ModSecurity started out as an open-source WAF for Apache and is an effective way to harden web applications. It now also supports Nginx and IIS; combined with the flexibility and performance of Nginx it can be built into a production-grade WAF, a strong tool for both protecting and auditing web traffic.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 base repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for Nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build has finished, the ModSecurity module can be added to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity's job is to filter and block web attacks, and its strength lies in its rules. The rule set provided by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which logs matches but does not block them).

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling the corresponding files into modsecurity.conf with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
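A pre-flight check for the layout built in this step, to run before nginx -t (added example, not part of the original post). It assumes modsecurity.conf and unicode.mapping sit in the nginx conf directory and that Include paths are relative to that directory, as above; the two most common slips it catches are SecRuleEngine left at DetectionOnly and modsecurity_crs_10_setup.conf.example never renamed.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# ModSecurity + CRS layout described above, before running nginx -t.
# Assumes modsecurity.conf and unicode.mapping sit in the nginx conf dir
# and that Include paths are relative to that dir, as in the post.
#
# Usage: check_modsec_conf /opt/tengine/conf
# Prints one line per problem; the return code is the number of problems.
check_modsec_conf() {
    confdir=$1
    conf=$confdir/modsecurity.conf
    problems=0

    if [ ! -f "$conf" ]; then
        echo "missing $conf (copy modsecurity.conf-recommended and rename it)"
        return 1
    fi
    if [ ! -f "$confdir/unicode.mapping" ]; then
        echo "missing $confdir/unicode.mapping (copy it from the ModSecurity source)"
        problems=$((problems + 1))
    fi

    # modsecurity.conf-recommended ships with DetectionOnly, which only logs;
    # the last uncommented SecRuleEngine directive must say On to block.
    engine=$(awk '$1 == "SecRuleEngine" { v = $2 } END { print v }' "$conf")
    if [ "$engine" != "On" ]; then
        echo "SecRuleEngine is '${engine:-unset}', expected On"
        problems=$((problems + 1))
    fi

    # Every Include must resolve; the classic miss is leaving
    # modsecurity_crs_10_setup.conf.example unrenamed. (Paths without spaces.)
    for inc in $(awk '$1 == "Include" { print $2 }' "$conf"); do
        case $inc in /*) path=$inc ;; *) path=$confdir/$inc ;; esac
        if [ -e "$path" ]; then
            continue
        elif [ -e "$path.example" ]; then
            echo "Include $inc: only the .example file exists, rename it"
        else
            echo "Include $inc: file not found"
        fi
        problems=$((problems + 1))
    done

    return $problems
}

if [ $# -gt 0 ]; then
    check_modsec_conf "$1"
fi
```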
V. Configure nginx

In the location block of every virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, load balancing through an upstream:

# the upstream name must match the host named in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, malicious requests are rejected directly with a 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
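The browser checks above as a repeatable smoke test, worth rerunning after every rule change (added example, not part of the original post). It assumes curl is installed; the host and the expected status codes are the post's own, and BASE can be pointed at a staging host instead.

```shell
#!/bin/sh
# Added example (not from the original post): the browser checks above as a
# repeatable smoke test, to rerun after every rule change. Needs curl.
# Host and expected status codes are the post's own; override BASE for a
# staging host, e.g. (saved as modsec_smoke.sh) BASE=http://127.0.0.1 ./modsec_smoke.sh --run
BASE=${BASE:-http://www.52os.net}

# Prints only the HTTP status code for a URL. Kept as a separate function so
# it can be swapped out (the test below replaces it with a fake server).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# One probe per line: expected status, then the request path. These are the
# post's own requests, URL-encoded so curl accepts them as a browser would.
PROBES='200 /phpinfo.php?id=1
403 /phpinfo.php?id=1%20and%201=1
403 /phpinfo.php?search=%3Cscript%3Ealert(%27xss%27)%3C/script%3E'

# Runs every probe, prints one PASS/FAIL line each and returns the number of
# failures. A 200 where 403 was expected usually means SecRuleEngine is still
# DetectionOnly or the relevant CRS file was not Included.
run_probes() {
    failures=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        got=$(http_status "$BASE$path")
        if [ "$got" = "$expected" ]; then
            echo "PASS $expected $path"
        else
            echo "FAIL expected $expected got ${got:-none} $path"
            failures=$((failures + 1))
        fi
    done <<EOF
$PROBES
EOF
    return $failures
}

if [ "${1:-}" = "--run" ]; then
    run_probes
fi
```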
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same mismatch:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9). yum will also remove the packages that depend on it, httpd among them, so review the dependency list it prints before confirming:

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following (0777 is broader than needed; the directory only has to be writable by the user the nginx workers run as):

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614