ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be turned into a production-grade WAF, a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module can be added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Adding rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.
Edit modsecurity.conf and set SecRuleEngine to On.
owasp-modsecurity-crs contains several folders of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
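As an added check (not part of the original post), a small Python lint for the modsecurity.conf assembled in this step: it confirms SecRuleEngine is On rather than the DetectionOnly that modsecurity.conf-recommended ships with, verifies that every Include target exists, and flags a world-writable SecAuditLogDirMode. It assumes relative Include paths resolve against the nginx conf directory, as in the layout above; the sample config is constructed.

```python
import os
import re

# Directive lines this checker understands: Sec* directives and Include.
# A '#' always starts a comment here, so values containing '#' are not supported.
_DIRECTIVE = re.compile(r"^\s*(Sec\w+|Include)\s+(.+?)\s*$")


def parse_directives(conf_text):
    """Return (name, value) pairs for every non-comment directive line."""
    pairs = []
    for line in conf_text.splitlines():
        m = _DIRECTIVE.match(line.split("#", 1)[0])
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def check_modsec_conf(conf_text, conf_dir, exists=os.path.exists):
    """Lint a modsecurity.conf loaded via 'ModSecurityConfig modsecurity.conf'.

    Returns a list of findings (empty when the config matches the steps above).
    Assumption: relative Include paths resolve against conf_dir, the nginx conf
    directory, as in the layout used on this page.  `exists` is injectable so
    the check can run against a constructed config without touching the disk.
    """
    findings = []
    directives = parse_directives(conf_text)
    engine = [v for n, v in directives if n == "SecRuleEngine"]
    if not engine:
        findings.append("error: SecRuleEngine not set, the engine stays Off")
    elif engine[-1].lower() != "on":
        # modsecurity.conf-recommended ships with DetectionOnly: it logs but never blocks.
        findings.append("error: SecRuleEngine is %s, not On" % engine[-1])
    for name, value in directives:
        if name == "Include":
            path = value if os.path.isabs(value) else os.path.join(conf_dir, value)
            if not exists(path):
                findings.append("error: Include target not found: %s" % path)
        elif name == "SecAuditLogDirMode" and value.isdigit() and int(value, 8) & 0o002:
            findings.append("warning: %s %s makes the audit directory world-writable" % (name, value))
    return findings


if __name__ == "__main__":
    # Constructed config reproducing the state right after copying modsecurity.conf-recommended.
    sample = "SecRuleEngine DetectionOnly\nInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf\n"
    for finding in check_modsec_conf(sample, "/opt/tengine/conf"):
        print(finding)
```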
5. Configure nginx

Add the following two lines to the location block of each host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We have enabled the XSS and SQL injection filters, so malformed requests get a 403 straight away. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.

7. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
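As an added example (not from the original post), a Python parser for the error.log entries shown in items 4 and 5: it separates requests the CRS rules blocked with a 403 from operational problems such as the mutex failure and a compiled/loaded library version mismatch. The log text is constructed from the lines above plus one made-up Access denied entry whose client address, rule id, msg and unique_id are placeholders.

```python
import re
from collections import Counter

# Constructed sample: lines quoted in items 4 and 5 above plus one made-up "Access denied"
# entry of the kind the CRS rules write for a 403; its client, rule id, msg and unique_id
# are placeholders, not values from the original post.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "and 1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "900001"] [msg "SQL Injection Attack (constructed sample)"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-0001"]
"""

_ENTRY = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: '
                    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<body>.*)$')
_FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')  # trailing [name "value"] pairs
_VER = re.compile(r'(\w+) compiled version="([^"]*)"; loaded version="([^"]*)"')

def parse_entry(line):
    """Turn one error.log line into a dict; None for lines that are not ModSecurity's."""
    m = _ENTRY.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(_FIELD.findall(rec["body"]))
    rec["message"] = _FIELD.sub("", rec["body"]).strip()  # body without the field tail
    return rec

def summarize(log_text):
    """Return (blocked requests per client, blocked requests per rule id, problems)."""
    by_client, by_rule, problems = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_entry(line)
        if rec is None:
            continue
        msg = rec["message"]
        if msg.startswith("Access denied"):
            by_client[rec["client"]] += 1
            by_rule[rec["fields"].get("id", "?")] += 1
        elif rec["level"] == "error":
            problems.append(msg)  # e.g. the audit-log mutex failure from item 5
        else:
            v = _VER.search(msg)
            if v:  # PCRE prints "7.8 " vs "7.8 2008-09-05", so compare bare versions
                compiled, loaded = v.group(2).strip(), v.group(3).split()
                if compiled != (loaded[0] if loaded else ""):
                    problems.append("%s version mismatch: compiled %s, loaded %s"
                                    % (v.group(1), compiled, v.group(3)))
    return by_client, by_rule, problems
```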