ModSecurity started out as an open-source WAF for Apache and noticeably raises the security of a web tier. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF and is a strong tool for protecting and auditing web traffic.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set (CRS): https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl, all of which are in the CentOS 6.5 base repository:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel (which supplies apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory (this is the procedure from the "Installation for NGINX" section of the ModSecurity Reference Manual listed in the references). --disable-mlogc leaves out the mlogc audit-log collector, which would otherwise pull in libcurl:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

/opt/tengine/sbin/nginx -V afterwards prints the configure arguments, including the --add-module path, so you can confirm the module was compiled in.
IV. Add rules

ModSecurity is built around filtering and blocking dangerous web traffic, and its strength lies in the rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS). It is reliable and broad, and you can also write custom rules for anything it does not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which only logs matches; nothing is blocked until the engine is On.

owasp-modsecurity-crs contains several rule directories, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines for them to modsecurity.conf. The 10_setup file must be included before any rule file, because the rules reference variables it defines.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

If nginx -t complains that an included file cannot be found, use absolute paths (/opt/tengine/conf/owasp-modsecurity-crs/...) in the Include lines.
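The four steps above (dependencies, standalone build, nginx build, rule wiring) as one script, added here as an example and not the post's own script. Versions, URLs and paths are the ones given above; the RUN_BUILD switch, the function names and the choice of absolute Include paths are this example's own. Nothing runs until RUN_BUILD=1 is set, so the file can be sourced to reuse wire_config on its own.

```shell
#!/bin/sh
# Build Tengine with the ModSecurity standalone module and wire in the OWASP CRS.
# Added example following sections I-IV of this post; not the post's own script.
# Versions, URLs and paths come from the post; RUN_BUILD and the function names are ours.
set -eu

TENGINE_VER=2.1.0
MODSEC_VER=2.8.0
PREFIX=/opt/tengine
SRC=/root
TENGINE_URL="http://tengine.taobao.org/download/tengine-${TENGINE_VER}.tar.gz"
MODSEC_URL="https://www.modsecurity.org/tarball/${MODSEC_VER}/modsecurity-${MODSEC_VER}.tar.gz"
CRS_REPO="https://github.com/SpiderLabs/owasp-modsecurity-crs"

# Section I: build dependencies for both Tengine and ModSecurity (httpd-devel supplies apxs).
install_deps() {
    yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel \
        httpd-devel apr apr-devel apr-util-devel libxml2 libxml2-devel git
}

# Section II: build ModSecurity as a standalone module (no Apache, no mlogc).
build_modsecurity() {
    cd "$SRC"
    curl -sSLO "$MODSEC_URL"
    tar xzf "modsecurity-${MODSEC_VER}.tar.gz"
    cd "modsecurity-${MODSEC_VER}"
    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make
}

# Section III: compile Tengine with --add-module pointing at the standalone module.
build_tengine() {
    cd "$SRC"
    curl -sSLO "$TENGINE_URL"
    tar xzf "tengine-${TENGINE_VER}.tar.gz"
    cd "tengine-${TENGINE_VER}"
    ./configure --prefix="$PREFIX" \
        --add-module="$SRC/modsecurity-${MODSEC_VER}/nginx/modsecurity/"
    make && make install
}

# Section IV: wire_config CONF_DIR MODSEC_SRC_DIR
# Creates CONF_DIR/modsecurity.conf from the recommended file, switches the engine from
# DetectionOnly to On, activates the CRS setup file and appends the Include lines.
# Absolute Include paths are used so the result does not depend on nginx's working directory.
wire_config() {
    conf="$1"; src="$2"; crs="$conf/owasp-modsecurity-crs"
    cp "$src/unicode.mapping" "$conf/unicode.mapping"
    # GNU and BSD sed disagree on -i, so write the rewritten copy directly instead.
    sed 's/^SecRuleEngine .*/SecRuleEngine On/' "$src/modsecurity.conf-recommended" \
        > "$conf/modsecurity.conf"
    if [ -f "$crs/modsecurity_crs_10_setup.conf.example" ]; then
        mv "$crs/modsecurity_crs_10_setup.conf.example" "$crs/modsecurity_crs_10_setup.conf"
    fi
    # 10_setup must come first: the rule files reference variables it defines.
    cat >> "$conf/modsecurity.conf" <<EOF
Include $crs/modsecurity_crs_10_setup.conf
Include $crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include $crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include $crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include $crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include $crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include $crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
EOF
}

# Nothing runs until RUN_BUILD=1, so the file can be sourced to reuse wire_config alone.
if [ "${RUN_BUILD:-0}" = 1 ]; then
    install_deps
    build_modsecurity
    build_tengine
    git clone "$CRS_REPO" "$PREFIX/conf/owasp-modsecurity-crs"
    wire_config "$PREFIX/conf" "$SRC/modsecurity-${MODSEC_VER}"
    "$PREFIX/sbin/nginx" -t
fi
```

Run it as RUN_BUILD=1 sh build-waf.sh on the build host. wire_config regenerates modsecurity.conf from the recommended file every time, so rerunning it never leaves duplicate Include lines behind.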
V. Configure nginx

In each virtual host that should be protected, add these two lines to the location block (modsecurity.conf is the file placed in nginx's conf directory in section IV):

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First a PHP virtual host; note that with the directives inside "location ~ \.php$" only requests for .php files are inspected, and static files served by other locations bypass the WAF:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, an upstream load-balancing front end (the upstream name must match the one used in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Run /opt/tengine/sbin/nginx -t after editing so that both the nginx configuration and the ModSecurity rule files are parsed before you reload.
VI. Test

With the XSS and SQL-injection rules enabled, malicious requests are answered with a 403. Using the PHP host as an example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then request from a browser:

http://www.52os.net/phpinfo.php?id=1 is served normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows the SQL-injection and XSS rules are active. Every block is also recorded in nginx's error.log together with the id and msg of the rule that matched, which is where to look when a legitimate request gets blocked and a rule needs tuning. Remove phpinfo.php once testing is done; it discloses the complete PHP configuration to anyone who can reach it.
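The same check as a repeatable script, added here as an example and not part of the original post: it sends the three requests above with curl, fails if the benign one is blocked or a probe gets through, and then lists which CRS rule ids produced the 403s by reading nginx's error.log. BASE_URL, ERROR_LOG, RUN_SMOKE and the function names are this example's own; the probe URLs are the ones used above, URL-encoded as a browser would send them.

```shell
#!/bin/sh
# Smoke test for the WAF from section VI plus a look at which CRS rules fired.
# Added example, not part of the original post. BASE_URL, ERROR_LOG, RUN_SMOKE and the
# function names are this example's own; the three probe URLs are the ones used above.
set -eu

BASE_URL="${BASE_URL:-http://www.52os.net}"
ERROR_LOG="${ERROR_LOG:-/opt/tengine/logs/error.log}"

# http_status URL -> prints only the HTTP status code ("000" if the server is unreachable).
http_status() {
    curl -s -o /dev/null --max-time 5 -w '%{http_code}' "$1"
}

# expect_status URL CODE -> returns 0 when the server answers with CODE, 1 otherwise.
expect_status() {
    got=$(http_status "$1")
    if [ "$got" = "$2" ]; then
        echo "ok    $2  $1"
        return 0
    fi
    echo "FAIL  want $2 got $got  $1" >&2
    return 1
}

# blocked_rule_ids LOGFILE -> one rule id per denied request, in log order.
# ModSecurity records every 403 in nginx's error.log as
#   ModSecurity: Access denied with code 403 ... [id "NNNNNN"] [msg "..."] ... [uri "..."]
blocked_rule_ids() {
    grep 'ModSecurity: Access denied' "$1" | sed -n 's/.*\[id "\([0-9]*\)"\].*/\1/p'
}

run_smoke() {
    fail=0
    # A benign request must still be served: a WAF that blocks everything is not a WAF.
    expect_status "$BASE_URL/phpinfo.php?id=1" 200 || fail=1
    # The two probes from section VI.
    expect_status "$BASE_URL/phpinfo.php?id=1%20and%201=1" 403 || fail=1
    expect_status "$BASE_URL/phpinfo.php?search=%3Cscript%3Ealert('xss');%3C/script%3E" 403 || fail=1
    echo "rules that fired (count, id):"
    blocked_rule_ids "$ERROR_LOG" | sort | uniq -c
    return "$fail"
}

# Run against a live host with: RUN_SMOKE=1 BASE_URL=http://host sh waf-smoke.sh
if [ "${RUN_SMOKE:-0}" = 1 ]; then
    run_smoke
fi
```

A non-zero exit from run_smoke is the signal to read error.log rather than to loosen rules blindly: the id column tells you which CRS rule to look at, and SecRuleRemoveById or a SecRuleUpdateTargetById exception can then be scoped to that one rule instead of disabling the engine.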
VII. Troubleshooting the build

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object. ModSecurity's configure script needs it even for the standalone build.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Read yum's removal list before confirming, because it also takes every package that depends on apr (httpd-devel, apr-util and so on), and afterwards check with ldd /opt/tengine/sbin/nginx | grep apr that the binary now loads the libapr it was compiled against.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

The serial audit log is written through a global mutex that the worker processes, running as an unprivileged user, are not permitted to lock. Switch to concurrent logging, where each transaction is written to its own file: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Create /var/log/modsecurity and chown it to the user the nginx workers run as. A world-writable directory (0777) makes the error go away, but the audit log holds complete requests and responses, including cookies, passwords and session tokens, so in production use 0750 for SecAuditLogDirMode and 0640 for SecAuditLogFileMode with the storage directory owned by the worker user instead.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614