|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
0 ~) |! T# Q6 m# i: m0 j4 p' r7 M9 ?& T1 _
一.准备工作' m1 |) S+ z! M( y
3 [& b$ g- x" I, Z# f4 M3 S$ Q0 K8 O系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
3 F4 ~8 x, |8 V2 [
: f0 t* y* z0 U" H* etengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz# B. a- P: g; e& a9 T/ Y, ?, W
$ g0 y) H& Q cmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz9 ^! Z8 p5 G4 d' O( X
8 Q& V3 m+ a8 U& Y1 ]& g# YOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
/ l3 i) T/ f6 W `* I8 k
8 f$ ~" e+ \% q. g依赖关系:
3 K3 ^' t+ ^# w$ E/ utengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:/ u* n$ K3 s3 m+ ^7 A0 R4 l
' G3 Y1 L9 V; \. Cyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel3 A4 U, ^# w6 T7 Q; t% J, v
modsecurty依赖的包:pcre httpd-devel libxml2 apr8 G+ C% Q3 a5 M4 G* Y+ A3 J6 |
; S# D: B/ `% e- l, v$ X+ {# ]yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
7 R8 ^$ [; m; M1 v' S! I二.启用standalone模块并编译
0 h& ~9 `6 T) ]$ T5 ^
& j, o7 M; J) R: z( ^下载modsecurity for nginx 解压,进入解压后目录执行:
: ~! u, t. r( g" `4 l# A9 q/ y
7 Y3 i: o4 {, M7 u/ |& h0 A./autogen.sh) {( U1 P0 `2 ~7 e
./configure --enable-standalone-module --disable-mlogc
+ R$ B' q3 B8 {9 A: rmake
- j9 p6 A2 z; T# _6 [8 P0 j5 w三.nginx添加modsecurity模块
0 \2 ] ^* y# S( S
8 F7 e, T* a! a( O g/ z# G在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:0 ]' D9 Z# G1 h9 G6 j2 w& c4 q
: q/ B3 p$ y: a I+ F0 n, [
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
7 a- I5 o# n# |, @make && make install- N! I2 I7 o* M3 z" Y; i0 H
四.添加规则. A+ g$ X! I: [* N9 L
@* ~, e b7 \- |/ |* ?3 ]% Smodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
( w6 o& V( n* Q A$ Y* }! T8 P, T- a7 V
1.下载OWASP规则:# \# V R* _5 p4 _' {
. U$ ~7 x& B/ I2 B( m; @git clone https://github.com/SpiderLabs/owasp-modsecurity-crs: C6 h# U# w" c7 ]' M. _' M
/ w7 z! r- X' W. i0 `2 h
mv owasp-modsecurity-crs /opt/tengine/conf/
" r4 |3 h" L; x9 P6 o" w) i0 m; b" n8 b+ [" b+ L5 N3 Y: W
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf+ Y) z6 r" V2 o% ]( O5 u! c. l
2.启用OWASP规则:4 f! |2 P& [7 V; e3 g- s
9 K0 \- t" W9 G0 |; e# B
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
8 ^* [% ~* V* C1 H5 C
8 r$ L3 f6 p6 J/ [# x. I编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
0 ]- W7 @ {9 d. I @) e4 G! [
8 x# a0 V- G) Z8 R2 s0 |- H$ @owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。8 N9 e& S( f' B/ ]" a$ D; C
* ~" g( m3 d! T9 l7 x. i6 \/ bInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf* F( c+ d! N* N4 q0 e( ?7 `
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf9 L$ i9 D) e; Q9 |
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
* l1 e6 r% U( J7 K0 ]5 M- l- PInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
# m3 F) M' R% S+ t' c' w1 r3 P" r* `Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
, A+ u4 G9 I: O3 N' ^) ~4 RInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf. ^6 h3 \1 b) l# Z5 t6 f- s4 e
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
$ t8 v* f- O8 N- K3 q五.配置nginx' T; [! E [: {0 q0 A
) ^/ b7 O7 x- S4 I6 O在需要启用modsecurity的主机的location下面加入下面两行即可:
* _7 I/ d) F, V5 i8 N4 C8 i8 i
" }- K) v' y8 r' @* m2 UModSecurityEnabled on; 4 n7 F. b$ d2 t! j, h
ModSecurityConfig modsecurity.conf;7 j2 ~. L% {! S6 k1 \/ Q" m6 ]
下面是两个示例配置,php虚拟主机: O# c8 @4 {: e/ |
3 Z. E4 H- e$ ~5 Y: I" R7 _9 S3 ~& \server {
* n) k/ O# ~$ N% ^5 L3 d listen 80;, h2 h! g# {& N" ^- s" O5 l
server_name 52os.net www.52os.net;
+ W `, E2 q. g7 r0 m3 _! E & ^6 A' z/ D, j! b
location ~ \.php$ {
6 J: H& ` [- l8 U! {4 f) U+ q ModSecurityEnabled on;
8 N$ Y m+ ~0 m& P6 V ModSecurityConfig modsecurity.conf;
( P# j: F2 Z8 F- E+ ^& D J6 Z! |, ~& t0 v; z8 B( l( V
root /web/wordpress;; C) R* m3 K% K/ V: k
index index.php index.html index.htm;
$ g8 c7 B9 w6 F+ b. Y% F
: H2 r1 j0 i6 b+ _ fastcgi_pass 127.0.0.1:9000;
& R! W, b6 w- q5 ?8 Y3 B5 G# I$ h fastcgi_index index.php;
' ` @( h7 t, U' m; p fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
3 k9 q/ s! k' X' c include fastcgi_params;
3 D* U5 ?2 W) P$ E" K }( S; L5 c. {5 L: ]
}
, ]: `# D0 i) n% h9 f3 n8 }1 Xupstream负载均衡:
L) O+ g9 \" V& ?; m; u" c0 s1 d$ D! }& Y
upstream 52os.net {% [3 |% E2 ~) D0 o0 Z% e( V5 ~
server 192.168.1.100:8080;
1 [/ V7 }0 @9 l7 I- Q1 k! I server 192.168.1.101:8080 backup; z9 s: S4 ]# p4 R" ]# F' I
}
, p5 d5 O8 r. G
* M5 w# `' ?2 h3 A% Vserver {
0 M4 }1 ^" }8 N! f3 E0 R, wlisten 80;7 p3 y- ~7 S- C; V+ ?
server_name 52os.net www.52os.net;9 X* o7 `# H, b3 d" @$ _' T
6 @8 P+ d" r: q/ Q% @( }
location / {
2 J# E) ~2 k7 |* W. y/ L* Q% i4 T ModSecurityEnabled on; / M" f- ] r* f; k5 l
ModSecurityConfig modsecurity.conf;
0 u0 K6 T0 h e- f8 B
& o" ]1 X/ f: e7 D& z" G* ?6 K) P; Z proxy_pass http://online;
: y, T: s& s4 M- S0 G! O' D: u proxy_redirect off;
+ M5 I8 I7 X, G, ]5 m proxy_set_header Host $host;+ X- Q- O+ w7 ^
proxy_set_header X-Real-IP $remote_addr;; c" P/ ?8 T ^" V
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
$ z. }* W" Z+ G, J( r }. r9 X) d9 S8 @6 ~& I* \$ U# M
}6 t; J7 P% \* ~* V* g
六.测试
~/ H8 m6 i+ W& `1 U/ E
" N# I" u$ J$ X. F" \8 u+ a我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:8 r# @9 W5 r2 ]' a
. a# ?4 v# V o2 `% U<?php4 J. p' r0 V! o, ]8 a
phpinfo();
/ L2 z" g6 h- j. {4 }9 O2 [# ^?>5 F) w6 J4 ?4 l
在浏览器中访问:8 b/ i! b% p3 V& p& e9 f
3 J" F* w B+ s! K- E" j& a
http://www.52os.net/phpinfo.php?id=1 正常显示。
# C n9 g7 u) r6 l# p/ Mhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
+ `8 ]! m: f7 y; @http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。' ~7 |4 i; D; S; l6 I
说明sql注入和xss已经被过滤了
e! l0 Q* F# a
g- U' |6 z+ p9 g h( v x( ~3 @七、安装过程中排错6 B5 _6 M; ~( M' ^. S! n
7 s1 J, C* B, R' H) M
1.缺少APXS会报错( `6 v1 R9 r& K' F1 a) s' m
6 j( E7 o$ s7 }$ D
configure: looking for Apache module support via DSO through APXS6 R9 ?9 H1 Z8 |- e4 p% E
configure: error: couldn't find APXS0 D0 R1 S: {3 A7 p: X u
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
4 G6 ]5 E; U6 k) S( D解决方法:
D6 D; o, A. I" |
. [& K( M( T" V. @+ C0 ] m. |8 G( _+ Myum install httpd-devel
& b: L' t$ V h2.没有pcre
2 Z; I; n; g/ B
1 ]% ]/ a$ I- H4 Z# Iconfigure: *** pcre library not found.) D1 R% D M0 r }
configure: error: pcre library is required
% i4 }/ Z6 X! \! ]2 g5 q+ a解决方法:
( j: F" S7 [0 s
) r" ^- H }8 H( Yyum install pcre pcre-devel
* A# c* H- t9 q' k3.没有libxml2
% `6 ?& Q- @- _1 E ^. B: J& r+ | D1 P1 ]0 g; h5 K
- u/ R/ S. |: x3 x% y! Kconfigure: *** xml library not found.! S' Q1 ^2 g" E: b k4 Z. ^
configure: error: libxml2 is required/ t$ h# S$ }2 \. i, H
解决方法:
3 B+ {1 j, m) t, T2 H
* ^( `& \- P1 F5 g; R' xyum install libxml2 libxml2-devel! A2 f# A5 w9 q1 g1 P0 t) P
4.执行 /opt/tengine/sbin/nginx -m 时有警告
/ y- o7 z6 Q$ a" `
1 j7 b- G' G" a- o; PTengine version: Tengine/2.1.0 (nginx/1.6.2); \5 ]: @7 P0 J0 L8 U' z# W! }: c
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!1 `! D0 E4 r! j2 Y( J
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log# C/ c9 Q$ s& C1 _( z$ z
9 ]$ l+ y7 D+ d) B- U
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.8 @% R4 t) q+ Z1 V) x1 X
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"8 \7 i" M5 i' }+ d- ]% D* G; M
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
5 ]$ h6 `$ a1 h# W: x2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"8 k+ X7 J- }5 B
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"' Z; b6 j! d9 |% i4 m6 _& m$ K
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.6 r8 P9 _: \3 {; E. i1 W
解决方法,移除低版本的APR (1.3.9)
1 ]& x1 f ?' ?: {+ X9 g7 j# _, l$ b9 T) |6 w
yum remove apr
4 X3 d3 p# P: H1 A( A5.Error.log中有: Audit log: Failed to lock global mutex
- I: h7 f: {3 Z* O. {, `( r/ H
% C; |/ F% D& r1 O+ _/ \9 h) a2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
" X% o. L- @. N% nglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]' \$ @1 Q3 l: R9 g9 _: x) O' H
解决方法:9 W O2 z/ K9 g. s- B- Z
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
: T7 j' s, n. X* @( x& \$ ?; u; I: H/ g/ G7 u8 B; V8 }
SecAuditLogDirMode 07777 J4 t( C4 _3 @7 O& {3 g B
SecAuditLogFileMode 0550) w: C J' _7 R8 w- T, Q/ w0 x
SecAuditLogStorageDir /var/log/modsecurity' e1 l: q: p0 [; i
SecAuditLogType Concurrent+ W: j X# d4 A# [$ y
参考文章:4 b, E" i# j* A) F/ A/ { x& m
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
' b' a7 N2 V' n- J: dhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡