|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
; T) k Y% {# C; P! j# Z. X: z3 S1 P5 F4 B) e4 B
一.准备工作! `, @6 x1 I; U0 |* G' q5 t
: V1 f/ }! J ~+ n% {& F5 D
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
' h; m3 x7 l* w- c! M/ i7 N+ |: `5 h( G
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
$ K5 n5 o: @ W" s1 M$ \
) A ^: b, M4 y4 w+ O s( @' qmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
/ c! Q) ^, H8 B1 d5 k) k0 T+ S% D/ q/ C$ |5 \+ ~* N$ e/ O
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs9 I$ y, n3 b% o9 ^- ]% F
2 v+ r) o+ d q0 t4 s* m* d2 B
依赖关系:
" i! s- W& T( t6 j+ l1 g! y0 dtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
4 ~( t7 S: y. w3 E# p9 C% C/ M3 j/ q* F+ o5 J
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel& ]- l9 @: M, v; [: t* D
modsecurty依赖的包:pcre httpd-devel libxml2 apr
7 O7 G1 t+ S3 t0 L5 ^* Q
9 d' k6 F1 J' s' m' kyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
& P9 r! c2 O" J' x, c+ y( e/ `二.启用standalone模块并编译
a$ W# a5 L2 W7 P+ |9 ^; [+ N) v3 |) m2 f+ _) x% z R
下载modsecurity for nginx 解压,进入解压后目录执行:: G D4 @( W4 G0 S7 j
" C! H5 D) ~0 H8 Y; z; H+ Q `./autogen.sh
. W: E$ o; S! f# Z./configure --enable-standalone-module --disable-mlogc
- e, j5 N# z* `5 z& I% Smake
2 Y3 \! i7 f" U三.nginx添加modsecurity模块, _2 t J2 {& M7 e4 g! Y, w
6 h* g! w. b- L# A1 L5 H# X
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:6 c Z0 h3 q# m' @* @/ m
$ M8 ~' X" R* \, p
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine- }8 f% }9 U0 u+ P8 d
make && make install5 G' p2 w6 B4 c2 e3 Y9 ] v4 S
四.添加规则& y6 i* I; P5 U0 h& h. j# W3 I
( l- `, m0 g, a+ P8 Hmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
3 A$ N5 L' Y9 R" S1 o/ X
. A: @7 { A. r1 E1.下载OWASP规则:
$ N. ]" f* R8 H. p$ t D
( w% n1 g. @, g( }8 j5 ?6 [git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
8 V j8 \" y& n
* U7 E+ u! M6 ^- @* I: r/ z: omv owasp-modsecurity-crs /opt/tengine/conf/
& p+ ~# ]8 c5 ]* U) O1 b' N5 y( ~9 v/ `
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf b* a' W! U/ o* H! b
2.启用OWASP规则:7 T3 o0 i% c( g# Z8 t# l* d4 [
: J. D: P+ r) V( G( t
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
1 }4 C$ D" J/ T, a1 E
9 V$ Z* l# H! `! ?编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
* M' t6 v. L/ @( P7 f
" u$ c$ k) G. t! j' M' wowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
+ T# [2 X% v0 I7 `4 M2 M3 ^
! V9 F9 z J+ Z8 ~5 d; w6 j; eInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
8 k: g- [. g6 i# H" mInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf- W3 ^& m' G7 f- l2 c# U
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
# g8 K$ p8 ?3 Q' t% u8 R LInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf! y. j# _0 e5 H6 y. D z9 k
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf) P! Z z$ Y+ O6 H2 Y# {. H+ j8 @
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
0 C1 ^ ?; T3 H% J& Y$ X2 jInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf, F# u2 G+ E. z$ N1 _2 w+ l9 d
五.配置nginx# G3 f6 s; f; K1 P- ]( x4 B
* e; Y7 k1 |# t
在需要启用modsecurity的主机的location下面加入下面两行即可:& t) j0 `. _2 k1 ]& k9 [: c7 c
/ z2 N, M# u: l
ModSecurityEnabled on;
. ^. ^$ f& h; q* M( J1 ^6 A1 tModSecurityConfig modsecurity.conf;; } L0 ]( @ y2 k$ W$ x0 d. f* p
下面是两个示例配置,php虚拟主机:
6 _6 ~4 m8 y6 m+ U p1 W5 W* n$ @2 \5 Y; z- ~4 k
server {/ S2 Y3 W# Z/ ^; E8 O: T
listen 80;
1 l1 s2 ^# |; B% ~+ {6 w1 b server_name 52os.net www.52os.net;
, ^; W2 |8 T& n2 K ) _9 G( U) M( b3 o
location ~ \.php$ {5 F V( K3 Y3 n# o
ModSecurityEnabled on;
8 K% f! x; m6 E7 v$ Y0 x ModSecurityConfig modsecurity.conf;
, c7 q* A6 _& y7 _' A1 l( b
9 N9 m/ _- m; R% a( b1 T$ w! v root /web/wordpress;, i$ ~4 w% u% O" p) {+ E! t8 @) l
index index.php index.html index.htm;
3 v. j% Y$ k/ a: D0 F 1 K# U& d' {' j; x
fastcgi_pass 127.0.0.1:9000;
- z- Q7 s$ m7 ~' N, Y fastcgi_index index.php;
1 }6 |/ W6 C, }6 [3 e fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;% L8 d$ t8 S2 c6 o4 n( n3 ?3 ]
include fastcgi_params;- |4 m* Q P3 F% |6 e s* e
}% b: J Z( t P4 M/ ` j
}
8 r8 @. C/ r# z' cupstream负载均衡:
+ O- m( [: \8 ?! l4 |. @
" m. {% f' u! G. F5 O& Eupstream 52os.net {
8 D$ Z0 J) l9 X" ?3 m8 p4 h+ i server 192.168.1.100:8080;; B/ u% D/ T1 w! \
server 192.168.1.101:8080 backup;9 O) [ e5 c- l1 f! N3 ~# k2 d
}4 H6 w( X2 c" V/ S' {$ Q$ `/ I
$ u5 o/ z2 S0 T- Vserver {+ m. |, @3 x3 c7 H& n) S
listen 80;
; L6 ` g% q& {* `server_name 52os.net www.52os.net;2 K) n5 ]8 d3 O
+ L- Q+ I6 j! n6 Q! h) \location / {' i* s* G5 x" b4 H% a; a) d- G
ModSecurityEnabled on; : R9 h3 N# |0 V- ~9 p( |
ModSecurityConfig modsecurity.conf; : @$ t+ b! K. R: f) v
, S& H8 A) O Z, X6 e* D0 N3 m4 H+ e5 v
proxy_pass http://online;
6 S3 j9 W0 P8 y, e% t proxy_redirect off;! f; z \( e( Z8 K \
proxy_set_header Host $host; O: J% m& x$ C7 V9 e$ x9 m
proxy_set_header X-Real-IP $remote_addr;
. B7 p7 Y2 z3 i; \ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;/ e/ W7 z1 p4 J& [6 O6 w0 C
}
" j3 r+ s# G% Y$ Y5 p* F- G; R}
7 y+ t. b. \* H- C1 E六.测试$ c5 p& n! [! C2 \7 m
{3 |4 L# k: ~; [我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
. n2 \( t: B5 p
4 N- Z v8 r+ }6 S' a4 T<?php
0 z# U4 Q9 y V* l phpinfo();
8 X) `5 L' _; D$ O# R?>
) S7 s; c, q0 X' l在浏览器中访问:
Y+ ?5 Y- J1 m/ U
$ U/ b- H7 ]% fhttp://www.52os.net/phpinfo.php?id=1 正常显示。
7 S& Y0 Z8 Y* i) W2 Hhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
+ n, J3 V5 x8 T, c* Ghttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。0 z% T- D3 B. _9 T+ x
说明sql注入和xss已经被过滤了
2 h3 t$ o' D! F( T% ^8 z O# o6 ~& o" e2 H& E" v% x! [2 A8 K
七、安装过程中排错0 P. e) X; i" Y2 a' J: _- x# {
: P7 k$ l5 A- v1.缺少APXS会报错
1 Y/ h3 j; g! R( x: P6 j! K
# v) S, t! N, a/ W# nconfigure: looking for Apache module support via DSO through APXS
6 n' n. O2 R; a3 uconfigure: error: couldn't find APXS* K7 c4 D) ^! n/ p$ ^
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
9 r. z" P& [9 w8 d7 _) D/ |6 G: n解决方法:
# a R5 ~8 a$ x1 D- q9 j$ S+ A0 T r$ }$ x4 F! D
yum install httpd-devel1 _- {$ N& c9 U( E" W$ o& ?
2.没有pcre E7 h9 N# `7 h$ R& u3 O2 S2 _$ e9 i
' i, \4 N h( p" B' Q
configure: *** pcre library not found.
* F" {6 C! N3 ~+ J8 M) n& A" ]configure: error: pcre library is required
8 _. B( T1 W9 D- b( g! c5 q8 ]5 z解决方法:; X$ S- N$ B/ |& z) f
6 P1 B8 ^, f) o6 Ryum install pcre pcre-devel7 P9 d q, b& k v
3.没有libxml2
; ~$ Y9 ~; [+ s: N# I, b$ z
n/ d& ]2 v% _" M- a2 C7 _3 k2 g3 i+ @- e
configure: *** xml library not found.( ~4 Q" m1 H( l8 l) b
configure: error: libxml2 is required
0 R, e. t9 T0 {3 r) j解决方法:
# L; c( k2 R( X# u! }# T0 W0 ~. k) @$ I# C# C1 q
yum install libxml2 libxml2-devel& A" V+ U% }7 o. Q5 P8 ]5 M
4.执行 /opt/tengine/sbin/nginx -m 时有警告: S/ _' l! \7 a! J
6 y+ n9 z$ e1 eTengine version: Tengine/2.1.0 (nginx/1.6.2)# M6 T- H5 p$ L% d' Z) {
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!2 r2 |" a0 l1 r* P4 Z
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log/ Y4 e0 U, b( @" K
9 V; m4 F6 d0 d1 e2 P- J
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.2 _9 `0 N7 a9 O$ s8 v/ d! b
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"% k( N, ?( h& U
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
" W. ^6 l6 T- O+ q) t n2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05": G, ]* @/ K6 B- c' m
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"* f, F2 S+ X# W
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On., I0 X# O" ?# p9 H$ u
解决方法,移除低版本的APR (1.3.9)1 r5 }% W& q, C6 }0 a* P0 {2 e
0 s% U2 s1 v7 K, l* @yum remove apr3 P1 q5 A! P0 s+ @
5.Error.log中有: Audit log: Failed to lock global mutex* T3 P7 C$ A4 g: a7 ~: K3 d0 i. a8 R! ~
: N& L6 r/ C1 L- ?2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock : w; A# n; ] ?# @9 b
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]& B$ i. g3 Y; L3 K* G3 a$ L
解决方法:
+ ~; g& Q& z: w+ [+ V编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:4 c8 o( v9 E, ]
$ c' F; [6 R: W) O, g
SecAuditLogDirMode 0777
$ M; C! k& E' a1 b7 dSecAuditLogFileMode 0550
' Q! @& F3 u' a! n9 _$ O$ Z. {SecAuditLogStorageDir /var/log/modsecurity% l0 e$ v0 F8 F+ h: x4 N
SecAuditLogType Concurrent
) ?3 y) F) W! a% e5 v( ]' K参考文章:5 l2 a3 s+ o: ~! `( u! A) t
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
+ Q- s! M& z' J# X* {* }http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡