Using nginx with ModSecurity to build a WAF

Posted on 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and performance of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone build has finished, the ModSecurity module can be added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS). They are reliable and powerful, and you can of course write custom rules for specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines to the location block of every virtual host that should have ModSecurity enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are lower-case; $Document_root would be unknown
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Second, an upstream load-balancing setup:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # must name the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Using the PHP environment as an example, create a phpinfo.php with the content:

<?php
    phpinfo();
?>

Visit in the browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
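To confirm that the filters are still in force after a configuration change (for instance after adding or removing Include lines), the three requests above can be replayed from a script instead of a browser. The following is an added example and not code from the original post; the base URL argument and the pluggable fetch hook (used so the checker can be exercised without a live server) are this example's own assumptions.

```python
"""Smoke test for the nginx + ModSecurity setup described in the post.

Added example, not code from the post. It replays the three requests from
the testing section and checks that the benign request passes (200) while
the two probe requests are answered with 403, as the post expects.
The base URL, the 'fetch' hook and the timeout are assumptions.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# The three checks from the post: (label, query string, expected HTTP status).
CHECKS = [
    ("benign",        "id=1",                                  200),
    ("sql-injection", "id=1 and 1=1",                          403),
    ("xss",           "search=<script>alert('xss');</script>", 403),
]


def http_fetch(url, timeout=5):
    """Return the HTTP status of a GET, treating 4xx/5xx as a result rather than an error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_waf_smoke_test(base_url, fetch=http_fetch):
    """Run every check against base_url.

    Returns a list of (label, url, status, expected, ok) tuples. The query is
    percent-encoded so the request is well-formed; ModSecurity decodes it
    before matching, so the rules see the same payload the browser test sends.
    """
    results = []
    for label, query, expected in CHECKS:
        url = base_url + "?" + urllib.parse.quote(query, safe="=&")
        status = fetch(url)
        results.append((label, url, status, expected, status == expected))
    return results


def waf_active(results):
    """True only if every check produced the status the post expects."""
    return all(ok for *_, ok in results)


if __name__ == "__main__":
    # Hypothetical default; pass your own URL as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net/phpinfo.php"
    for label, url, status, expected, ok in run_waf_smoke_test(base):
        print(f"{'OK ' if ok else 'BAD'} {label:14s} got {status} expected {expected}  {url}")
    sys.exit(0 if waf_active(run_waf_smoke_test(base)) else 1)
```

The benign request is part of the check on purpose: a WAF that returns 403 for everything would otherwise look "active" while actually blocking real users.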
7. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log also shows:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
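Items 4 and 5 above are both diagnosed from nginx's error.log. The following added example (not code from the post, nginx or ModSecurity) parses the ModSecurity lines shown there into fields and flags both conditions: a library whose loaded version differs from the compiled one, and the audit-log mutex failure together with the client and URI it carries. The sample log is constructed from the excerpts in this section; the record field names are this example's own choice.

```python
"""Parse ModSecurity entries from an nginx error.log and flag the two
conditions discussed in the troubleshooting section.

Added example, not code from the post, nginx or ModSecurity. SAMPLE_LOG is
constructed from the excerpts in the post; field names are this example's own.
"""
import re

SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# nginx error.log prefix: "date time [level] pid#tid: message"
LINE_RE = re.compile(r'^(\S+ \S+) \[(\w+)\] (\d+)#\d+: (.*)$')
# ModSecurity appends [key "value"] pairs to its messages.
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# Startup notices of the form: <LIB> compiled version="x"; loaded version="y"
VERSION_RE = re.compile(r'ModSecurity: (\w+) compiled version="([^"]*)"; loaded version="([^"]*)"')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')


def parse_line(line):
    """Return a dict for one error.log line, or None if it lacks the nginx prefix."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group(4)
    rec = {'time': m.group(1), 'level': m.group(2), 'pid': int(m.group(3)), 'msg': msg}
    c = CLIENT_RE.search(msg)
    if c:
        rec['client'] = c.group(1)
    rec.update(KV_RE.findall(msg))        # hostname, uri, unique_id, ...
    v = VERSION_RE.search(msg)
    if v:
        rec['lib'], rec['compiled'], rec['loaded'] = v.groups()
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def _first_token(s):
    """'7.8 2008-09-05' -> '7.8'; ModSecurity only warned on APR, not on PCRE's date suffix."""
    parts = s.split()
    return parts[0] if parts else ''


def version_mismatches(records):
    """{lib: (compiled, loaded)} for libraries whose loaded version differs from the compiled one."""
    return {r['lib']: (r['compiled'], r['loaded'])
            for r in records
            if 'lib' in r and _first_token(r['compiled']) != _first_token(r['loaded'])}


def audit_lock_failures(records):
    """Records for the 'Failed to lock global mutex' audit-log error."""
    return [r for r in records if 'Failed to lock global mutex' in r['msg']]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for lib, (compiled, loaded) in version_mismatches(recs).items():
        print(f"{lib}: compiled against {compiled}, loaded {loaded} (see item 4)")
    for r in audit_lock_failures(recs):
        print(f"audit-log lock failure from {r.get('client')} on {r.get('uri')} (see item 5)")
```

Pointing parse_log at the live error.log and alerting on a non-empty result from either function turns the two manual checks in this section into something a monitoring job can run after every restart.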
Reference articles:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614