|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
" a7 X) N+ ]; q5 s, o' i% }$ b0 `2 u9 Y( V5 }
一.准备工作" }0 ~$ s6 h. e
9 j/ e9 L, X1 i; X7 g; O系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
7 z" M, V X* ^. B7 ]5 ~
u, M/ g- f/ s, @tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
; |6 b6 w9 A$ Y3 n& ]! Y
3 t7 K9 K1 O" ^- ^modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz7 `1 x7 g% x7 y3 n% |, \+ V
; ?% k+ R# l) |: ]! W1 I) l' Z
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs8 j5 l5 E7 l* H( _6 f( A
" |3 N4 C- z* l5 |( W5 N) I# O依赖关系:# {" z9 s/ Z1 E$ Q* B$ e
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:! b- g" n; {1 [7 [- c, q& J1 N
G4 ]2 ]2 i7 Y6 L
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
( r2 M) Q; P; F" Omodsecurty依赖的包:pcre httpd-devel libxml2 apr7 S/ u2 U- V0 f0 |
, o! f* C# @ @' B( T( l' O0 Myum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel4 {) N: o6 _. g7 X) B$ }
二.启用standalone模块并编译7 @" x1 O# v {
8 R( U" k+ Z# u$ K+ R
下载modsecurity for nginx 解压,进入解压后目录执行:' f y9 y& R+ W1 a9 Z
! z+ A3 e$ K6 J
./autogen.sh
: R- G i" c4 g; `! q3 p./configure --enable-standalone-module --disable-mlogc
" r7 R$ k7 T0 T; j" ~make , U* r% `0 r3 L0 w2 Q: t
三.nginx添加modsecurity模块
, }1 ?+ |( x/ S7 `$ A4 A# z1 [
, Y0 o( S: y1 f% _! a在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:* a! h$ b" e+ }+ E; t' P
1 V# T' z+ H N) O$ U$ c./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine4 Q( x2 e! f( a9 ^3 M F& Y
make && make install
9 \) L( \: M. @四.添加规则
+ y$ Z) A# O: M; t
0 G- V$ j( ?$ R T% G) T/ ?modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。# v3 Z! X' f1 D: ^7 I
8 O R. g3 w M6 K' [+ U9 Q
1.下载OWASP规则: ^8 t" m! f3 R6 B" ~9 L6 ^0 [/ p
$ {5 a. ]' O) M" v; }git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
6 D. f$ C1 d" R" M! L$ {! I& \2 E
mv owasp-modsecurity-crs /opt/tengine/conf/
j4 L( W+ o) G4 g" ~1 p+ p! ~8 h9 U8 d9 R; Y z* n
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf* ^, E8 ^8 c" m z: F
2.启用OWASP规则:
7 `* s# A7 P; n7 S$ g
1 {: z6 m' p+ Z- q- w$ i复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。$ p! d( v4 O1 h
1 [- M6 H& x. h2 @0 y4 O
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
: ^6 @9 \3 D0 t& ]' g/ _6 J. }4 n/ e( |8 _
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。, q) G) ^6 z( }( ?1 D2 G' W
% c: F+ q, Y. w$ ~/ Y2 P- w, m* M
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf3 Y( O$ U/ |8 T- m6 G! {
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf* t% }* H' o3 Z* B9 \% Q/ `0 \
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf/ F7 l( E9 {+ z: v) ^! {$ `
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf8 U& M. @# ~2 T# u d
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
% D% {/ k& p) ` ]9 ^, Q5 JInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf; y1 o# ~8 B" b
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
4 Z. p1 g1 b" r# F4 _3 {! c五.配置nginx
, Y* x% `. E' U/ h3 G( c8 c6 T
, R' A: k) @) N/ ?2 ^: I4 E在需要启用modsecurity的主机的location下面加入下面两行即可:
7 l& {, G3 y3 S( Z7 e- ^* P) W- N3 V% U6 r3 v9 F0 |6 l2 |; @
ModSecurityEnabled on;
* F9 w9 o; n7 V+ Y2 H8 G' A* b. ]ModSecurityConfig modsecurity.conf;- E" M. z8 E. k
下面是两个示例配置,php虚拟主机:4 _9 Z8 m& @ Z
, N3 |% D2 l+ y! F, s2 T6 r/ H$ {$ x
server {
2 X7 H8 ?8 u5 n& J4 X/ P% m" | listen 80;
s6 a8 D. V$ K/ c* D6 V server_name 52os.net www.52os.net;
6 s* f; \0 {7 m- m6 L
7 O2 l# z8 O C3 _ location ~ \.php$ {- W4 u; T- S Q4 f2 ^, C
ModSecurityEnabled on;
7 M+ q* b- ^; N7 R+ j8 z) Y( u ModSecurityConfig modsecurity.conf;
$ ? M' ]3 @5 d1 r5 C( ?0 a7 j
) @6 Q5 g9 N" P" N' B8 S root /web/wordpress;: ]' Z# k# O. ^1 l5 ^
index index.php index.html index.htm;5 Z2 q5 ]6 S9 k, m0 b$ S9 Q5 |
1 d+ e8 b& S1 z5 R9 y' l" B$ | w fastcgi_pass 127.0.0.1:9000; w k1 e9 T0 a. P6 O& w
fastcgi_index index.php;5 e% c( B8 q, d" W
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
% K3 C: l* v; M6 F. r+ R3 L; H( G include fastcgi_params;% M! b) A. w: d' ~! k
}
0 Z9 u6 [: y v: t# E/ G }
3 s T5 N4 {; @- A1 C; \4 }' Gupstream负载均衡: Q9 Y# O3 W$ ~" q0 Z
9 L) d$ |- H9 {: }$ z! gupstream 52os.net {' V" X0 r; N+ T W5 x
server 192.168.1.100:8080;$ Y* g( l6 o4 b. V1 H+ C8 h; K
server 192.168.1.101:8080 backup;9 g& g: P2 W/ T4 E$ q3 l9 m+ _
}4 R$ B: H0 @6 g' z5 o3 i
9 c* k8 T! g: ]6 l
server {+ D4 i! W* s3 y- m V
listen 80;
1 k, \( D" `1 \" v1 I4 gserver_name 52os.net www.52os.net;( V/ e* y4 F- l0 M6 z
0 b m- ~* A6 A
location / {' x! r) ~6 x: S/ p0 q
ModSecurityEnabled on;
4 H. J/ s$ u5 g1 d) \ ModSecurityConfig modsecurity.conf; + H, [* E: Y( E" D
" X0 V$ k S( W+ _( L& T5 b- ~ proxy_pass http://online;
, c4 i" ]' f. C proxy_redirect off;
# I5 @% H9 j/ M, O" j5 d( s$ m proxy_set_header Host $host;
4 e. t& I* D1 ]7 [( b$ i proxy_set_header X-Real-IP $remote_addr;
, K/ B' p. g' b# q- n9 _ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ W4 j$ _/ V% Q0 K& j, m. u }6 G. b# s; c x7 P2 t
}
8 u" V2 c' J+ h* V7 L. k" `六.测试- Z0 y0 C4 ^ N# r: T& z8 s. E
' e# G u4 _% y! N. u
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
: }6 a6 \8 i. T3 x+ d1 Y- u: h+ n9 o* ?
0 d* g; r+ z5 w" [; |<?php
& N+ D. S+ R. d9 k ?* b% d4 s phpinfo(); ! \ U; U( g1 Q0 e! H- c' F
?>
* j! {( V4 F# G, ?在浏览器中访问:
$ `( z0 ]$ ~& w) J9 b. U; e; ^9 t( E8 C$ b( {+ f
http://www.52os.net/phpinfo.php?id=1 正常显示。
Y) x& a! C$ ~, w3 E' ihttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
( [# p: k& n: V7 j% [http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
1 [1 k' P: P% P \9 J1 T9 A! n说明sql注入和xss已经被过滤了
: U& z+ T+ m. b. y# V6 z
m: `+ i% B$ r" K6 r七、安装过程中排错. D' U# H7 ?: E( r& ^( B
* N$ H1 o9 A0 A+ c! @, A2 B/ h1.缺少APXS会报错, y" L9 x& R9 L1 i8 e
) T" @8 d# c( U! jconfigure: looking for Apache module support via DSO through APXS
2 W+ \2 _( n) |, Econfigure: error: couldn't find APXS* J1 [5 ?( p s" S. p0 c2 J
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
) \9 e4 i0 S; H7 ` |解决方法:
' W5 j2 ^! v3 N
- S( i7 {+ @& cyum install httpd-devel
! H0 O2 ^) M7 H2.没有pcre' n. S3 n) Y4 j1 n) D9 m
' }( m! A3 {, r& z$ d0 T; Lconfigure: *** pcre library not found.
) Q! L, V+ {2 R. B# B2 t9 Bconfigure: error: pcre library is required
# ?4 A8 N( |! D) l% k3 X解决方法:
: c0 a6 {+ j, Q7 ^9 L# x, q) W6 `6 j# k
yum install pcre pcre-devel, n+ P" u) {" H! o# n
3.没有libxml2
' B* a+ _9 K$ c; o# W! q" Z3 z n
4 @" |/ Q$ J$ j6 {- h) \configure: *** xml library not found.
$ I' Y/ e4 c9 r" U! }# v* Sconfigure: error: libxml2 is required
) H4 Z% M4 x( D0 ~" q! e4 G3 h解决方法:$ |1 d: ^1 x) A+ Z' v
+ r3 @' W! h: C6 a% a3 myum install libxml2 libxml2-devel7 `8 n/ v& J' C# b$ v% Q2 i
4.执行 /opt/tengine/sbin/nginx -m 时有警告
# J9 p" ^: K' w, P8 ?/ _4 N& x
# I# \$ ?/ k% p0 L- ETengine version: Tengine/2.1.0 (nginx/1.6.2); y" v& _" y) C7 f ~" Q
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
2 A3 Z! m/ Z8 R- q* d原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log3 l7 S1 N- u$ p5 q
& g, P3 Z" u/ H. t, _
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
, E3 l: r1 O/ T1 Y1 N# L8 U2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9". v: t9 L: T9 f+ P: C
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!9 f% u: W! I: ~- i% p' n8 g
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"# K" N3 h; G! H1 Q0 r0 n
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"2 K6 s4 c! U& T, n2 I& [+ A, x* d
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.! V" a' z" I; g% B1 d3 E9 P0 V4 g
解决方法,移除低版本的APR (1.3.9)4 |& i. ^3 r# n2 X) {/ l0 t' h8 n
`' q& X. S2 ~* R9 E! V
yum remove apr3 o' v$ j* w- Y: e
5.Error.log中有: Audit log: Failed to lock global mutex8 o1 ^6 r# I5 k" W
( k# y2 F' D5 m/ F" {& q1 g
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
) B# Q5 _+ O8 s- S1 tglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
J8 Y# C( I U; S; b8 `4 O) _解决方法:4 M; J9 J' }/ W0 L6 N" M$ I
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
: p \+ S1 n, H- m# {# u3 l7 u) {4 ~0 }* [% ?
SecAuditLogDirMode 0777
. z1 L: C7 Z3 U, X# ySecAuditLogFileMode 0550
3 R$ q/ ]2 @( M- ]! A$ L l) b' SSecAuditLogStorageDir /var/log/modsecurity% b" L4 ]1 O+ y
SecAuditLogType Concurrent
; f" Q4 G! N* v参考文章:2 p3 U z B1 M# n) n+ I
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX! Y$ c5 ]' K: F0 m8 `: |
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡