ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports Nginx and IIS. Combined with Nginx's flexibility and efficiency it can be turned into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0.

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module has been built, it can be added to nginx at build time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity's job is to filter and block web attacks, and its power lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and comprehensive, and you can of course write custom rules for any other requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.
Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need; a rule file is enabled by pulling it in with Include, keeping modsecurity_crs_10_setup.conf first as shown:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines inside the location block of each virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # the name after http:// must match the upstream block above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL-injection rules enabled, malformed requests are answered with 403 directly. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
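The three browser checks above are worth scripting so they can be re-run after every rule change. The following is an added example, not code from the original post: it sends the same three requests (the benign id=1, the SQL-injection probe and the XSS probe) and compares each HTTP status with the 200/403/403 the post expects. BASE_URL is an assumption and should point at your own test host; the fetch function is injectable so the runner can be exercised without a server. The one practical detail it handles is that urllib raises HTTPError on a 403, so the status has to be read from the exception.

```python
"""WAF smoke test for a ModSecurity-protected vhost.

Added example, not code from the original post. It automates the three
requests the post makes by hand and compares the HTTP status with the
one the post expects (200, 403, 403). BASE_URL is an assumption: point
it at your own test host.
"""
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net"  # assumption: replace with your test host

# (path, raw query string, expected status), as in the post's manual test
CHECKS = [
    ("/phpinfo.php", "id=1", 200),
    ("/phpinfo.php", "id=1 and 1=1", 403),
    ("/phpinfo.php", "search=<script>alert('xss');</script>", 403),
]


def build_url(base, path, query):
    """Percent-encode the query so spaces and angle brackets reach the
    server the way a browser would send them; '=', '&' and '/' stay as-is."""
    return base + path + "?" + urllib.parse.quote(query, safe="=&/")


def fetch_status(url, timeout=5):
    """GET url and return the HTTP status code, treating 4xx/5xx as a
    result rather than a failure (ModSecurity's 403 is the expected case)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def run_checks(base_url=BASE_URL, fetch=fetch_status, checks=CHECKS):
    """Run every check and return a list of (url, expected, got, passed).
    `fetch` is injectable so the runner can be tried without a live server."""
    results = []
    for path, query, expected in checks:
        url = build_url(base_url, path, query)
        got = fetch(url)
        results.append((url, expected, got, got == expected))
    return results


def all_passed(results):
    """True only if the WAF answered every request as expected."""
    return all(passed for _, _, _, passed in results)


if __name__ == "__main__":
    outcome = run_checks()
    for url, expected, got, passed in outcome:
        print("PASS" if passed else "FAIL", url, "expected", expected, "got", got)
    raise SystemExit(0 if all_passed(outcome) else 1)
```

A non-zero exit code on any unexpected status makes the script usable as a post-deployment check; a 200 on the second or third request means the corresponding Include is missing or SecRuleEngine is still off.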
9 Z7 [5 o! b. j3 i
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Solution:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:
yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:
yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time; error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
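The error.log excerpts in items 4 and 5 are where to look when the WAF misbehaves, and the same file records every request it blocks. As an added example, not code from the original post, the following parser extracts ModSecurity entries from an nginx error.log: it reports compiled/loaded library mismatches like the APR one (without flagging the PCRE line, where "7.8 " and "7.8 2008-09-05" are the same release), splits the bracketed [key "value"] fields of entries such as the mutex failure, and lists blocked requests with client, URI and rule id. The sample log reuses the post's own lines plus one constructed "Access denied with code 403" entry (the standard ModSecurity denial message) whose rule id 999999 and unique_id are placeholders.

```python
"""Parse ModSecurity messages out of an nginx error.log.

Added example, not code from the original post. The first six lines of
SAMPLE_LOG are the ones quoted in the post; the last "Access denied"
line is constructed (rule id 999999 and unique_id are placeholders).
"""
import re

# nginx error.log layout: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
LINE_RE = re.compile(r'^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (\d+)#(\d+): (.*)$')
CLIENT_RE = re.compile(r'^\[client ([^\]]+)\] ')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
VERSION_RE = re.compile(
    r'ModSecurity: (\w+) compiled version="([^"]*)"(?:; loaded version="([^"]*)")?')

SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:00 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "and 1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "999999"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed0001"]
"""


def _first_token(version):
    """'7.8 ' and '7.8 2008-09-05' both describe PCRE 7.8: compare the
    leading token only so a build-date suffix is not reported as a mismatch."""
    parts = version.split()
    return parts[0] if parts else ""


def parse_line(line):
    """Return a dict for a ModSecurity entry, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m or "ModSecurity" not in m.group(5):
        return None
    ts, level, pid, _tid, msg = m.groups()
    rec = {"time": ts, "level": level, "pid": int(pid), "client": None}
    c = CLIENT_RE.match(msg)
    if c:
        rec["client"] = c.group(1)
        msg = msg[c.end():]
    rec["fields"] = dict(FIELD_RE.findall(msg))      # hostname, uri, id, msg, ...
    rec["message"] = FIELD_RE.sub("", msg).strip()    # free text without the fields
    return rec


def parse_log(text):
    """All ModSecurity records in a log text, in file order."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def version_mismatches(records):
    """(library, compiled, loaded) for every notice whose versions differ."""
    out = []
    for rec in records:
        m = VERSION_RE.search(rec["message"])
        if not m or m.group(3) is None:      # no "loaded version" part (LIBXML)
            continue
        compiled, loaded = _first_token(m.group(2)), _first_token(m.group(3))
        if compiled != loaded:
            out.append((m.group(1), compiled, loaded))
    return out


def blocked_requests(records):
    """Client, URI and matching rule for each request the WAF denied."""
    hits = []
    for rec in records:
        if rec["message"].startswith("ModSecurity: Access denied"):
            f = rec["fields"]
            hits.append({"client": rec["client"], "uri": f.get("uri"),
                         "id": f.get("id"), "msg": f.get("msg"),
                         "unique_id": f.get("unique_id")})
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("ModSecurity entries:", len(recs))
    for lib, comp, load in version_mismatches(recs):
        print("version mismatch:", lib, "compiled", comp, "loaded", load)
    for hit in blocked_requests(recs):
        print("blocked:", hit)
```

The unique_id field is the join key into the concurrent audit log configured in item 5, so the same parser output can be used to pull the full transaction for any blocked request.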
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614