|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。1 [. g( t0 x2 ^9 z
& a/ e/ @/ _$ m( V& _
一.准备工作
8 j+ o, t4 D, {9 L. g0 s2 P9 b
- ?2 u; \( C% ^+ X* n系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
) y9 G7 [& V7 L$ h0 V$ }) Y2 @# |
* U. _. ]4 t3 V, T$ Ctengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz4 s7 [3 i2 i; w8 r5 r. K; M
, x; C5 k. c3 g# ]# n' ?
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
8 W9 u* ~: M8 l7 F, Q, o# v) C! n( H/ m: H# N
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs5 y, G' v' D9 D( M. Q5 j
% `: [2 p% Z. J5 C! [
依赖关系:0 }" Z9 y, ?$ M, k
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
: J" }! b+ j; d$ F# R& D2 d3 H/ f7 H h
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
5 T! Y$ Y) W3 q1 [* Umodsecurty依赖的包:pcre httpd-devel libxml2 apr
# Q2 `/ n" L2 X0 D% _3 m. m* r3 Q0 P2 [' M6 C0 a
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
' x; k' I( [1 L& \1 M8 U$ a二.启用standalone模块并编译
' }& I$ X. [5 q$ l! Q1 E! P3 L
5 r( L9 K) R4 o3 g, j! b* y下载modsecurity for nginx 解压,进入解压后目录执行:- t) [4 V( h0 B1 W% s4 ^4 r% I. T. h6 {
! R5 t6 B/ f9 h+ f, [+ E./autogen.sh9 s, J+ P/ c# u& m
./configure --enable-standalone-module --disable-mlogc k1 R: R U. F3 {
make
N; l- ^ a$ n$ ?, f9 J" b% R三.nginx添加modsecurity模块
2 ]: P% p: Y0 O
& g. G3 _. r9 N4 q) Y在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
4 X. p0 X+ A: ^5 R
{' e2 y; |7 t& l+ O% H. x8 [3 ]./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
# V( K: m3 @8 S0 s2 e1 O6 omake && make install' u0 z) w: H( q: t$ r, M9 o4 C" Q8 A
四.添加规则
@* T7 W4 u9 \" t7 L" |4 p8 ^2 v8 ]0 i) K5 b) L. ]" h
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
( c; y w2 ], K8 L, v9 y
- K: h0 F" G' x5 u4 Z6 ?& p1.下载OWASP规则:; n5 [$ D6 n6 Z& w# D4 G
9 y! J; R9 B0 p& sgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
" H3 a4 R1 a9 v4 X/ c% K5 X# G' b$ w
mv owasp-modsecurity-crs /opt/tengine/conf/
. ^; J7 b. }: D
5 ]& D4 {4 ~/ _ j2 M' Ncd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
1 T4 |8 U- P" I& V, Z. \5 Q0 E2.启用OWASP规则:' h+ }, _4 b8 S7 _" z
& G; z# o6 \$ j- A7 ^ F; t+ }复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。# O% l' G$ ]. X: O# e
* [) r$ R& E2 \; K* h- y
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on5 ]7 ?9 N- F" y' \; H" T- C7 g# O
, S6 I) v9 ?: S0 \owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
1 F9 ^/ K, Y1 t& N/ Z# h
$ H8 p$ I/ T! i" U% w6 A8 CInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
6 A+ V7 ?6 N6 \+ U( S' J) h# m. x: yInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf. b$ T, P3 Z% E# |, w" a5 h
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf0 i) B. Q( S3 H6 Q3 e. z! f
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
: y. ] g9 ]1 M+ Y5 m( m. TInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
+ i) s3 i* y" O7 ]! g2 f% TInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf3 [. u5 a" H1 E. i. I1 ]7 Q
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
$ y, t3 S( K; t+ u- }五.配置nginx$ P' O9 z4 |6 e6 _" z) u8 a
/ P2 I+ r& K6 G6 i在需要启用modsecurity的主机的location下面加入下面两行即可:. A$ K6 z% Y9 Q$ R
J2 @- ~4 Z+ z+ B s3 b5 b3 R
ModSecurityEnabled on; 6 X$ G9 {5 _0 w
ModSecurityConfig modsecurity.conf;1 E. H& ?& [8 A0 H9 ]9 o: E: C$ T
下面是两个示例配置,php虚拟主机:
4 ]9 ]+ s7 a# r2 J5 E
0 |1 \' j' w) g- y# dserver {2 x0 O/ i6 b1 w9 ^' k( j# d
listen 80;
" w$ D) ]- |# h D" p server_name 52os.net www.52os.net;6 `/ Y" j& l. S
) ?! M# k& d: J7 s1 n% L" [1 [% j2 O3 m location ~ \.php$ {
( U( Z' @3 a7 n ModSecurityEnabled on; ) E+ v& J) o9 S4 H
ModSecurityConfig modsecurity.conf;
1 b8 q- z m# j4 a: U( q# J5 t/ t: q
# U8 ]2 a) K3 W& S- @/ j% {5 e root /web/wordpress;& ]8 H/ B+ T' s. ]8 q) }
index index.php index.html index.htm;
0 |2 g! Q% D j5 k ; u P5 s8 d1 r5 t7 W
fastcgi_pass 127.0.0.1:9000;
3 {, X! F9 @3 c fastcgi_index index.php;. E0 M' k6 ^+ l! n$ ]
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;3 x* M- n6 k: b" R' D1 C9 M
include fastcgi_params;( X! o- v7 g9 ?
}$ B% ?( K1 b; R0 N g9 L u" e# B
}3 |& d9 l& w, T: t
upstream负载均衡:
& ^2 E x1 v( @% u
' \1 i1 q. T5 N" Jupstream 52os.net {4 w$ \$ @2 f! b) b
server 192.168.1.100:8080;
/ g" D9 X8 } h! k server 192.168.1.101:8080 backup;
, |9 c# P) P1 Z- @3 b) ~}
" j5 z5 U* a# L6 s" E o
, }- h1 p( L& R+ J' oserver {/ K! o/ v) r; g. g
listen 80; J8 B7 Y9 P. z2 Z2 o8 c
server_name 52os.net www.52os.net;7 k' j. ~' m) [) Q) K0 Q7 @
2 b9 l/ e2 S2 n" Qlocation / {/ i$ r, H6 w) p# w$ G
ModSecurityEnabled on; 6 w/ n4 a$ h) ^5 Y9 d
ModSecurityConfig modsecurity.conf; 8 l! a. _! N9 w- f* W7 h# }$ _
1 P; M8 }/ R% i* g9 d5 `/ I proxy_pass http://online;
' j( A3 v$ f4 n+ A- t proxy_redirect off;/ |' o6 r* {, h: b4 D" n
proxy_set_header Host $host;
& f8 ]; |6 O! | proxy_set_header X-Real-IP $remote_addr;0 I/ }3 M2 d. ] ^0 f
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
1 t, x- k9 T% r) V }, {- w* e$ W) Q& p- e j
}6 I8 e2 ^4 V: ]4 m9 P8 Q
六.测试, o, x3 |# c! C& }
) |: ^9 R- m) b$ l3 [5 q
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
0 |6 z' o2 m: ?+ r4 M0 M" e8 K. A5 |0 e% s+ Z
<?php
) g0 K$ w! C+ x: Q phpinfo(); " v( ^4 s5 H) F3 J
?>
- [- F: U/ `8 ]8 U在浏览器中访问:
2 f9 r [9 T9 C8 D, Y; I- c" t5 g# E
http://www.52os.net/phpinfo.php?id=1 正常显示。! \4 |- `- o- P8 a/ e; `7 j' @+ h
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
: l$ i# X1 U& Hhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
6 q% i: Q5 x' z8 g说明sql注入和xss已经被过滤了
: p0 T. B2 ^, D1 i* V5 }1 ~' V. n' A- C# I; f. r9 P0 H
七、安装过程中排错# h* J; o6 F/ k4 g* L0 k2 P
# @8 z( F! ~# t6 M
1.缺少APXS会报错) w9 n) o) u: N9 _6 y
7 t R7 e; F; K+ J% \5 z
configure: looking for Apache module support via DSO through APXS
) ^1 T$ e" x3 b" c0 m( B+ S8 t4 Rconfigure: error: couldn't find APXS
$ P5 S1 v, q6 {1 ~, z; a6 Gapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
# n& W- N! x% X' Y9 R8 K解决方法:1 H% |& a$ C* o7 u1 w- ]
) f5 n# p8 n6 h. Iyum install httpd-devel
* t# F9 M8 v1 P& o8 U& ?( I& y \2.没有pcre
. P; k1 V7 o* ~+ P1 I$ { |; B. _6 y! T: p1 a- g
configure: *** pcre library not found.
7 _! {9 E8 n, h3 O1 u; econfigure: error: pcre library is required2 z, B6 c8 F' e5 e
解决方法:
( G1 s- f7 g+ V2 N# [
6 Y; E7 p1 C0 ]- s: y/ ryum install pcre pcre-devel
$ {/ Y- a0 ]% C$ ?! f6 Q3.没有libxml2
2 I$ ?$ Q8 K- f- p1 k, k
. b5 Y5 P2 x2 k, U p6 x6 J9 ]! j
7 c' N, _& j* e4 k. d1 Z2 o6 o. econfigure: *** xml library not found.
4 `5 M" @6 ~) d; r0 n: x& d% cconfigure: error: libxml2 is required5 C' V9 j \6 {3 D; ~* J3 l
解决方法:. Y$ f! o4 R7 g5 X- J9 P+ R
0 P1 D, Y; ~# \: Ayum install libxml2 libxml2-devel
1 w9 {4 u% I# ?5 U9 _# ~4.执行 /opt/tengine/sbin/nginx -m 时有警告4 D& {/ V# [" G* a. f; E
8 J' N; B+ \% \1 u
Tengine version: Tengine/2.1.0 (nginx/1.6.2), W: ^& r0 ]! X+ Z) v; Q
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!" O" g" S, w, J' \( x9 d
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log# b* n! I8 g/ u, k
8 P3 e$ v# V: _4 {; p; N, b
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
) r! c2 ~6 l8 u& R2 X2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
0 ^5 s! y* T5 C3 f5 U/ a, a. Y2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
9 N6 \ _5 P, [2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05", g y$ e$ g( z5 L( r* b" j! X
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
, o4 n0 z( x& Q& t$ Z- W% S2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
' ]3 K1 f" R; g G$ t W" l解决方法,移除低版本的APR (1.3.9)
/ E H! u7 \( U2 o* J2 e5 L: ^, d' {; S, v- {( ?$ o
yum remove apr
& k6 V* o1 D* U" u. I7 Y- Z; p5.Error.log中有: Audit log: Failed to lock global mutex* x: l1 z7 W+ Z8 a0 \* i0 m0 F
6 \5 q# R' ?6 j0 \# f2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
% r+ l8 u1 H+ E3 _global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]' F4 e. A: u/ O a. C! y
解决方法:
% ]4 D# X" Z- X- C5 F编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
( k8 e1 A4 P* X" ?. @6 }) S7 C3 \8 R8 d4 Q- T/ }! T3 c0 y
SecAuditLogDirMode 0777
6 ^/ }0 Q' M. ^4 q" @SecAuditLogFileMode 05505 r) R. H, h. O. }
SecAuditLogStorageDir /var/log/modsecurity
' ]5 R; O& @* k+ ^- nSecAuditLogType Concurrent
0 g, p o( {. n/ f* g i N& |参考文章:
" y2 [/ i6 x* qhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
' j$ z$ z4 J+ |& chttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡