ModSecurity started out as an open-source WAF for Apache that adds a solid layer of web security. It now also supports Nginx and IIS, and combined with Nginx's flexibility and performance it can be turned into a production-grade WAF, a strong tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (Nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for Nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to Nginx

Once the standalone module has been built, pass it to the Nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
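The build steps from sections I to III collected into one script, as an added example that is not from the original post. It first checks for the helper binaries that ModSecurity's configure script looks for (apxs, pcre-config, xml2-config, apr-1-config) and maps each one to the CentOS 6 package that provides it, which is what the troubleshooting section at the end of this post fixes after the fact. The ModSecurity source path and the /opt/tengine prefix are the ones used in the post; the Tengine source directory is an assumed placeholder.

```sh
#!/bin/sh
# Added example, not from the original post: the build procedure from
# sections I-III as one script, with a pre-flight check for the helper
# binaries that ModSecurity's configure script looks for. Paths are
# assumptions based on the post (/root/modsecurity-2.8.0, /opt/tengine);
# the Tengine source directory is a placeholder.

# Print the CentOS 6 packages whose build-time helper binary cannot be found
# in the colon-separated directory list $1 (defaults to $PATH). Each helper
# corresponds to one of the configure errors in the troubleshooting section:
# apxs -> httpd-devel, pcre-config -> pcre-devel, xml2-config -> libxml2-devel,
# apr-1-config -> apr-devel.
missing_build_deps() {
    search_path=${1:-$PATH}
    missing=""
    for pair in apxs:httpd-devel pcre-config:pcre-devel \
                xml2-config:libxml2-devel apr-1-config:apr-devel; do
        tool=${pair%%:*}
        pkg=${pair#*:}
        found=0
        old_ifs=$IFS
        IFS=:
        for dir in $search_path; do
            if [ -x "$dir/$tool" ]; then
                found=1
                break
            fi
        done
        IFS=$old_ifs
        [ "$found" -eq 1 ] || missing="$missing $pkg"
    done
    echo "${missing# }"
}

# Build the standalone ModSecurity module, then Tengine with --add-module.
# $1: ModSecurity source tree, $2: Tengine source tree, $3: install prefix.
build_waf() {
    modsec_src=$1
    tengine_src=$2
    prefix=$3
    deps=$(missing_build_deps)
    if [ -n "$deps" ]; then
        echo "missing build dependencies; run: yum install $deps" >&2
        return 1
    fi
    ( cd "$modsec_src" \
        && ./autogen.sh \
        && ./configure --enable-standalone-module --disable-mlogc \
        && make ) || return 1
    ( cd "$tengine_src" \
        && ./configure --add-module="$modsec_src/nginx/modsecurity/" --prefix="$prefix" \
        && make && make install ) || return 1
}

# Only build when asked to, so the file can also be sourced for its functions.
if [ "${RUN_BUILD:-0}" = 1 ]; then
    build_waf "${MODSEC_SRC:-/root/modsecurity-2.8.0}" \
              "${TENGINE_SRC:-/root/tengine-2.1.0}" \
              "${PREFIX:-/opt/tengine}"
fi
```

Run it as root on the build host with RUN_BUILD=1 (and MODSEC_SRC, TENGINE_SRC, PREFIX if your paths differ); when a helper binary is missing it stops before configure and prints the yum command to run instead of failing half-way through the build.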
IV. Add rules

ModSecurity is geared toward filtering and blocking web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to cover whatever else you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into Nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure Nginx

Add the following two lines to each location of the virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # proxy_pass must name the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL-injection filters enabled, malicious requests are answered directly with a 403. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 is served normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
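The same three checks as a repeatable script, so the WAF can be re-verified after every rule or config change instead of by hand in a browser. This is an added example and not part of the original post; it uses curl, expects the status codes the post reports (200, 403, 403), and takes the host name from the post, which you replace with your own site via BASE_URL.

```sh
#!/bin/sh
# Added example, not from the original post: repeat the three manual browser
# checks with curl and compare the HTTP status codes with what the
# SQL-injection and XSS rules should produce. BASE_URL is the host from the
# post and is an assumption; set it to your own server.

BASE_URL=${BASE_URL:-http://www.52os.net}

# Fetch a URL and print only the HTTP status code. --globoff stops curl from
# interpreting brackets and braces in the query string, so the probe reaches
# the WAF exactly as written.
http_code() {
    curl --silent --output /dev/null --globoff --write-out '%{http_code}' \
         --max-time 10 "$1"
}

# Compare one URL's status code with the expected one; prints PASS or FAIL
# and returns 0 or 1 accordingly.
check_url() {
    url=$1
    expected=$2
    got=$(http_code "$url")
    if [ "$got" = "$expected" ]; then
        echo "PASS $expected $url"
        return 0
    fi
    echo "FAIL expected $expected got $got $url"
    return 1
}

# Run the post's three requests (spaces and angle brackets percent-encoded,
# as a browser would send them); returns the number of failed checks.
waf_smoke_test() {
    failures=0
    check_url "$BASE_URL/phpinfo.php?id=1" 200 || failures=$((failures + 1))
    check_url "$BASE_URL/phpinfo.php?id=1%20and%201=1" 403 || failures=$((failures + 1))
    check_url "$BASE_URL/phpinfo.php?search=%3Cscript%3Ealert('xss')%3C/script%3E" 403 \
        || failures=$((failures + 1))
    return "$failures"
}

# Only send requests when asked to, so the file can be sourced for its functions.
if [ "${RUN_WAF_SMOKE:-0}" = 1 ]; then
    waf_smoke_test
fi
```

Run it with RUN_WAF_SMOKE=1 BASE_URL=http://your.host; a non-zero exit status means at least one request did not get the expected code, which after a rule change usually means an Include was dropped or SecRuleEngine is no longer On.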
VII. Troubleshooting the installation

1. configure fails because APXS is missing

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
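A small check that finds this kind of mismatch in error.log automatically, as an added example that is not from the original post. It reads the ModSecurity start-up notices quoted above, compares the compiled and loaded version of each library, and ignores the build date PCRE appends to its loaded version, which is not a mismatch. The sample log embedded in the script is constructed from the lines in the post; the default log path assumes the /opt/tengine prefix used here.

```sh
#!/bin/sh
# Added example, not from the original post: scan an nginx error.log for the
# ModSecurity start-up notices and report every library whose loaded version
# differs from the version it was compiled against (the APR case above).

# Read log lines on stdin; print "LIB compiled loaded" for each mismatch.
# Returns 1 when at least one mismatch was found, 0 otherwise.
find_version_mismatches() {
    awk '
        /ModSecurity: [A-Z]+ compiled version=/ {
            lib = ""; compiled = ""; loaded = ""
            # The library name is the field right before "compiled".
            for (i = 1; i <= NF; i++) if ($i == "compiled") lib = $(i - 1)
            # Pull the quoted values out of compiled version="..." and loaded version="...".
            if (match($0, /compiled version="[^"]*"/))
                compiled = substr($0, RSTART + 18, RLENGTH - 19)
            if (match($0, /loaded version="[^"]*"/))
                loaded = substr($0, RSTART + 16, RLENGTH - 17)
            # Compare only the leading version number: PCRE appends a build date
            # ("7.8 2008-09-05"), which is not a mismatch.
            split(compiled, c, " "); split(loaded, l, " ")
            if (loaded != "" && c[1] != l[1]) { print lib, c[1], l[1]; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample: the notices quoted in the post for the APR 1.5.0/1.3.9 case.
SAMPLE_LOG='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"'

# Check a real log file (default path assumes the /opt/tengine prefix from the post).
check_error_log() {
    find_version_mismatches < "${1:-/opt/tengine/logs/error.log}"
}

# Run against the constructed sample; prints "APR 1.5.0 1.3.9" and returns 1.
check_sample() {
    printf '%s\n' "$SAMPLE_LOG" | find_version_mismatches
}
```

After `nginx -m` or a restart, run `check_error_log` (optionally with the log path as its argument); a non-zero exit status with a line such as "APR 1.5.0 1.3.9" tells you which library to fix, without reading through the whole log.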
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614