|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
( m4 x; m6 v |5 I) [& B) v- y4 G2 O9 B. c; B8 X& s+ u
一.准备工作/ v/ `0 M+ b$ c8 ^9 p6 B. ?$ q
- d0 v) s# y' p' H# N系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0/ O- H5 c+ P, k, t
7 @& F4 H/ w) A, }1 j; C% j6 X4 g
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz- b( h( x: \) Y( k
; a6 n" s: H* d3 ]4 K2 \* s5 Gmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
! t2 b! G& K! z2 O
$ V2 j, q# ^& X$ }) o( pOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs) G( {* G* K! L5 h2 R# y9 l
( j7 E9 b0 N7 V. j* @! k9 \9 [& a
依赖关系:' b ~8 q; r1 Z3 L) G5 K& z
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
0 c x S+ R/ k6 |9 k. ?$ a: e$ {* l% N. X& q6 W, n* |
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
, ?4 Y( \" D0 P% dmodsecurty依赖的包:pcre httpd-devel libxml2 apr4 J& s$ R2 D. Q
7 o; C3 o3 f# t) M+ [
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
% C6 P2 ~/ Q( e& r2 ~二.启用standalone模块并编译
$ h. L3 m/ E q3 U
4 ` S# z$ J9 R/ ]" Y3 S7 ~下载modsecurity for nginx 解压,进入解压后目录执行:
( P1 k+ |/ E- @+ G
# V7 ~: e; P5 p$ Y./autogen.sh
& m, O8 j4 ?& l2 w% c./configure --enable-standalone-module --disable-mlogc
) m+ g% e' ]: m5 G$ g1 L. B+ Xmake 8 w2 N/ d+ j: Y3 v( d5 ~
三.nginx添加modsecurity模块6 W7 Z9 G# ^' a X8 ]
$ ^4 I" K0 K$ N& N- Y
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:" l8 X# f7 B- e' c6 V5 ^# v7 v
- `- c( I5 q+ Z: ]1 ]% a. y. l6 n
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
" N8 c. w4 q7 g3 ~+ X: Z& I7 b. Amake && make install& a! [4 J" g. v9 U- K v# C6 P
四.添加规则
8 j7 N; k W7 H( g& l8 |7 d: M' p$ L5 x3 I+ q% A* g& g4 h
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
3 J% d/ F9 S8 O, a& L1 w! {% b- ~ `- t4 c0 u
1.下载OWASP规则:# p% Q ]" S, n# W+ V4 V
2 y) o V: H! N& p2 I7 @. ~git clone https://github.com/SpiderLabs/owasp-modsecurity-crs8 t) \0 k9 Z& Y- f4 K
+ U, O6 b2 T: Xmv owasp-modsecurity-crs /opt/tengine/conf/
) H2 J6 @6 D7 t, R
% x& u5 T0 ]: n) h: P( ]& D1 scd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
7 ~" m q5 j2 [$ B0 D7 c9 l2.启用OWASP规则:
W2 u0 ]% ~* v1 @9 d$ u) a$ _: P% I
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
( N8 L, S+ j. Q9 m
0 }3 {3 m! |, Z& o/ X6 y& c; v编辑modsecurity.conf 文件,将SecRuleEngine设置为 on) G% E3 @( C$ t! Q0 V
; |, W3 o+ C6 G+ r
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
( ~1 b; W" M9 }+ O% t3 A/ S& H, b: M
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
9 w) D' J! v; S+ \5 @# R' a: JInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf* }) w4 B5 J. z7 g
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf2 C( l( D7 j. M0 n( b! ~
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf l$ |. S* t& T( I- V8 d' T
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
- [6 Y/ R& q4 uInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf; }0 `2 R1 L( @ y
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf. i& M( r) V9 v" f) d" P
五.配置nginx1 x8 b7 i2 G$ E; K- w* G
6 s# h# j8 _; D; y1 C
在需要启用modsecurity的主机的location下面加入下面两行即可:
" s1 M* D$ u8 h' C |0 c1 U# W; g0 t0 p* ]! ~
ModSecurityEnabled on;
5 m3 M* x$ l2 ZModSecurityConfig modsecurity.conf;
. T* \, d. [* i+ f$ h下面是两个示例配置,php虚拟主机:7 v q) l9 Z$ J, l/ @! A K" A7 E+ m
4 D$ P, Y& m; z( W0 y% l
server {
1 o$ s% t8 h7 c" U4 t/ F6 ` G' K4 c2 S, a listen 80;
# h2 S9 U; h2 D3 p2 z$ U server_name 52os.net www.52os.net;! h3 H' ?7 L2 z g6 H- r) \
, r/ b$ o/ m1 V& a8 x location ~ \.php$ {
) z% t# u, x. `6 J. m9 ]# ] ModSecurityEnabled on; 0 f; L, t$ h8 {0 h6 w
ModSecurityConfig modsecurity.conf;
- X- ?0 _8 l& t* g, D( e3 @2 t+ I: ]+ r% g
root /web/wordpress;' c# J/ q. f) s8 g# r- L j0 Y
index index.php index.html index.htm;
' U$ Z8 P0 T1 k6 ^0 O$ M
( p" x/ `2 p) t0 n! N fastcgi_pass 127.0.0.1:9000;
/ F% U7 {! V6 J# N/ U0 _: q fastcgi_index index.php;
7 \# ?( [/ d6 r: x* C fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;1 N; G U, n* d8 {
include fastcgi_params;& m9 H3 O3 [" E B
}! \; \8 U+ _! ]( g0 A
}! }3 P1 M/ F2 e/ ?
upstream负载均衡:3 Q& l* R( K2 U6 Q8 y
- ? d r/ O# \/ g3 @" f0 i0 j
upstream 52os.net {7 R! h4 p9 [# {* N: R+ P
server 192.168.1.100:8080;
5 U7 E$ b4 I" d4 | Q( M server 192.168.1.101:8080 backup;
$ B5 ?4 I% z( w1 a- t}
6 {: O L$ ^+ [: L% A3 z' J- M/ R
server {- l# r2 c" N& j0 g: `3 }0 ]# k
listen 80;
: a4 J1 ^! C, `# Q: ]7 m; F+ vserver_name 52os.net www.52os.net;
$ B \# i, j4 |4 L4 i7 v+ L& Y) \ q6 L% r* l' Y w$ v' r
location / {
7 h' u# Y& `& W ModSecurityEnabled on;
2 }8 y) U! a1 O7 J4 _ ModSecurityConfig modsecurity.conf; ; }: g0 j9 W3 |5 ?% n
: p* z. R8 S3 F proxy_pass http://online;
& [ o5 ]) p" W9 c proxy_redirect off;* @0 n) n0 F) w6 n) O0 | e( Q: Q
proxy_set_header Host $host;( P7 ]3 h& h4 c; s" G
proxy_set_header X-Real-IP $remote_addr;" ]& R8 o; z' j( v. W, T
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- ?' a5 V. Q& H. H: x }; S* C. E, j2 K; Z: s4 O
}# _9 `8 n3 X( O/ @' S6 R8 p
六.测试2 ?# K4 v$ q3 U$ v8 Y7 G" a/ f X
b+ j9 ^* B8 e% C+ |2 q" e; g
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
, P( C. N3 z; O' M' V3 R7 t: f
: u& t" s: t+ f' X& p& ]<?php
. `" k6 g: t& \8 b phpinfo(); ' s1 K" p, F5 T
?>
) P0 @% C3 N) Q( c$ {0 T在浏览器中访问:
1 O) I3 |- ]/ q6 Z. W }) ~
# O) w5 g8 j7 e2 F/ X1 e Yhttp://www.52os.net/phpinfo.php?id=1 正常显示。+ [% `2 q z) {0 Z# D' @2 B
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。 M$ b2 u& f4 |/ D4 G+ m0 {1 p
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。+ Q5 P8 J m( U8 Z2 q
说明sql注入和xss已经被过滤了& Q% g2 U+ E3 Y( y
2 H/ B ~; D* j Q$ T$ U# ]
七、安装过程中排错& F, S2 n% o# _% T- ]& j6 z8 C
" B4 |# v$ a3 S _
1.缺少APXS会报错9 h3 L- u6 d2 \) n6 h
0 F* X; _& x4 I& a! i2 I
configure: looking for Apache module support via DSO through APXS
$ W5 K6 m- ]0 Z( r# w8 e1 Zconfigure: error: couldn't find APXS% @# p% D" ^' p
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。2 T( T3 t z: [, l: W/ G$ }5 n" ^
解决方法:
) I, U S1 i! X9 w! x( W& X* s% } j2 j9 l7 o: N$ C
yum install httpd-devel2 H2 a, O2 d: l
2.没有pcre0 o4 ^6 L8 ~! I* M
6 H- t, D J; j ^7 fconfigure: *** pcre library not found.7 Q/ d/ q! G$ U2 v/ y6 ?
configure: error: pcre library is required
5 Z6 l3 a6 g8 {1 h' g( Q3 j解决方法:; B+ u+ h5 f9 o- r9 K* X
" _6 f/ o) d/ i, S: O+ T; A
yum install pcre pcre-devel
* G! \# W7 p1 l: J8 ?5 J3.没有libxml2
0 F) _/ | p* k" T. j: A; f: K! L& G. x6 G
3 k \1 u( I& Dconfigure: *** xml library not found.
1 M1 w! u3 L% N: X* Jconfigure: error: libxml2 is required! n4 h0 X" w- b9 @( r, u t
解决方法:
5 Q$ {5 m+ }1 Y2 I& P* Z
) J e8 Z& k5 D: |0 {yum install libxml2 libxml2-devel
: l. O! Z- u+ u5 A' P2 o% S1 z4.执行 /opt/tengine/sbin/nginx -m 时有警告- H0 ?: T9 N( X- _+ W( z
3 F# i w7 M5 \0 s, F1 S
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
; j% R5 }9 Z$ u0 ]" h ^nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
4 m' O9 f* Q/ ^( l2 W- q* m+ _7 @原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
4 Y$ R( s; K; \; p$ |0 n' S' K: X/ P" T6 `4 z, k4 Q) L3 a5 O
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.8 q; t( l3 J; H b. T, J* S( F
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"# M, D8 q; E g. }8 Z0 [
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
+ a6 P& A# c. r+ |) S" ^3 u$ {2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"5 _" t' \2 g6 p$ K2 ~
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2 f5 V, J( V2 c0 l8 C( n& z2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.4 K! c. V# [7 o
解决方法,移除低版本的APR (1.3.9); m" J9 W% H0 j$ U: H4 B! Y- q0 `2 Y
0 O2 _9 W5 S2 z) N/ N }yum remove apr9 b+ u6 i3 [6 w" y, v" u
5.Error.log中有: Audit log: Failed to lock global mutex
" Y+ X0 q5 [5 r, f' N. j$ L4 o
2 J1 K( j4 \/ L2 Z: K" m2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
0 U- b1 k( M x* f# e [: U, Jglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
, L7 \/ P* ]) r2 z6 z; _解决方法:$ G7 p3 R2 f4 j0 W) W
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
. y2 J4 A1 d0 O' G1 O) e# x; i& f1 x/ F' Y3 |$ M+ ?4 d
SecAuditLogDirMode 07777 H7 [: O: Y' J2 y/ P
SecAuditLogFileMode 0550
, ~* M% H5 p% ^" Z# X9 d; MSecAuditLogStorageDir /var/log/modsecurity3 h) T" L! A/ o! Q) Z2 ?
SecAuditLogType Concurrent
! F/ N, s4 l2 {' F参考文章:/ ^4 o; Z7 h; k+ K
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX3 ?, a5 z' O' P4 L
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡