ModSecurity started out as an open-source WAF for Apache and noticeably hardens a web application; it now supports nginx and IIS as well. Combined with the flexibility and efficiency of nginx it can be turned into a production-grade WAF, and it is a strong tool for protecting and auditing web traffic.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module is built, add it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is about filtering and blocking dangerous web requests, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write your own rules for whatever else you need.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by pulling each rule file in with an Include line:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines inside the location block of each virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Second, load balancing with an upstream:

# The upstream name must match the host used in proxy_pass below.
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, a malicious request is answered with a 403 straight away. Using the PHP setup as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
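To repeat the three checks above without a browser, here is a small Python script (an added example, not part of the original post) that sends the same requests, percent-encodes the query the way a browser does, and treats the expected 403 as a result rather than an error. BASE_URL is a placeholder to be replaced with a host you administer.

```python
"""Smoke-test the WAF with the three requests from the testing section.
Added example, not from the original post. BASE_URL is a placeholder:
point it at a host you administer (the post used www.52os.net)."""
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://waf.example.test"  # placeholder, not a real host

# (path, query parameters, expected status): the cases used in the post
CASES = [
    ("/phpinfo.php", {"id": "1"}, 200),
    ("/phpinfo.php", {"id": "1 and 1=1"}, 403),
    ("/phpinfo.php", {"search": "<script>alert('xss');</script>"}, 403),
]

def build_url(base, path, params):
    """Percent-encode the query: a browser does this for the raw URLs in the
    post, and http.client refuses a request line containing a space."""
    return base.rstrip("/") + path + "?" + urllib.parse.urlencode(params)

def http_status(url, timeout=10):
    """Return the HTTP status code. urllib raises on 4xx/5xx, and the
    expected 403 is exactly that case, so turn the error into its code."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_checks(base, cases=CASES, fetch=http_status):
    """Return [(url, expected, got, ok)] for every case; fetch is injectable
    so the comparison logic can be exercised without a live WAF."""
    results = []
    for path, params, expected in cases:
        url = build_url(base, path, params)
        got = fetch(url)
        results.append((url, expected, got, got == expected))
    return results

if __name__ == "__main__":
    import sys
    results = run_checks(sys.argv[1] if len(sys.argv) > 1 else BASE_URL)
    for url, expected, got, ok in results:
        print("PASS" if ok else "FAIL", got, "expected", expected, url)
    sys.exit(0 if all(r[3] for r in results) else 1)
```

Run it as `python3 waf_smoke.py http://your-host` after changing the rules and it exits non-zero if the benign request is blocked or either attack pattern gets through.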
7. Troubleshooting the installation

1) Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object (DSO).
Fix:

yum install httpd-devel

2) pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4) Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log then shows:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614