|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。0 {6 k( I3 ~) D9 B- m% D! u3 I# c$ @
3 }) O9 ^( s$ @% `6 D* F* e6 x一.准备工作
% p/ u3 `" L/ Y9 g; ^; U! |4 h& I9 h" o j/ U/ A" f7 }
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.02 u8 U2 I8 D; v L8 d
8 B1 y, L9 p% m7 N3 [4 \
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz8 W8 |$ _, X+ T
/ F% t2 S/ b. k. b# j% J# Qmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz3 G# r3 R9 S0 O2 }
. } |" c! i6 a Q$ d2 k8 ^& O
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs- r4 f3 |( ?' @, F2 x1 M! [$ x+ H
* ^* _' e9 S6 ? d. L- ^
依赖关系:
* Q3 ]3 G0 p0 Y- e2 otengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:0 L2 G+ }# |$ l& B. o/ |. X
# H; ^+ f7 t1 C, g$ m
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel0 p4 R2 h% y/ N5 e- x1 \# f9 c. L
modsecurty依赖的包:pcre httpd-devel libxml2 apr
! q& f8 y; v- c. e. J# Q
i& t( Y0 \ H3 E7 Q/ H4 t8 B+ c" _yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel/ f8 `9 N% P0 l" i; a3 O
二.启用standalone模块并编译6 a! l$ D) L. m; Z& |
6 ?; m, ~6 _- y/ }8 y
下载modsecurity for nginx 解压,进入解压后目录执行:
: C) C$ e# }& k# y& Z* |# w; ~7 b9 k' G# k6 z' w
./autogen.sh
2 N3 E! A" M. q9 X5 C7 z! \0 m./configure --enable-standalone-module --disable-mlogc* m; v- \. T6 P
make
- x9 w* P9 M' y/ W% R: U/ N三.nginx添加modsecurity模块
% m% B2 c& v \) { M8 N2 v/ ` T- C. j; y2 k- B
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
9 i( o9 k( w& u4 h/ i. c
7 Z' l, Z2 h5 t, J$ t9 e./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine) [8 q; D6 f$ m8 g3 q
make && make install
. N- H. Z3 ~9 H# g2 V4 e. {四.添加规则, e7 b7 {9 v) r1 M! T0 b3 S; a: Y
1 j/ }2 z8 Z: g' Dmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。( e/ p7 @0 R$ b4 x2 \; A
/ i" i2 ?5 Z9 M8 O& y8 l; R/ ]! ]1.下载OWASP规则:5 B' [3 o, g0 E
[3 g- b' Y4 Z! Y" o: d
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
* F% b; j* ]! X; j& @$ n' z0 p
& c0 P. v% Y7 q6 Amv owasp-modsecurity-crs /opt/tengine/conf/
5 d0 @ Y. L$ b% K1 y4 r% `
- d" A( m, v' M6 O$ i/ acd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf: H- t; y: p6 b( U
2.启用OWASP规则:3 o$ x. G( m; b# b0 c) o- D, a
" g. `" }/ ?* S7 {9 c: Y- q
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。+ {" g( Y0 E. n+ [) v ]" I
1 I. H2 y, ]7 V5 q$ d编辑modsecurity.conf 文件,将SecRuleEngine设置为 on. K* N( U8 L5 j- m
" h* A( X# d" Z# }8 s
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。: P) l! f. p+ K, F
% p8 ~) n2 p% E
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
0 i4 x) O9 j8 G2 bInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf p3 a5 b8 n- h" S5 L% @4 n! o
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf6 |+ @# ]' T0 c9 Q1 x) x( s
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
5 k6 y4 x4 D/ q6 w6 B; B7 h* xInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf! w: z. q' P7 q$ P3 j0 [6 x0 s$ x2 `$ d2 W( Y
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf# `1 g* V' I, y+ ~' k: Q3 M3 E; H
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
& q- @% L& j, e; E! P五.配置nginx
) ?* C" o" Q: \4 M, H
; Z8 f- r& x# W在需要启用modsecurity的主机的location下面加入下面两行即可:8 o" ?* Y" _: e& g$ i
7 Y! J. u5 \9 q* Q: @" E
ModSecurityEnabled on; _7 W4 j1 E+ L' N# R" |
ModSecurityConfig modsecurity.conf;: k2 O {/ T1 \5 U' W
下面是两个示例配置,php虚拟主机:- q: H% P) T7 S: i# u
: E6 u, [; r# ]server {
E( R5 u R( }) k/ Y9 Y8 a listen 80;5 ?7 D. v v- L2 O! I# @
server_name 52os.net www.52os.net;
: Z8 V- T, t0 g! C% ] " Q) `! M1 c/ G$ e3 D9 h, w$ n+ ^
location ~ \.php$ {
8 R5 ~- p. c( F3 e ModSecurityEnabled on; ' m. S. n" _+ E
ModSecurityConfig modsecurity.conf;
. a" r. K$ @1 b5 c# P' q1 R v( U! X, z5 l
root /web/wordpress;! V5 f7 \+ g0 i! ] l' Y
index index.php index.html index.htm;; h: I3 k8 {, a/ P4 z: z7 M- R1 L1 q
5 ?% d1 T$ c! W- [# f2 ~+ w4 X fastcgi_pass 127.0.0.1:9000;
: R* Y: X( [) ^6 j fastcgi_index index.php;
B4 s6 ~5 [+ V- p( X4 s# ` fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;) Q j2 ^1 X+ e {/ y. _ x# l
include fastcgi_params;
; g- z1 y. D9 f }
4 c! P% S: @. l8 ?: Y }
" d4 W _! z" f; Kupstream负载均衡:6 F; ]( ? ^+ G6 r0 p: O
0 @6 B- X' j. G X) _# eupstream 52os.net {
; K& d0 o2 U6 \/ a6 q: l1 X server 192.168.1.100:8080;" R% `; F; {+ u* h' x: `! U a
server 192.168.1.101:8080 backup;$ ?$ e6 y( O$ n% x! y$ I; I
}
; \' Q. |2 ~, d5 H6 S8 p9 C/ @
; |7 o& m8 a: O- u% D5 y2 userver {
" v2 z9 n0 U ]9 Clisten 80;2 q5 f6 z8 D$ |0 w+ o
server_name 52os.net www.52os.net;9 t1 ?: L: P& F) f h/ q; W8 q/ S9 w
% {$ `" R) q* a+ {% T: l$ E* Clocation / {
* l( B: c# G! o ModSecurityEnabled on; , W* e& x9 e! ?- ?% {3 G! s9 m+ \. N
ModSecurityConfig modsecurity.conf; + a; N/ a/ Q9 U- E
( y* \; K6 Z' |( m* t5 Z7 K proxy_pass http://online;
; s& E F7 x5 q6 ?' U4 q, \0 H5 c proxy_redirect off;. d" x; C! `2 u2 z; D3 m
proxy_set_header Host $host;) O( I) r: n# y, @- B2 Q' R
proxy_set_header X-Real-IP $remote_addr;
. Z) S+ Z* v+ a. @" q proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
1 z8 ~: `' T" Z: b/ Z' k }
# r& N% I; H* o. u0 L: ~. [}
' x8 U# ]: E. Q5 K% F# n六.测试
8 K$ Z; r% g5 G3 W W7 k# S
+ l4 ^( N) V6 U我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:# g! {& v) F/ n S* g1 O
, g/ _% ]- s$ B. \% y$ x) r
<?php3 _4 p( J5 x9 p/ t: C
phpinfo();
" ?0 X* x- r+ s8 B?># c1 s1 ]' n. v& S% h" J# o
在浏览器中访问:' h7 r( Y% U& S+ ~
" ?( M. T6 {: U( M6 ?
http://www.52os.net/phpinfo.php?id=1 正常显示。1 [# i2 X. d0 x0 ?
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。8 c" `) M; U- p& `- V2 _! f4 |4 a
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
) Q+ J2 |/ S+ \说明sql注入和xss已经被过滤了
: p9 R- m# @/ K2 R. M2 T* ?/ g' w6 ?+ y
七、安装过程中排错
' f$ O4 f. |' P0 c6 G
6 G7 Z5 ]2 O! r+ E1.缺少APXS会报错& T. L$ K! M' ^) E. Q$ X7 a
: {% q, b) r, S
configure: looking for Apache module support via DSO through APXS
) w' w" q8 A. N- z7 S7 o1 `% Bconfigure: error: couldn't find APXS! X) _- \0 C0 _! ]
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。- Q0 _. z: b5 G0 H
解决方法:' T/ ^+ @$ O! Q! F4 ~
8 h) G, u3 t3 ^ m) }) X0 nyum install httpd-devel& ~8 ~6 y9 y; V5 M+ M& {
2.没有pcre
; C; o! p/ U d k) o+ s0 S6 d' U* ^9 P# E7 r
configure: *** pcre library not found.
1 i) m4 p$ [5 h3 A4 [; q0 y% ?( \configure: error: pcre library is required
0 K9 w1 `' A$ ]" e解决方法: L9 y( a5 s0 Q5 @" X
3 m/ {3 J) z0 g4 j3 y9 Z
yum install pcre pcre-devel$ @- H# E$ t" }, f1 @, Y
3.没有libxml2
9 B. l6 x c2 u3 [8 S: h/ P+ u a) F7 L; q! b+ l. T
( F% K0 W$ H3 Z% I1 q# M" ?configure: *** xml library not found.& N2 |: B7 q* B4 S$ Z$ a0 H3 c6 V
configure: error: libxml2 is required7 ?2 w( L4 S. b0 t
解决方法:
+ P( f5 q$ `4 g! p9 T" j2 ^) I9 }5 h5 Q- j* d$ U
yum install libxml2 libxml2-devel* W) U5 j; ]7 G. b
4.执行 /opt/tengine/sbin/nginx -m 时有警告. `- Y \2 L7 c& Z9 c w$ Q
" \& I% Z( T2 U( u- OTengine version: Tengine/2.1.0 (nginx/1.6.2)
" f9 _ }- q( b7 Nnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
% ~: H. q( F3 r! _原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log0 J* f7 S# L- S w% L I6 y* S
* q3 |! ]+ |6 j8 S6 }( i- J9 S2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
; A0 u7 _1 h4 d2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"6 r: I0 H& t$ D4 s) W1 J
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!4 v! N* t6 S0 d
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
: Z4 d( p$ ^( N1 d2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2 A* V" C/ z) T5 D" j$ K0 G% _2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On." x: j0 I% T2 |0 ?4 S3 X
解决方法,移除低版本的APR (1.3.9)
6 M, [$ l, g7 F3 g. \+ j# b. a! Z) P( b7 c
yum remove apr
+ d- M4 C. B# }- C5.Error.log中有: Audit log: Failed to lock global mutex
# K4 C/ Z9 d' s: X+ E* ^ S: r! E0 J5 \9 }0 m- G
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
. Q# F4 E4 H0 c; u. @8 pglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]5 W! u9 h& F# @" [+ v* N
解决方法:* ?9 V2 B+ V* R0 ]% l r
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:: K9 r* ?. b/ E1 v7 ]
1 [3 [+ t& r- Q/ C- ~) [0 e. `4 LSecAuditLogDirMode 07770 k9 D3 M) \ ~' M) D( r" @ ~- l7 }
SecAuditLogFileMode 0550
# Y5 m; ~, @$ i, v r& fSecAuditLogStorageDir /var/log/modsecurity6 s! L1 a# {1 |% W! L
SecAuditLogType Concurrent
* @0 S0 s1 Y- T) P$ M( H6 R参考文章:8 u8 a% K( V; n2 @( x5 Y0 K2 `, W
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX: q# i) Q3 z9 J6 j! W: ^
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡