ModSecurity began as an open-source WAF for Apache and substantially hardens web applications; it now also supports Nginx and IIS. Combined with Nginx's flexibility and performance it can serve as a production-grade WAF, a powerful tool for protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build

Download ModSecurity for Nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to Nginx

Once the standalone module is built, pass it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity's job is to filter and block web attacks, and its strength lies in its rules. The rule set provided by OWASP, maintained by community volunteers, is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course write custom rules to cover any additional needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.
Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure Nginx

Add the following two lines inside the location block of every virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, load balancing through an upstream:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # the host in proxy_pass must match the upstream name defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with a 403 directly. Using the PHP host as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.

VII. Troubleshooting the installation

1. A missing APXS produces this error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2 T) \. j4 k5 f* {+ T2.没有pcre; _* X s) `- v' H, R! h
3 M8 c) i9 `/ K
configure: *** pcre library not found.
+ J& o' f, C, s9 }: M1 W5 R) jconfigure: error: pcre library is required8 X8 E, _1 y$ E/ H) }5 s
解决方法:
) L$ A7 M% P, f h+ ~& a+ J) D& j' i, s& l" n
yum install pcre pcre-devel3 O' f" c/ l4 y- ]9 X
3. libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same mismatch:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

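A small lint for the modsecurity.conf assembled in section IV and section VII.5 (an added example, not code from this article or from ModSecurity): it checks that SecRuleEngine is On, that modsecurity_crs_10_setup.conf precedes the CRS rule files it parameterises, that Concurrent audit logging has a storage directory, and that the audit directory mode is not world-writable, which the 0777 above is. The sample configuration is constructed inline and the directive parser is a simplification that ignores line continuations.

```python
import re
# Constructed sample (hypothetical input, not a real file) of the modsecurity.conf
# this page assembles: SecRuleEngine On, the section IV CRS Includes (deliberately
# out of order here) and the section VII.5 audit-log directives.
SAMPLE_CONF = """
SecRuleEngine On
SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
"""

DIRECTIVE = re.compile(r"^\s*(\w+)\s+(.+?)\s*$")

def parse_directives(text):
    """Return (directive, value) pairs in file order, skipping blanks and comments."""
    pairs = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            m = DIRECTIVE.match(line)
            if m:
                pairs.append((m.group(1), m.group(2)))
    return pairs

def lint_modsecurity_conf(text):
    """Return findings for the settings this page's setup depends on."""
    pairs = parse_directives(text)
    values = dict(pairs)
    findings = []
    # 1. The engine must be On; with DetectionOnly the CRS only logs, never blocks.
    if values.get("SecRuleEngine", "").lower() != "on":
        findings.append("SecRuleEngine is not On: rules will not block requests")
    # 2. The setup file defines the variables the rule files rely on, so it must
    #    be included before any base/optional/experimental rule file.
    includes = [v for d, v in pairs if d == "Include"]
    setup = [i for i, v in enumerate(includes) if v.endswith("modsecurity_crs_10_setup.conf")]
    if not setup:
        findings.append("modsecurity_crs_10_setup.conf is not included")
    elif any("_rules/" in v for v in includes[:setup[0]]):
        findings.append("CRS rule files are included before modsecurity_crs_10_setup.conf")
    # 3. Concurrent audit logging writes per-transaction files into SecAuditLogStorageDir.
    if values.get("SecAuditLogType", "").lower() == "concurrent" and "SecAuditLogStorageDir" not in values:
        findings.append("SecAuditLogType Concurrent set without SecAuditLogStorageDir")
    # 4. A world-writable audit directory lets any local user tamper with the evidence.
    mode = values.get("SecAuditLogDirMode")
    if mode and mode.isdigit() and int(mode, 8) & 0o002:
        findings.append("SecAuditLogDirMode %s is world-writable" % mode)
    return findings
```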
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614