /web/wordpress;0 n' _* G* a2 u' i9 ^! Q
index index.php index.html index.htm; j! J/ ^3 r& S
6 \* \, J' F, ]; V
fastcgi_pass 127.0.0.1:9000;7 s1 I! p7 W/ {, M
fastcgi_index index.php;
& q/ C2 K7 {2 _5 {. O H2 s fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;4 U. I& N0 E. v
include fastcgi_params;
7 S. h% X* T7 t8 O( x }
5 Q3 S" i- q% Q: ] s7 v% H }
4 }4 Q' k6 u+ tupstream负载均衡:
' p1 \9 P. M4 g" L3 A) C. t3 ^* T7 L$ A! ]
upstream 52os.net {6 N& g) r, K" q- l" j( l7 v
server 192.168.1.100:8080;( m6 h6 q0 |, p2 R% O8 l
server 192.168.1.101:8080 backup;1 s) g/ a5 j' H! s) p
}
! N5 ^9 m; q( N/ C7 i7 u5 V& A2 _7 M
server {0 ^3 n# t7 E( h F+ t' j
listen 80;
* B; g; j9 w/ D% d7 ?' wserver_name 52os.net www.52os.net;- s& B8 j( l) z4 j$ b5 T
' ^" K5 r. a" Z c$ h7 K
location / {# w4 P7 [( S& D7 ]
ModSecurityEnabled on;
4 F/ D: S* ?) i/ r ModSecurityConfig modsecurity.conf;
5 A6 l* d1 m0 ]* ] A1 w4 C9 ^; B) t2 v3 g1 Q+ R; T
proxy_pass http://online;
1 s# K+ b, N/ b( O, I" ` proxy_redirect off;
2 n7 h' ^* v) [ proxy_set_header Host $host;
f" G/ v% A6 H( W0 T8 V proxy_set_header X-Real-IP $remote_addr;$ Z: c4 _4 Z" H: ]8 s: g5 n# j
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;7 w* W: u; [8 g: l
} i$ p! K/ a3 c! a6 d) F5 U
}
8 B" }' U, b- Y6 U8 @: o六.测试5 q9 @* Y: y/ n8 c
) k# E9 d; C! D8 f我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
0 Z- h$ Z- \- E4 g7 V0 c
9 f" e3 |& v4 _<?php. P/ \: S) Z0 E6 y0 P w0 i
phpinfo(); 0 x2 X, f& S( P9 a# o" W8 Y0 ^' T
?>; t) D# n8 E( Y! y" C) C; H* m, E
在浏览器中访问:
) d9 M w1 Z5 M. Z/ U# }9 Q6 v
http://www.52os.net/phpinfo.php?id=1 正常显示。
) d0 T2 P3 k" u5 Ahttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
" y6 S% _' M% x0 G% c" m* Vhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
- M7 N. k! A6 G4 I说明sql注入和xss已经被过滤了. |/ O0 p2 m D& N0 m' y6 p0 C2 X8 t- f% Q
& n% R* T9 q/ p' R
七、安装过程中排错1 H1 ^4 |2 t9 C: M, o- T
; v) K$ _6 K4 i' g
1.缺少APXS会报错, S6 e: r3 v/ ^! `
1 {! J# d5 E. H# s
configure: looking for Apache module support via DSO through APXS
9 M8 o" s. c3 y; a1 z& nconfigure: error: couldn't find APXS
" x% |" ~8 g5 @& M5 a& Wapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
' Z5 ^' S, j0 b& p; l7 L# h+ ~解决方法:3 e- f7 c l- ]5 i6 [6 |* b& a
+ z, @& V* A, W$ T% myum install httpd-devel
, ?% N$ ^0 a) e! l& x2.没有pcre
! A8 [* |9 a& L" j+ D' u! g
/ E; L% ~1 V0 F6 u' U( [configure: *** pcre library not found.
: `+ h6 D* ?! m! k. u9 k" O0 nconfigure: error: pcre library is required& I/ l* y b6 F
解决方法:6 U0 {2 c8 ^! l+ ?% E/ {& H
7 r( [; R4 |) p* b; ^/ ^
yum install pcre pcre-devel( N7 m. j+ b% a$ I; R3 U
3.没有libxml2
( C$ L4 q2 {5 A: B- i- h
6 B% F& { x' I4 Y( y
. G* U: K% R% H# wconfigure: *** xml library not found.
3 a! Y6 O. B! |; m2 w7 v, [6 Mconfigure: error: libxml2 is required) S' i' j) ]9 d, O& w0 c
解决方法:/ f7 e* |' r$ ^4 m2 Q- C0 Z6 e
- U6 b, g! P% t `
yum install libxml2 libxml2-devel( [+ O( w& B( W' B8 L2 z
4.执行 /opt/tengine/sbin/nginx -m 时有警告
. p0 C% [) L/ E5 _+ E& S% t7 T$ b
- n; H7 Z# j4 J1 {) I% h% U! ATengine version: Tengine/2.1.0 (nginx/1.6.2), _8 x/ a! H* D( p
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!+ N. z* ^, W6 x
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
) s$ t- Y9 k3 \) t) b9 V& j1 |
$ ~2 |6 K3 C9 r! U- W! ~2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.0 F& o- ~# o, i7 X
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
- [+ h" u& `9 M( g; ]/ ^( Z2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
& I: _9 G8 Y$ {' V( V2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"( K1 c- q" h8 p2 v
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6": V U* J/ A& r& T
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
+ W" A) N. s, X* {- [解决方法,移除低版本的APR (1.3.9)1 i5 X3 d3 R; ~, \' q9 s
0 o% J8 u/ F. d9 k# nyum remove apr
' \6 d, \. y) ~+ z+ c, {2 q9 T1 d5 \5.Error.log中有: Audit log: Failed to lock global mutex! E3 u0 v8 T6 L8 T
+ ~1 Y7 d }7 z6 j- `7 }# ^2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 9 A) Z8 {$ W6 w8 v/ Q' R
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
8 L7 b% P) a( w! |* B" C. b. a解决方法:
; i/ c7 `: [+ k/ K! f* u编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:0 @0 L# L6 P! u$ C
9 X9 X; y6 i2 X# ASecAuditLogDirMode 0777. U& z' l: o0 [& x
SecAuditLogFileMode 0550
* z' K. K" M- uSecAuditLogStorageDir /var/log/modsecurity2 ~3 y! _) u+ ]* @- x$ @+ H
SecAuditLogType Concurrent* X! ?7 F4 N! n8 P
参考文章:
; r$ a6 C! S+ Z# zhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX _/ E! [& Q% _# b; a
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡