ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security. It now also supports nginx and IIS, and combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been built, add it to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is about filtering and blocking web threats, and its strength lies in its rules. The rule set provided by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course write custom rules to cover your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines inside the location block of each virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, an upstream with load balancing:

# the upstream group name must match the proxy_pass target in the server block below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so malformed requests are rejected with a 403. Using the PHP environment as an example, create phpinfo.php with the content:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.

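To confirm a deployment behaves as the three requests above describe, here is an added example (not from the original post) that sends them with Python and compares the status codes; BASE_URL reuses the hostname from the post and should be replaced with your own host, and the fetch function is injectable so the comparison logic can be exercised offline:

```python
import urllib.error
import urllib.parse
import urllib.request

# Added example, not from the original post. Verifies the three requests from
# the test section against the virtual host you configured.
# BASE_URL uses the hostname from the post; replace it with your own host.
BASE_URL = "http://www.52os.net/phpinfo.php"

# (query string, expected HTTP status): the benign request must pass, the
# SQL-injection-like and XSS-like ones must be rejected with 403.
CASES = [
    ("id=1", 200),
    ("id=1 and 1=1", 403),
    ("search=<script>alert('xss');</script>", 403),
]

def build_url(base, query):
    # Percent-encode spaces and angle brackets so the request line is
    # well-formed; ModSecurity URL-decodes arguments before matching rules.
    return base + "?" + urllib.parse.quote(query, safe="=&")

def http_status(url, timeout=5):
    # urllib raises HTTPError for 4xx/5xx; here a 403 is a result, not a failure.
    req = urllib.request.Request(url, headers={"User-Agent": "waf-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_waf_checks(cases, fetch=http_status, base=BASE_URL):
    # fetch(url) -> status code; injectable so the logic can be tested offline.
    results = []
    for query, expected in cases:
        actual = fetch(build_url(base, query))
        results.append((query, expected, actual, actual == expected))
    return results

def all_passed(results):
    return all(ok for _, _, _, ok in results)

if __name__ == "__main__":
    report = run_waf_checks(CASES)
    for query, expected, actual, ok in report:
        print("PASS" if ok else "FAIL", f"expected={expected} got={actual}", query)
    raise SystemExit(0 if all_passed(report) else 1)
```

A non-zero exit status means at least one request did not get the expected code, which usually points at a rule file that was not included or at SecRuleEngine still being off.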
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log will also contain:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent