|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。5 w' X; x+ q2 R9 L. [% p' B# C4 W2 t
! u" u$ D4 n- H: k* y \( v
一.准备工作0 F8 ?0 T i# t/ @0 }! Q
" j |; |8 t/ {3 P0 Z' _* R3 V系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
3 C3 v5 H/ H5 J* b8 U2 N! F
" ^; O s5 {" U8 O- U; W3 z; ]tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz" P( n7 o! E$ `% b6 Q* e
3 X6 y7 g) L. F% Jmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
8 Q' u; n2 r$ n9 s6 M6 ~9 h8 r
3 n; y" _6 Z0 {6 S: KOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs; _* R+ s3 T* }0 y4 v/ h, w/ J
! x# t- h# T l4 I/ D: A0 g$ F依赖关系:8 @* o& V4 ?1 y" q- d3 O" b: S
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
6 t( g" I d6 t& U. o
Q, G3 X+ P5 U t* E% Kyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
4 F/ t- f. l0 {! R. ]5 J2 mmodsecurty依赖的包:pcre httpd-devel libxml2 apr/ |! v( i d2 P2 l
( d2 K z; ? S3 u8 T7 i% m
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel1 ~! ]& R7 `; y+ h& S5 b$ V
二.启用standalone模块并编译' Y. s U7 M9 a5 X" |: G! r
! a( Z# I9 o- Z, A下载modsecurity for nginx 解压,进入解压后目录执行:
" G7 g8 ]0 ]; Y* [
& h& g7 s' {; Q; x: e* t- u./autogen.sh8 e/ n- Y0 s; I; C- [# Y. L$ d
./configure --enable-standalone-module --disable-mlogc
! I7 p% ]5 c+ m% Ymake & Z; C8 {2 l" s' Z; |4 c c9 _
三.nginx添加modsecurity模块
- t6 D8 m9 ?( J* e6 S
9 C, O$ P, ?, P* n在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
! n( ~: E# c5 ~, S1 [; n+ r
% @6 S" {- \& I f) V./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine5 R3 q2 J i2 [7 T; K8 r
make && make install' a) ]: l+ L" [5 G$ Q4 B
四.添加规则
' _1 I" j. p D$ J$ Q& g( s9 r
! f2 Y! S' w) F6 tmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。& p* q4 T( g. H3 F
3 c2 h. z7 k" x' }0 m- j1.下载OWASP规则:
# b0 f( Q2 C( _! u0 w# l6 M S2 c' J1 t. C0 v- O
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs$ l5 Y( N1 c4 J9 J* a1 l* W3 d
$ m$ f* A! y G5 v, J
mv owasp-modsecurity-crs /opt/tengine/conf/
% W% g* p: ? Z* P3 C: [4 a* J0 f* L3 ~' {4 ?- [* ]" f
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
, @) p$ S3 c5 S g' @# h% a9 a2.启用OWASP规则:: r4 v. [. W/ P7 I9 a
; Z+ |/ m; m7 \' Z复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
% z& d, S; |/ Q6 n* S/ H
6 A0 P! m( i7 l5 Z6 O t; |$ W1 }编辑modsecurity.conf 文件,将SecRuleEngine设置为 on. _) }7 m+ S8 b' S
% ?1 g, M. v9 j5 j2 f: l
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
+ D% c0 \: n3 I4 E+ [+ w! `1 m, m, o9 r' K% X$ |) y( {
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf6 o5 u; f+ o2 N- l1 m0 _8 w1 w
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf2 ]' @& {2 ?# s# t0 i4 b
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
5 y! Q2 o- `7 U& u4 }4 P) w' Z* H1 H9 XInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
+ P) r; y1 q( |- m3 vInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf, X) ]2 ^+ s8 o" h$ v: E' Q5 e
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
1 b4 u; X y, sInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
) { ?' ?$ W( K2 i5 p! [6 {五.配置nginx( t T, q1 @- A2 M4 Z) r6 f7 ?
$ I" I* W5 _; z8 M3 M5 Z# `在需要启用modsecurity的主机的location下面加入下面两行即可:% R9 y. c+ S' j. P" f
# S6 M S. O( J8 sModSecurityEnabled on;
; x4 }- x- K/ K- p$ T5 f8 wModSecurityConfig modsecurity.conf;+ j& [( S: g5 H9 v( s. y
下面是两个示例配置,php虚拟主机:# k% y' L) p) i
7 h( ?6 q8 J( u: o1 eserver {
3 v" C* v- Q/ v) l4 H, _( P listen 80; g" C5 J8 @+ [4 j
server_name 52os.net www.52os.net;
( n; L. \) R. G- F& h0 J
$ M8 i; i& k2 Z8 f, m. j location ~ \.php$ {
0 ^6 @$ q" F, Y! {* S( b ModSecurityEnabled on;
1 g9 P2 N8 X4 u$ ? ModSecurityConfig modsecurity.conf;
6 D4 R) o5 q# |! Q4 h& Q+ ^2 O
5 _' o9 L* Q) v! a+ W root /web/wordpress;9 i8 T/ c- _ \- {* t
index index.php index.html index.htm;
0 f, r' G2 [# g" R. n
' O4 A% _# _3 q( s# m fastcgi_pass 127.0.0.1:9000; P+ T! a) n. d0 }7 F2 o
fastcgi_index index.php;, Z' I5 {5 G2 q9 S" o5 ]; ~" W
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;3 u# E/ e. U0 m4 U
include fastcgi_params;
8 j. j9 K+ V( ^6 x }
( M* h/ k: \3 }1 c+ B' y1 t! p( Y }% b. x- p4 L5 I: @0 G- S- q
upstream负载均衡:
0 O( K1 Z8 X, H( l9 c+ [) t/ O/ L2 j
) R0 L5 A2 P, m7 mupstream 52os.net {
5 T2 D7 d9 H- G" k4 p- ?5 E X3 V2 h server 192.168.1.100:8080;" p0 n' v* g* _. ~0 ], a, t
server 192.168.1.101:8080 backup;9 z+ b$ R/ x+ x& x; k( h
}
# A n: {: W* R/ Q4 z* Z4 a: C) {$ R y* K
server {
) H* g* O( f/ |$ J, Q5 Plisten 80;
4 n" N9 X6 [. r, D- Sserver_name 52os.net www.52os.net;4 z( Z [) |4 _0 L |/ ?9 z
1 y7 f' X1 C4 \7 zlocation / {, M6 V, u" T. ^: n
ModSecurityEnabled on;
9 E8 x1 R+ W- `: d, Z; R# |% g ModSecurityConfig modsecurity.conf; 7 {4 ~- A0 E2 @ I; B
% l8 ?9 ~0 f" s( x4 m; u# C
proxy_pass http://online;
9 _- `. F! F9 c1 t$ S4 A% Y proxy_redirect off;
8 ?3 Y3 B; G1 L1 E- j2 }6 A8 L proxy_set_header Host $host;8 {" e) O6 d% C6 f% g& ~5 c+ `
proxy_set_header X-Real-IP $remote_addr;
4 B; d1 [. A6 U5 w( I proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;, J! i8 N0 m% Z6 J$ l& b
}- p4 L9 m0 b Z3 N8 c
}
* l1 [3 ], y7 \- z( [+ X六.测试' ]1 W1 ? U5 y2 `
( F: Y" ^/ s" B$ G2 ]! o
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
7 _. j) Z2 ^7 E$ [$ G1 v* S/ _% p; @
<?php/ @3 O3 O0 D1 Q: g
phpinfo();
, g# S! t; l" t) Q! C0 c" F?>* ?, U% Y9 }$ [( e* K; j. E
在浏览器中访问:
" g5 Q8 R p7 Z `
, O% x) e8 ^9 F0 }) xhttp://www.52os.net/phpinfo.php?id=1 正常显示。; z" O6 Z3 x7 z0 V6 @
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。 K+ O8 I8 T( j H% i/ x
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
& F6 H ]0 j: y) D* x6 c说明sql注入和xss已经被过滤了0 w) h+ M! E# P7 J- ]' R
% K- b- n$ u' ^! Y% U7 l: k七、安装过程中排错
. D% e. x6 n# Y5 y4 h* s+ z5 X& |! s$ b: E0 D7 P S
1.缺少APXS会报错$ y, N- X/ b& h7 w/ b* G9 Z
( D8 x+ [! ]/ N
configure: looking for Apache module support via DSO through APXS' D5 \+ v4 c% f3 E- M! X% G; w6 g( }
configure: error: couldn't find APXS
/ D- c. B" S( z% Kapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
$ } B2 N6 n7 i7 r8 {解决方法:
% J- M$ E* i. h* Z/ P
3 w B4 w. z1 J4 N% h8 N9 A, Gyum install httpd-devel9 J; S' ^- I( g5 y9 T$ ?9 a9 h
2.没有pcre0 D" }- a8 N7 S
9 S5 y* s) b* q0 X/ A. n- j6 h1 E
configure: *** pcre library not found.8 p# O6 ]: c. N' R) m+ @
configure: error: pcre library is required
/ B( w* [; Z. h V B) r解决方法:
4 D: k% T& |; X
. X7 D1 D' ]& y$ [* y4 [yum install pcre pcre-devel4 `" X% w6 g6 s. g' U* {" @2 L; H c
3.没有libxml2( t" z7 R* L; _3 g r6 g
1 |4 o( z# [+ |. N- f/ _/ \
0 R( H8 N# v: x' Jconfigure: *** xml library not found.2 X: k O% q& q6 l
configure: error: libxml2 is required
3 J7 @; w2 y) ]7 K解决方法:
! H8 n7 ~# K! G( `" G2 `4 \6 ?+ B; |" B4 Y, U, @4 }3 I
yum install libxml2 libxml2-devel
0 h0 z t. A( @; r# w6 o4.执行 /opt/tengine/sbin/nginx -m 时有警告
; Z3 @5 F5 _! u; E* d: Q/ Z( B0 x( Y7 q8 Z: B+ }1 t$ F
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
6 x! u! s& @( ]& X8 X; I& C1 ?nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
. N4 [: ^1 y% @0 r2 K. T4 Z2 y4 K原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log0 _2 ^: z* L% q& e' v# Q
8 i: ]) p, I! g' k" h% Y2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.7 T" R% k# d6 ?
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
0 |5 B6 L& N( G y' k2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
& U" B/ S4 `* R- H1 M& Q g2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"$ Q4 o3 I* l5 y6 s2 h+ S# ^$ g
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
1 E5 t- o; ^# \2 I2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.# L0 i: g5 `1 Y" k2 j
解决方法,移除低版本的APR (1.3.9)) N. k ^# D2 E8 s% D$ V( F3 k
3 J* k: m( Q. f, H: A4 s9 J+ t
yum remove apr: o4 w" c/ C! U9 \* ^
5.Error.log中有: Audit log: Failed to lock global mutex
" G5 Z/ q Q. I t8 |: q {' {( {
- ?0 E; r W! _2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 4 G E) S V: e# k; q" x2 y3 h
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
1 j v9 v+ L& x0 d$ q0 ^解决方法:
- D* x- Q* C' F+ E编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
5 [7 n- {+ O3 C+ Q6 `+ ]) x
: G6 a; h! i T7 \SecAuditLogDirMode 0777
1 n6 R/ u. a1 H* M: eSecAuditLogFileMode 0550
( R' C0 V4 N) w( ]$ K9 ]! M" [SecAuditLogStorageDir /var/log/modsecurity
& @% k$ t" Z; t1 V, r) |5 P! l) _SecAuditLogType Concurrent
5 u2 L2 D& i; |) D& m参考文章:3 s0 |' i7 O8 [
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX0 q4 X, T" @0 O: n
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡