|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
; V$ I0 [+ l1 P/ M; M- ?4 T
$ S0 j+ f$ F; t2 R, @) v( O6 M一.准备工作
% X W$ t7 o; O- E$ d9 S+ g0 s2 j! @
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
) V! B" l: W. ?3 I9 ?, G6 |' f; t) y0 y( D H: |
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz8 U& J. [* P3 c$ r0 z
+ L5 @: \- h- r/ N
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz/ p$ U& R% h3 U, u
) v/ Q; i( ? u: E) F
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs& S# Y$ L+ T( i" P
* ~% c. _9 j: b2 i8 ]
依赖关系:3 ]+ w8 h' S9 R
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:3 H* [9 ?1 { C( {0 \
5 X# m F2 b/ N$ W$ F* E+ g
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel M9 Y) z3 Y" B8 r6 H
modsecurty依赖的包:pcre httpd-devel libxml2 apr
% K% X! Y( ]% J0 I- A) M2 _( I$ |+ t' ?# Y3 ^" d6 t
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
e( d e# `6 x6 \7 Q& X! K二.启用standalone模块并编译
[' |3 o8 C7 {, C. E2 \) Q$ t% x8 J9 J* O4 d. J$ X! z2 S
下载modsecurity for nginx 解压,进入解压后目录执行:8 G9 p+ B; Y: E- W, c
4 j! c1 R; E6 p/ k& a# G; g, c# s
./autogen.sh
% O3 c- [4 A, ~% S$ z1 V6 w./configure --enable-standalone-module --disable-mlogc% p! G1 X$ s6 D* O) h5 f
make 5 c, L2 H0 R# @0 ^, z7 y
三.nginx添加modsecurity模块
- R2 D; \" @5 H% o# |2 T- T' }# I; l5 U; Q: W3 \# {
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:2 S. V' h; z, D; {1 j$ @7 W$ j
& x4 R9 d, {2 l; b./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
( D# \+ V/ z8 |4 b+ ~" smake && make install% u I) y$ b+ Q0 l, m
四.添加规则
! D. _& I2 C* U1 U7 v7 c3 S, b2 X
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。 J, ?$ q# i1 ^* _3 d! J
4 ~0 b$ ^9 H7 w/ y
1.下载OWASP规则:
( L. @5 {) H' D7 D- G0 x0 b2 M3 I) W- ~9 E
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs. n' z# t9 C$ W8 L/ {0 G. g
$ e- x& N+ I3 B5 |
mv owasp-modsecurity-crs /opt/tengine/conf/2 v; R1 o/ B/ a) x
" t' e, z" M: I8 Qcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf6 {( L% S% P9 I/ L, I" f
2.启用OWASP规则: b% r4 g! g' q: v" G! m6 d
1 l, }5 Q. t7 G& F% j/ s; X3 l
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。7 e, D! H: i4 L7 ?1 G( |
4 s4 ^3 }8 e( M3 r6 _0 n编辑modsecurity.conf 文件,将SecRuleEngine设置为 on1 m. T7 E2 v/ ?6 N2 S% q5 E. B* g
+ V! q/ M9 f$ M& l7 zowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。. K$ ?: v5 F+ \4 J
0 G: T% O+ D1 y
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf1 y. M% W" z, w8 S1 _$ U
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf! v: s; Y0 _/ g4 I# u7 y" J
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
; L6 i, S6 d3 V8 }- d- SInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf' [! ?: p6 E% R7 {6 s% m, V2 j
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
& T9 q/ I3 V. ZInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf6 Y4 B' }$ p0 k& k8 M& V
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
/ I6 ?) y' l* K7 Z; p# k6 U, a五.配置nginx+ X: m/ c( A) }+ z
1 a" @0 A* w F2 N" a- }在需要启用modsecurity的主机的location下面加入下面两行即可:; c2 _* |4 V9 d2 M8 F+ p# K' F
7 ]9 x9 _1 R& I, P0 }! m: `( jModSecurityEnabled on;
! `. r1 q$ t8 B. r+ M' x; u, yModSecurityConfig modsecurity.conf;
- P0 e3 n- \( q# b* F8 e& {$ n下面是两个示例配置,php虚拟主机:4 x1 ]9 w" A6 O7 C- l
- G- {6 \! f6 _server {9 n3 T2 [9 n# y$ S h7 |8 j( ~7 Z
listen 80;
& a9 Q- O! g* s. j9 d server_name 52os.net www.52os.net;
# S* @; M, m4 ]/ N m5 n/ Q3 w, Q1 @# K& K- d
location ~ \.php$ {
! a3 {5 y: j5 G5 L ModSecurityEnabled on; 7 W) P* Y" v3 ]
ModSecurityConfig modsecurity.conf;3 [6 Y( L$ [; n" q6 O; l: |% }1 M
) m) `: w) D5 y: ^7 x; t- o
root /web/wordpress;
0 W& V9 A; ^/ ]; `" b% M index index.php index.html index.htm;
4 _. \% s! q, H4 P# j5 u
! x+ n, h8 E( c1 P+ X6 k8 e fastcgi_pass 127.0.0.1:9000;
2 O1 N7 F% q0 `" a( c fastcgi_index index.php;9 ^) V7 g& F8 M4 P
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
) E/ _% K: K$ b9 w2 |! o include fastcgi_params;. T; U* n. g" W
}
: o: M" ~ O$ e0 u8 v( ~ }
; r2 [$ |+ m9 Y6 I" Uupstream负载均衡: M: Z' N! R. B% k
1 L8 ]7 V) x, b2 y) u: @upstream 52os.net {
4 f( o$ P! }, |; ?) \1 I% Y server 192.168.1.100:8080;9 D# o/ e$ q+ F/ q4 z
server 192.168.1.101:8080 backup;; ?% \5 g, L c, Z
}0 q% w) @. ~4 W$ l3 {& p0 x+ X8 q
+ r9 U O' g0 R9 v% b& P
server {5 }, z- y1 ], T" D1 ` U
listen 80;
9 x& E7 W3 H N$ Jserver_name 52os.net www.52os.net;
& A0 z1 J1 h) Z4 T( j0 R
' i% \1 l* p# F- V# F! rlocation / {
% a0 g, s0 a* {1 K; S4 |1 r ModSecurityEnabled on;
: _! |6 h- e: y i4 i, O ModSecurityConfig modsecurity.conf; : j$ _' _ o7 |4 e. H. ?4 J
4 G: h4 Y7 X* ?2 U5 t6 R7 L+ S proxy_pass http://online;
- X& g Z$ N8 Y# I proxy_redirect off;
6 W: Z( u; @( a( s proxy_set_header Host $host;( T+ _8 x; b6 U2 D$ i- U) A
proxy_set_header X-Real-IP $remote_addr;
/ g7 W: R! B. Y- V h% | w proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' C; n" V. z, P
}
' H! z) I9 F, ]5 L}+ R. e+ o5 q( g( w: W: a& c3 q
六.测试3 y+ o: U- r5 @0 z7 I
# H f3 M" n& @我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:- F: }: h$ L6 ~7 m. W
x |; t+ j5 w+ B9 n" E" p6 [<?php; _/ W1 Z0 n J
phpinfo();
[2 S6 J7 G" h1 g; x( [?>* g7 I# {6 T) Z/ {7 M+ q
在浏览器中访问:* K9 Q. m/ _: i% ]2 X- |* n
! |* @* T6 y4 i6 m$ j6 m9 d1 ?
http://www.52os.net/phpinfo.php?id=1 正常显示。
- I8 G& h% F2 X% ihttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
8 R1 R' d% h/ V) i, Uhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
9 W2 Y$ D. M& X# x5 z5 i说明sql注入和xss已经被过滤了 u0 ^! w' ~- }! [, w
* y+ ?) M3 ~6 b) [, {3 ]2 A
七、安装过程中排错( N7 p+ `! H; U) F0 D
5 Q0 c2 ]: e) k& @7 x1 n1.缺少APXS会报错
! o; ]: G2 S# E! i
$ \+ T4 _# z" `: Z7 j* D! A; F& Gconfigure: looking for Apache module support via DSO through APXS# w* \9 P- P0 N7 N6 V/ Y$ k
configure: error: couldn't find APXS0 ?' r7 F$ ~. i$ s; X
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
& |" }' U7 b. [解决方法:4 z- a& f+ q9 R' E. @, H
7 t& ^3 a: h: O! l$ P: q* |0 z c1 U
yum install httpd-devel
) Z& U4 }0 P* z2.没有pcre
% N' w% M, v2 T. x
7 L; |; S8 e$ X2 m8 o, a7 p* \" `$ O Mconfigure: *** pcre library not found.
$ C4 P" u: G. K$ Vconfigure: error: pcre library is required
+ F0 {7 c3 i7 y$ F6 [解决方法:& y: ~/ q( s' B1 P) j5 S+ s0 Z
) n# J2 H$ w' |; e8 l# p
yum install pcre pcre-devel
. n" E1 i+ K9 y3 w# Q/ W5 D3.没有libxml25 n" {% S Z) F% n) R
|; ?# `" {, ~. d& |
3 e3 \. e* K/ V- N" ?configure: *** xml library not found.
! A. ^7 {9 e4 r1 wconfigure: error: libxml2 is required7 @( ]1 Z4 f- I$ d+ u! ]
解决方法:
; h( i! J+ x: p: i2 E& `6 c1 ]/ X1 W: Q
yum install libxml2 libxml2-devel* d* v @3 |3 s
4.执行 /opt/tengine/sbin/nginx -m 时有警告
6 c3 a: J9 w' b: W0 K
S4 A/ C$ v. T9 }8 ?' u0 q. l8 XTengine version: Tengine/2.1.0 (nginx/1.6.2)/ Z/ b2 _4 i" P! _, G
nginx: [warn] ModSecurity: Loaded APR do not match with compiled! I# |. c7 U7 k3 X6 H- b( k4 S
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
3 h# K# C9 r3 l- r ], B) R2 j5 H) F* C E8 C3 b6 C: X m
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.9 T* e& O: _% s0 l$ }
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"3 a" `% T0 F7 W
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
O& m0 f: l0 _" w8 \- }2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"3 X' Y+ I6 P* J/ d4 F
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"6 H4 Q6 @4 E" v/ X
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
& }) n( E. N! s3 j' ^, t, Q解决方法,移除低版本的APR (1.3.9)
4 h7 ]8 P! v! C3 _8 a4 ]# L
/ y4 v# V3 t k& v0 t/ iyum remove apr
V3 v g, y; }# s! D" h) j5.Error.log中有: Audit log: Failed to lock global mutex
. p$ u" @1 F6 D1 c1 k( O! B" @
. U4 F% c! f. Q2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
9 R. y7 Y' k% x5 w; I# Nglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
) e9 L8 }1 s0 n% C, e5 V8 e" p解决方法:
/ ~$ r5 w0 A5 w5 @9 @编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
: |. z( X0 Z4 l) | G' W* S
4 P5 ?+ ~9 a* T wSecAuditLogDirMode 0777$ g- P8 v" ^, R! t' }
SecAuditLogFileMode 0550, X( I6 s( a p/ V, E
SecAuditLogStorageDir /var/log/modsecurity
+ M- g2 v7 f% A) XSecAuditLogType Concurrent
& M# [( B, ?4 o4 ]/ ]+ a% V8 j) }参考文章:
% u4 _1 k8 i6 Thttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX* w0 t3 F! t- I+ m& X1 B7 r- r$ k
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡