nginx with ModSecurity as a WAF

Posted on 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF module for Apache and is an effective way to harden a web application; it now also supports nginx and IIS. Combined with the flexibility and performance of nginx it can be built into a production-grade WAF, and it is a strong tool for both protecting and auditing web traffic.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone build has finished, the module is added to nginx with "--add-module" when nginx itself is configured:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

After the install, /opt/tengine/sbin/nginx -V prints the configure arguments, including the --add-module path, so it is worth confirming that the module really went into the binary before moving on to the rules.
4. Add rules

ModSecurity's purpose is to filter and block dangerous web requests, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and comprehensive, and custom rules can be added on top of them to cover whatever else is needed.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches but blocks nothing; that is a sensible setting to keep while the rule set is first exercised against real traffic, switching to On once the false positives have been dealt with.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each file to modsecurity.conf. modsecurity_crs_10_setup.conf has to be included first, because the rule files depend on the variables and default action it defines:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
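The rollout this section describes (run in DetectionOnly first, exclude the rules that prove to be false positives, then switch to On) is easy to script. The helper below is an added example and is not code from the original post or from the ModSecurity or CRS projects. It assumes the layout used above (modsecurity.conf and the CRS checkout under /opt/tengine/conf), but takes every path as a parameter so it can be tried on a scratch copy; the local rule it writes and the rule id passed to add_exclusion are illustrative.

```shell
#!/bin/sh
# Staged ModSecurity rollout helper. Added example, not code from the original
# post or from ModSecurity/CRS. Paths are parameters; defaults assume the
# /opt/tengine/conf layout used in this post.

# Set SecRuleEngine in CONF to MODE (DetectionOnly, On or Off).
# modsecurity.conf-recommended ships with DetectionOnly; going live is a
# one-word change, so validate the value and fail loudly if the directive is
# not there to be changed, rather than silently leaving the old mode in place.
set_engine_mode() {
    conf=$1
    mode=$2
    case "$mode" in
        DetectionOnly|On|Off) ;;
        *) echo "invalid SecRuleEngine value: $mode" >&2; return 1 ;;
    esac
    grep -q '^SecRuleEngine ' "$conf" || { echo "no SecRuleEngine in $conf" >&2; return 1; }
    tmp="$conf.tmp.$$"
    sed "s/^SecRuleEngine .*/SecRuleEngine $mode/" "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the current SecRuleEngine value of CONF.
engine_mode() {
    sed -n 's/^SecRuleEngine \(.*\)$/\1/p' "$1"
}

# Append "SecRuleRemoveById RULE_ID" to FILE, keeping REASON as a comment so
# the exclusion can be audited later. The id must be numeric.
add_exclusion() {
    file=$1
    rule_id=$2
    reason=$3
    case "$rule_id" in
        ''|*[!0-9]*) echo "rule id must be numeric: $rule_id" >&2; return 1 ;;
    esac
    printf '# %s\nSecRuleRemoveById %s\n' "$reason" "$rule_id" >> "$file"
}

# Write a site-local rules file with one custom SecRule, to show the syntax.
# Ids 1-99999 are reserved by ModSecurity for local rules, so 1000 is safe.
write_local_rules() {
    cat > "$1" <<'EOF'
# Local rules; Include this file from modsecurity.conf after the CRS files.
# Deny a request with a UNION SELECT in any parameter, after URL decoding.
SecRule ARGS "@rx (?i)union\s+select" \
    "id:1000,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Local rule: UNION SELECT in parameter'"
EOF
}

# Check the nginx configuration and only reload if it parses, so a bad edit
# does not take the site down. NGINX_BIN defaults to the Tengine path above.
reload_if_valid() {
    nginx_bin=${1:-/opt/tengine/sbin/nginx}
    "$nginx_bin" -t && "$nginx_bin" -s reload
}

# Example run (only when invoked with --go-live): switch from detection to
# blocking once the exclusions gathered during the detection phase are in.
if [ "${1:-}" = "--go-live" ]; then
    conf_dir=${2:-/opt/tengine/conf}
    set_engine_mode "$conf_dir/modsecurity.conf" On
    reload_if_valid
fi
```

Include the two files it writes from modsecurity.conf after the CRS Include lines: SecRuleRemoveById only removes rules that have already been defined, so an exclusion placed before the CRS files does nothing. Run in DetectionOnly against real traffic for a while, add exclusions for the rule ids that error.log reports on legitimate requests, then switch to On.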
5. Configure nginx

In each location of the virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host (note that only requests matched by the .php location are inspected here; requests for static files bypass ModSecurity):

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
Second, an upstream load-balancing configuration; the upstream name must be the same one proxy_pass refers to:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with 403 straight away. Using the PHP host as the example, create phpinfo.php containing:

<?php
    phpinfo();
?>

Then request the following in a browser:

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS rules are filtering requests. Each blocked request is also written to the nginx error.log together with the rule id and message that matched, which is where to look when a legitimate request is unexpectedly rejected. Remove phpinfo.php once the test is done: it exposes the PHP build and environment to anyone who can reach it.
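Once the engine is On, the decisions worth reviewing are the denials in the nginx error.log. The script below is an added example, not code from the original post or from ModSecurity: it pulls the client address, URI, rule id and message out of ModSecurity 2.x error-log entries and counts denials per client and per rule. The log lines it embeds are constructed for the example in the bracketed format shown in section 7; the rule ids, messages and regexes in them are illustrative.

```shell
#!/bin/sh
# Summarise ModSecurity denials from the nginx error.log.
# Added example, not code from the original post or from ModSecurity.

# Write constructed sample log lines to FILE. They follow the ModSecurity 2.x
# error-log layout (a [client ADDR] field, then quoted [name "value"] fields);
# the rule ids, messages and regexes are illustrative.
write_sample_log() {
    cat > "$1" <<'EOF'
2017/10/19 16:55:01 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\b1\\s*=\\s*1\\b)" at ARGS:id. [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2017/10/19 16:55:09 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script[^>]*>" at ARGS:search. [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2017/10/19 16:56:30 [error] 29036#0: [client 192.168.1.50] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [hostname "www.52os.net"] [uri "/index.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2017/10/19 16:57:02 [error] 29036#0: [client 192.168.1.50] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\b1\\s*=\\s*1\\b)" at ARGS:page. [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [hostname "www.52os.net"] [uri "/index.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]
2017/10/19 16:57:02 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
EOF
}

# Extract the value of a quoted bracketed field: field id LINE -> 950901.
field() {
    printf '%s\n' "$2" | sed -n "s/.*\[$1 \"\([^\"]*\)\"\].*/\1/p"
}

# The [client ADDR] field is not quoted, so it needs its own pattern.
client_of() {
    printf '%s\n' "$1" | sed -n 's/.*\[client \([^]]*\)\].*/\1/p'
}

# One tab-separated "client uri id msg" line per denial in LOGFILE. Warnings
# (what DetectionOnly produces) and engine notices are deliberately skipped.
denials() {
    grep 'ModSecurity: Access denied' "$1" | while IFS= read -r line; do
        printf '%s\t%s\t%s\t%s\n' "$(client_of "$line")" "$(field uri "$line")" \
            "$(field id "$line")" "$(field msg "$line")"
    done
}

# "COUNT CLIENT" per source address, busiest first.
top_clients() {
    denials "$1" | cut -f1 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# "COUNT ID" per rule id, most frequent first. A rule that dominates this list
# on known-good traffic is the first candidate for a SecRuleRemoveById.
top_rules() {
    denials "$1" | cut -f3 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Demo on the constructed log when run directly with --demo.
if [ "${1:-}" = "--demo" ]; then
    log=$(mktemp)
    write_sample_log "$log"
    echo "denials:"; denials "$log"
    echo "by client:"; top_clients "$log"
    echo "by rule:"; top_rules "$log"
    rm -f "$log"
fi
```

Point the functions at the real file (denials /opt/tengine/logs/error.log, or wherever error_log is set) instead of the constructed sample; the parsing only relies on the [client ...] and [name "value"] fields, which ModSecurity 2.x writes for every denial.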
) y( `; e% _1 P5 ]* D
7. Troubleshooting the build

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when building the standalone module.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

yum will offer to remove every package that depends on apr as well (httpd-devel among them), so read its dependency list before confirming. The goal is only that the APR library found at run time is the same one the module was built against.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The error means a worker process, which runs as the unprivileged nginx user, could not lock the mutex that serialises writes to the single audit log file. Concurrent mode sidesteps that by writing each transaction to its own file under SecAuditLogStorageDir. The 0777 directory mode above is broader than needed: the storage directory only has to be writable by the user the workers run as, and since audit logs contain complete requests, including any credentials and session tokens in them, it is better to have that user own the directory and use a tighter mode.

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614