|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
/ a. X$ T9 L; d5 j E/ u, c: X/ m8 Y& {: @" q9 F* o
一.准备工作# ?! o. W; ~* u, r9 L6 |/ S
" Q$ a( s; f7 I& X" F( S8 ~& _. B2 `- g
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
@, i, R6 c7 Q$ Z6 K& {7 C: _5 Q" U z, K6 H
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz2 S: ? D C" G* O% c
* _% g7 G+ p5 e8 f6 Q
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
) _2 S# u8 E9 u" V; c7 ^( s
7 D1 s* S K1 l9 V: h& j. A+ fOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
- X; ]* c% P* a. @9 F! H- b1 W/ _6 w& E
依赖关系:8 h1 H. Q* `% J3 J6 C
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
' C2 _8 F% C" @) U! H# D. ]
* ~& P6 g$ z0 ~9 H& Dyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel' S1 b) W v* m- _: v
modsecurty依赖的包:pcre httpd-devel libxml2 apr, Y: H9 Q/ a0 Z" \* k- G5 W* e
* o8 ?& m9 _5 \
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel3 p$ H8 T) P4 X! [5 t2 T, E
二.启用standalone模块并编译
- _1 i+ W x" ~- i* g: T; m+ z! L6 \) U5 X* F
下载modsecurity for nginx 解压,进入解压后目录执行:
" y; g. A9 ~( k" X7 E9 f# J, k. C) G
./autogen.sh( h- A: w; n- L5 M) p/ D! |, J
./configure --enable-standalone-module --disable-mlogc! i5 o; F/ _( o3 i
make 8 Q/ c" c; ]" I: g- X5 ^- H
三.nginx添加modsecurity模块* S: I/ i/ g- q- x
! r" Q- d" R) T8 r8 V在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:/ J$ L6 Q- j7 C
, c* f; ]& z: g" s4 W6 h./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine, o0 `: {0 R2 t/ v) [# k0 }( ?$ f
make && make install1 X9 s. ^: u7 N! j2 ?7 k
四.添加规则
2 M) o ~0 V8 e2 Y+ I: ` ~' b+ E# x2 ^! O. N* [8 J4 v7 {# O- ]* J
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
h+ `0 o; g5 C% {% x
, x+ s2 D5 A+ R( |. ^4 g, A9 [1.下载OWASP规则:! l0 y6 `. [6 n: R3 U1 a8 z0 T
$ v' N3 l# U8 ngit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
; h; l2 v/ q# d8 Q5 y8 l5 Z) t) b% a* ~- q- y: S
mv owasp-modsecurity-crs /opt/tengine/conf/
2 e( i3 u+ x! x0 i, g8 ]
6 y. @# O# L1 R3 Ecd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf" y- t/ p2 N/ Q4 U/ W
2.启用OWASP规则:9 D( |& x+ Y1 X
& m6 l3 ~* m5 Q& h/ I复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
/ G v, D- _5 c/ ~ g
4 V: w E1 d: ^' m" l: ]编辑modsecurity.conf 文件,将SecRuleEngine设置为 on% G2 n, O4 c; h( o* o
/ Y; I: F! q; ~owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。0 u* U1 T t* U1 j
% c8 W/ m( I6 l2 ^! n4 d9 T2 [8 \
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
8 R9 |* d) q8 D6 Z6 \/ L+ F( KInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
+ a! U8 S, p8 j4 \3 [Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
+ D! o) Q0 e9 R% @Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf( h# V; Q: J6 m1 M9 E
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf% M1 C5 R `8 }/ \& j
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf8 |& j" ~0 l) S6 @8 E
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf7 C: @9 G5 I9 L/ v) @" c
五.配置nginx
! g) }% [. o" j+ m y5 X- _4 D! V ]5 }$ U
在需要启用modsecurity的主机的location下面加入下面两行即可:
) h! a% F' C6 T- A7 X+ O) m8 v/ s
- u% o8 Z# @ d/ t0 U5 I+ FModSecurityEnabled on; 2 L. J" J& l; ~5 Q% c' _
ModSecurityConfig modsecurity.conf;0 k) \: F; b5 n. p- p7 y5 q
下面是两个示例配置,php虚拟主机:$ I6 x9 w3 C9 W S4 O0 F
. m# Q) S1 r: y s V8 }9 pserver {; `( n! z. z" ~/ {/ ]
listen 80;* J- H. s7 E& j- C: S
server_name 52os.net www.52os.net;8 M' p. ] r2 J7 N. ]1 O4 m
, [8 [' P' [2 x. o$ ^5 ~ _ location ~ \.php$ {
% v |. w; \ D A" f( E- b ModSecurityEnabled on; S, d( B; E* R
ModSecurityConfig modsecurity.conf;9 j: Z0 o6 z: Q# h3 v
3 _# `! W4 h' K4 G! H8 k
root /web/wordpress;
8 d6 i( ~9 \% J& i( H3 s2 J% ~ index index.php index.html index.htm;! [% u* E5 p" F
# A( Z& T2 J$ g! ~6 P
fastcgi_pass 127.0.0.1:9000;
3 ], ]: ^. {. k+ m. @ fastcgi_index index.php;
) \' O( o; m: e3 j$ z( g1 b$ q fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;% \( _) p2 ~- }9 W7 R
include fastcgi_params;
, W( s. s6 L2 P }
6 s8 ^: R" V+ E, F$ K$ a& G }; y; P! k, ~$ x; ~$ l
upstream负载均衡:
( s) V9 t- m/ P9 |) n8 E% ]# l/ n6 u3 D6 o' k
upstream 52os.net {
; H* y2 J4 k; p server 192.168.1.100:8080;, Y0 S' d3 D. j" q# q* K* c! Q
server 192.168.1.101:8080 backup;
7 T, }, w. W! X4 ?& b5 ~0 H}
0 g8 t7 |2 R2 D( z& d- N
; J; f! c: z2 x/ K5 @( Iserver {
" Y8 w: A+ G" Q- q E4 `$ Ilisten 80;
/ w, ^; ~- k% E& {# [) y6 f% mserver_name 52os.net www.52os.net;
# n% _2 C% |0 D* Z7 \
, E- |* Y! `" Z& H5 Z" u6 P$ Slocation / {+ g' r7 L4 W- u
ModSecurityEnabled on; , ?, ]/ r( L/ V) Y+ z% K- T x) c
ModSecurityConfig modsecurity.conf;
+ p- y; I) `' i+ _, q8 G: L' g1 E( r0 s
proxy_pass http://online;" k- \; a4 v* ]
proxy_redirect off;
. L; j$ _: n1 B# D+ s proxy_set_header Host $host;% d5 M3 B( z* b2 m" X& p
proxy_set_header X-Real-IP $remote_addr;
2 e a9 O7 S" [/ s/ _. O proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
. T7 @' o8 x) u7 q# c }
6 E; T' s8 b. t2 u! O( X4 y* b}
9 L3 a( L6 J( o, q, Z: M% _六.测试
/ u4 A) t$ Z# _! J2 y
v7 O: @$ h4 x, B我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:$ O* J" z6 F& c" t/ g9 a5 {0 B$ ^
+ h% k( m' R1 ?& h
<?php
+ a% }6 O( C0 P9 ~ Q! S3 e U phpinfo();
* Y4 u9 t$ i* H+ @6 t @# {/ ^?>
' H' O( S' ~$ Z+ N& V9 Z在浏览器中访问:
# H# Y' l7 Q i
5 s: c; v! P9 w l. s) ~http://www.52os.net/phpinfo.php?id=1 正常显示。+ R8 k' l( [0 x: b+ N, H$ o- q
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
1 y; F4 J) ~* T* H) ghttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。' r1 f6 N4 q) T2 [$ H" h6 |
说明sql注入和xss已经被过滤了
, b5 P( x! O2 \9 j9 d7 r8 J
% Y- k9 k; ?4 ?2 `' U- e七、安装过程中排错
( h3 b# n& j/ E
' {& Y2 g/ I4 a: d$ M. A3 {1.缺少APXS会报错( K2 t/ t7 ]9 J1 B
* p C3 |! R, c' K5 {% Cconfigure: looking for Apache module support via DSO through APXS9 E8 w5 B z2 g$ Q1 J! P. X
configure: error: couldn't find APXS
) t9 _) C' E* O' ~7 G% O) \apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
. o& ^: d, L7 f8 N9 c# E* {, H8 R& E解决方法:
' p, {" X! }+ t% M% ~
* J; n* U4 U' h, m) Ayum install httpd-devel
) i1 d, |2 ^0 I* V7 ^$ V3 w2.没有pcre( [8 ^& ?2 X' p) K7 z/ k% \
& I2 R6 t9 G0 b1 R# } T$ M% Fconfigure: *** pcre library not found.
) Q6 D: N$ E Y Y5 oconfigure: error: pcre library is required0 [* d8 j$ X( _3 I' y( I
解决方法:0 e: \ i# n( s! n" P+ c
! r: F; P: \( {& U! H9 Q: r
yum install pcre pcre-devel# R5 @+ a5 E. M6 c0 {9 Q! e
3.没有libxml23 J: r/ X; h4 i6 G. U4 g- G% H4 \1 C
# r2 r/ o0 m1 X2 V) Z& \5 b( v
3 @ J! ~3 `1 ^: i* w nconfigure: *** xml library not found." L+ x5 P- x R3 y
configure: error: libxml2 is required
. y E6 ]# ]7 p A; ~8 ^解决方法:( C0 t# T" v5 n3 V
+ G. v7 [ u' M" m4 H3 wyum install libxml2 libxml2-devel
. e/ R( }7 j7 B4.执行 /opt/tengine/sbin/nginx -m 时有警告
3 C/ h( W( p8 P5 W: g% a. C% Q
; R* F' H, K v: tTengine version: Tengine/2.1.0 (nginx/1.6.2)- L( N% o# J& ^3 J/ ]$ u
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!; T0 \2 Y3 B1 c( J4 M' Q; U
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
& w- S) Q6 E3 K8 ~' e7 P3 t7 p; r. y5 ^
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.% A' f1 K* l" g( ?+ D) `, P
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
8 S. W: |/ W3 ~1 u9 K. r2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!" F, V" q4 x' I* j4 J; P$ z6 e) A+ B
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
; E, d& O5 d! [2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"7 k% t' V; N/ l5 O# f: E$ q+ w
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.; G4 O/ @" n8 d2 W
解决方法,移除低版本的APR (1.3.9)* u7 U& w+ B, _3 j' j7 [
" E+ N% I5 \; T( P$ J: o
yum remove apr) w o% N/ [0 H" G
5.Error.log中有: Audit log: Failed to lock global mutex
# w' W5 Y" p1 G, u7 Z6 c' `- d* L/ e! b
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
& C8 H) p, y& {; Kglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
Q1 j7 i+ c+ r解决方法:
* D" B; }! h+ |! O4 e$ ]: n% ^编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:7 d& `6 v, \* b4 D" K
8 Q0 e; B' I( ESecAuditLogDirMode 0777# L2 J$ h& ^! Q0 P( Y( E& z- x
SecAuditLogFileMode 0550
) L1 k6 T7 x' ^SecAuditLogStorageDir /var/log/modsecurity
% q7 @: V, {$ ?! D3 z5 JSecAuditLogType Concurrent
4 S& P4 G' Y! o7 y参考文章:8 p5 d0 S" K) l
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX' A1 {) q% ^9 \) G+ V; ]( H
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡