ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports Nginx and IIS; combined with the flexibility and efficiency of Nginx it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module is added when configuring nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to cover any further needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling the corresponding files in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
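A small pre-reload check, added here and not part of the original post: it confirms that modsecurity.conf has SecRuleEngine On and that every Include target actually exists, since a typo in one of the paths above silently leaves that rule group out. It assumes relative Include paths resolve against the directory containing modsecurity.conf (the nginx conf dir in this layout), and it exercises itself on a constructed sample config in a temporary directory.

```shell
#!/bin/sh
# Added check script (not from the original post). Assumption: relative
# Include paths resolve against the directory of modsecurity.conf, which
# is the nginx conf dir in the layout used above.

# check_modsec_conf CONF: warn when SecRuleEngine is not On and report
# every Include whose target file is missing. Returns 0 only when clean.
check_modsec_conf() {
    conf="$1"; dir=$(dirname "$conf"); rc=0
    if ! grep -Eiq '^[[:space:]]*SecRuleEngine[[:space:]]+On[[:space:]]*$' "$conf"; then
        echo "WARN: SecRuleEngine is not On in $conf (rules will not block)"; rc=1
    fi
    for target in $(grep -E '^[[:space:]]*Include[[:space:]]+' "$conf" | awk '{print $2}'); do
        case "$target" in /*) path="$target" ;; *) path="$dir/$target" ;; esac
        if [ ! -f "$path" ]; then echo "ERROR: missing rule file: $path"; rc=1; fi
    done
    return "$rc"
}

# demo_check: builds a constructed conf tree in a temp dir and expects the
# good config to pass and the broken one (DetectionOnly plus a missing
# rule file) to fail. Returns 0 when both expectations hold.
demo_check() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/owasp-modsecurity-crs/base_rules"
    touch "$t/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf" \
          "$t/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"
    printf '%s\n' 'SecRuleEngine On' \
        'Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf' \
        'Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf' \
        > "$t/good.conf"
    printf '%s\n' 'SecRuleEngine DetectionOnly' \
        'Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf' \
        > "$t/bad.conf"
    ok=0
    check_modsec_conf "$t/good.conf" || ok=1   # must be accepted
    check_modsec_conf "$t/bad.conf" && ok=1    # must be rejected
    rm -rf "$t"
    return "$ok"
}

demo_check && echo "demo: good.conf accepted, bad.conf rejected"
```

Run it as `check_modsec_conf /opt/tengine/conf/modsecurity.conf` before `nginx -s reload`; a non-zero exit means something in the rule setup needs fixing first.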
V. Configure nginx

Add the following two lines to the location block of every host on which ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php with the content:

<?php
    phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime, and error.log will contain the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614