|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。* U( m; ?' q3 g1 r; M
! _$ k A- x3 |/ Q+ m k
一.准备工作
2 t1 H- a; k7 b0 e# }( q7 \$ j, p! K; d X% P
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0" G7 w2 l) m7 |2 F9 S' i8 c
# s8 [; L6 q/ v M7 G; T& p- ctengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz1 C, ^5 X( s8 l
" H% Q P; r8 Y0 F$ f
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
. m4 I% Y' S4 x# E" V
1 o' b1 A6 R; }# _7 U! vOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs5 Q+ B2 W* k! Q8 h
+ `5 c6 E% n0 Z9 n+ c/ V依赖关系:
6 w' M" W' @" Ctengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:' q4 z: f# x' t2 d7 Z3 g3 u
2 k4 _! z2 E3 z& V# Q8 f' h
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
& I" T1 _) q( x B+ {, Z+ W3 n) umodsecurty依赖的包:pcre httpd-devel libxml2 apr
8 l3 N8 T; f: H2 J% O7 Z: m O: M P. d2 |
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
r& P' B. t4 l% d二.启用standalone模块并编译3 V- L) F) ~1 }% [" ]
, `2 |/ \+ B' U5 c& H$ [
下载modsecurity for nginx 解压,进入解压后目录执行:
0 k" e, b8 U! [) [4 c6 w, x- \, G! T! ]+ S) H+ M ?
./autogen.sh) j( A$ h! x$ X; z/ m
./configure --enable-standalone-module --disable-mlogc
. x& T8 ]( g6 L+ D/ S) Dmake , r* F8 c; u$ V1 s% r- J* Y
三.nginx添加modsecurity模块% n% W* h8 I5 d
, V8 ^: c+ b! I在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
3 \6 S T8 x0 O. w0 Z$ w8 p' j$ q" v( M& D) Y; m$ E0 k
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine' H$ ~* v$ m7 B7 K
make && make install/ M) i s; R) x8 C5 ^- w3 O5 j7 i
四.添加规则
4 e9 v$ {2 e5 m% H0 s& A; H' J6 V* D/ V- Q
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。1 P5 h& e P$ v% F
3 K/ m- W' y7 V9 g1.下载OWASP规则:$ m/ P; I/ H* V) o) u. e6 O) b" i
! Q2 ?0 b j4 p1 }* D V0 L2 i
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
- }4 e$ r. n5 Z# `+ k) Y9 J5 j% m5 o) f
mv owasp-modsecurity-crs /opt/tengine/conf/
+ A% | C# c) e. J8 K: M( j
9 H0 a6 B' E7 |( W5 icd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf( C/ U8 y) G2 F2 ]5 p
2.启用OWASP规则: ~2 W- P9 Q% v9 P
- G- q; j7 T7 m; Q& B s复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。. N& T) z. _7 t9 n; i1 A* t9 L
8 T$ Z. v( `( j: U$ X; `) D% A0 R; w
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
9 o; Q0 j6 h( ^, i! r" V D0 l% N0 A
; w5 N. [4 u: a7 Q: ]$ Eowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。# h2 l& [8 x7 c
" t3 k( \! z, b& u
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
) T" ^$ T( R. q- c, Q6 sInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf, D3 |3 r; o8 C; f3 ^/ [6 L% f# C. c N
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf; E& G+ C7 t* T6 l. P
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
; U8 u& @; z! n$ \: i7 IInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
% {0 D$ T( I8 [1 ]( s: M8 j' X( iInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
/ E2 B8 z4 ]/ Q5 yInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf" w2 W9 J8 E. `0 j
五.配置nginx/ q' }( Z u1 K0 y* l" v9 b }% q3 L& ^
! ?9 A6 B& K. u$ J
在需要启用modsecurity的主机的location下面加入下面两行即可:% N" _$ }' a8 K, C0 { m
% n. r' E- Z7 B+ ]/ ZModSecurityEnabled on;
- _9 A" I8 K% n+ w# M% JModSecurityConfig modsecurity.conf;
4 p3 S% X, o, @: A. ^7 u下面是两个示例配置,php虚拟主机:
, ~; F7 o6 ^# p6 j1 C) m& U, l/ g% m2 w( j& }9 B% T
server {0 G$ ~) B7 C. l" M. ?' m
listen 80;
9 G% T5 S' n4 d B0 h' ~ server_name 52os.net www.52os.net;
+ ?) \- v8 L: k% v . L& ` }6 }5 `. o6 [) v+ o1 P
location ~ \.php$ {( k- N3 _1 i' t0 v, g# _5 t
ModSecurityEnabled on;
: [. Q& _% m* ]) v ModSecurityConfig modsecurity.conf;2 z+ h7 \% r+ Z
, M8 Y5 B8 Z' e% F w root /web/wordpress;
3 R0 v, K/ i5 N6 b8 s6 \ R+ Y index index.php index.html index.htm;" j! ?6 A" j$ f. n( [- C+ H% t8 K
; e7 i$ b- J9 k8 ?6 G F) p( N: \
fastcgi_pass 127.0.0.1:9000;
) J3 o8 H) T: W" Y fastcgi_index index.php;2 y5 R3 B T* e4 y* N- X& c
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;8 e6 x% `7 w6 m7 T
include fastcgi_params;
. ~/ [( j' P% Y2 G' q/ M! d }
7 _/ p& V4 D$ f( j8 B5 K# t& j }, G# a! j$ F( {5 Z" E
upstream负载均衡:6 b/ G" a4 X% T9 g) }- o1 K
- D- h5 Y8 x1 J, q+ p. Yupstream 52os.net {0 I- @& K; H, T: }) h
server 192.168.1.100:8080;
7 B, k; x& y, C$ h2 ^ ~ server 192.168.1.101:8080 backup;* z7 n9 H4 _6 k+ e# B! L$ D
}
, J# l+ \) e- d0 o: T' z# D- [9 r, V7 q
server {
d+ g/ P/ b1 r- C/ C5 C; u9 Ulisten 80;
0 i/ |7 O' ]4 ]server_name 52os.net www.52os.net;" K( a2 p" ^( n. P) S5 U- ^
; S8 y" @9 g+ H$ a: {9 b
location / {& M9 f* f% v/ p( F" s4 z/ j1 o7 W8 {
ModSecurityEnabled on;
' K0 c0 |! t/ _* `* Q& k ModSecurityConfig modsecurity.conf;
' x( ]6 `- a: ~& G/ A! S8 g5 a5 B, l$ r/ e
proxy_pass http://online;
% c, Y, `, R2 Q. p! O0 d9 W7 C5 W proxy_redirect off;
" ~+ b0 j0 A0 G% l$ Q0 W proxy_set_header Host $host;* ]& i4 g% I# |0 u
proxy_set_header X-Real-IP $remote_addr;* L/ W; `' G1 Y% W5 t
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
& @ v* B% R1 U* @ }
0 [, a; I# \4 Y}
' J$ ?( r; x1 e, l. l六.测试
/ h( l. x; S& E; q6 N2 i7 I. [. A B5 j" o
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
8 }3 N0 e u4 Y6 M7 a( b% N
# z- c% g D ~- I3 N6 X- i9 t. Z<?php
! L4 c2 N( ~5 E phpinfo(); , i/ _% h1 e& i( n
?>; G$ A9 i5 v7 N/ T$ T) H
在浏览器中访问: F* m, n' z$ F( l" ^; T5 E1 m- C6 v
4 N" M+ Z, ]+ Q3 u+ k) thttp://www.52os.net/phpinfo.php?id=1 正常显示。
' A$ r1 H; C8 C/ Y; N: N3 mhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。0 a |9 k9 }8 ]" D+ v2 }* @& M V& I
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
4 D: Y2 \5 g- U# P) H' }7 g说明sql注入和xss已经被过滤了
+ }; P+ m+ S4 F8 t$ s
* Q$ ]" p, Y1 H七、安装过程中排错& U. p: q5 K6 _7 c4 K; O7 p
5 r$ _& Z1 P. @! @) H& v3 H# f1.缺少APXS会报错
: R& z) H6 ]; Q; F& M" s& S2 W: o
! \5 F0 D3 H* f- L# Cconfigure: looking for Apache module support via DSO through APXS
$ J; i2 n$ B. m. P, Yconfigure: error: couldn't find APXS
4 x: O" T& B p% P; zapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
7 f. O7 F, L+ L+ _- V2 c解决方法:& X. n, g9 j1 T
7 X5 ]! K8 x; E; K
yum install httpd-devel+ Y7 w9 f2 M& | Z, ^ n5 z& b
2.没有pcre
5 A7 w: s( |7 y3 @$ G: }
3 v- G6 r4 N* D! ?3 S- ]configure: *** pcre library not found.6 v0 L5 f0 a: i M1 z: d0 u2 ]2 V$ a
configure: error: pcre library is required
1 I4 L1 R e/ }3 N9 v解决方法:" v1 o# X( V7 H5 t$ e3 u
" P$ }5 ]/ n4 d* _2 p9 Jyum install pcre pcre-devel
8 Y( b4 ]% ]/ L) S0 |( j" B4 w, N5 a3.没有libxml22 Y5 } R" U9 i0 e$ }. f
, C/ c+ {9 @' {" {( L3 g2 C
. O8 D/ X- a. U% h. c3 I$ Nconfigure: *** xml library not found.. K* T S9 `+ S8 y0 _# o- o
configure: error: libxml2 is required
8 ?. M8 b& ^% E4 S5 N解决方法:. V# G# W3 E5 G; O6 y( ]6 c9 {
% g3 }0 d8 d8 {$ v) T6 a5 M8 a9 X
yum install libxml2 libxml2-devel
1 ?2 w: J4 |9 w$ a$ C# N0 _4.执行 /opt/tengine/sbin/nginx -m 时有警告
/ N+ H) }9 F9 a. y2 i! D, L0 y: T, ? g7 J
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
; ~/ W7 F+ g5 X% s' Rnginx: [warn] ModSecurity: Loaded APR do not match with compiled!- y) @4 D J- u, H# P! T
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
# B% G* {9 y% S6 p9 m6 |4 F, e& n& s. M8 I* O2 Y8 a$ q
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.: q/ p x# `( f/ b7 [( K
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2 k- S* @5 F" C' f( N2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
, d8 l) y# ]# J' [8 Y) M2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
1 V% v2 u: z# E5 Q$ o4 a: X2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"& e& _1 v L# S) ~
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.9 [5 M/ A0 p% W" |9 b. z# ~ a
解决方法,移除低版本的APR (1.3.9)
5 B. Y! X" @( ?; p( z/ N! Z9 L; }$ f9 w3 ~. J) s, X/ ?! V' k% x
yum remove apr% x+ v3 L, Q p# `& A! w8 `2 G6 a
5.Error.log中有: Audit log: Failed to lock global mutex, C) ~; }0 W0 o' z
8 D$ J) G( U, j, f' x2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
6 R" d4 w: W% o, z+ Y# @global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
9 v8 q1 `: B7 W; X" N" l9 K解决方法:6 L5 w4 r' A' O! t
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:, P; t; S$ q4 v, U1 N
# x2 j# p A1 c& r3 ^2 C) ?$ F
SecAuditLogDirMode 0777& M0 ^) M- i8 A4 v3 `$ N9 X
SecAuditLogFileMode 0550
0 | R9 h7 X P) p" lSecAuditLogStorageDir /var/log/modsecurity0 c& t' d2 E6 \/ D- w
SecAuditLogType Concurrent! z- k P8 v6 V$ z$ e
参考文章:& H8 z9 A. k ]; Z# X0 o
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
) p5 {4 n) j# J: N4 M2 v5 ehttp://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡