ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security; it now also supports Nginx and IIS. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, making it a powerful tool for protecting and auditing web security.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module can be added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is aimed at filtering and blocking web threats, and its power lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover any further needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling the corresponding files in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

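As an added example (not part of the original post), a small Python check for the two things this step asks for: that SecRuleEngine has really been switched to On (modsecurity.conf-recommended ships with DetectionOnly, which only logs) and that every Include target exists relative to the conf directory. The conf directory it builds is a constructed sample.

```python
import os
import re
import tempfile

# The post says SecRuleEngine must be switched to On and that CRS files are
# pulled in with Include lines relative to nginx's conf directory.
ENGINE_RE = re.compile(r'^\s*SecRuleEngine\s+(\S+)', re.IGNORECASE)
INCLUDE_RE = re.compile(r'^\s*Include\s+(\S+)', re.IGNORECASE)


def check_modsecurity_conf(conf_path):
    """Return (engine_mode, missing_includes) for one modsecurity.conf.

    engine_mode is the SecRuleEngine value as written (On, Off,
    DetectionOnly, or None if absent); missing_includes lists Include
    targets that do not exist, resolved against the conf file's directory.
    """
    base = os.path.dirname(os.path.abspath(conf_path))
    engine, missing = None, []
    with open(conf_path, encoding="utf-8") as fh:
        for line in fh:
            if line.lstrip().startswith("#"):      # full-line comment
                continue
            m = ENGINE_RE.match(line)
            if m:
                engine = m.group(1)
                continue
            m = INCLUDE_RE.match(line)
            if m and not os.path.isfile(os.path.join(base, m.group(1))):
                missing.append(m.group(1))
    return engine, missing


def build_sample_conf():
    """Constructed sample: conf dir with the XSS rule file present, the
    SQL-injection rule file absent, and the engine at the shipped default."""
    root = tempfile.mkdtemp()
    crs = os.path.join(root, "owasp-modsecurity-crs", "base_rules")
    os.makedirs(crs)
    open(os.path.join(crs, "modsecurity_crs_41_xss_attacks.conf"), "w").close()
    conf = os.path.join(root, "modsecurity.conf")
    with open(conf, "w", encoding="utf-8") as fh:
        fh.write("# -- Rule engine initialization --\n"
                 "SecRuleEngine DetectionOnly\n"
                 "Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf\n"
                 "Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf\n")
    return conf


if __name__ == "__main__":
    mode, missing = check_modsecurity_conf(build_sample_conf())
    print("SecRuleEngine:", mode, "(requests are only logged unless this is On)")
    print("missing Include targets:", missing)
```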
V. Configure nginx

Add the following two lines inside the location block of any virtual host that should have ModSecurity enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are rejected with a 403 right away. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are now being filtered.

VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

) }5 T0 \" d% _" R; M参考文章:
* z, k2 W' S1 H3 fhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
- Z V3 G$ K7 v/ P1 Z6 n+ Ohttp://drops.wooyun.org/tips/2614 |
|