|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。5 |5 d1 v4 o- y# m7 n
, y3 w) v( Q% _' A4 B
一.准备工作
6 j6 N, H j+ E0 t% ?/ P0 E+ Q# r( _
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0 Q0 i' s( l9 P+ |9 t
5 i7 A; R9 }) O
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz6 o/ ^1 [/ ?% S9 l: \
& G* B6 q- }# n# amodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
) i" K/ \1 l% J4 X* L
3 F5 @) B) Z% ?7 nOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs4 c0 S& i0 s8 b; e6 b' D8 H* \0 _3 I8 N& U+ e
6 O$ Y' o4 s( i* K% F0 ?依赖关系:
; s$ G* C: }! ^: \% s, ntengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:$ s: W8 d! A" A1 O2 G
; B2 `6 {' a7 u0 M5 v% @/ y
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel4 e) l! s I) e. @7 k" [
modsecurty依赖的包:pcre httpd-devel libxml2 apr
9 w5 |* }& L6 C4 f) Y, R/ G' f3 r2 Q' F S/ I/ Q' C
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel: P: t9 i- s4 F7 e
二.启用standalone模块并编译
) a3 j! v4 B7 ~: g0 Z H" m4 s3 Q6 N; y; x5 @$ R4 `
下载modsecurity for nginx 解压,进入解压后目录执行:) |# S! ]# Z$ o& F
4 U2 o' R- n7 w6 ~
./autogen.sh/ G/ A* X! t; ?2 D/ O2 R
./configure --enable-standalone-module --disable-mlogc
. @- }' k# m+ R: o2 n3 P; Emake 9 b2 M2 {# W# Z. n1 I
三.nginx添加modsecurity模块
" N/ I2 u' q' m6 k. S& f, Q$ ?) \" P# J; H; L( S" N( Q
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:! O$ E7 }. z2 c# [ g
3 g6 T2 j" ?( N, D: t/ ^4 O5 K
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
: h3 U) t; U4 z) Y1 z% hmake && make install
7 |( a" Q* {! j- Z四.添加规则
. q8 y* t5 h, M: y. R1 y6 Q3 |/ a& Y* e3 u6 E( c* D
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
' m; X" C- U+ v8 t" ?
- b4 b6 D" t4 ^ g9 s" q1.下载OWASP规则:) O; R, u; d! _; L* J- H
?5 Y8 Z2 Q: _7 Y$ r/ qgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs0 N! b" C$ _6 v$ @; Y
3 n |9 L' I( U' X$ ?" [, l3 G
mv owasp-modsecurity-crs /opt/tengine/conf/
0 G4 ?) J# y ^$ m3 T3 x ~6 S1 E9 c( l" G# u0 P
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
% }7 b5 a& g) v4 w/ S3 _0 K$ |% T/ s2.启用OWASP规则:
: m8 t% i9 {! v, O
+ Q! E; w6 J+ N @3 T4 a复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。* K6 s4 b- A6 o3 R1 Q8 F
. U+ s# D5 `2 Q编辑modsecurity.conf 文件,将SecRuleEngine设置为 on$ I3 \ E0 J) z1 w% m' J: T
& G% H4 f$ a! s: l# g4 b! P3 F% o
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。2 B/ p6 V7 H' K) j- s! G
5 V5 a7 O3 R9 w$ K& J
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf6 s' Q( T/ z; w" Y
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
5 I: I9 s2 O7 `5 `# HInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf6 J' @& a8 W3 s, L
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf2 v& _, w5 |: D* }1 a
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf+ a8 z- o' Z1 b& U
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
' I+ F9 [" m1 d. {2 i! [Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf& K+ ], @: m. m' L ?/ L7 d
五.配置nginx' q" s$ m2 R M+ I, H
: \ f7 V- h+ p& v* s在需要启用modsecurity的主机的location下面加入下面两行即可:
$ v8 L: q9 A4 T& ^6 u
" K& B8 B) _$ t; N' F+ sModSecurityEnabled on; 0 o/ k# O# r5 S+ Y
ModSecurityConfig modsecurity.conf;
0 A2 X# {* u8 k4 ~/ ?, U下面是两个示例配置,php虚拟主机:
/ p" o' i! s9 U/ t# @$ Z( }$ K: q: p- ~
server {
* a9 U9 T5 A1 E; s' N* ~) o listen 80;$ ]& Q* f a& F: H- E6 p0 e
server_name 52os.net www.52os.net;
+ Q8 K- f2 y6 h, K / a0 \& Z, I/ `0 O
location ~ \.php$ {( x1 Q5 y$ h- \
ModSecurityEnabled on; ) z: \5 j7 ?7 }
ModSecurityConfig modsecurity.conf;# H; j8 P$ ?$ t' G2 _2 x
f3 N- ^) B4 u: ^$ ]1 |6 r
root /web/wordpress;
: k/ o+ k1 h q' B# B9 [ index index.php index.html index.htm;
4 x2 H. e4 R! T 4 ^/ k* A4 s2 N
fastcgi_pass 127.0.0.1:9000;( t; C. x$ M: n3 G5 v! D. `
fastcgi_index index.php;& v, u: Y- O7 F; ^: d" g! ^9 j
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
7 [, |: q% S- D0 ^2 N; A include fastcgi_params;9 J% N9 [5 h4 g1 @% @& [# i( [
}
% b0 e- P) T: k0 ` x }
, v' X5 V1 n' h+ U" kupstream负载均衡:
6 J0 ?/ C L$ W) H) U% {5 _
3 c' b# t# B9 Z. `' c" d. u6 k' bupstream 52os.net {: ^0 c0 Q; o( M6 u, j. H9 E
server 192.168.1.100:8080;
1 k2 T0 `0 t2 _ server 192.168.1.101:8080 backup;
+ s6 r) p T3 k, `7 u}
* Q c5 R+ m. i/ M( x+ g
7 y7 \" N$ I8 O1 c' v: \& B( |7 y/ W# ?server {; U1 [% G" ~* | f
listen 80;4 |! o4 i2 x4 n3 F
server_name 52os.net www.52os.net;/ d# t5 w5 |$ p+ i7 p+ E
% ]2 n5 }) q& m$ L* R" Hlocation / {
* z ^$ P% E7 v# H ModSecurityEnabled on;
6 E3 v+ {- I( u* T5 E! C ModSecurityConfig modsecurity.conf;
' P! L T4 d* {* x
2 p- L, A% [* ~( C" ^( I+ T& |2 A proxy_pass http://online;# F% X+ l( d( \& O- C3 r
proxy_redirect off;
, e% _3 X; p4 m* g8 |$ t proxy_set_header Host $host;
! z" F6 T; D: V! y- V2 a3 w proxy_set_header X-Real-IP $remote_addr;
2 T: }4 y( F" p+ {0 w# u proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;7 S U- I) x* }% y/ U4 }5 Z* ?2 C
}9 }8 H1 Z7 n# e# z
}
7 u: p: _+ b1 h+ O% `9 h六.测试
& T8 [9 m# w. s- [, D: h* ~" i5 L" h/ c; o) m" n/ a3 r# `) I
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:; Q) d1 t2 O/ a( A$ o7 N
. _% n7 `3 s7 H e+ r) f% B* }5 a
<?php. S* @3 t% X" S @
phpinfo(); 1 E; t0 Q9 @8 n1 }* R" S2 M
?>, M: N5 h3 }' q$ s0 k( e
在浏览器中访问:
( N I$ B2 {+ R* `* `, ]. a/ M
0 V: g' w( H8 B" h% }http://www.52os.net/phpinfo.php?id=1 正常显示。" c6 h# `8 t: u
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。6 j0 B; A2 q" N8 ^8 I
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
1 f Y' h' b9 f3 h$ V3 \2 n: Y说明sql注入和xss已经被过滤了
$ P. ~, g# W8 r4 j: \; W
' V6 B5 X( G0 s" l# }: x& T七、安装过程中排错
: n3 Z4 H. p1 M. |/ F; A8 A3 n3 s5 g) l6 F* }+ i
1.缺少APXS会报错
3 q; H( |. O4 d4 x' ]8 T9 I. x9 j( o, ?0 B4 p$ D: O" L9 b, _
configure: looking for Apache module support via DSO through APXS4 s. K1 g# ?5 q7 l( }" v
configure: error: couldn't find APXS
$ h+ P6 @1 r2 K( g' _- |7 Bapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
& P8 e- w( l% \" @) N, y H3 r解决方法:+ y: |5 W" l* s/ q$ Z% Y5 v
4 q' t* A c+ p" F3 G5 v$ ?yum install httpd-devel
8 `3 H" m1 J. j7 G4 X- G* a5 G% q. G2.没有pcre" C# M: b8 R2 n( _$ s% u
8 `" _( \" }& R# }9 e
configure: *** pcre library not found.6 y/ I: Q2 S! H! n
configure: error: pcre library is required% `- m% M9 O5 K& Z! J7 w
解决方法:% x9 d+ z& Z6 e/ b) p, a
2 V) ]* q( |3 }6 \1 j3 i$ W7 i4 Jyum install pcre pcre-devel
8 J) x4 b4 y* @3.没有libxml2
( F" C5 K. w+ _5 F2 e7 F) D+ U* T# U) [; |: r' u# i- j/ l! G" E4 N
" f; @* D% V+ n9 Y7 y9 {0 Fconfigure: *** xml library not found.( e! |7 l$ {9 Q9 A2 Y! R5 j
configure: error: libxml2 is required
1 y$ q; [0 z- W0 ?解决方法:
, |8 d" Z5 R0 i. R5 d5 S6 O% t# X
yum install libxml2 libxml2-devel
2 M" B& u" i' [6 G- S7 F! y& z# V7 r4 \4.执行 /opt/tengine/sbin/nginx -m 时有警告% F) p7 c# |1 l8 ]# Y3 F. L
Z& E: w) L6 @3 d$ T4 I6 |# ^* }; NTengine version: Tengine/2.1.0 (nginx/1.6.2)% p0 ^: L; f' I V, w. w4 Q( z
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!, e8 M7 s! S2 X2 u; | H
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
% q K' Z! D8 T7 Y& Y
& w; X1 v4 l, C0 B2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.3 f) z8 D3 ^$ S* v9 \
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
( O' }9 X* s9 ~0 L# ^1 `, ?2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!( n- X% w6 o% h* m" c7 { ^ W
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"7 _% u& L# W5 a) X, ]6 B
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
4 @- W3 V% Y& R0 r2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.4 v5 n# ] e7 j- h7 k
解决方法,移除低版本的APR (1.3.9)+ D% `0 L1 {0 ?. ^: w+ ~
) ^7 Z: Q% ?, M2 [
yum remove apr" S, v( |& M' m: U4 t4 ^
5.Error.log中有: Audit log: Failed to lock global mutex
0 [( q; M( m7 ~ V, D
' h6 K! v( L' y3 o2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock ( l; x( R i) W; p/ ^
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
' c0 r/ g; Q' n6 @3 ]# N) R解决方法:; n5 W4 d6 A9 @; T
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:9 p3 F# m& T4 R$ ~; b) d/ r, V
% j. i, A5 t! z9 \0 ]
SecAuditLogDirMode 0777
. c6 i( }5 G0 N: [- W: BSecAuditLogFileMode 0550! Q. _' Z! z9 e; \) s# U: f& J& v3 h
SecAuditLogStorageDir /var/log/modsecurity
/ [ @" _9 }% O- Q) l5 dSecAuditLogType Concurrent) I5 ]6 E8 ~* D* i* {" g! ^/ h4 r
参考文章:
& b, h) `+ @! Y. i$ f0 n9 Lhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX" Z# F2 |% j- W5 y3 W# T! b4 D1 _
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡