Building a WAF with Nginx and ModSecurity

Posted on 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that substantially strengthens web security; it now also supports Nginx and IIS. Combined with the flexibility and performance of Nginx it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (Nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

2. Enable the standalone module and compile

Download ModSecurity for Nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to Nginx

Once the standalone build is done, the ModSecurity module can be added to the Nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

4. Add rules

ModSecurity is built for filtering and blocking web threats, and its power lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and strong, and custom rules can of course be written to cover any other need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the Nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

Under owasp-modsecurity-crs there are several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; a rule file is enabled simply by adding an Include line for it to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
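A pre-flight check for the layout above, added here as an example (it is not from the original post or the ModSecurity project): before reloading Nginx it verifies that modsecurity.conf and unicode.mapping are in the conf directory, that SecRuleEngine is On rather than the DetectionOnly value shipped in modsecurity.conf-recommended, and that every Include line resolves to an existing file relative to the conf directory, as this guide's layout assumes. The /opt/tengine/conf path is the guide's; the function name is mine.

```shell
#!/bin/sh
# Pre-flight check for the ModSecurity layout in this guide (example code, not the project's).
# Usage: check_modsec_conf /opt/tengine/conf     (prefix taken from the guide)
check_modsec_conf() {
    confdir=$1
    conf="$confdir/modsecurity.conf"
    errors=0

    if [ ! -f "$conf" ]; then
        echo "MISSING: $conf (copy modsecurity.conf-recommended there and rename it)"
        return 1
    fi

    # modsecurity.conf-recommended points SecUnicodeMapFile at unicode.mapping next to it.
    if [ ! -f "$confdir/unicode.mapping" ]; then
        echo "MISSING: $confdir/unicode.mapping"
        errors=$((errors + 1))
    fi

    # The shipped default is DetectionOnly: rules match and log, but nothing is blocked.
    # The last uncommented SecRuleEngine line wins, so that is the one to inspect.
    engine=$(sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
    case "$engine" in
        On|on|ON) ;;
        "") echo "NO SecRuleEngine directive in $conf"; errors=$((errors + 1)) ;;
        *)  echo "SecRuleEngine is $engine, not On: requests will be logged but not blocked"
            errors=$((errors + 1)) ;;
    esac

    # Relative Include paths resolve against the conf directory in this layout; a path that
    # does not exist makes the ModSecurity config fail to load, so catch it before the reload.
    for inc in $(sed -n 's/^[[:space:]]*Include[[:space:]]\{1,\}//p' "$conf"); do
        case "$inc" in
            /*) path=$inc ;;
            *)  path="$confdir/$inc" ;;
        esac
        if [ ! -f "$path" ]; then
            echo "BROKEN Include: $inc (no such file: $path)"
            errors=$((errors + 1))
        fi
    done

    echo "$errors problem(s) found in $conf"
    [ "$errors" -eq 0 ]
}
```

The check reads only the top-level modsecurity.conf; Include lines inside the CRS files themselves are not followed.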
5. Configure Nginx

In the location block of each virtual host where ModSecurity should be enabled, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # proxy_pass must name the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

6. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create phpinfo.php with this content:

<?php
    phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that SQL injection and XSS are being filtered.
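A scripted version of the browser checks above, added as an example and not part of the original post: it replays the three requests with curl and compares the status code each one gets with the one the guide expects, so the WAF can be re-verified after every rule or config change. curl is assumed to be installed; WAF_BASE_URL is an environment variable I introduce for the host under test (the guide's is http://www.52os.net), and the function names are mine.

```shell
#!/bin/sh
# WAF smoke test for the setup in this guide (example code, not from the original post).
# Set WAF_BASE_URL to the server you just configured, e.g. http://www.52os.net from the guide.

# Compare the status a request got with the one the guide says it should get.
waf_verdict() {  # $1 = label, $2 = expected code, $3 = observed code
    if [ "$2" = "$3" ]; then
        echo "PASS  $1 -> $3"
        return 0
    fi
    echo "FAIL  $1 -> got $3, expected $2"
    return 1
}

# Fetch one URL and print only the HTTP status code. The query is passed with
# -G/--data-urlencode so the spaces and angle brackets in the guide's test strings
# reach the server the way a browser would send them, not as a malformed request line.
http_code() {  # $1 = base URL, $2 = path, $3 = raw query "key=value"
    curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode "$3" "$1$2"
}

run_waf_checks() {  # $1 = base URL; returns 1 if any check fails
    base=$1
    failures=0
    # A 200 on the probes usually means SecRuleEngine is still DetectionOnly or the
    # Include lines for the SQLi/XSS rule files are missing.
    waf_verdict "benign id"  200 "$(http_code "$base" /phpinfo.php 'id=1')" || failures=$((failures + 1))
    waf_verdict "sqli probe" 403 "$(http_code "$base" /phpinfo.php 'id=1 and 1=1')" || failures=$((failures + 1))
    waf_verdict "xss probe"  403 "$(http_code "$base" /phpinfo.php "search=<script>alert('xss');</script>")" || failures=$((failures + 1))
    echo "$failures check(s) failed"
    [ "$failures" -eq 0 ]
}

# Only talk to a server when the caller has said which one.
if [ -n "${WAF_BASE_URL:-}" ]; then
    run_waf_checks "$WAF_BASE_URL"
fi
```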
7. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614