|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
; z. j' b4 }. N- P* \. j
7 l1 v H2 f% g- e! t! ? d& @0 P$ O; Y& h一.准备工作
/ m6 d0 R6 T; i+ j( N8 c/ Q5 b+ \6 ]% K+ _" P! N0 h
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0 ?9 v7 T8 p; c' c( a8 q
, L2 \- i/ \4 v5 h7 x/ @1 b f
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
1 O& I! p4 c7 A# |
1 A6 q Y/ H7 gmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
5 v+ J5 [: d; c8 H/ R' z+ f, Z# u7 p* W7 f
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs6 C, ^" R) d/ B, b5 G
9 Z" @/ {$ q/ f) Z \1 V依赖关系:2 S9 l$ Y" H/ B
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:3 x/ w6 Y2 B/ |" E
* ?' I* }' L+ L& A' u3 Y$ w/ S. `
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
/ N2 v( K- R# G- \. \) J; xmodsecurty依赖的包:pcre httpd-devel libxml2 apr
$ I# L" v+ n3 i* e6 w; j% _! L
3 P* v0 O7 D) P- gyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
7 b [/ B+ {/ u二.启用standalone模块并编译6 K4 {4 L- n/ ~& t9 ~/ u/ O
- ~" _. d. K( Q; A) J; A- U0 {下载modsecurity for nginx 解压,进入解压后目录执行:
( V3 A( M1 a9 f' E
4 e7 X3 z5 }$ p) ]& g./autogen.sh' u, H. \7 r7 }' Q
./configure --enable-standalone-module --disable-mlogc0 W0 a% z/ d, I7 o& e/ @
make ) G5 c1 I3 k2 x& G: Z8 P. b# d8 W
三.nginx添加modsecurity模块
) D. z$ G1 M, A9 ~
$ b; j7 B4 ~5 r6 e. j! d1 j- I6 E/ b在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:1 O1 I8 W2 Q7 W9 ^! e1 D
; K1 G6 y/ U* t8 V
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine& \4 A; n( A# v) e: r$ M
make && make install
9 g4 Y- t! h; e( m) q' X四.添加规则/ P! s) V' c* ]" u! b9 P
4 r' S8 E: s5 D/ T
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。6 n8 j* A: w- z7 I! Q
4 f" o& m2 R3 L3 D1.下载OWASP规则:
& Y2 H3 u5 o: a( S; F5 k( b9 N; g! s, I: u3 D2 o* @
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
2 ^: W2 Y) u! ?. E
+ {" N6 L& i, j* gmv owasp-modsecurity-crs /opt/tengine/conf/0 o. I( n5 Z6 B) w+ o, s; J9 B
7 y+ s3 s, z# x: a8 f# p
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf* J' _: [& I; `2 g- Y
2.启用OWASP规则:3 X& @: ~' ~: {( B* v+ A4 e7 z7 o
0 _3 B8 C1 X: d1 }
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
+ ]/ h" O: ]; A" |: r
- N" Z# I7 h' H9 j, H+ R8 B编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
1 @! S8 A2 {. r! ]/ T3 O7 a- a) [2 V8 P3 O
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
( a4 Y/ O, h9 ~- K! y
3 ^6 [# b% {% j/ C4 Q" eInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
5 I& V: Q% |7 w1 {Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf- G5 j; U8 r$ w4 K$ F3 {. i$ N2 e. B
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
, Y+ ]. T' D- GInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf1 M" f0 J% Y& S% s* @( g# u0 ^( {
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf: i( I+ H( W3 t; I9 V b
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
0 u3 r) p+ F+ _0 A aInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
7 z1 `* b$ B# m0 B4 ~五.配置nginx Z x( h6 x3 B3 i }+ P7 r
: D3 i$ i# W8 X0 @
在需要启用modsecurity的主机的location下面加入下面两行即可:
2 D% B( `$ Q2 W3 _9 a+ U) z$ @6 j7 S- r. ^
ModSecurityEnabled on;
4 r% Y/ k) N- J( a ~( FModSecurityConfig modsecurity.conf;# y7 _- }1 t1 F, B# ]/ \' R
下面是两个示例配置,php虚拟主机:
3 V+ O6 g/ ]8 o
+ O- c1 M/ ^1 E; u5 q% _server {
* Q- `7 I( z6 t8 e9 A& d( M2 Z listen 80;
- g& C' P% d( P6 V( c5 S server_name 52os.net www.52os.net;
$ o! h" }; T( t' D a! f
& K9 k( E0 E& o! b location ~ \.php$ {2 R6 k) L! ~/ A1 r
ModSecurityEnabled on; % X, D7 R. j& b! \
ModSecurityConfig modsecurity.conf;& [7 E7 K8 q6 t
4 g: D, ] u- U4 o" y+ P root /web/wordpress;* y" }% P$ z; f* O
index index.php index.html index.htm;5 b6 R' O# v: \4 m( h* J
6 w6 `. u: {: X0 t5 `( D fastcgi_pass 127.0.0.1:9000;
z I0 g) T; u' T6 l fastcgi_index index.php;3 O4 i: \9 }0 q9 b' K( p! q8 p
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
0 ~9 `" }' A2 u! r6 x2 I# a) \2 S include fastcgi_params;
) |5 K' G; T" K2 A5 ]% u }6 M, M( B0 ^. i! ^2 g: K3 i2 o
}
" L. n9 q6 ?. N8 a# X) i1 {* C1 Gupstream负载均衡:! L2 E( E3 a. {( D: R7 ~8 v
# b& X- x5 d4 |/ c$ j5 v% c
upstream 52os.net {
* j8 y% O2 p( x; I server 192.168.1.100:8080;
0 |0 G) Y2 g* h9 d7 y server 192.168.1.101:8080 backup;
) X1 T- C6 T$ ~8 ~+ [}
; d8 \/ L& Y3 |2 G# s; O
' J8 \4 W4 s( r; Lserver {. K" H b! x9 F2 D3 S. C# C" r
listen 80;
, ^4 A" O+ g3 ~0 c; X7 |2 rserver_name 52os.net www.52os.net;
7 q& F9 L: k2 n, |0 f; v% @
+ m! ?) L L5 D" B8 n0 slocation / {8 P E, W# T6 }5 ?
ModSecurityEnabled on; + _# ?( Q7 O% b0 ]8 m/ }8 V
ModSecurityConfig modsecurity.conf; 1 ~8 E9 ?/ }6 ~) p) z0 y% `: I
@4 H' Z; O: t/ c4 [' p @. w proxy_pass http://online;) {8 ]. ~: U( [+ j/ j$ T( q! ^
proxy_redirect off;
8 k% a6 b4 a9 Q proxy_set_header Host $host;
Y, d$ [8 Y" O4 Q" P" b. G. M proxy_set_header X-Real-IP $remote_addr;
7 r0 |( M% Y1 ?" |, f proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- W* e. p9 J! U; c }
/ `/ S- l `+ s6 y8 ^ m}# |5 B7 s: b% H- q, y% M
六.测试7 a4 u' g2 G% ?: O- @
_" ~7 |9 e) \' @. o7 d& r
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
9 ` Z( w. o5 O: ?( h/ x1 m
; H9 V$ d% r% V5 l; r* K! n( ?<?php
6 |5 P, s% Q: I1 Z( o: f' T9 a phpinfo(); 6 p% S6 f' ~) m( G+ ~+ c. ] z% A b
?>' C9 B5 s a, S# O5 l/ L1 ]
在浏览器中访问:
+ a, e2 {+ W( Z2 S% n
# S) l( O1 e& `0 O) Ghttp://www.52os.net/phpinfo.php?id=1 正常显示。
; f% {6 _5 y, R; y. d2 h7 Ohttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
7 ?* w- ?5 \6 M w. Q& C8 z5 ~http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
+ f$ A6 k. E5 R J说明sql注入和xss已经被过滤了( i! Q, w9 V8 b, f; d
3 O; P& [1 B0 _7 C$ |4 L, x! X! q
七、安装过程中排错
: \; C2 V8 x) R, e: P' `
% `! u" \! c& `% [" @1.缺少APXS会报错% f% C5 x2 S1 S/ N3 W
- m8 R! U, T# f$ M1 l0 _# l8 E$ Kconfigure: looking for Apache module support via DSO through APXS
3 I5 r6 ^- D. K& B' W# G# pconfigure: error: couldn't find APXS
8 `1 u: D+ K3 ^+ e# t# Qapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
) S/ p9 ?7 R3 I& P. Z解决方法:2 U( I) n9 U3 y1 C b) \
* w) }3 ^8 e! M; K$ P4 Uyum install httpd-devel
# z* x: A6 g/ \# h7 O5 c2.没有pcre3 B7 X: l7 q& d& ?* R, j! P. O
; y- j. E" j4 h6 _
configure: *** pcre library not found.
7 |! T7 B# Z2 h2 g& N# Aconfigure: error: pcre library is required
7 ~( }8 X4 \* R4 b9 b8 {解决方法:
8 E5 e8 Q% p+ l3 y4 O8 O ]. Z i* Y9 K- V! ~6 [0 ^) p3 g) o
yum install pcre pcre-devel& E+ w0 {% t% G2 X2 ? C. R
3.没有libxml2
0 p7 ~* R$ @& m5 a d+ {" k4 H8 W' O# D
A9 d, i6 p4 u$ ?2 M* b, n
configure: *** xml library not found.
/ B0 {( B1 d+ U* K& G$ Rconfigure: error: libxml2 is required ]5 ?6 ^, o% G8 c4 e ~
解决方法:
) @# ^+ o* F% Y/ S0 D# ?2 v
9 h' e- G a& w; L4 Vyum install libxml2 libxml2-devel
9 V* o* L4 ~/ M& v" i4.执行 /opt/tengine/sbin/nginx -m 时有警告
& V9 Y6 {5 s& M0 S" V' O
1 n) [- {7 N2 H3 f. [! H/ [6 f9 }Tengine version: Tengine/2.1.0 (nginx/1.6.2); A1 e$ L/ N9 P) k0 ~' _/ g: ]
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!! n% c: h' b" u) I: B; e1 Y" P0 ^9 K9 Y
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
8 E. a6 D( g4 f! n4 x. e3 P' [
3 T* A: |3 O7 s% G8 H! {2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.5 V8 ] l- U" p
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"5 @0 \4 F! S0 e1 G3 P) a# p
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
& w+ `5 w! n4 G5 v" O5 N9 m2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
* W: r4 E+ O! j- y% G& M8 C2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
0 F- R; J5 Y' w, X6 y8 f* Y2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.! h8 F) S5 u( s4 Y1 F; h
解决方法,移除低版本的APR (1.3.9)
5 ], Z0 x4 L+ L$ b! o9 R8 S% Y) R% O3 b: M+ B2 C; f; v$ F( B0 Q
yum remove apr9 } Z" e! W, j q/ J. A3 b8 o' M; u
5.Error.log中有: Audit log: Failed to lock global mutex
. s/ x7 R# R# U/ w
2 |+ w$ e+ e1 R$ P0 Y+ m2 F2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
! O% k2 w* L5 k( P1 M. ~/ dglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
! ?- t' l. e6 h% h9 g/ l6 g k解决方法:
; W+ P/ A) S1 F1 v! K编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
) M$ z6 w* F$ X7 S
- B& m5 r' K% _SecAuditLogDirMode 0777& S; c7 L) L! K& I: g
SecAuditLogFileMode 0550+ y0 Y+ U1 W+ p7 H# I& V
SecAuditLogStorageDir /var/log/modsecurity
7 S5 x% \, G8 h' XSecAuditLogType Concurrent! a' |- L' z) l7 O
参考文章:
: A8 A7 v, ]. e4 t, W: A9 o/ E, dhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
5 c$ K6 O' W" Z/ ~1 i& jhttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡