ModSecurity started out as an open-source WAF for Apache that effectively hardens web applications; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications. One caveat up front: the ModSecurity 2.x "standalone" nginx module used below was flagged by the project as experimental, and it has since been superseded by libmodsecurity v3 with the separate ModSecurity-nginx connector; the build steps here are specific to the 2.x source tree.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (for apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory (--disable-mlogc leaves out the mlogc remote audit-log collector, which would otherwise require libcurl):

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to the nginx (Tengine) configure step with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Adding rules

ModSecurity is geared towards filtering and blocking dangerous web traffic, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course also write your own rules for specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

(The file and directory names used here, modsecurity_crs_10_setup.conf and base_rules/ etc., belong to CRS 2.2.x. The repository's current branches carry CRS 3.x and later, which use crs-setup.conf.example and a single rules/ directory, so check out a 2.2.x release tag if you want the paths below to match.)

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which logs rule matches without blocking anything. On a site with real traffic keep DetectionOnly at first, review the logged hits for false positives, and only then switch to On; until it is On, the 403 responses described in the testing section will not appear.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by Include-ing them in modsecurity.conf (the CRS was moved under the nginx conf directory so that these relative paths resolve; absolute paths remove any doubt):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configuring nginx

Add the following two lines to every location of the virtual host that should be protected:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Only requests routed to such a location are inspected; in the PHP example below, requests for static files that fall into other locations go through without the WAF.

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing (the upstream block must carry the name used in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, abnormal requests are answered with 403 straight away. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open these in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that the SQL injection and XSS payloads are being filtered. Each blocked request also produces a ModSecurity line in nginx's error.log that names the rule id that matched; that line is what you consult when a legitimate request is blocked. Delete phpinfo.php once the test is done: it exposes the PHP build, loaded modules and environment variables to anyone who can reach it.

VII. Troubleshooting during installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP Server, turning one or more source or object files into a dynamic shared object. ModSecurity's configure script needs it even for the standalone (nginx) build, which is why httpd-devel is on the dependency list.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against is not the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

(Other packages such as httpd and apr-util depend on the apr package, so check what yum proposes to remove before confirming, and make sure the APR that remains is the one ModSecurity was built against, 1.5.0 here.)

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Cause: the default Serial audit log writes every transaction into one file and serialises access through a global mutex; typically the mutex is created by the master process (root) while the worker processes run as an unprivileged user, so the workers cannot lock it. The Concurrent log type writes one file per transaction and needs no mutex.

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0750
SecAuditLogFileMode 0640
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Create /var/log/modsecurity owned by the user the nginx workers run as (the user directive in nginx.conf) so that the workers can write to it. Do not work around the permission error with a world-writable 0777 directory: audit log entries contain full request headers and bodies, including cookies, session tokens and submitted credentials. (If you keep SecAuditLog set, in Concurrent mode it names an index file that lists the per-transaction entries rather than the log itself.)
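Before switching SecRuleEngine from DetectionOnly to On (section IV), and again whenever a legitimate request is blocked, you need to know which rules fire, on which URIs, and how often. The following is an added example and not code from the original post or from the ModSecurity project: a small Python triage script that parses the "[client ...] ModSecurity:" lines in nginx's error.log, using the same bracketed [key "value"] tags as the mutex error shown in point 5, and aggregates hits by rule id and URI. The sample log lines embedded in it are constructed for the example; the rule ids, file line numbers and hosts in them are illustrative.

```python
"""Added example (not from the original post): triage ModSecurity rule hits in
nginx's error.log.

While SecRuleEngine is DetectionOnly each match is logged as a "Warning." line;
once it is On, blocked requests log "Access denied with code 403". Both carry
the same bracketed [key "value"] tags, so one parser covers them.
"""
import re
import sys
from collections import Counter

# Everything after "[client IP] ModSecurity: " is the message.
CLIENT_RE = re.compile(r'\[client ([^\]]+)\] ModSecurity: (.*)$')
# Bracketed tags such as [id "950901"] [msg "..."]; values may contain \" escapes.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_line(line):
    """Return {'client', 'text', 'tags'} for a ModSecurity line, else None.

    'text' is the free-form part before the first tag (e.g. "Warning. Pattern
    match ... at ARGS:id."); 'tags' maps tag name to value, with the repeatable
    "tag" key collected into a list.
    """
    m = CLIENT_RE.search(line)
    if not m:
        return None
    client, rest = m.groups()
    first = TAG_RE.search(rest)
    text = rest[:first.start()].rstrip() if first else rest
    tags = {}
    for key, value in TAG_RE.findall(rest):
        if key == "tag":
            tags.setdefault("tag", []).append(value)
        else:
            tags[key] = value
    return {"client": client, "text": text, "tags": tags}


def summarise(lines):
    """Aggregate rule hits: Counter of (id, msg), Counter of uri, number blocked.

    Operational messages such as "Audit log: Failed to lock global mutex" carry
    no [id ...] tag and are skipped rather than counted as rule hits.
    """
    by_rule, by_uri, blocked = Counter(), Counter(), 0
    for line in lines:
        hit = parse_line(line)
        if hit is None or "id" not in hit["tags"]:
            continue
        t = hit["tags"]
        by_rule[(t["id"], t.get("msg", ""))] += 1
        by_uri[t.get("uri", "?")] += 1
        if hit["text"].startswith("Access denied"):
            blocked += 1
    return by_rule, by_uri, blocked


# Constructed sample (not a real log): a DetectionOnly warning, a real block,
# a likely false positive on a WordPress editor page, and the mutex error above.
SAMPLE_LOG = r'''
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Warning. Pattern match "(?i:\b(?:x?or|and)\b\s*?\d+\s*?=\s*?\d+)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:21:13 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script[^>]*>" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "22"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:search: <script>alert('xss');</script>"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 04:25:40 [error] 61611#0: [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\b(?:x?or|and)\b\s*?\d+\s*?=\s*?\d+)" at ARGS:content. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:content: explain why 1=1 and 2=2"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/wp-admin/post.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]
'''.strip().splitlines()


def report(lines):
    """Print the summary plus the narrow exclusion to try for a false positive."""
    by_rule, by_uri, blocked = summarise(lines)
    print("rule hits (%d blocked):" % blocked)
    for (rid, msg), n in by_rule.most_common():
        print("  %4d  id %s  %s" % (n, rid, msg))
    print("by uri:")
    for uri, n in by_uri.most_common():
        print("  %4d  %s" % (n, uri))
    print("\nFor a confirmed false positive, exclude the rule for the offending")
    print("argument only, e.g. SecRuleUpdateTargetById <id> !ARGS:content,")
    print("rather than removing the rule everywhere.")


if __name__ == "__main__":
    # Path to error.log as the only argument; without one, the embedded sample.
    report(open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG)
```

Run it with the path to error.log as its only argument. A rule firing on a WordPress editor URI for ordinary post text, like the third sample line, is the kind of hit to exclude narrowly (SecRuleUpdateTargetById for that one argument, or a SecRuleRemoveById in a modsecurity.conf that only the admin location loads), not by dropping the rule for the whole site.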