ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre httpd-devel libxml2 apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone build has finished, the ModSecurity module can be added when building nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Adding rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for any requirement.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; a rule file is enabled simply by pulling it in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

In the location block of each host that should have ModSecurity enabled, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are lower-case: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

A load-balanced upstream:

# the upstream name must match the one used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We have enabled the XSS and SQL injection filters, so malformed requests are answered directly with a 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
7. Troubleshooting the installation

1) A missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2) pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3) libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4) Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log will also contain the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the lower-version APR (1.3.9):

yum remove apr

5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614