ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web tier. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

(Both tarballs end up compiled into the process that fronts every request, so verify them against the checksums the projects publish before building.)

Dependencies:

tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 base repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

modsecurity depends on pcre, httpd-devel (for apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download modsecurity for nginx, extract it, and in the extracted directory run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

There is no "make install" here: the nginx module under nginx/modsecurity/ links against the library this step builds, so leave the source tree in place for the next step.

III. Add the modsecurity module to nginx

With the standalone module built, the modsecurity module is added to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Afterwards /opt/tengine/sbin/nginx -m should list the module among the compiled-in modules and print the ModSecurity version notices shown in section VII.
IV. Add rules

ModSecurity is about filtering and blocking dangerous web requests, and its power lies in the rules. The OWASP rules are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and thorough, and you can of course write custom rules for anything they do not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

The file names used below are those of CRS 2.2.x, the series that matches ModSecurity 2.8. The repository's master branch has since moved on to CRS 3, which has a different layout and needs a newer ModSecurity, so check out the v2.2/master branch if you want exactly these files.

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the modsecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. (The recommended file ships with DetectionOnly; leaving it there for a first run lets you find false positives in error.log before anything is actually blocked.)

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable what you need by adding an Include for each rule file you want:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
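To make the custom-rule point concrete, here is what an assembled modsecurity.conf can look like with the Includes above plus two local rules. This is an added example, not configuration from the original post or from the CRS project; the rule ids 1001 and 1002, the admin network 192.168.1.0/24, the /upload.php path and the audit-log directory are assumptions made for the example.

```apacheconf
# /opt/tengine/conf/modsecurity.conf  (assembled for this example; the paths,
# the admin network and the rule ids are assumptions, not values from the post)

# Start in DetectionOnly, read error.log for a while, then switch to On.
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecResponseBodyAccess Off

# Audit only transactions that were blocked or errored, one file each.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogDirMode 0750
SecAuditLogFileMode 0640

# CRS 2.2 rule files, relative to the nginx conf directory.
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf

# Local rules. Ids 1-99999 are the range ModSecurity 2.x reserves for local use.
# 1001: phpinfo.php is only reachable from the admin network (assumed to be
# 192.168.1.0/24). The two SecRule lines form one chained rule: the deny in the
# first line only fires when the second line also matches.
SecRule REQUEST_FILENAME "@endsWith /phpinfo.php" \
    "id:1001,phase:1,deny,status:403,log,msg:'phpinfo.php outside admin net',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24"

# 1002: skip request-body inspection on one upload endpoint (assumed /upload.php)
# where binary payloads trip the generic rules, instead of weakening rules globally.
SecRule REQUEST_FILENAME "@streq /upload.php" \
    "id:1002,phase:1,pass,nolog,ctl:requestBodyAccess=Off"
```

Check the syntax with /opt/tengine/sbin/nginx -t before reloading; a bad rule makes the whole config fail to load. With the engine still in DetectionOnly, a request for /phpinfo.php from outside 192.168.1.0/24 shows up in error.log with [id "1001"] but is not yet denied, which is the moment to decide whether the rule and the CRS includes are quiet enough to switch SecRuleEngine to On.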
V. Configure nginx

In every location where modsecurity should be active, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

With this layout only requests for .php files pass through ModSecurity; anything served from other locations is not inspected. Note that $document_root must be written in lower case, since nginx variable names are case-sensitive.

upstream load balancing:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

The upstream block's name and the host in proxy_pass must match (here both are "online"); otherwise nginx tries to resolve the proxy_pass host through DNS instead of using the upstream.
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests get a 403 straight from nginx. Using the PHP setup as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then request in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS probes are being filtered. Each block is also recorded in nginx's error.log together with the rule file, rule id and client address that triggered it, which is how to confirm that a 403 came from ModSecurity and not from the application. Remove phpinfo.php again once testing is done; it discloses paths, versions and environment variables to anyone who can reach it.
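The following script, an added example that is not part of the original post or of ModSecurity, parses the [key "value"] trailer that ModSecurity appends to each of its nginx error.log lines and tallies blocked requests per client and per rule id, which is what you want when checking that the test requests above were stopped by the rules you enabled. The log lines embedded in it are constructed for the example; the rule ids 100001 and 100002, the line numbers and the client addresses are placeholders, not real CRS values.

```python
"""Parse ModSecurity 2.x entries out of an nginx error.log.

Added example for this write-up, not code from the original post or from the
ModSecurity project. ModSecurity ends every line it logs through nginx with a
trailer of [key "value"] fields; this turns each line into a dict so a 403 seen
in the browser can be tied to the client, rule file and rule id behind it.
SAMPLE_LOG is constructed: its rule ids, line numbers and addresses are placeholders.
"""
import re
from collections import Counter

# nginx prefix "2015/01/26 02:04:18 [error] 61610#0: ", optional "[client IP] ",
# then the literal "ModSecurity: " that every module message starts with.
_PREFIX = re.compile(
    r'^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) '
    r'\[(?P<level>\w+)\] (?P<pid>\d+)#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?'
    r'ModSecurity: (?P<rest>.*)$'
)
# Trailer fields such as [id "1"] [uri "/x"]; ModSecurity backslash-escapes
# quotes inside values, so \" is allowed within a value.
_FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_line(line):
    """Return a dict for a ModSecurity line, or None for any other error.log line."""
    m = _PREFIX.match(line.strip())
    if m is None:
        return None
    rec = {k: m.group(k) for k in ('time', 'level', 'pid', 'client')}
    rest = m.group('rest')
    rec['tags'] = []                       # [tag "..."] may appear several times
    for key, value in _FIELD.findall(rest):
        if key == 'tag':
            rec['tags'].append(value)
        else:
            rec[key] = value
    rec['message'] = _FIELD.sub('', rest).strip()   # free text minus the trailer
    rec['blocked'] = rec['message'].startswith('Access denied')
    return rec


def summarize(lines):
    """Count blocks per client and per rule id; collect warn/error lines that
    are not rule hits (APR mismatch, audit-log mutex error, ...)."""
    by_client, by_rule, problems = Counter(), Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['blocked']:
            by_client[rec['client']] += 1
            by_rule[rec.get('id', '?')] += 1
        elif rec['level'] in ('warn', 'error'):
            problems.append(rec['message'])
    return by_client, by_rule, problems


# Constructed sample in the layout ModSecurity 2.8 uses when logging via nginx.
SAMPLE_LOG = [
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.',
    '2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!',
    '2015/01/26 02:10:03 [error] 29037#0: [client 10.11.15.161] ModSecurity: Access denied '
    r'with code 403 (phase 2). Pattern match "(?i:\b(?:and|or)\b\s*\d+\s*=\s*\d+)" at ARGS:id. '
    '[file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "99"] [id "100001"] [msg "SQL Injection Attack"] [data "and 1=1"] [severity "CRITICAL"] '
    '[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [hostname "www.52os.net"] '
    '[uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
    '2015/01/26 02:10:09 [error] 29037#0: [client 10.11.15.161] ModSecurity: Access denied '
    'with code 403 (phase 2). Pattern match "<script" at ARGS:search. '
    '[file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] '
    '[line "30"] [id "100002"] [msg "XSS Attack Detected"] [severity "CRITICAL"] '
    '[tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.52os.net"] [uri "/phpinfo.php"] '
    '[unique_id "BcBcBcBcBcBcBcB4DcB7BcBc"]',
    '2015/01/26 02:11:00 [error] 29038#0: [client 192.168.1.50] ModSecurity: Access denied '
    'with code 403 (phase 2). Pattern match "<script" at ARGS:q. '
    '[file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] '
    '[line "30"] [id "100002"] [msg "XSS Attack Detected"] [severity "CRITICAL"] '
    '[hostname "www.52os.net"] [uri "/search.php"] [unique_id "CcCcCcCcCcCcCcC4DcC7CcCc"]',
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed '
    'to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] '
    '[unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
]

if __name__ == '__main__':
    by_client, by_rule, problems = summarize(SAMPLE_LOG)
    print('blocks per client :', dict(by_client))
    print('blocks per rule id:', dict(by_rule))
    for msg in problems:
        print('problem:', msg)
```

Against a real deployment, call summarize(open('/opt/tengine/logs/error.log')) (the path is an assumption for the prefix used in this post). The same parser also picks out lines that are not rule hits, such as the APR mismatch and audit-log mutex messages in the troubleshooting section, and reports them as problems.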
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when building the standalone module.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version modsecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Be aware that removing apr also removes the packages that depend on it (apr-util, httpd-devel), which is acceptable once the build is finished. Afterwards confirm that the runtime linker resolves the same APR that configure found, for example with ldd /opt/tengine/sbin/nginx | grep apr; if a second copy is still on the library path the warning comes back.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

0777 on the storage directory is wider than needed. Create /var/log/modsecurity owned by the user the nginx workers run as and a mode such as 0750 is enough; with 0777 any local user can read or delete the audit records, which contain full request data.

References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614