|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
' s5 [& t7 g3 W; _' E7 A W: g/ N1 o# H2 i9 N
一.准备工作
4 x% Z% j5 U" g9 U7 q& H% E
, A# F8 a1 L+ S4 K系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0) X! f$ h. `5 n, r
8 U! h/ E1 Z! \# z# `
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz. }) a! g$ u0 i% y# j/ y" V
- s4 Y, s' m2 R6 [) p/ jmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
) m' ]5 i5 d" L
$ _9 y- e) X% i9 s5 t% wOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs/ U, N" j6 X* S3 w
: {5 f) c5 F6 D0 [7 `% u+ Z$ u依赖关系:
8 Z; ?9 L: Q, p6 {0 c. ytengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
: N& A) H" h( q6 ?- }3 U" ~) i8 r
' ]3 A- l+ M- g, D2 y4 m/ O3 }. V1 p- Eyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
# a. @5 L \2 p* B$ Tmodsecurty依赖的包:pcre httpd-devel libxml2 apr
" X+ k1 ^. L, {% V- E
2 c- D4 c+ G$ O4 q0 p- ~ I3 myum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
3 a+ P( j4 }3 m0 ^7 ?二.启用standalone模块并编译
8 A, X6 c) M( O! d7 S3 D! ]& A @! Z1 r8 v7 S& f6 ]
下载modsecurity for nginx 解压,进入解压后目录执行:
) j4 j3 k0 q5 |
; T1 T; w/ V2 o1 j./autogen.sh0 {- e" F: V8 N
./configure --enable-standalone-module --disable-mlogc& V" H# E. b* X4 c# K* b
make 8 L& R: L; i1 f0 }# Y V! |- I
三.nginx添加modsecurity模块
. E& {! s X" a) J8 z" S' }" `3 d1 f: q3 |0 G7 f. i/ f
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
9 h4 G( e9 ]% `- V d. j* V/ o. T8 @4 E- O6 u- u
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
8 i; i' y& i2 W2 I- l8 U- ]make && make install* j0 k y S) q1 C5 f. D, o1 Z
四.添加规则
$ n4 k R2 D' E- z1 r7 L0 b3 b0 \! f' Q9 v+ l: |) W8 U& ^
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。* P1 |. x- _7 u3 j* f% a
' b! k) t) G3 g; I
1.下载OWASP规则:2 I+ W3 z R1 _! [
+ h e+ p7 A% y5 K J6 zgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
5 _( e) A1 q- \6 ` V" G0 c/ s! b& x2 v4 W! W3 k
mv owasp-modsecurity-crs /opt/tengine/conf/" H9 ?; P) p6 C D9 W/ v0 b
a- O$ {$ p+ `" j; B' \; u$ fcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf" m3 O1 d0 [$ z3 S& h5 Y
2.启用OWASP规则:
' g# @! A8 ?3 K u- |& W( G8 K% R+ H
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
$ H0 @( d- ~/ V" |2 A x7 m, l, \7 y7 N ]/ ` u( n4 [
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on+ | O; k* w0 r) t. L1 \3 K( B
7 v, Y# g" n- O- }3 x( V/ Kowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
6 m- s. B/ {* p; O# F- A6 u1 O1 A! b2 Y" b
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf( Z; i Z$ b5 X' y6 ]: r) z
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf9 ^ T/ c7 k, j- @, L$ Q6 c. @' ~$ T+ m
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf! d5 I1 n# M* e% l
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf, H2 f! {: e. u. ^
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
6 K& U9 X: p& H: a6 V% I/ TInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
9 m1 w; V# I- H3 M9 W+ G: DInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf7 Z5 P2 g" P/ R3 q' _+ R
五.配置nginx
* J7 o' z; x3 r& d B$ l. y! Y
9 f) u9 w! s4 _) K5 z在需要启用modsecurity的主机的location下面加入下面两行即可:
9 B/ i/ o0 X; R$ P
3 J& I/ L7 l4 G4 i, CModSecurityEnabled on;
3 r J6 _7 k# O% q) y; xModSecurityConfig modsecurity.conf;: }/ D9 U! | c
下面是两个示例配置,php虚拟主机:
4 @" l. {& }5 F- N+ J" a
; q* Q5 Q+ o; Y* E/ xserver {$ z* |$ C% Z' m% [) f
listen 80;/ }) L# h: m" s u3 {
server_name 52os.net www.52os.net;
/ T9 K' w0 O$ U
6 R/ a% R; V3 { location ~ \.php$ {3 e. J9 I) l; f
ModSecurityEnabled on; + n( e0 U; i! e7 }3 F: L* z
ModSecurityConfig modsecurity.conf;5 V/ G1 [/ k4 W2 F) @& @
, ?# O" q4 t& o root /web/wordpress;
/ W+ Z) S3 Q) K5 i$ _/ z6 l index index.php index.html index.htm;% m F' ^0 V: m0 [9 Y* [4 b
- q( @ O( x! G
fastcgi_pass 127.0.0.1:9000;
6 k; v. ^5 u# f1 m: _ fastcgi_index index.php; L+ D: {8 T. e$ o
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;% @% b* m& H) d8 k' @
include fastcgi_params;
0 h' S3 y% U8 \, e' i2 U# h2 ]2 T3 r }
$ x3 D6 T: [( [2 _- O* u }
. L6 _$ J V/ |6 Zupstream负载均衡:9 O9 K- C; L' L5 K
% I6 e# H7 k5 m1 K+ P# j) O
upstream 52os.net {; K2 }3 T% W8 Q! T4 ^/ k& {
server 192.168.1.100:8080;1 y) T, s( x. b6 i% n; f' v ~
server 192.168.1.101:8080 backup;
" c9 L. A% b* Q}8 e/ i1 a2 g* h! ?0 A
: \) F$ `- M2 r6 Q
server {
# Q+ l* M6 g3 elisten 80;
2 e1 h. Z2 r3 O" `- t/ N! yserver_name 52os.net www.52os.net;
! u" Z8 o2 Y6 U9 q$ }$ k
5 U g; N9 |2 a( V- W6 N- Vlocation / {
$ i f- O3 w" y& u5 n ModSecurityEnabled on;
7 ~# ~7 H- ^- E e9 E t5 e& ?, h ModSecurityConfig modsecurity.conf; # t) v0 y+ U0 q' V& z* Y
7 Q% O1 A, I4 ?3 `9 y; G proxy_pass http://online;& ^: c4 Y* u0 q/ K8 j" E6 F; Z" }
proxy_redirect off;
9 A. Z5 b4 P6 y& l1 q proxy_set_header Host $host;& g! j% w9 o+ w! G3 u
proxy_set_header X-Real-IP $remote_addr;
3 \ p8 ?" X/ I proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;, Z6 z' m# V% @# d9 k
}
) @! R* N9 Z2 _$ g' [}" _/ w' g9 Z# q5 N% w6 T( L: E
六.测试
) ?% \) S4 ~) E8 P: a: ?7 T. A4 R( H9 @" F4 A8 r& z- V
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
& A, n( ?7 Z4 g3 a& \: }5 e- Z; l2 R* ]1 ]# d! O6 }
<?php
+ t, a- P2 ]4 D2 s7 N, y$ R phpinfo();
9 k! F# `/ q c9 E* _?>
* e! K' l1 b" s在浏览器中访问:5 N t3 Z) v& T" F
3 P8 L3 h0 d$ i, l& j" ?, s/ ?% j/ k
http://www.52os.net/phpinfo.php?id=1 正常显示。
% |3 X. V: ~) ]2 ?: Thttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。. B3 `2 P7 O8 Q0 \ T+ l
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。* b G* C; }& a( ^/ s* Y) t( `
说明sql注入和xss已经被过滤了5 R$ m. _- n; |9 M6 j
$ O0 A0 u) r* P3 E" b" M七、安装过程中排错0 o4 ?; N# k, D
3 |$ E9 ^7 b1 d+ z1.缺少APXS会报错1 O" }( b' H6 X7 P0 s8 n
! o1 y, h$ s1 j9 S% m: ]+ a8 ]6 V6 T
configure: looking for Apache module support via DSO through APXS: Q4 n; M3 s; Z- m7 e4 [7 a' Y6 d+ H
configure: error: couldn't find APXS
8 C9 d: ], k6 {, Napxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
i% C) D6 s4 R2 {' _2 W解决方法:2 _, U+ R* ^" l3 K' [
' y% h ]/ R% i! \/ p6 [: ]yum install httpd-devel
9 @: w* t+ t; p6 Y) a2.没有pcre2 \( _% F9 B+ Q) R8 t! f- E+ C0 Y
" Q* p' a# ^5 ~configure: *** pcre library not found.
% s5 {* f# n' h- a+ k9 Gconfigure: error: pcre library is required/ t' {) B! e# J7 ~& l% L
解决方法:$ Z, e! `* L9 ^
: E9 y' @) u# @9 n' o) K
yum install pcre pcre-devel$ x, ~; k- K$ P; ?7 X ?; J/ t
3.没有libxml2
9 [9 [3 q: U2 @$ ]0 y" E6 A
, J7 G! a& S: ]: l2 D) F/ T. U3 I
9 A9 x0 m8 p; A! I5 `# ?& nconfigure: *** xml library not found.' a. ^9 A1 @2 \# u
configure: error: libxml2 is required# ?, l8 J' u, C# c C
解决方法:& F9 a: Z' ~" q
( k8 B; P2 E r% F( |6 v8 ayum install libxml2 libxml2-devel
, P1 w7 W! ]2 m$ h2 `1 l; @4.执行 /opt/tengine/sbin/nginx -m 时有警告
# |7 ?/ ^4 }7 k0 y1 i/ d% e# |/ R( a' C( h* K# R# m/ R0 l/ }7 o; h
Tengine version: Tengine/2.1.0 (nginx/1.6.2)6 \; \/ X( t$ ^# `1 h9 m5 X; z9 G
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
' a1 b2 o1 ?7 H1 e: Y" }) C原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log' I. D5 n' C- P! y
9 C _% J8 Q# c# N0 V, }2 Z
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.+ A2 h+ U, n" `/ |( o0 q
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
! s. |9 ?. _* ]8 L' E/ s- U2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
1 Z. o% A% H# X" |/ l2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
) `% {: |' S6 |2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
) \) ^% P0 M+ B2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
8 \: ^# {4 l2 C$ ~. k6 X3 M4 _8 S解决方法,移除低版本的APR (1.3.9)
3 S' i4 i5 B! F
) K0 ?! H/ {1 i; H. d9 {yum remove apr8 I6 T8 E- d: O5 S& a n9 N
5.Error.log中有: Audit log: Failed to lock global mutex+ c( S! u: v* B- v, S
. v! q7 z6 f) }, I" l9 N4 u" s2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 2 R% t" ^* d, h& d3 D% ]8 e
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
" N1 h$ F6 c: h/ S: `2 t0 o% Q$ R解决方法:) @9 l2 D% b# ^! `
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
+ s& D: |4 m% W8 c! R% ]9 m& R: A2 }! e7 Y# k
SecAuditLogDirMode 0777
' ]3 L3 r' w) N+ ZSecAuditLogFileMode 0550& i" x' {+ |( t, ~0 a
SecAuditLogStorageDir /var/log/modsecurity; b- k& g, ^7 N: X% `8 p
SecAuditLogType Concurrent1 U- e9 O8 Z% s# N2 ]$ c J
参考文章: D2 `! Y- p% Y7 x; [9 L3 V p% B1 \
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX! J9 F8 R* t* N8 i' S- K$ d$ C
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡