|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
8 h% B5 Q- S( U& z4 W7 C, i3 K' Y0 f' E
一.准备工作
' F% f" k: F1 ?) L0 I7 ?* K0 k: R3 X3 z: F! [& v
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0/ d/ C0 V! c/ |
# z' |( F1 g/ l# h/ @1 vtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz. L- D7 y! q6 c2 ]* @; i& {6 V
2 E, o4 v% ]3 `9 }' P0 [modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz2 C0 q5 p2 D( ~: y5 N' O
* [3 C* a7 B, F) c' IOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs# j c; C! w" C5 v7 G/ g, Q) I
# B: x" o; A& m
依赖关系:
+ d- c# c0 Y4 U! L0 t: v2 Etengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
" D& c) F! y( I' |* H
& P2 C/ F) X, gyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
! a+ T3 i! C( C) Z+ ?# ]modsecurty依赖的包:pcre httpd-devel libxml2 apr
6 Q X4 F. G0 ?% p8 z# }
6 r( G [ u \6 g6 }yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel6 s. Q4 [7 Z' p, e0 q
二.启用standalone模块并编译
9 C0 v3 a) H* d% M) I' P {8 N8 O8 g1 | b \9 h
下载modsecurity for nginx 解压,进入解压后目录执行:0 o) I2 A/ C% O, P" r
/ u1 A. m, X3 Z+ X7 }; [! s+ p./autogen.sh
) P$ X2 l& b& }. Q+ _./configure --enable-standalone-module --disable-mlogc5 ]: O3 u4 s- F3 k- e+ D$ Z
make q$ v/ |# G- E, R' _/ [2 n
三.nginx添加modsecurity模块
1 S4 F3 L' l q, Q4 d9 n' _' ]' r& B: g; W i& }) {: j: |: {
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
+ ~$ Z& Y- P% s1 {4 s B
, C) p5 v8 ?4 {2 T. T./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine+ o- B1 ]8 @7 B
make && make install% Z4 {, Q& y, O
四.添加规则# L9 b E2 F# D; l; k* V. C. X. w
/ P$ m. ?- z; a7 [0 b; c- Xmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。4 K/ t# g& A4 T+ L. ?! Q! v( [) Y
: J4 B+ l8 {. T3 q: C; D0 E1.下载OWASP规则:
' Z7 F; i' f# s5 |. f% _& G0 v; e% @4 Y
1 a- E5 w6 t# W# u! i3 |, Wgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
+ F0 [& R( ?' M
/ g# P" d* O, G' _$ ?mv owasp-modsecurity-crs /opt/tengine/conf/
1 f3 g$ s* v8 G, t6 U, B* {6 T4 t, j& i% |2 K
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
7 z8 `( L( [" s9 S f9 p& a2.启用OWASP规则:/ C8 T+ A2 C- \- l0 A2 m/ Y0 k
& `! T, }+ P n) \复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。/ b3 a) T! M, y0 y7 [: f
2 n$ L% d0 E9 @+ |' J4 }
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on3 Z+ R# p" u& P0 z! w! K
' u( M2 Z+ v) ?- F ?! U5 J
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
7 |1 W+ k D+ @2 b
$ _$ ]! B" @6 ]5 R" VInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf2 V6 l6 z! j0 p; Z
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
J" b( w1 m; [, c+ d7 R1 qInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf9 m: n+ {8 J1 j% H
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
" z# i J V0 tInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf7 {: `9 F( Z# c+ V1 q0 f+ v& X
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf5 g3 N5 r' I. i
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf2 D( Q& [, ^( L+ R' H6 ^7 U* b
五.配置nginx
' B# w6 b! J0 J0 D: o! O
$ M2 t3 d8 ~- G8 |8 X0 M在需要启用modsecurity的主机的location下面加入下面两行即可:) |2 L* L. b1 [% C
1 y7 s3 K+ k; Z, j) NModSecurityEnabled on;
' X: T8 h; T9 S r% M" O1 yModSecurityConfig modsecurity.conf;
9 w) `! _9 D# q' [8 B2 w- |2 u下面是两个示例配置,php虚拟主机:# X. k# \3 j+ i x$ Z/ l1 E
) E8 f! H+ A2 j4 ^; T1 u0 X5 ?
server {7 W1 B# c+ ^3 y2 w( A1 _( k, y
listen 80;
& @( M3 _+ F+ ~" N& T1 q server_name 52os.net www.52os.net;9 L, ?* S' O( y" H6 C+ B& h
- ]" t" y: Q p" n5 V
location ~ \.php$ {2 c- u' l5 Q2 m! X; y3 {
ModSecurityEnabled on; ! ]* D) D) {* _9 }# {
ModSecurityConfig modsecurity.conf;. k, M" @) ^: V' N. Y% y. L; J
6 |1 \4 A {5 }) \9 ]4 g/ z
root /web/wordpress;" {1 d5 N. c! c8 g- G
index index.php index.html index.htm;
2 }* v+ O; _2 G . K8 ~) }9 K q2 I/ I
fastcgi_pass 127.0.0.1:9000;4 E6 A1 O2 Z" F4 n
fastcgi_index index.php;+ H9 l" `- l7 Z$ ^9 _
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;* i" G! R# N. ]$ @9 V( }( x
include fastcgi_params;4 O" w H& L }, ^/ D6 t" n
}
: `9 ~! x7 Z1 w* e6 S3 O }
( F, j4 L# p( j' \+ q9 {upstream负载均衡:
1 q( H5 W- W0 c0 I" P3 s6 \$ X, u
upstream 52os.net {; D9 R+ h( y3 y4 E l
server 192.168.1.100:8080;4 |8 z5 Z' k; n# N, v
server 192.168.1.101:8080 backup;
, q; h1 ^6 R }, m U T}
* g v6 y1 J; `: @. d2 w2 ]% d; Z0 p9 y$ H$ L- h- ~( w
server {
& i7 I. U2 ] I% ]$ W+ ]+ d9 D; llisten 80;7 R9 ?7 {/ C( m* Z6 [" s. \. @; r
server_name 52os.net www.52os.net;5 x# [" P& o4 e( |
( i+ R9 Q# l) i2 V) Olocation / {
/ t: \3 A5 o' f5 t2 k# L4 n ModSecurityEnabled on;
% S: j$ F0 ]8 }* A7 g ModSecurityConfig modsecurity.conf;
2 v8 w0 {" l4 b( U; z! s2 R6 o# k& o. L A9 e' g, B
proxy_pass http://online;& H: R- w: Z2 Y5 X! M. C' d
proxy_redirect off;8 T9 D1 e; z4 G& f$ C
proxy_set_header Host $host;
* D2 K; f* q/ I$ p proxy_set_header X-Real-IP $remote_addr;2 V' U2 g( h% _& b: G$ ~3 O
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; T" a# B* T/ d* K4 S
}
- |3 y% q, Z7 A( `}' ]) ~9 [ ?( x0 O' J+ R/ A: \
六.测试) o9 A5 u8 Y% \: m. n: C3 G% V
- i7 s; ?, F6 D- o- t$ L
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
4 P5 R# j9 {: c( D, j ]$ g
% Q# K" F- a$ {, t+ j. x' A: ~& i<?php
7 w2 k) ^' G, d! a: ~% z phpinfo(); + z' Z& x! p% u! r# T, ?
?>* U4 f) V8 `, a7 e& i k
在浏览器中访问:$ C0 m+ t$ b$ m5 i
6 E- [. f( x! J! Q I3 J
http://www.52os.net/phpinfo.php?id=1 正常显示。( C0 Q$ _! e# s! j
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
1 B# g. s6 j w1 X( ]+ Jhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
3 G" m4 P; m u1 }/ b2 R. Q说明sql注入和xss已经被过滤了3 p# R% j0 I7 @& v" W
: ~' A0 T. C9 D' H5 }
七、安装过程中排错
2 T7 ^/ L3 p; V% b0 X
4 |) u5 R. O8 h1 h, r9 {/ z$ U- ~1.缺少APXS会报错
; W: m! ]* y1 [
8 [0 p# ?; D% I, j3 @configure: looking for Apache module support via DSO through APXS
! ]7 |, W: o3 @7 J0 \configure: error: couldn't find APXS
5 U9 X" q0 r" e/ bapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
p! v/ H* Z3 b% D7 U解决方法:+ v" w7 U; L. C4 {. p' i v
3 w" Y a6 y/ z- F. e# b8 x, z
yum install httpd-devel
5 Z% h x3 o# w% o/ \. l2.没有pcre
4 n F- `) }3 Y2 @# G5 |( i, i/ `) T/ l9 y
configure: *** pcre library not found.) W" g9 I0 E! z
configure: error: pcre library is required0 y$ @# u9 ^* J6 W8 R% j. ?' l
解决方法:: s, o/ e$ E, V: [
& ~- d1 B+ ]/ syum install pcre pcre-devel
5 b! g6 X q2 V! F5 n3.没有libxml2! E1 J# i `: |0 y1 R: B
# |% Q+ u! j$ i* e( U$ _ W
! Z# G+ n" J+ ^2 Oconfigure: *** xml library not found. b& i$ Z P" M# u/ j& N
configure: error: libxml2 is required3 v& ^+ W2 s; I2 z: M
解决方法:# e( H0 w0 H x
' O+ I ] Z- e6 d1 g5 H
yum install libxml2 libxml2-devel7 m9 a) [2 b$ R; o
4.执行 /opt/tengine/sbin/nginx -m 时有警告# r9 @1 `3 ?5 `- N2 d! C5 _, N
8 ?) o6 a H7 s. vTengine version: Tengine/2.1.0 (nginx/1.6.2)3 C( b7 M" [* u( z9 g
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
3 d2 o* K1 H! d' m% o5 u原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
9 W& B6 y* _) f3 S% ?# Z& O. N9 z) s( r5 M! ~% r9 s [
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.5 V* V8 y2 ?- \! {. h3 f3 G
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"6 q9 H* M+ ~9 q& X6 i% I! D
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
( n1 b( S3 ?, ~: A$ U2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
, o8 V7 t- `3 N" D% }% }2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"$ [$ y. Y" _8 t n# E7 s
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
: X) k( ~6 r. M5 L% E& N" q解决方法,移除低版本的APR (1.3.9)
2 G" g% w. L7 H5 T
/ N2 b( |/ O7 i% M% A! Zyum remove apr' o# T. ?2 r! R6 K8 e6 e( c
5.Error.log中有: Audit log: Failed to lock global mutex
0 E9 \1 J6 O& c- K x. o
3 k0 W- @' g# \0 s2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock ( U$ L% b' F/ b2 j# v+ @' P1 l, M' r
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]3 h8 `; j' { N8 K- A
解决方法:
+ R1 U ^2 t. b7 g& E编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
- T+ ]" Q: \/ K0 P1 G; {7 k8 l: J% z+ m! N/ p2 `& H
SecAuditLogDirMode 0777) @0 j9 ^$ W$ I ~! j7 G5 ^
SecAuditLogFileMode 0550
+ \9 F) ^% P) ]& ? ~) ZSecAuditLogStorageDir /var/log/modsecurity
4 Q* X9 L1 `! b8 ?. mSecAuditLogType Concurrent
2 h& k2 `: Q5 M参考文章:& s5 z- v! E5 `. n3 a' f0 A* _
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX, e7 B4 M& h8 x! F I
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡