|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
" ^6 V/ W/ }+ B. j6 r! L9 y+ ~# C6 l9 [. N3 t2 K; }
一.准备工作+ H2 v" S$ M% [- D3 B0 F
- j% N. {$ N. u系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
2 J& u3 Y9 _; |; X- F8 k- y& x4 e0 a( v: f
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz7 o z. U; `: ?, \
/ A3 \. s6 n) s" w
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
( o; K0 x. C9 Z4 z% ^ z; u( R8 y: z2 o3 m
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs( ^ L, A( w0 K2 t
8 l/ O: g9 s1 N$ Z7 H o依赖关系:0 D7 a7 ]# y& N" ~0 J. @6 o1 t4 P& T7 t( w
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
' `' `1 w( z3 r ^- s' u2 k% m/ a- C$ x3 S& e; Y: X
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
$ e* D% r0 Y( x b+ g3 imodsecurty依赖的包:pcre httpd-devel libxml2 apr
l, s# i w! H( k) h
2 s! U2 w& J6 \. E" |. @# S# Q& I2 Iyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
1 [3 x# \9 [& }, Y# O+ S二.启用standalone模块并编译
" c7 ^4 z) S+ D& e% ~+ ?* }6 W
下载modsecurity for nginx 解压,进入解压后目录执行:
! e. w& W5 r* p7 y, h! }+ h
k8 w9 \9 d; c6 v9 R5 ^, _& \5 o5 q./autogen.sh% s$ e' ~8 \( S' J
./configure --enable-standalone-module --disable-mlogc: o7 k# h& o9 Z9 y; t& g7 `) W# T
make
/ e0 E! P, k0 d3 q% o% R3 Q& P) t三.nginx添加modsecurity模块
+ B5 \$ W' n q/ t" }& c9 @6 ^% ^0 c! j% ~( X
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
* F4 G' v' k( p9 x# L2 B( w1 n+ C9 `' k& X8 L
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
P6 A9 Y# K: z3 r9 gmake && make install
. ^+ `8 e: l8 D& r {四.添加规则
8 r6 {, F) f8 ]7 {* C' I
4 P/ T/ D0 I# xmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。3 K0 v7 b* J' P. q" n
8 A, T. @5 ?0 \1.下载OWASP规则:. u- B4 v8 Q5 U( O, M. I6 S# P' L
+ c* z, @1 h0 L# C5 A7 K p+ G
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs$ ?1 p V5 E0 ~
y% I. c& }9 K: ?9 N+ ~2 X* A' [mv owasp-modsecurity-crs /opt/tengine/conf/
: c2 D7 \3 G+ K- i1 l# M' X. _6 e, x
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf. {) _7 S' M6 B8 K0 q
2.启用OWASP规则:- j* x0 r9 c1 m6 v) U
* p3 l. r" m2 J) }" E8 N, @( R复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
/ a% U# m, y8 [: p9 x) E
( L, x. s( I/ R% c编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
% F0 k; c+ B9 ~3 `5 C& D( U
" \0 L5 o; s7 }) k- ^owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
( `9 A; t, d& `8 P5 Q3 L$ z1 `5 o& I, c0 {
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
; Y6 h9 k, l6 o1 t6 l& fInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
1 Z# f4 g' U$ q3 n$ B. ^Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf2 t4 D9 `$ e3 }
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
- j/ C! m* v$ c! b/ K6 cInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf) m+ I1 W: A' x: u0 `! u
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
& s- z& F; L/ X5 e/ b5 ~Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
3 q2 S5 \0 h( r9 F五.配置nginx
6 O2 B6 J" a& V. B) S
0 R6 y6 m( N8 f3 J在需要启用modsecurity的主机的location下面加入下面两行即可:8 ]$ Y4 z* s6 q" t9 O3 I
" d) U& W$ X/ H! D% p
ModSecurityEnabled on;
. {8 M X y+ e' E) |1 \. e0 QModSecurityConfig modsecurity.conf;
' f" U. b/ H# X下面是两个示例配置,php虚拟主机:* N# B0 R# o9 J6 _7 O; x
/ d0 {" Q0 R9 M; K; c3 ^server {
. N4 Y2 u) I- W4 D7 i/ t listen 80;
. P; d' t+ g: B9 D$ A. X server_name 52os.net www.52os.net;
8 E6 f* Y# K+ }1 g ! Z$ @1 N/ j$ _ _9 I$ H8 h1 J
location ~ \.php$ {1 Y) {& ^) p; _ J. q. q+ r7 P
ModSecurityEnabled on; 7 q2 v- ?% J. y
ModSecurityConfig modsecurity.conf;
5 F3 h2 u$ m) d& }3 L- |7 ?& i+ u4 }# R' o+ F
root /web/wordpress;* l5 D2 x# k, {9 r) F6 Y9 S
index index.php index.html index.htm;7 G$ c& o: ]( d7 S; `5 D8 A+ m% m
( F4 t* o1 g7 k7 W0 @) [, L* E6 ^1 P
fastcgi_pass 127.0.0.1:9000;
# z0 b6 N$ O6 F' _0 [# S fastcgi_index index.php;
0 V2 q; B# q& a fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;# {: g0 R' T9 f' @. m) {+ Q
include fastcgi_params;* B- K, O) S( L7 O. x
}
7 \, w- G- { Q' y0 y }: D' T }9 b1 [9 [3 K3 l& \0 W6 S
upstream负载均衡:
1 P3 `! h: N6 b1 x# |
; k( ~+ P% ^+ ^8 e0 |# E, ~upstream 52os.net {
" B. R2 s; ~3 J" c- ~ k server 192.168.1.100:8080;% M9 D* [% a' o G* u# J
server 192.168.1.101:8080 backup;' \; W/ M$ L! D8 h- F s
}3 Z8 X* o( ^, o9 B
! s8 u/ T7 Q+ D; S2 R1 k9 jserver { T: Y! m l" ^& k: ^3 J! D
listen 80;
) o8 [; ]0 I) y6 q9 |server_name 52os.net www.52os.net;
2 ~1 N# w a( v
; f3 X) J; t+ P$ L/ w$ L M* Llocation / {+ C0 o2 c* f% P
ModSecurityEnabled on; C0 ~1 e# R: z( {6 K( D8 m" Q
ModSecurityConfig modsecurity.conf;
+ `2 m) c4 ?4 n
y' D. ?) ?# K. T1 S proxy_pass http://online;* d' k$ ^5 q8 ?3 }, f# h
proxy_redirect off;
4 F' ]1 G% L" y+ ]* P p1 u- W proxy_set_header Host $host;( e! p; f7 j( q) N3 V( L
proxy_set_header X-Real-IP $remote_addr;
; s6 G; l/ G% P# E- T( Q5 Z* q proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
) }$ [9 y6 a# }' U7 J }, C/ o% M8 R' U9 @! A
}* \0 P% R; d9 ^+ I' C z* A" i
六.测试
c7 Z8 V$ k ?8 o) U
. r6 m* Q+ N! q3 }& ~3 i- N我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:9 _& H, t4 P: _, b7 _" F
0 b) T0 X) n7 E+ W7 l1 n
<?php5 V5 s) N8 C5 E/ `& E% G
phpinfo();
! x- \$ u7 |, z* C* A" b; l?>* o, U. R2 h$ v V. T5 e6 @$ W
在浏览器中访问:
* r& [+ z: C( i
0 l' O3 |; c: E" uhttp://www.52os.net/phpinfo.php?id=1 正常显示。% X" A6 _3 ~0 [3 x2 Y, J5 K A
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
8 B0 J" K& x' H' x" X1 Chttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。 W2 W. r" J. T* ^6 k
说明sql注入和xss已经被过滤了
# \! m+ g0 v: e/ P, d( \/ D
2 G0 ]( I- H. z" H7 n+ ]# Q七、安装过程中排错
" A$ z' m3 _6 G" n
% ~* k& }5 f; R$ B0 y& c& z1.缺少APXS会报错( O% ~# f' o7 X, ^
: C% h5 P7 p( f5 A* o# g
configure: looking for Apache module support via DSO through APXS
2 x% r$ j1 ~# ^/ @7 bconfigure: error: couldn't find APXS
1 @0 Q2 `3 V, s( [9 _; w. R0 Rapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
1 f2 R/ ]% W! Q$ s解决方法:' ?5 l. L+ H A# r
+ J; E2 ~( |1 r8 o; _/ c0 syum install httpd-devel
. y( l! E/ h$ ?4 I$ ?/ x2.没有pcre; R0 d% J" g) x, C. j; U
& l9 }8 L# y- V% T" @
configure: *** pcre library not found.
4 p2 L& G0 a* g9 T8 [configure: error: pcre library is required
$ G# t. F' Z( }/ ^% ^6 d8 O解决方法:5 J6 R: v1 u$ x. m
. [$ d5 q% o7 y1 z5 Wyum install pcre pcre-devel7 b% H! {/ C8 n3 \
3.没有libxml2
: _2 U* |) y4 I% M0 O- [. o' x2 e" @+ b( C; x% o9 W
# I$ y4 w* P6 K! H. w/ Z
configure: *** xml library not found." E1 i8 A: A' h
configure: error: libxml2 is required# V/ q; v8 ?1 z9 P3 A) t# B3 Q$ n
解决方法:6 I- r7 @8 s c3 o# j
: n, F. q0 U0 n! b' Q2 v( A+ E
yum install libxml2 libxml2-devel
1 i2 ~6 t8 l w N/ s# v2 V/ r' t: |4.执行 /opt/tengine/sbin/nginx -m 时有警告
4 F0 k+ V; f0 N" c( p2 D! I# B$ x% G
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
) l1 k3 W" @' l/ q) ]* T$ E7 \. Tnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
# y: }8 d( p, g原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
* T. N, @: J2 D1 S9 d5 p' S3 U9 H$ K, `
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
( _6 r( \8 ~' F2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
- b/ s5 ^6 J) _2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
5 R( d% ]5 D, Y& ]) E2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05": p l2 x, o% \- a
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
, N# o! D9 e5 r+ K2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.2 j# p M8 L6 Z' n2 {
解决方法,移除低版本的APR (1.3.9)2 R' X7 v9 |- G7 }1 R
: a( v3 A# X8 v! X" p5 B' n( d0 ~
yum remove apr
' r L, N5 o* @6 E5 b. K5.Error.log中有: Audit log: Failed to lock global mutex0 p0 G" v% }4 a2 q
( y u6 j2 N# o9 e" F: I# \
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 2 O6 |6 q* n: [$ M* Y3 r' z r
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
- [+ @/ E/ R+ \0 s ^解决方法:
: n( V8 f# W1 p, q编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:7 c; S- L+ ] N" B
4 H0 J: d# R& H7 c! ^) H
SecAuditLogDirMode 0777
% P: l/ Q) b7 h5 E' M0 k \8 LSecAuditLogFileMode 0550) r! y4 X- ^: E
SecAuditLogStorageDir /var/log/modsecurity
8 X9 |% a7 u+ F8 o4 }3 t/ LSecAuditLogType Concurrent# Z3 K# s4 Y2 E" E2 A
参考文章:) |& z2 I; ?& Y1 Y
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX( [+ W* U0 F0 F3 G
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡