ModSecurity started out as an open-source WAF for Apache that noticeably hardens web applications; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency it can be turned into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module is added to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is aimed at filtering and blocking web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet specific needs.

(1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

(2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include directive for each of them to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines to the location block of each virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
An upstream load-balancing host:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.

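The three browser checks above as a repeatable script, added here as an example and not part of the original post. It assumes the post's host www.52os.net and phpinfo.php path (change BASE_URL for your own site); `fetch` is injectable so the comparison logic can be exercised without a live server.

```python
import urllib.error
import urllib.parse
import urllib.request

# Host and path from the post's testing section; change for your own site.
BASE_URL = "http://www.52os.net/phpinfo.php"

# (query string, expected status): the post's own three checks. 403 is what
# the CRS SQLi and XSS rules return once SecRuleEngine is On.
CHECKS = [
    ("id=1", 200),
    ("id=1 and 1=1", 403),
    ("search=<script>alert('xss');</script>", 403),
]


def build_url(base, query):
    """Percent-encode the query as a browser would: http.client refuses a
    request line containing raw spaces or angle brackets."""
    return base + "?" + urllib.parse.quote(query, safe="=&")


def http_fetch(url, timeout=5):
    """Return the HTTP status for url. urlopen raises on 4xx/5xx, so the
    WAF's 403 arrives as an HTTPError and has to be unwrapped."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(base=BASE_URL, checks=CHECKS, fetch=http_fetch):
    """Return [(url, expected, actual, passed)] for every check."""
    results = []
    for query, expected in checks:
        url = build_url(base, query)
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


if __name__ == "__main__":
    for url, expected, actual, passed in run_checks():
        print("PASS" if passed else "FAIL", f"want={expected} got={actual}", url)
```

A FAIL on the first check means the clean request is being blocked (a false positive worth inspecting in the audit log); a FAIL on the other two means the corresponding CRS Include is not loaded or SecRuleEngine is still DetectionOnly.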
7. Troubleshooting the installation

(1) Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

(2) pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

(3) libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

(4) Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

(5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
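A small checker for the two error.log symptoms in items (4) and (5), added here as an example and not part of the original post: it flags a compiled-versus-loaded library version mismatch and the audit-log mutex permission error. The line format it parses is an assumption about nginx's error.log layout, not a ModSecurity API, and the sample lines are a constructed copy of the excerpts above.

```python
import re

# nginx error.log line: "date time [level] pid#tid: message" (assumed format)
LINE_RE = re.compile(r"^\S+ \S+ \[(?P<level>\w+)\] \d+#\d+: (?P<msg>.*)$")
# e.g. ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?')
# the audit-log lock failure quoted in item (5)
MUTEX_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: Audit log: Failed to lock '
    r'global mutex: (?P<reason>.*?) \[hostname "[^"]*"\] '
    r'\[uri "(?P<uri>[^"]*)"\] \[unique_id "(?P<uid>[^"]*)"\]')

# Constructed sample: the error.log excerpts from items (4) and (5) above.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

def scan_error_log(lines):
    """Return one finding dict per problem line, in log order."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # stderr lines such as "nginx: [warn] ..." have no prefix
        msg = m.group("msg")
        v = VERSION_RE.search(msg)
        if v:
            if v.group("loaded") is None:
                continue  # LIBXML reports only the compiled version
            # Compare the leading token only: PCRE logs "7.8 " against
            # "7.8 2008-09-05", which is the same library, not a mismatch.
            compiled, loaded = (v.group(g).split()[0] for g in ("compiled", "loaded"))
            if compiled != loaded:
                findings.append({"kind": "version_mismatch", "lib": v.group("lib"),
                                 "compiled": compiled, "loaded": loaded})
            continue
        a = MUTEX_RE.search(msg)
        if a:
            findings.append({"kind": "audit_lock_failed", "client": a.group("client"),
                             "reason": a.group("reason"), "uri": a.group("uri"),
                             "unique_id": a.group("uid")})
    return findings
```

After applying the fixes in items (4) and (5), running scan_error_log over a fresh error.log should return an empty list; if the audit lock error persists, confirm that SecAuditLogStorageDir exists and is writable by the user the nginx worker processes run as.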