ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 system repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, extract it, enter the extracted directory and run:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make
III. Add the ModSecurity module to nginx

Once the standalone module is built, it can be added to nginx at compile time with "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install
IV. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover other needs.

1. Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules in them as needed; to enable a rule file, simply Include it in modsecurity.conf:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add these two lines:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # nginx variable names are case-sensitive: $document_root, not $Document_root
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

An upstream load-balancing setup:

    upstream 52os.net {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            # proxy to the upstream group defined above
            proxy_pass http://52os.net;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with a 403. Taking the PHP setup as an example, create a phpinfo.php containing:

    <?php
    phpinfo();
    ?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This confirms that SQL injection and XSS requests are being filtered.
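The browser checks above are worth repeating after every rule change. The following script is an added example, not part of the original post: it sends the page's three test queries to a base URL you supply (the phpinfo.php URL is assumed) and reports whether each got the expected status.

```python
import urllib.error
import urllib.parse
import urllib.request

# Constructed test cases mirroring section VI: (query string, expected HTTP status).
# The benign request must pass; the two malformed ones must be rejected with 403 by the CRS rules.
CASES = [
    ("id=1", 200),
    ("id=1 and 1=1", 403),
    ("search=<script>alert('xss');</script>", 403),
]


def http_status(url):
    """Return the HTTP status code of a GET; a 403 raises HTTPError, so catch it."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_waf(base_url, fetch=http_status):
    """Run every case against base_url and return (query, expected, got, ok) tuples.
    fetch is injectable so the logic can be exercised without a live server."""
    results = []
    for query, expected in CASES:
        # Percent-encode spaces and angle brackets so the request line is well-formed;
        # keep '=' and '&' so the query-string structure survives.
        url = base_url + "?" + urllib.parse.quote(query, safe="=&")
        got = fetch(url)
        results.append((query, expected, got, got == expected))
    return results


def all_passed(results):
    return all(ok for _, _, _, ok in results)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net/phpinfo.php"
    res = check_waf(target)
    for query, expected, got, ok in res:
        print("PASS" if ok else "FAIL", f"{query!r}: expected {expected}, got {got}")
    sys.exit(0 if all_passed(res) else 1)
```

A non-zero exit status means at least one rule is not behaving as section VI expects, which usually points at SecRuleEngine or a missing Include.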
VII. Troubleshooting the installation

1. Missing APXS causes an error

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

    yum install httpd-devel

2. pcre is missing

    configure: *** pcre library not found.
    configure: error: pcre library is required

Fix:

    yum install pcre pcre-devel

3. libxml2 is missing

    configure: *** xml library not found.
    configure: error: libxml2 is required

Fix:

    yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log will also contain the following:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

    yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent
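Both of the last two problems show up only in error.log, so it helps to check for them programmatically. The following Python is an added example, not from the original post: it pulls the compiled/loaded version notices out of the log and flags mismatches, and splits an nginx error line into its level, client and the ModSecurity [key "value"] fields. The sample lines are constructed from the excerpts above.

```python
import re

# Constructed sample built from the shapes of this page's error.log excerpts (items 4 and 5).
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

LINE_RE = re.compile(r'^(\S+ \S+) \[(\w+)\] (\d+)#\d+: (.*)$')
VERSION_RE = re.compile(r'ModSecurity: (\w+) compiled version="([^"]*)"; loaded version="([^"]*)"')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\] ?')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def version_mismatches(text):
    """Return {library: (compiled, loaded)} for every library whose loaded version
    differs from the one ModSecurity was compiled against (the cause of the APR warning)."""
    found = {}
    for lib, compiled, loaded in VERSION_RE.findall(text):
        # PCRE appends a build date to the loaded version, so compare the leading number only
        if compiled.split()[0] != loaded.split()[0]:
            found[lib] = (compiled.strip(), loaded.strip())
    return found


def parse_error_line(line):
    """Split one nginx error.log line into time, level, pid, client, message and the
    ModSecurity [key "value"] fields (hostname, uri, unique_id, ...); None if not an nginx line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"time": m.group(1), "level": m.group(2), "pid": int(m.group(3))}
    msg = m.group(4)
    client = CLIENT_RE.search(msg)
    if client:
        rec["client"] = client.group(1)
        msg = CLIENT_RE.sub("", msg, count=1)
    rec.update(FIELD_RE.findall(msg))  # each bracketed field becomes a dict entry
    rec["message"] = re.split(r' \[\w+ "', msg, maxsplit=1)[0].strip()
    return rec


def audit_lock_failures(text):
    """Count lines reporting the 'Failed to lock global mutex' audit-log error."""
    recs = (parse_error_line(l) for l in text.splitlines())
    return sum(1 for r in recs if r and "Failed to lock global mutex" in r["message"])
```

Feed the real error.log to version_mismatches() after an upgrade of apr or pcre, and to audit_lock_failures() after changing the SecAuditLog* settings, to confirm the two fixes above actually took effect.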
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614