|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。& n3 R/ q# Y" r
4 G5 ]+ K% G1 b, K5 G" N6 R4 _一.准备工作
! r7 U) n3 {/ U3 n5 l
7 N" M4 ^; f" F# Q; S& U系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.07 }$ [+ p: @& B* c& R+ O# _3 [
0 z& _8 R3 o1 j! rtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
2 W, `* C2 m- q1 V
' g* F9 i" f& @- L- R- S" @5 Smodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz* q+ v1 b# ?, e# g7 I& T
/ D: z9 ^: [5 x# h O
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
& W- G4 b/ \$ h9 h0 G
$ G5 `% q6 h! k依赖关系:
3 e" r& Z! u1 | E5 ^ E5 ~tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:; B' j8 t q: Y/ @! ]
( Z- L3 ^7 G9 L# Wyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel6 E; ~" z! E# l! V( n# {" [
modsecurty依赖的包:pcre httpd-devel libxml2 apr3 q4 |3 X! ?% t4 |! o! P
. A; B; g; ?* ~& i) }1 i* R
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
/ k, Z2 g- w' n9 u9 w二.启用standalone模块并编译( ^; c& U' U. k6 g
+ W$ C: o( k) I% N% d下载modsecurity for nginx 解压,进入解压后目录执行:
" m3 \* v$ a: G8 o: @4 \- @# z: \' M- n
./autogen.sh$ C; D5 k3 O6 A8 X7 \0 f7 H1 w, {6 D4 H
./configure --enable-standalone-module --disable-mlogc
' G1 B! C. R Wmake i2 |) |, E5 u
三.nginx添加modsecurity模块
X+ B; X3 B& J7 }1 A) I" M# D' K6 d% n% J+ ?% V% q
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
& `# {7 m6 }+ U$ Q" m. V
3 E+ q, l! }) E/ v) n./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
/ }4 X' B- [& Tmake && make install5 y6 O n! i5 |
四.添加规则
4 f4 z; a) z. C! j1 a- K' t
; _9 i4 q' X1 O( n! T2 f' r: Ymodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
$ s7 N$ ^" R- q3 I1 W; n7 _" m' i, Y$ u" |4 ?/ R. ^# g8 z$ [
1.下载OWASP规则:
; T+ _1 B/ S, Q4 `. h) T( ?% Y5 V5 P/ k
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
n/ W' N g# M2 i* H. k4 \+ c9 [$ l
mv owasp-modsecurity-crs /opt/tengine/conf/
( ^. x0 }0 ?' a0 K
% b/ H, K* ] R9 j' E. P7 fcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
/ X9 E+ G" u0 r* x- ?, V2.启用OWASP规则:
1 z) P0 |7 i0 F9 `" c, w
8 ?5 f2 E! g* c+ A复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
# l$ l) U3 v2 ]! A3 M
9 A! M2 q# s+ z) @% S/ l* C编辑modsecurity.conf 文件,将SecRuleEngine设置为 on, S# J9 |3 x+ N, ^' M7 H4 E+ V
6 p: Z( X" x& t( x5 ], D1 l7 J
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。% w k% q& ^6 B
0 E4 q+ y% L' Q
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf! P8 }. o6 Z; R
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf* y6 @2 K; P8 e. @
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
) b5 v# O( r2 `+ J: W2 I6 N1 uInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
5 _7 { p/ t3 i8 I: S3 j! SInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf7 x& k( \/ i+ J$ \2 O9 p* e/ X
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
* }1 `( R$ K8 H$ i9 ]' r4 E5 Z3 `0 MInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
( G3 @# Q+ ^7 p6 Z& T+ @- j五.配置nginx
- j; I7 P$ @) r! u" h9 f8 I5 \! C% [ D, Z2 X
在需要启用modsecurity的主机的location下面加入下面两行即可:
9 s' @8 O1 P7 @$ _% s) c7 l, p+ n0 n) j; t6 m* }" |
ModSecurityEnabled on;
! h6 z! l! F9 [% W; B, NModSecurityConfig modsecurity.conf;+ B% W# g6 T, `3 b* d( y
下面是两个示例配置,php虚拟主机: T" k2 A' K7 o5 Q# j$ N
9 U8 e h3 Z% `3 z' y5 i
server {
, p2 U7 ?4 W& a6 ` listen 80;
8 T" P; |# t2 P% Z5 u) m4 K/ I server_name 52os.net www.52os.net;
M! ?) l* [" g @9 f& c 0 V0 W! a# U8 `% l' b
location ~ \.php$ {
- e0 O( p2 f# |9 ?! G3 X7 H ModSecurityEnabled on;
% D" x3 j1 b- y3 M# D: B ModSecurityConfig modsecurity.conf;5 w+ P6 l* Q4 q' S, l
3 }8 o: e( d. {1 ~ root /web/wordpress;
5 Q( l5 ]( l+ v( e/ X) K. h index index.php index.html index.htm;
_/ q" B1 l1 F& O4 l
0 ]8 @' `, v; W w fastcgi_pass 127.0.0.1:9000;
M& F- o! s5 y* P+ | J fastcgi_index index.php;7 L+ T+ {: J0 O) k* R9 F
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
* V2 Q( i) V; f8 j, C" R; ^( o# t) L include fastcgi_params;
( r) J+ a+ h5 n+ {0 R" s4 t3 O }
# o9 _4 [9 L' R. s& ^! N4 \ }+ j h9 P) x1 D) T1 w4 h6 [6 _4 x
upstream负载均衡:
- I1 t1 N- T1 a% Y8 q4 ^
' R. }3 n9 o' [' g$ o" _8 gupstream 52os.net {3 Y% i2 N* d- V( N1 B
server 192.168.1.100:8080;) L; M7 O! h/ w @1 a
server 192.168.1.101:8080 backup;
3 @" `1 d% m/ g# \/ O. Z}
, H# ~/ a: O! C/ m( B8 v- Z, k! _6 U- R5 G9 y
server {7 `; Q- r6 H( `3 e7 l) i8 d6 S! e. z
listen 80;- {7 O U% ]& A( ?$ ?, e7 f
server_name 52os.net www.52os.net;7 H( D" W1 j, i
$ V' a; Q: a* H! }
location / {- f1 y7 A2 f4 ^2 m" S3 Q! F- Z2 w* D' L
ModSecurityEnabled on;
( X/ u# t3 r! H5 F% H ModSecurityConfig modsecurity.conf; . B* U3 \* u6 m) H. S3 a) R$ f: T
" @& A( L: K0 S- @
proxy_pass http://online;0 L3 N% q0 C( X$ S0 D: L6 _
proxy_redirect off;
% H# F& k7 C5 ^: L4 t' p proxy_set_header Host $host;2 d1 t; w9 i# Z4 o5 T# s% ^" |
proxy_set_header X-Real-IP $remote_addr;
# }& d! S7 ~2 e proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;2 G; a @+ Z$ R3 c: Y
}
: U, i0 P* `5 \3 i9 _% m! _- P}
% b. S# |0 T1 ?+ L9 e/ n1 x0 B六.测试 s4 ~8 |, N. U" F, A
, X% _' @2 D/ O0 V7 a3 }
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
7 o8 B9 \ q% w& x' T
& _% u+ ]% c( H Y2 S6 J& `4 n* Z" ~<?php
6 {6 T- Y7 D3 c3 u7 f& N phpinfo(); 5 |$ u% w* z+ c y4 B: ]4 _
?>
* e3 M+ ~9 [. L% J- k) p. a, Y, F在浏览器中访问:5 j: o: R; A5 p1 q5 n' w$ ]
. i0 U6 u- [6 |9 k6 [" c u$ C
http://www.52os.net/phpinfo.php?id=1 正常显示。
* \; }: E2 s% ^http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。 V) S5 V* B5 O" W- ^
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。3 Y; {, d, c6 A5 `) n
说明sql注入和xss已经被过滤了0 ?1 i, H! o2 ]. l& _% I, f
. X# b. B. ^, i' Q/ u3 ]
七、安装过程中排错
. z9 Y' L1 _% l3 y4 o
& u. U5 x1 T: S' |, O8 H1.缺少APXS会报错
2 D2 ?. @5 n4 ~( e ^$ T
1 h- u# m: W' V9 j1 T4 [/ vconfigure: looking for Apache module support via DSO through APXS/ H5 V+ @- l V3 C2 p
configure: error: couldn't find APXS& u: f6 Z2 a0 Z: e) ~; M" D0 y
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。3 T$ N+ F1 v' h; s9 W8 \) z
解决方法:- A. T0 }, h& |) Y0 p+ p* X3 Z
5 ~& p) S9 M% g' E9 yyum install httpd-devel: b. a- `1 }1 U/ B" C
2.没有pcre( `9 l5 E0 P D3 n0 K
4 K$ u9 A0 X, {! e' ~5 z) Lconfigure: *** pcre library not found.
! o2 n3 e m3 dconfigure: error: pcre library is required
( ~, v# T& p9 I# j) G9 @3 ~' r7 e. d解决方法:& U' L) x e; h# p1 t6 {
, {9 n1 v( t; M0 Z* `3 R; Wyum install pcre pcre-devel
9 G9 b) ^+ {9 L8 i" h5 J# I3.没有libxml2
" ~- \& {; A% W' P4 A$ t
" }3 \9 n. P, P- P- B+ u- z" Z( J5 i' }: G5 E9 q2 J
configure: *** xml library not found.& R/ t" p; W0 ?) q, o
configure: error: libxml2 is required3 C- N% Z p& O
解决方法:4 X# h- s O- K( Z' g6 F# O& z
4 h. g* O8 E% A4 m
yum install libxml2 libxml2-devel
4 }, V* M% Z/ _! W7 T- j4.执行 /opt/tengine/sbin/nginx -m 时有警告
6 j, @ Y) `& ?5 Q2 Q2 u0 R2 { y7 j* N. d9 V- V- Q
Tengine version: Tengine/2.1.0 (nginx/1.6.2)0 H/ ^9 q' z* @: U$ W; X
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!* g* K- ^ {- C9 b( n
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
/ m% Y8 @/ ^5 D4 k6 x8 R/ o+ L. H" F5 j6 l0 |3 z
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.- l- v' c0 m$ T/ x3 G
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"6 e% C, L8 a2 Z
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
, ~, l9 B' Q \; k5 H5 U2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"; s0 ^5 Y4 {" L
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
" i4 A% P, R. Y8 a0 x2 q% S2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
$ q0 j7 S! f' W( L& F1 Q$ _解决方法,移除低版本的APR (1.3.9)
( Q% _+ @) u4 j/ J3 M. e1 `- O' V* T5 F( d
yum remove apr1 I2 s0 f: J/ x" y& o# \- u
5.Error.log中有: Audit log: Failed to lock global mutex
/ G" o0 m2 Z! @& ^ a' e1 P
! U# P! v8 J, G/ ~* E ^& H; d2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock / f! z! f" T* a6 _7 |
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]8 j0 e V8 {- s% F
解决方法:
! F& @9 `! P3 P ` s编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
7 s7 k0 m/ d; h# H2 c: x" w8 R8 s) s3 k
SecAuditLogDirMode 0777
8 y1 @# K2 H/ I* Z& \9 L& HSecAuditLogFileMode 0550( D3 }0 X! c* T2 `' T0 O
SecAuditLogStorageDir /var/log/modsecurity
v, o1 B* d1 RSecAuditLogType Concurrent
# w8 p. E8 f( E/ [. W. w7 _- w6 S1 s) P参考文章:
3 b2 i" S, \ w1 p* Thttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX( k0 ^% }1 Q' l1 f' P! o& P0 b
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡