ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS, and combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover whatever else you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need, by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of each virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Second, upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so malformed requests are answered with a 403 straight away. Taking the PHP setup as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
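The browser checks above, turned into a repeatable script so the WAF can be re-verified after every rule change (an added example, not part of the original post): it sends the same three probes and reports any whose status differs from what the post expects. BASE is the post's example host and is an assumption; point it at your own vhost.

```python
import urllib.error
import urllib.parse
import urllib.request

# Assumed host: the post's example vhost; point this at your own server.
BASE = 'http://www.52os.net'

# The three probes from the post: (path, query parameters, status the WAF should return).
CASES = [
    ('/phpinfo.php', {'id': '1'}, 200),
    ('/phpinfo.php', {'id': '1 and 1=1'}, 403),
    ('/phpinfo.php', {'search': "<script>alert('xss');</script>"}, 403),
]

def build_url(base, path, params):
    """URL-encode the query as a browser would; ModSecurity inspects the decoded ARGS."""
    return base + path + '?' + urllib.parse.urlencode(params)

def fetch_status(url, timeout=5):
    """Return the HTTP status code; a 403 from the WAF is raised as HTTPError, so unwrap it."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_checks(fetch, base=BASE, cases=CASES):
    """Send every probe through `fetch`; return (url, expected, got) for each mismatch."""
    failures = []
    for path, params, expected in cases:
        url = build_url(base, path, params)
        got = fetch(url)
        if got != expected:
            failures.append((url, expected, got))
    return failures

if __name__ == '__main__':
    bad = run_checks(fetch_status)
    for url, expected, got in bad:
        print('MISMATCH %s: expected %d, got %d' % (url, expected, got))
    print('WAF smoke test: %s' % ('OK' if not bad else '%d failure(s)' % len(bad)))
```

An empty result means the filter behaves as the post describes; a mismatch on the first probe points at a false positive, a mismatch on the other two at a rule that is not loaded.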
( v% }9 H% i' G, E# w/ Z4 [# L. d) K& N: B- L* a
七、安装过程中排错' Y X( @ ~* l* ]
- E; O3 z5 g8 r+ ~
1.缺少APXS会报错
; y4 N% W z$ @% L# {+ L1 H5 Y3 I7 {( ^; v5 U0 U
configure: looking for Apache module support via DSO through APXS
+ H, n$ D& N' e3 y1 dconfigure: error: couldn't find APXS
u" X( n3 P9 {apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
& |: y. N3 B/ r7 P% H* I# O解决方法:! Y$ ]: B E7 Q4 K% }
6 B h9 m/ h7 x
yum install httpd-devel7 i) G: {3 r# \
2.没有pcre
6 R0 { v0 i$ ~) Q: Q4 M& o) k- q2 p7 j$ G( X, T- i: }; y* C
configure: *** pcre library not found.
; f. g2 k* }0 x$ p* R: {. o8 G& Iconfigure: error: pcre library is required
1 @' W5 j9 Z! Q* B解决方法:4 j6 V# y5 @8 y8 Z
! j% O3 G. J; B
yum install pcre pcre-devel) G y1 B h7 v- C) N# g
3.没有libxml24 w% c6 L8 U# u- K \! ]
# R& r- s/ N! w5 k: M) H3 `; f" H! ^- W$ z" F
configure: *** xml library not found.
0 Q" n1 X& m) l7 y2 `' J1 Zconfigure: error: libxml2 is required
# d5 P! J# x6 Q0 ?2 Y& N解决方法:3 C& Y7 s0 x4 W/ ~+ K
! I5 G# i' E" R( \- dyum install libxml2 libxml2-devel3 ^5 j! c7 q; L7 i
4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime, and error.log will also contain:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
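Once ModSecurity is running, error.log is where both the setup problems from items 4 and 5 and every block decision end up, so it pays to read it mechanically. The parser below is an added example, not part of the original post or of ModSecurity itself; its sample lines are constructed from the excerpts quoted above, and the two "Access denied" lines with their rule ids are illustrative rather than captured output.

```python
import re
from collections import Counter

# Constructed sample, modelled on the error.log excerpts quoted in this post; the two
# "Access denied" lines and their rule ids are illustrative, not captured output.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "and" at ARGS:id. [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-1"]
2015/01/26 04:20:05 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-2"]
"""

# nginx error.log prefix: time [level] pid#tid: [client ip] message
PREFIX = re.compile(r'^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (\d+)#\d+: '
                    r'(?:\[client ([\d.:a-fA-F]+)\] )?(.*)$')
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')   # ModSecurity's [key "value"] fields
APR = re.compile(r'APR compiled version="([^"]+)"; loaded version="([^"]+)"')

def parse_line(line):
    """Split one error.log line into prefix fields plus ModSecurity's tags; None if not ModSecurity."""
    m = PREFIX.match(line.strip())
    if not m or 'ModSecurity' not in m.group(5):
        return None
    ts, level, pid, client, msg = m.groups()
    return {'time': ts, 'level': level, 'pid': int(pid), 'client': client, 'msg': msg,
            'tags': dict(TAG.findall(msg)),
            'denied': msg.startswith('ModSecurity: Access denied')}

def audit(text):
    """Return (findings, denied): setup problems worth fixing, and blocks counted per (rule id, uri)."""
    findings, denied = [], Counter()
    for rec in filter(None, map(parse_line, text.splitlines())):
        v = APR.search(rec['msg'])
        if v and v.group(1) != v.group(2):   # item 4 above: compile/load version skew
            findings.append('APR version mismatch: compiled %s, loaded %s' % v.groups())
        if 'Failed to lock global mutex' in rec['msg']:   # item 5 above: audit log cannot be written
            findings.append('audit log unusable: mutex lock failed (check SecAuditLog* permissions)')
        if rec['denied']:
            denied[(rec['tags'].get('id', '?'), rec['tags'].get('uri', '?'))] += 1
    return findings, denied

if __name__ == '__main__':
    problems, blocks = audit(SAMPLE_LOG)
    for p in problems:
        print('FIX:', p)
    for (rule, uri), n in sorted(blocks.items()):
        print('rule %s blocked %d request(s) to %s' % (rule, n, uri))
```

Counting blocks per rule id and URI is also the quickest way to spot a single CRS rule firing on legitimate traffic before widening the 0777 directory mode or other settings any further.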
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614