|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。# Q( N/ s5 B- l" M
4 z# r2 \/ L) z6 X# [6 S4 m
一.准备工作
5 a7 U3 {* u* b/ I. v/ f2 U' \& T; \# n! b3 s; g
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
, i; [( r @/ f1 z T- C% X }+ ~0 T; h/ I# y# J$ _ W* L
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
' c( Q- i7 }# h$ `- j; `: X4 M, J V1 W
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz- |+ f9 T: X o% A9 ], E
3 _8 [) t, W! j# o( v% WOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs9 r1 R1 P' B1 \, U- F5 h5 d4 f
9 h5 R- A- n1 g9 ^4 V5 M依赖关系:4 u; N" G( n4 ~8 u/ [$ y
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:0 i; H" {- ?) t% f# c- ]- h0 J. H
# s" u. D% T+ v0 F6 c2 _6 ]' Byum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
) N2 W6 t8 Q6 |+ }2 J! I$ E+ Mmodsecurty依赖的包:pcre httpd-devel libxml2 apr
" e% ]# P N9 B/ z& a) B' d/ o% w! e/ e$ [3 q) R
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
8 _. A8 q' [1 O" z& h二.启用standalone模块并编译
4 o ]* b& V* k4 m, w$ C- g! g, w- M: n# w* L
下载modsecurity for nginx 解压,进入解压后目录执行:
9 k; ]& F8 m; _$ u2 E, ~* w m2 z) `3 E, D; |0 b, T7 f
./autogen.sh
; o+ ?$ A% z) y& n& r D./configure --enable-standalone-module --disable-mlogc
2 ^3 a4 c$ [0 `% ^- @make
* r' z* Y6 G( @" K/ @三.nginx添加modsecurity模块 ^+ I! b; b' M, J/ N. Q4 X J2 ?/ m
8 r+ B& v D' [$ m$ ? z在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:; c$ M& o B* [- A8 D
' M x# c$ q: i, o
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
# \/ o' H: k# |+ f7 t; Cmake && make install' y' r5 Q' U/ z! T
四.添加规则; [# N7 H% y7 W$ X
! s- [# p4 @& A( \2 G
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。2 o* h; F# C7 H2 h. g: @# Q7 ]6 ^
* E: w1 N8 N; X3 z: o
1.下载OWASP规则:
: ~! K. ^, W. _5 _0 R9 o
) _" ?4 E G/ I f& l4 Kgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
" e, F- X. z2 H$ E3 N6 {6 B$ s; c2 x* }
mv owasp-modsecurity-crs /opt/tengine/conf/
7 |) v3 k/ {" z" W+ `
8 y0 w1 J2 e7 e- T. L. lcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf* B" s0 i- u* {3 f6 Y+ \& ?
2.启用OWASP规则:) e+ ?& q0 r& R* m& O3 p# B+ n
! H& J, D# S# r3 R. X: ~* ~复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
5 K/ B w$ Q( I: D) a( \9 v! u, }6 e
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
: [# ]* j7 ]' I
/ O$ A) \; L9 j4 R9 p: n/ p; @# Powasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。; u) x! f* G* M. Q
7 f( ^6 |7 @3 t% @% U
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
" [2 A" L; a; K, [' kInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf6 a! q1 i- ~3 `
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf. C" Y% r0 {# T; G: g7 [) @
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf) x/ ~0 }. S9 U' j% u6 o# f$ j" ^
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
: D3 J+ G9 [( {Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf I) S; X; v( S' Y' C, [
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
0 |: h" }, j" e5 B4 O. }( f五.配置nginx
) d# _0 [( q- `! \6 g# {5 \* \7 Q3 m7 F. S$ L5 g" e4 e$ C1 o* [7 c
在需要启用modsecurity的主机的location下面加入下面两行即可:
" J5 R' G( A# V7 K- `3 Q+ x* D i& m7 c7 ?8 p. B
ModSecurityEnabled on;
6 t& l1 T0 }- r; |% n- AModSecurityConfig modsecurity.conf;, e; c1 Q/ l( @6 B
下面是两个示例配置,php虚拟主机:* B4 i) P G+ s; _
" p6 C$ c8 g& ]' W" `
server {, ?8 [4 t. k& I) j0 b- V( ^
listen 80;5 Y- J/ H: l3 p# @2 e
server_name 52os.net www.52os.net;! j% h. Z$ z) o v( z
8 l- v. X: p+ h# k# Q location ~ \.php$ {
9 N7 g& u" b! n# N, V! ^ ModSecurityEnabled on; 5 ~) V7 t _) c+ h! E
ModSecurityConfig modsecurity.conf;
) p9 L, c0 V6 s; B# q
$ _+ m- ]: D2 i8 W root /web/wordpress;- R2 X, E5 |- Q
index index.php index.html index.htm;
7 L0 v2 F' i ^0 T $ w: G. {& L7 G- [/ M
fastcgi_pass 127.0.0.1:9000;- X+ Q6 E. N* e2 H. j
fastcgi_index index.php;
" W' r4 C8 K; c8 w. \6 g. e4 V8 x fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
; P; r+ p; ]0 @5 I0 J include fastcgi_params;
: L8 x) X# @, E# Q/ ?# { }2 n) P, _: q6 O P" b) j
}
! o3 r( X9 h1 U4 zupstream负载均衡:
3 F; t- W1 e9 X3 ^) k$ }7 T2 T' U" Q- k/ A7 J
upstream 52os.net {, t+ u6 s6 [7 ?6 t% C# U+ c& ?$ u
server 192.168.1.100:8080;4 E) k& r, t# V' p. |. I- j7 j8 P
server 192.168.1.101:8080 backup;
8 b* a9 j, W- }% [8 ~7 S4 c) r7 ^}
U# @' M* A4 {+ _5 n
0 z6 [2 ]% Y/ ^6 @, m+ qserver {
) z2 P* n( Z4 j3 v* P: G+ ?listen 80;7 Z% z% ^# h h6 n) b$ U
server_name 52os.net www.52os.net;
8 z! @' g" U/ b/ ]- E
- c( h& }) N' J0 M) |2 ~* Flocation / {
]" e( J# ~' n ModSecurityEnabled on;
% W8 B( y( b8 o: [ ModSecurityConfig modsecurity.conf; 5 K! Q- S1 V. Q7 K3 y
# m, P9 x+ k8 E+ B7 l- ]# N! C
proxy_pass http://online;
6 U0 _/ ?1 E% v' W6 ]+ H proxy_redirect off;4 v+ o: S% J% t/ }' [8 }0 J0 j& W
proxy_set_header Host $host;) t, K. h2 D; q
proxy_set_header X-Real-IP $remote_addr;0 Y- W- a) d/ N' ~+ T+ @' V
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;$ ] j& m4 d) X1 H4 j/ x
}
) Z, N. E+ H5 G}
2 J3 l6 z" U* N, e! l6 T六.测试7 n- k/ L9 w7 X
# y8 A. A: b V# k8 y
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
) u* o ]- W4 j8 h+ X; A0 D7 R' W+ D6 e
<?php
% X& v5 k* J1 {0 s phpinfo();
/ E1 r, k, f, O, {! U, q' P?>6 y# E& ]( q/ t8 u2 o% n
在浏览器中访问:
* E/ D/ x5 }% I+ |7 {
1 [; Z( D4 j$ I. @; z/ f% }http://www.52os.net/phpinfo.php?id=1 正常显示。
$ |/ W$ D2 \: ~) [* ?1 Ehttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。' h$ `, R% U9 a+ p8 [+ @. r3 n
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
/ [+ ]0 K( K) l/ t1 ~3 c说明sql注入和xss已经被过滤了
5 i$ f) @4 z% Y6 z8 Z; y$ q
a) L3 R& J; o/ K l; U. Q' h七、安装过程中排错
% K" U4 i3 c* [( q7 H0 d& ?& J4 X% Z f" J3 D
1.缺少APXS会报错
, }1 M/ x* j& G k7 r* U
l) m7 U1 n k* t! k0 w! Oconfigure: looking for Apache module support via DSO through APXS
8 K2 h% b5 x3 d* e8 qconfigure: error: couldn't find APXS$ R+ [* y. m5 R; V B- ?
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。1 A z w& G7 B/ H- s% I5 f
解决方法:
5 t7 h( ?' G3 W" K* l% B9 S
" R* ?% `% P! T( s; g3 byum install httpd-devel1 B4 D% z& c/ l U3 F" v( }- P
2.没有pcre
" w" K1 _& W9 }! Z& k
; V) V# G0 [6 A$ ]2 x7 _configure: *** pcre library not found.& ?$ ]! |7 {8 P; r. B7 h
configure: error: pcre library is required
/ ]# h5 C! ?' O* i7 z9 Q: }解决方法:
9 F0 |( |& y; F$ c7 y1 V8 s7 Z# e6 R: J2 S
yum install pcre pcre-devel
; j' u, ]* {/ s# n3.没有libxml2: S, M! V& b$ x! H! O2 k- V
# p' T2 E9 A( E5 M. L& j' J
3 [) N' Q- n/ ?' Y E3 |configure: *** xml library not found.5 l9 x/ X& e/ R
configure: error: libxml2 is required
* S$ k4 `! m9 V# X3 {, Y解决方法:
) i. w* M1 s" a- Y
2 b& G. A S8 L- t; hyum install libxml2 libxml2-devel. {9 U; {+ d0 [1 k( q6 ]$ J
4.执行 /opt/tengine/sbin/nginx -m 时有警告
8 \; ^ p1 r5 }# C' S, I% ^! A4 S( p6 i
Tengine version: Tengine/2.1.0 (nginx/1.6.2)5 V4 q O/ c) `$ W' P# {
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!6 l }5 ]% t9 L; W: |- j
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log1 L3 t! E( V, a
0 f' y# n% z2 v K/ j8 k! Z
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
9 D) P7 s5 d6 r u2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"8 j, y O3 J* V& } J3 T) V
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!8 L' ^! a9 W6 q k; N% j% O
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"3 A( n; n2 F5 j( U/ D
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"$ T' v1 b$ }* z9 ?/ s. K+ x+ Q
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
* p0 r0 C* V3 C# c+ Z( h解决方法,移除低版本的APR (1.3.9)
_6 x& M, v9 ^# z+ G8 A) G1 d# `( O3 m; K. _
yum remove apr$ ~" l: r7 U+ p4 z* [: J5 N( h
5.Error.log中有: Audit log: Failed to lock global mutex# Z Z, ^5 P- |/ D- ?% G4 y" \2 _
8 Z; l+ L* f1 o" X9 P% e' E0 g; j2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 1 Z1 K( p# m( `8 Z
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
6 z* w: S# E' V% @8 v! x解决方法:' C7 w# B" X0 q4 m2 x
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
- O9 C/ O, Z! j$ H2 q
6 _7 W/ k0 o- j% D R) M ^9 USecAuditLogDirMode 0777
9 Z% u7 g g1 X6 Z3 c6 ]SecAuditLogFileMode 05508 F" a" }# c. r' j5 Z
SecAuditLogStorageDir /var/log/modsecurity8 p! F) W" E) u* e' P2 r
SecAuditLogType Concurrent
- ]# \) b# J/ D. C& `参考文章:
8 B6 H1 f0 B0 v! S( L/ ^5 Y, Xhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX: M4 S$ ]8 A- h O, [
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡