ModSecurity started life as an open-source WAF for Apache and noticeably raises the security of a web application. It now also supports nginx and IIS; combined with the flexibility and efficiency of nginx it can be turned into a production-grade WAF, a sharp tool for protecting and auditing web traffic.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs and the Apache/APR headers its configure script insists on, even for the standalone build), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

2. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

No make install is needed for ModSecurity itself: the nginx build in the next step links against the library left inside this source tree, so keep the directory around.
3. Add the ModSecurity module to nginx

Once the standalone build has finished, the ModSecurity module is added to nginx with "--add-module" at configure time. The path must point at the nginx/modsecurity directory inside the ModSecurity source tree you just built:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
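The three sections above as one script, with the check I would run before trusting the result. This is an added example, not code from the original post or from the ModSecurity or Tengine projects. It assumes what the page assumes (CentOS 6 with yum, sources under /root, Tengine installed to /opt/tengine) and additionally that both tarballs have already been downloaded into $SRC; the environment variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: sections 1-3 as one script, plus
# the check I would run before trusting the result. Assumptions not stated on the
# page: CentOS 6 with yum, both tarballs already downloaded into $SRC, sources
# unpacked under /root and Tengine installed to /opt/tengine as in the steps above.
set -e
SRC="${SRC:-/root}"
PREFIX="${PREFIX:-/opt/tengine}"
MODSEC_VER="${MODSEC_VER:-2.8.0}"
TENGINE_VER="${TENGINE_VER:-2.1.0}"

install_deps() {
    yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel \
        httpd-devel apr apr-devel apr-util-devel libxml2 libxml2-devel
}

# Standalone build only: nothing is installed system-wide; the nginx build below
# links against the library left inside this source tree.
build_modsecurity() {
    cd "$SRC"
    tar xzf "modsecurity-$MODSEC_VER.tar.gz"
    cd "modsecurity-$MODSEC_VER"
    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make
}

build_tengine() {
    cd "$SRC"
    tar xzf "tengine-$TENGINE_VER.tar.gz"
    cd "tengine-$TENGINE_VER"
    ./configure --add-module="$SRC/modsecurity-$MODSEC_VER/nginx/modsecurity/" \
                --prefix="$PREFIX"
    make
    make install
}

# Pure check that also works offline: $1 is the output of `nginx -V` (which nginx
# writes to stderr). Succeeds only if the module path appears in the configure
# arguments, i.e. the binary was really built with --add-module.
has_modsecurity_module() {
    printf '%s\n' "$1" | grep -q -- '--add-module=[^ ]*nginx/modsecurity'
}

verify_build() {
    out=$("$PREFIX/sbin/nginx" -V 2>&1)
    if ! has_modsecurity_module "$out"; then
        echo "nginx at $PREFIX was built without the ModSecurity module" >&2
        return 1
    fi
    "$PREFIX/sbin/nginx" -t   # config syntax check; also surfaces the APR warning from section 7
}

# Guarded so that sourcing the file for its functions does not start a build.
if [ "${DO_BUILD:-0}" = 1 ]; then
    install_deps
    build_modsecurity
    build_tengine
    verify_build
fi
```

Run it as DO_BUILD=1 sh build-modsec.sh on the build host. The point of verify_build is that a configure typo in the --add-module path produces a perfectly healthy nginx with no WAF in it; checking nginx -V is the cheapest way to catch that before the box goes live.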
4. Add rules

ModSecurity is about filtering and blocking dangerous web requests, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is called the Core Rule Set (CRS); it is reliable and powerful, and you can of course add your own rules on top of it.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches without blocking anything; the CRS is fairly aggressive out of the box, so it is worth running in that mode against real traffic first and switching to On once the false positives have been tuned out.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines at the end of modsecurity.conf. modsecurity_crs_10_setup.conf must come first, because it sets SecDefaultAction and the scoring variables the rule files rely on. With the CRS checked out under /opt/tengine/conf as above, the lines look like this:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
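How I would stage those rules rather than editing modsecurity.conf by hand: one script that appends the Include selection plus a local rule and a tuning exclusion, switches SecRuleEngine between DetectionOnly and On, and checks that every Include target exists before nginx is reloaded. This is an added example and not code from the original post or from the CRS project. It assumes the conf directory is /opt/tengine/conf with the CRS checked out beneath it as above; the local rule id 10001, the 405 response for unexpected methods, and the exclusion of CRS rule 981173 are illustrative choices, not something the page prescribes.

```shell
#!/bin/sh
# Added example, not code from the original post: stage the CRS into modsecurity.conf
# in two phases (DetectionOnly while tuning, On afterwards), with a pre-flight check
# that every Include target exists. Assumptions not on the page: the conf dir is
# /opt/tengine/conf with the CRS checked out beneath it as above; rule id 10001 and
# the exclusion of CRS rule 981173 are illustrative.
CONF_DIR="${CONF_DIR:-/opt/tengine/conf}"

# Rewrite the SecRuleEngine line in place. DetectionOnly logs what would have been
# blocked without blocking it; run like that against real traffic first.
set_rule_engine() {   # $1 = modsecurity.conf, $2 = DetectionOnly | On | Off
    case "$2" in
        DetectionOnly|On|Off) ;;
        *) echo "set_rule_engine: bad mode '$2'" >&2; return 1 ;;
    esac
    sed -i "s/^SecRuleEngine .*/SecRuleEngine $2/" "$1"
}

# Append the rule selection from the page plus local rules. The setup file must come
# first (the rule files use variables it defines); local rules go last so they can
# override CRS rules. A marker line keeps the block from being appended twice.
append_crs_includes() {   # $1 = modsecurity.conf
    grep -q '^# BEGIN local CRS selection' "$1" && return 0
    cat >> "$1" <<'EOF'
# BEGIN local CRS selection
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

# Local rule (illustrative id): this site only serves GET, POST and HEAD.
SecRule REQUEST_METHOD "!^(?:GET|POST|HEAD)$" \
    "id:10001,phase:1,deny,status:405,log,msg:'Unexpected HTTP method'"
# Tuning example: CRS 981173 (SQL special-character count) fires on this site's
# legitimate search strings. Exclusions must follow the Include that defines the rule.
SecRuleRemoveById 981173
# END local CRS selection
EOF
}

# Pre-flight: nginx refuses to start if any Include target is missing, so check them
# relative to the conf dir before reloading. Prints each missing path, returns 1 if any.
check_includes() {   # $1 = modsecurity.conf, $2 = conf dir
    missing=0
    for f in $(sed -n 's/^Include[[:space:]]*//p' "$1"); do
        if [ ! -f "$2/$f" ]; then
            echo "missing: $2/$f" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Usage on the host: MODSEC_APPLY=1 sh stage-crs.sh, then nginx -t and reload.
if [ "${MODSEC_APPLY:-0}" = 1 ]; then
    append_crs_includes "$CONF_DIR/modsecurity.conf"
    check_includes "$CONF_DIR/modsecurity.conf" "$CONF_DIR"
    set_rule_engine "$CONF_DIR/modsecurity.conf" DetectionOnly   # switch to On after tuning
fi
```

Two design points. Local rules and SecRuleRemoveById lines sit after the CRS Includes because ModSecurity processes the configuration top to bottom: an exclusion placed before the Include that defines the rule does nothing. And the marker line matters more than it looks: re-running a provisioning script that blindly appends Include lines gives you duplicate rule ids, which ModSecurity rejects at startup.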
5. Configure nginx

In each virtual host that should be protected, add the following two lines inside the location. modsecurity.conf is the file placed in nginx's conf directory in the previous section. Only requests that hit a location carrying these directives are inspected, so a location-level switch like the PHP example below leaves static files uninspected; the directives can also go at server level to cover every location.

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root,
        # otherwise nginx refuses to start with an "unknown variable" error
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream for load balancing (the upstream name and the proxy_pass target must match, which the original listing got wrong):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;   # name of the upstream block above
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We enabled the XSS and SQL injection rules, so abnormal requests are answered with a plain 403. Taking the PHP setup as the example, create phpinfo.php with the content:

<?php
phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS payloads are being filtered. Remove phpinfo.php again once you are done: it discloses the PHP version, loaded modules, paths and environment to anyone who can reach it.
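The same three checks as a repeatable smoke test, plus the question the browser cannot answer: which rule produced the 403. ModSecurity writes an "Access denied" line with the rule id, message and URI to nginx's error.log, and pulling those fields out is how you decide whether a block is a true positive or a rule to tune away. This is an added example and not code from the original post. It assumes the PHP virtual host from section 5 is reachable at $BASE and that Tengine logs to $ERRLOG; SAMPLE_LOG is a constructed line in the shape ModSecurity 2.x writes, with illustrative id, message and data, not a line copied from a real server.

```shell
#!/bin/sh
# Added example, not code from the original post: the three browser checks above as a
# repeatable smoke test, plus a helper that tells you which rule produced a 403 by
# reading the ModSecurity lines in nginx's error.log. Assumes the PHP vhost from
# section 5 is reachable at $BASE and logs to $ERRLOG; SAMPLE_LOG below is a
# constructed line in the shape ModSecurity 2.x writes, not copied from a real server.
BASE="${BASE:-http://www.52os.net}"
ERRLOG="${ERRLOG:-/opt/tengine/logs/error.log}"

# HTTP status code for one URL. Payloads are passed already URL-encoded so the space in
# "1 and 1=1" reaches the server as %20 instead of breaking the request line.
status_of() {   # $1 = URL
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Compare observed and expected status; prints PASS/FAIL, returns 1 on mismatch.
check() {   # $1 = label, $2 = observed, $3 = expected
    if [ "$2" = "$3" ]; then
        echo "PASS $1 ($2)"
        return 0
    fi
    echo "FAIL $1 (got $2, want $3)"
    return 1
}

# From error-log lines on stdin, print "<rule id>|<msg>|<uri>" for each block.
# The CRS message is what you search for when deciding whether to tune a rule out.
blocked_rules() {
    sed -n '/ModSecurity: Access denied/{
        s/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*\[uri "\([^"]*\)"\].*/\1|\2|\3/p
    }'
}

run_smoke_tests() {
    rc=0
    check baseline "$(status_of "$BASE/phpinfo.php?id=1")" 200 || rc=1
    check sqli "$(status_of "$BASE/phpinfo.php?id=1%20and%201=1")" 403 || rc=1
    check xss "$(status_of "$BASE/phpinfo.php?search=%3Cscript%3Ealert('xss')%3C/script%3E")" 403 || rc=1
    return $rc
}

# Constructed sample for trying blocked_rules offline (id, message and data are
# illustrative; real lines also carry [rev], [tag] and other fields).
SAMPLE_LOG='2015/01/26 02:10:00 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "60"] [id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data "Matched Data: and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]'

if [ "${RUN_SMOKE:-0}" = 1 ]; then
    run_smoke_tests
    echo "rules that fired recently (count id|msg|uri):"
    tail -n 500 "$ERRLOG" | blocked_rules | sort | uniq -c
fi
```

Run it with RUN_SMOKE=1 after every rule change. The baseline request is the important one: a WAF that returns 403 for everything also passes the two attack checks, so always assert that the legitimate request still gets a 200.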
7. Troubleshooting the installation

1) Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it turns one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when only the standalone module is being built.

Fix:

yum install httpd-devel

2) pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4) Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that only the version the build used is found at run time:

yum remove apr

Do this only after the build is finished and read the transaction summary before confirming: yum also removes every package that depends on apr, httpd and httpd-devel among them. If the APR you end up loading is not the one ModSecurity was compiled against, rebuild ModSecurity rather than living with the warning.

5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Cause: the default Serial audit log writes every transaction into one file and serialises the writers with a global mutex, which the unprivileged nginx worker processes cannot lock in this port.

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

In Concurrent mode each transaction is written to its own file under SecAuditLogStorageDir, so no mutex is needed. The directory must exist and be writable by the user the worker processes run as. 0777 is broader than necessary and lets any local user add, alter or delete audit records; a directory owned by the worker user with mode 0750 removes the lock error without that exposure.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614