|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
3 w+ s) A9 |2 e
, X/ \8 r. E/ c; e& e1 F一.准备工作( Q, y5 ~1 t$ Y, P7 a0 o) ]- d
" N( N3 X% b8 j! ]# ]
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0# L2 S& n* e6 i1 W5 z$ }9 u [5 ^
) G, g, M7 j% Q2 z. `5 X. s4 Rtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
- s# ^2 B* o" S' j: m6 k9 U# r2 l6 ]( J' u/ x; H- R0 [
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz/ `+ o3 I9 Y6 u
3 N' F o& Q2 d0 i: o: _2 ~
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
* b1 e T& }6 v% Y1 i ^/ y( b! `" X6 ]9 m
依赖关系:
) w1 e7 F E+ L1 Etengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
# i8 ]. ~+ V1 p. ~. E5 ~ G' V3 S( ^, e0 J- S
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
4 @0 u- [9 U9 c0 W9 Q. [! kmodsecurty依赖的包:pcre httpd-devel libxml2 apr6 Y! K/ L0 \$ n& t3 T2 T
8 q4 r. D& v7 r' Q- }6 D
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel% T1 [- l0 A7 o
二.启用standalone模块并编译% z+ U5 g5 |8 x% [/ `
8 }: g0 E% t% G& s- N0 t ~下载modsecurity for nginx 解压,进入解压后目录执行:) M. Z; }5 O. L" A2 e8 N* p3 } }
1 h, m! l# `" B$ g# B6 c- I& g( a
./autogen.sh9 \; `3 Y$ h7 m% z# n
./configure --enable-standalone-module --disable-mlogc
# {! j& Q8 Y6 `4 L ~- K: nmake
4 i2 u }& J7 E3 U6 e! X三.nginx添加modsecurity模块9 f3 ]5 h6 H7 t6 z' I- x# X @
n' q+ y9 a [8 k8 J在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
S/ i7 N2 P: Z# v/ ^! i* A% W0 }- K
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine; t2 M1 C- Q7 {7 m9 e: m
make && make install2 u8 l; i- b- B0 A, I% D' R
四.添加规则5 z% \7 j2 \3 d$ G8 b: W$ m R& U
2 q4 G6 F% l' S0 P5 o' K7 }) F3 ]* e
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。( K+ q& G' f- A
# _7 y2 m: o# z! z/ h( L
1.下载OWASP规则:* P7 C: Q4 N8 X4 Y' I6 t- }% r
, ~0 j$ \ o) {; U8 F sgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
* P5 z; [( }1 I, R# t' X' O/ N4 D6 U6 F. P0 y" t/ |7 ]
mv owasp-modsecurity-crs /opt/tengine/conf/
0 }/ p: f; s# i6 e. E0 z! _; i/ u$ }% M3 ]$ y( V. |3 g
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf1 ?4 P# i( x( m9 P3 A. c, q
2.启用OWASP规则:
& e8 Q! I' c# q% Q C
% V7 X: q! q7 @8 M7 U1 ]; q复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。. f* @( i7 L, X
' a+ W0 j! B- e( A9 n' O
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
3 |% W( ^" \+ |7 s/ F4 y6 w3 J R Y, D0 t% ]
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
1 C& [6 r4 T& ~# j3 E% A2 e
2 n8 U( h3 [4 |/ D/ L5 ?Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
" }3 C. i* H/ }% H2 A2 h! w! JInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf, p* S6 R; v3 ~% ^. L
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf/ }* G! `, B! w4 N" z9 g: u
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
& L5 Z9 |9 Q! ?( @Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
4 x* {$ c' S! k6 q" [Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
4 Z: D( T, v6 g* h9 _Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf" i, D9 D2 i7 s0 C% Q
五.配置nginx2 ^0 `* f) e. [
7 h0 J$ W5 h) B& ~# f6 E在需要启用modsecurity的主机的location下面加入下面两行即可:# W- q# Z. w' s: {
* u( q, V5 O% e+ {
ModSecurityEnabled on;
+ y& B0 P. [( C" BModSecurityConfig modsecurity.conf;
; g) q4 o* `$ e1 i( V- v! n7 U下面是两个示例配置,php虚拟主机:0 w( v$ T- H6 t0 ^
6 G& ?) c4 n; r( }
server {; @! H' q& `7 X* Z7 I" ~
listen 80;
+ p( W1 l/ Q; X# B+ P server_name 52os.net www.52os.net;
- n/ L0 L5 f3 d ! L8 O7 l. E7 c# Z; w
location ~ \.php$ {
/ Z6 V% D; f3 q% n ModSecurityEnabled on;
& _8 r; Y! ~6 R$ U2 O7 h0 F ModSecurityConfig modsecurity.conf;
) E9 W; A0 J8 ^' a; q% x: J1 u9 z
root /web/wordpress;
* {8 a( D8 t: k: k4 [2 n4 w index index.php index.html index.htm;
. e9 o, u0 g6 z' c
# k4 R" `# T( O fastcgi_pass 127.0.0.1:9000;4 p/ O1 O/ k* ~# [ S
fastcgi_index index.php;7 D0 ~) V) }* S9 B3 m; W! E5 Z8 z
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
9 [$ S! D8 r3 { include fastcgi_params;
( R& C3 V- j% C4 D }
( ~/ |% Y' \: W' e' j5 z9 |! i+ b; u }
+ A8 X# R2 ^% H' rupstream负载均衡:
6 |$ _9 B% u3 z: u. s6 ]3 a: V! j# p/ Z
upstream 52os.net {7 k5 d, J& m& e/ _$ P
server 192.168.1.100:8080;
* r8 }/ r9 i( ?8 E server 192.168.1.101:8080 backup;
. C3 R1 a2 _2 I: G5 t}
G3 D" w/ d% g+ h5 m! E$ f2 K' L. X8 _
server {$ U1 r) ?' ?' W& t8 u
listen 80;, G5 ^7 H2 I7 m e( R3 B! z
server_name 52os.net www.52os.net;4 v+ \, @ g7 x
6 b) k" E. S. p5 w* V9 Vlocation / {
& J$ Z2 u! l! e6 M" i. Q ModSecurityEnabled on; * E( z5 E+ o5 I; s8 L# A' `8 n
ModSecurityConfig modsecurity.conf; % q8 J' _7 s6 g1 y- G" x
$ i; a7 e6 F5 g5 g/ A# @$ z6 ^
proxy_pass http://online;4 O/ N: o9 V1 u1 l2 D
proxy_redirect off;- A* y3 {- }/ x8 \5 @2 C: m/ ]
proxy_set_header Host $host;
) K, Q1 N1 E3 V7 u2 ~( L2 Y proxy_set_header X-Real-IP $remote_addr;) j( }& R, I r& r
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;; A# F4 H4 a% ]
}
/ k% q4 n* P: r o7 C0 D. G5 a% i* t}! J9 U- C) L3 i1 i/ @, X& {% q
六.测试+ L2 U3 U) a: e( S
% a3 b+ w8 N- `! E我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
0 {9 d# D. a5 a. F# s; ^ x+ C
3 Y; b, I& P5 L/ @: Z' M8 N& L<?php
% b' `! y0 n1 ?5 _ phpinfo(); & W0 m+ J6 h. k) v! X
?>
8 ?# I3 J9 z7 }" P5 g: [+ P+ P! ^在浏览器中访问:
/ b* ^( G. }) N9 k; r" b* `0 h9 H
- u$ K1 K' n7 whttp://www.52os.net/phpinfo.php?id=1 正常显示。
% P" @/ d+ Y' n( N0 ^http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
& X0 _" B0 O! D/ whttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。9 a; u+ m, S) J8 O
说明sql注入和xss已经被过滤了+ X0 ~9 a3 l4 |+ y: N; I5 }2 r( U, Q8 |
0 K+ U& U5 i9 H1 B" Q七、安装过程中排错, ~1 R5 f) C! x
0 S& v0 P8 Q v' N5 O
1.缺少APXS会报错1 G$ A$ y* S ] U6 u
9 A/ O3 X) ?' nconfigure: looking for Apache module support via DSO through APXS
{1 G% L+ Q6 fconfigure: error: couldn't find APXS
) b& F6 X" x* P E! l# xapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
3 w: W2 I& E$ S/ M. t7 y6 m% e解决方法:9 }7 s: m! R2 ^7 h" e
' _0 Y# O) L: p3 `. b. A) F
yum install httpd-devel9 O/ ~8 y% V' K) W
2.没有pcre
2 ~) T( c+ l# W) T% T9 D: \' q& g3 L; t1 r
configure: *** pcre library not found.
' k# {% e- f1 `: w& ?4 `configure: error: pcre library is required
, h, d3 [& Q% Q8 a a x解决方法:+ }3 h. K: v2 w! b
2 v* ?' ]9 R' h* k4 \2 Yyum install pcre pcre-devel
( G, R! R% r6 v# o% k3.没有libxml2
- ~+ E( y, @9 k' m1 G* [2 R. ^" L/ E
- T- _1 Y. g# C0 D! x5 l
configure: *** xml library not found.$ Z; y' ?* a2 b- K$ U6 w4 p
configure: error: libxml2 is required8 N, }5 Q' W6 m4 _: { b- G$ c
解决方法:
8 z, u# F+ m) V1 f; f- L
, @/ Q: Q8 m& |2 V: w* j; ~yum install libxml2 libxml2-devel
( F; @; |- S ~+ o4.执行 /opt/tengine/sbin/nginx -m 时有警告1 \5 z( H# m4 p+ _% T
( X# [: n* {; [) c0 O2 k' W8 D
Tengine version: Tengine/2.1.0 (nginx/1.6.2)# G( \* n. i* R$ b" s' H
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
( B/ Y+ q/ w( z6 b l原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
% Y F* }2 c" j1 q: |
3 H% U u) a" G; d8 @6 t2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.. P4 s( a5 n7 ~& P( C |/ Y
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9") T7 Q$ D( j) K1 e
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!& j( D* Q8 D0 g" }
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"; u9 e9 O- `9 v8 T
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"/ Q) f" _1 `% n2 r
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.: Y& L9 @# Q1 X" X0 V
解决方法,移除低版本的APR (1.3.9)3 h& | r! v4 c. {8 @) R3 `
" M* Q, z7 T! g% v: X: t" w" x
yum remove apr
0 M5 }7 V1 L: [% y( ?5.Error.log中有: Audit log: Failed to lock global mutex
& y; k2 B# O9 U: D) s( K: t+ r/ D7 Q, H4 t6 [
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
6 [5 M0 y8 {/ j( @global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"], H3 g, U8 K; ?# w
解决方法: k+ \, c$ \( W8 y* [8 G& \$ c
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:2 t7 V2 o" X- M) ^8 U
E4 T( z+ O( @
SecAuditLogDirMode 0777
7 g: A! c/ x9 m8 j8 ^SecAuditLogFileMode 0550; w8 f1 d" |" a8 K4 _, w
SecAuditLogStorageDir /var/log/modsecurity
' K9 K3 ?( a) u1 x. j; Q c, _SecAuditLogType Concurrent4 H: ^+ _! H5 r1 o! i( o. K
参考文章:0 k$ |& h( m* `) r
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX' B: w% U: B/ H" V' S0 z
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡