|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
- N/ n# \+ e% }8 L% p! q0 r1 }* z( |" o1 J! ~
一.准备工作0 H6 v6 H; e$ L! c. l" J
7 {" B0 g. p6 Q6 N% q系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
6 H; e3 t5 x- K8 c+ X' K+ Y+ t3 e* P% R5 Z9 m
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
; O+ \4 _3 n5 E+ S! q* g+ I8 ~; i4 ]$ j8 \( B
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
+ h5 K" R5 G. n- s4 Z- t
: v$ |0 ]& y3 [3 ~6 Z IOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
( k; D2 f# Y) F- X: p+ O" X6 @; J/ [" d: I4 _( a
依赖关系:
; b3 R" q% b3 J* L$ ~* |" ?tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:2 F" b7 c% I; N$ \4 k) X
# C! U: [& I# A% j( Y2 D& L$ xyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
% I' h9 E: L; `8 ~' d* F7 A# ^modsecurty依赖的包:pcre httpd-devel libxml2 apr0 l$ g( y) G# d5 z [
$ r, c9 Q/ ] X* P# s' |3 zyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
* D( I6 |( o3 y' G3 W8 b- g二.启用standalone模块并编译
) u2 ^- g9 G. b4 s+ D% f5 g' W7 k+ D6 M* t, B" s; H
下载modsecurity for nginx 解压,进入解压后目录执行:
( ]9 X: s' q5 i" c4 u8 y r8 p, |: G+ `$ |# d8 r4 R8 Z( r
./autogen.sh
" P& M6 ~' Q/ P, ?./configure --enable-standalone-module --disable-mlogc* H& e" X7 d/ B
make
0 s+ b$ G$ \1 }三.nginx添加modsecurity模块
$ ] r8 [7 D8 b8 x
$ d2 x4 o9 a9 V/ P在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
* x! A! M, J# i% A. f$ p( z; x3 v" R
8 [5 e4 L% H% u' _( O./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine# H z0 k" ?/ M# C+ R f* E
make && make install& l2 {$ [* A+ v. M& ?6 Q
四.添加规则+ m# I. e0 `9 ~$ B' Z' U1 ~$ D
3 Y) A. J* N- @, M3 B2 l0 {
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。0 M2 X s7 R1 b$ E. M
3 R3 g" q# [: y) K
1.下载OWASP规则:# ~8 A# D0 d% J" {. }- ^6 t2 E
" v) e# a' `5 |" y) n1 h. A# D egit clone https://github.com/SpiderLabs/owasp-modsecurity-crs3 t. u3 O, X5 a$ a* i
4 L+ u" \1 o, I& D/ r- y, S
mv owasp-modsecurity-crs /opt/tengine/conf/
8 X# E' {% o$ |& i6 c% c4 n5 O8 E3 m% }4 O; F
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf ]5 y9 U! T( n( B5 t% }
2.启用OWASP规则:! m/ b8 R$ v+ F. h: l
# o- V- r0 j/ m/ c) |! r复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。. _3 S' O$ l, ?9 M" @3 z
& q" D: ]" x6 F" @* s编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
- b [% u& {2 y2 t8 m* L; I: g* g' d
5 q3 c" v& {6 _7 m) W% P3 I$ bowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
5 Y2 O$ _; K2 ?1 G) P" q2 \( D" x9 J/ H' T& c1 V
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
, N! u# A/ p3 @* P5 zInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf& v3 C+ J# _. C0 z2 x" ^' a. B! k
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf% L$ q3 m4 g b) d% h8 z" P
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf$ X: c' g% o' X4 |6 U/ k
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
% L) G4 o" V) N% T& b5 YInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
" [9 N( M& v- @, x2 iInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
7 t/ s E* ?9 s# ~0 v" [五.配置nginx
9 z4 I& X) Z$ `% H+ g u* B4 @! a/ Y; H. L
在需要启用modsecurity的主机的location下面加入下面两行即可:! B7 E4 F( ? {4 b. ?
; \# |- i( ]0 B8 l) p. ~4 }- p; UModSecurityEnabled on; ) x" j8 U' ? j2 Z
ModSecurityConfig modsecurity.conf;
$ [9 s- ^( u; j下面是两个示例配置,php虚拟主机: N- }% K- u/ Y+ O F
3 f0 x6 K9 r7 o' Tserver {
) M$ ^8 o& ^5 | listen 80;
* G* a) R$ e8 r8 F* k server_name 52os.net www.52os.net;
8 A% d9 O b6 {7 U 4 |+ R+ [ X# I' s
location ~ \.php$ {
# C! x8 _' |# k$ s) p ModSecurityEnabled on;
1 Q3 L5 R/ o' s/ x4 E& g1 g ModSecurityConfig modsecurity.conf;
- Q. B8 Z3 n# T* P! _+ P- K2 ]0 a
8 Z, A# N# h4 U. S: W, ], p root /web/wordpress;0 R6 Y0 [4 O( J& e, ~. ^2 e
index index.php index.html index.htm;) c$ {9 J% x4 q% q2 v: H9 h
: O/ w# k, e: o9 ~) N
fastcgi_pass 127.0.0.1:9000;3 v- F6 E. k( A/ _
fastcgi_index index.php;0 y/ O9 w" H, H w0 i
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;& ^2 T# \9 t5 l
include fastcgi_params;6 ~ ^! L$ @2 B% M$ q B
}
4 L5 w/ ]# W1 h# E% o$ a }
* d( d& f l0 h' Q- Q' j+ e4 _upstream负载均衡:6 t% n, Q; Q8 t) D/ z; _6 a% |0 w
' D5 z' W% |# ~2 c- h, B
upstream 52os.net {( B' p3 i2 ^+ _* b
server 192.168.1.100:8080;$ B6 s: Q; s: G/ n
server 192.168.1.101:8080 backup;
4 H; D4 [- t: f" W}& ^$ w! W: i! M. K2 ] i6 S/ z
1 n- ~4 t* n `8 o, |3 B
server {
3 r) ^2 z: a4 ?2 K9 j+ elisten 80;
! J! B2 w7 y; N6 l- Y" o1 m- u' eserver_name 52os.net www.52os.net;
! I3 n0 R( c0 D$ O! W* {% E$ G
3 E$ X6 d+ p/ J$ ~ W% @% z+ Klocation / {
: X/ X2 F' e/ c3 D* K ModSecurityEnabled on;
) w* ?# t. Z2 l8 Y ModSecurityConfig modsecurity.conf;
# }9 b% \# C0 f% o1 \
2 Q5 X9 Z& q8 w proxy_pass http://online;/ }) Y/ p: c( Z/ T! ~6 E, ~6 ]
proxy_redirect off;
" p5 } c. B( {/ d proxy_set_header Host $host;8 j. W1 ^5 y4 M' A
proxy_set_header X-Real-IP $remote_addr;
2 L+ B' @3 w( |2 A; h9 z7 p7 U proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;4 `6 \9 J3 j- N/ J8 R3 T
}
% _( s9 F+ t' s, e/ k2 O}: ~# P. _% D. q: u' |2 O' v
六.测试
# V$ y0 u3 c, `6 o0 Y9 i8 D3 X8 G& Y6 R$ d+ H9 C/ V
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
$ X, b' s; B, Q% {
4 x# I: d [# F/ y+ V* ?2 X<?php
& \- { b/ \% x8 ~& G5 O. Y7 {+ c phpinfo(); h6 t# v" w5 M8 a+ }5 J
?>6 `# Y T5 O: R8 u
在浏览器中访问:
( E8 K; @+ {) X/ H1 w3 [
2 L3 U9 e$ u7 n+ z( ahttp://www.52os.net/phpinfo.php?id=1 正常显示。
/ @ q# V' {5 g) v7 F$ u5 O2 Qhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。5 o# B p5 u. o. P
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
" `$ Q6 u; {/ S$ w Q说明sql注入和xss已经被过滤了
. V& z+ K6 q4 @! |' I$ v1 P0 o2 H+ @- V4 z- U, L
七、安装过程中排错9 _- f3 j- U: y; r1 c' J2 ^
! I& ]; ?: U* P! I* H
1.缺少APXS会报错
8 g {# n! `, C* B' b% m+ D+ K+ n$ D b# u: E/ R& f
configure: looking for Apache module support via DSO through APXS0 C7 q: C1 Y n* A4 t
configure: error: couldn't find APXS, B( V2 J2 _% O, `, Q( P0 V
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。. E' c; T$ {+ v' L! @
解决方法:1 I$ X& X1 M6 m& c. \% b6 g
$ Z7 b+ `% L, |4 G; y$ _. z
yum install httpd-devel+ N) T: b. L" R# T8 A0 x$ h
2.没有pcre
: O2 p: S+ `, E3 A5 c( G; w
1 R; z7 \7 |" @/ E( Gconfigure: *** pcre library not found.
3 M4 N" {+ d! f5 _7 D* ^6 p7 M2 Y6 {configure: error: pcre library is required- A; `5 E" z( x! s: D
解决方法:
`5 r2 U; P1 H7 \1 B& j4 q! P6 \' ~/ v
yum install pcre pcre-devel
& Q. _0 U# e: u4 ?3.没有libxml28 U/ W7 Y5 Y6 C* n3 F ~# W' n
' k% R4 }8 R) r, J- W5 G3 J& E- s2 B8 r' w1 o% x0 G4 A
configure: *** xml library not found.& m8 v- v. l h: C5 E% V. E
configure: error: libxml2 is required+ ?2 u( i, X+ T" b) i$ F% c
解决方法:
, y, H/ q) z2 @- x6 j) D
) ]/ n4 ~9 Y; ryum install libxml2 libxml2-devel: p7 G3 o: ]/ b& D! n/ D
4.执行 /opt/tengine/sbin/nginx -m 时有警告
3 [% V. \8 M4 n Z- q# m+ x7 |1 a3 F
: ?+ I8 O) {. I* N/ u" a: A/ H; GTengine version: Tengine/2.1.0 (nginx/1.6.2)6 V% K8 ]1 m) M
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!1 t5 y. E$ E9 H
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log; y2 A6 D/ `, ^, N
2 p- |# X4 @2 c1 l8 `; ^, [2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured. @: c$ E' W/ }8 T6 r/ i7 I- _
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
6 V4 n' o( Q7 G2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!4 I) i$ [0 w3 v: R" U i. T! O- `
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"" M* C/ w8 U0 L7 c/ u4 y/ Z
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
8 K' L7 v& U% D: o7 d2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
% D& t# x. D A6 J% M. ^6 |0 H9 G6 B解决方法,移除低版本的APR (1.3.9)
/ d' o @- R5 j9 Z9 S1 w
& T6 Q8 U6 A5 y# x, W) ^# S8 nyum remove apr3 G. A8 W: `1 Q3 \
5.Error.log中有: Audit log: Failed to lock global mutex
5 A& ^( i" t, d- O' ?: Q0 W' B* p, \* a1 M4 G4 t! ]( E' e
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 9 S9 h2 m4 z- {2 h
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]( u$ [7 a8 U! w4 _% V
解决方法:
! g2 e& n w8 X" H& W% b编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
3 [1 `2 v M9 C$ t, a- j6 _8 q" Y) V. A- l
SecAuditLogDirMode 07774 ]3 l* F# M: X) X+ ]. B
SecAuditLogFileMode 0550
. S0 K3 \0 L' Y! e9 ], e. U2 _SecAuditLogStorageDir /var/log/modsecurity4 l( R" Q$ O" ~) T+ L7 _ q
SecAuditLogType Concurrent5 |) x+ C) u; ]3 d
参考文章:/ Y8 u1 k, N1 u( s; J
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX x( V: D( }6 A
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡