ModSecurity started out as an open-source WAF for Apache and is an effective way to harden web applications; it now also supports nginx and IIS. Combined with the flexibility and performance of nginx it can be built into a production-grade WAF, and it is a powerful tool for both protecting and auditing web applications.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module can be added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Adding rules

ModSecurity is geared toward filtering and blocking web attacks, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet your own needs.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; each rule file to be enabled is simply pulled in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
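The steps above (rename the recommended file, set SecRuleEngine, add the Include lines) end up in one file. The following is a complete modsecurity.conf assembled from them, added here as an example; it is neither the post's own file nor the modsecurity.conf-recommended shipped by the ModSecurity project. The log paths under /opt/tengine/logs, the /tmp collection directories and the local method-restriction rule at the end are assumptions; the request-body and audit settings mirror the defaults in the recommended file.

```apacheconf
# modsecurity.conf for /opt/tengine/conf (added example, not the post's file).
# Paths assume the layout from the post: this file and unicode.mapping sit next
# to the owasp-modsecurity-crs directory.

# DetectionOnly logs matches without blocking; run that first on real traffic,
# then switch to On once the error log shows no false positives.
SecRuleEngine On

# Inspect POST bodies too; without this the SQLi/XSS rules only see the query string.
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject

# Response bodies are not needed by the request-side rules enabled here.
SecResponseBodyAccess Off

# Copied from the ModSecurity source tree alongside this file (step 2 above).
SecUnicodeMapFile unicode.mapping 20127

# Persistent collections used by the DoS / brute-force rules live here (assumed path).
SecTmpDir /tmp/
SecDataDir /tmp/

# Audit only transactions that ended in a 4xx/5xx (404s excluded) and keep the
# debug log quiet in production. If the serial audit log hits the
# "Failed to lock global mutex" error, replace SecAuditLogType/SecAuditLog with
# the Concurrent settings from troubleshooting item 5.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /opt/tengine/logs/modsec_audit.log
SecDebugLog /opt/tengine/logs/modsec_debug.log
SecDebugLogLevel 0

# CRS: the setup file defines the default action and must come before any rule file.
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

# A local rule (ids 1-99999 are reserved for local use): the WordPress site behind
# this host only needs GET, HEAD and POST, so reject any other method outright.
SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|POST)$" \
    "id:1001,phase:1,deny,status:405,log,msg:'HTTP method not allowed for this site'"
```

After editing, run /opt/tengine/sbin/nginx -t: ModSecurity parses this file at nginx start-up, so a typo in a rule or a wrong Include path shows up there rather than on the first request.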
5. Configure nginx

Add the following two lines in the location block of each virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Second, upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection filters enabled, malicious requests get a 403 straight away. Taking the PHP environment as an example, create phpinfo.php with the following content (remove it again once testing is done, since phpinfo() exposes the server configuration):

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This confirms that SQL injection and XSS are being filtered.
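The three browser checks above are worth scripting so they can be re-run after every rule change. The script below is an added example, not part of the original post: it sends the same three requests and compares the status codes with those the post expects. BASE_URL is the post's test page and is an assumption for your own host; the HTTP call is injected through the fetch parameter so that the same checks can run offline against a fake transport.

```python
"""Smoke test for the three WAF checks from section 6 (added example).

BASE_URL comes from the post and is an assumption for your own host.
The HTTP call is injected (``fetch``) so the checks run offline against
a fake transport, and online with urllib against the real WAF.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net/phpinfo.php"  # assumed; pass your own URL on the command line

# (label, query parameters, expected HTTP status): the probes from section 6.
# 200 for the benign request proves the WAF is not blocking everything;
# 403 for the two attack patterns proves the CRS rules are being applied.
PROBES = [
    ("benign request", {"id": "1"}, 200),
    ("sql injection probe", {"id": "1 and 1=1"}, 403),
    ("xss probe", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base, params):
    """Percent-encode the parameters, as a browser would before sending them."""
    return base + "?" + urllib.parse.urlencode(params)


def http_status(url, timeout=5):
    """GET the URL and return its status code; a 403 is a result here, not a failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_probes(base=BASE_URL, fetch=http_status):
    """Run every probe; return one (label, url, expected, actual, ok) tuple per probe."""
    results = []
    for label, params, expected in PROBES:
        url = build_url(base, params)
        actual = fetch(url)
        results.append((label, url, expected, actual, actual == expected))
    return results


def waf_is_effective(results):
    """True only if every probe got the status the post says it should."""
    return all(ok for _, _, _, _, ok in results)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else BASE_URL
    outcome = run_probes(target)
    for label, url, expected, actual, ok in outcome:
        print(f"{'PASS' if ok else 'FAIL'} {label}: expected {expected}, got {actual} ({url})")
    sys.exit(0 if waf_is_effective(outcome) else 1)
```

Run it as python3 waf_smoke.py http://your-host/phpinfo.php. A FAIL on the benign request means a rule is firing on legitimate traffic; switch SecRuleEngine to DetectionOnly, read the matching rule id from nginx's error.log and tune that rule before going back to On.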
! a: q0 V& }( \' G" c6 q- t
7. Troubleshooting the installation

1) Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2) pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3) libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel
4) Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log will also contain:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9). yum will list the packages that depend on it (httpd-devel among them) for removal as well, so review that list before confirming:

yum remove apr
5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that SecAuditLogDirMode 0777 makes the audit log directories world-writable; where /var/log/modsecurity can be owned by the nginx worker user, a tighter directory mode is preferable.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614