|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
/ a- v. ~ V( \- L3 y: s
4 F i, T" x" O, Q一.准备工作
% c4 g7 t3 H3 Z( I% {# [% @' ~' u$ u6 ]3 L
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
0 [ N$ w; L, i
. ^% i* M2 ]% F: atengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz5 M. Y) Q% A# A K. c* M
' o+ `1 N' F' T) P% [9 L
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
9 h+ ]: X/ a* T( m9 U! g1 ?& V7 x) L% m4 c$ p7 D
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs7 Z7 W* ~* Z* X8 t1 v+ w# q
: ]/ ]* y5 o" E7 ? c. i& n依赖关系:+ d B% _+ _$ ^+ z5 R" P
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:1 K. R& I& L8 t) Z. q5 r. w
: T) v7 g1 V4 V) R: jyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
h) t. @/ F' A. Omodsecurty依赖的包:pcre httpd-devel libxml2 apr
! a, E+ F/ C f3 b' t, C# u6 B% W/ K9 U' r$ N
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel2 g5 b5 a7 R6 A2 z
二.启用standalone模块并编译
6 U) R) [/ B" T# N9 C$ C* Z) D m! A( X, f( m% P+ d
下载modsecurity for nginx 解压,进入解压后目录执行:4 H4 W$ L p& F
9 Z) L( h% S* f0 f; {) O2 g6 `
./autogen.sh
/ n4 F5 f4 ]3 u" P$ z./configure --enable-standalone-module --disable-mlogc/ c) ?, Y/ p7 S& [" l( Q* C+ U
make
8 z1 c: l, S c2 e7 [4 q三.nginx添加modsecurity模块
( |; {0 Q5 @( x& V e' i) a" V" s0 z$ M. b, ^# |7 U& O. T
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
! c& ^6 P' Q# J" w/ a
) X' g" Y. a, f) ~/ [! Z./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine! @% l8 C7 W5 q. q4 N1 Q, T
make && make install
' p) S% F1 X. E) n8 W四.添加规则6 ~/ H$ M+ _: ]2 Z
6 v- S9 J3 _/ }# i
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
0 r& D% L4 M% \# A- G
) E& M! T( w, D8 P" _# }, w& l$ B1.下载OWASP规则:
% K( }# |( ~5 Z* f( s) ^. h v) i, A2 s* Z' v. `
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs( [6 @! R1 |; P( |/ o# b. m- Y( I. I
! [- \" v" b) T5 {
mv owasp-modsecurity-crs /opt/tengine/conf/. R; W M3 o l2 ?7 F2 E8 g
+ }$ y9 s$ F5 ?7 g* n: Z
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
0 T* E) S! @& E$ l: D/ _8 `; \+ K2.启用OWASP规则:
+ i+ @0 b4 V4 N0 H, h
4 q( X- g" u7 v% t复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
/ [+ v: ^' u9 q& C) n* a2 A: H5 H+ o1 B, T* M/ D) X5 |! q
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on$ Y0 O, G' U3 n- j
6 @. @0 x/ [3 I) P% h. A' ~$ q
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。% s! ]4 V' u9 J! F. B4 d# E2 @
' n* e8 E, n/ e" @8 Z6 R
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf, `; [3 f5 k8 W+ l& J( N$ d' N* d
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
4 l4 \( p. F! n1 Y% U0 R6 MInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
. s7 ]+ J0 H. G8 S1 |Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
% @4 ]+ H# j# cInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
9 s' y( L y* s& |" t0 M0 YInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
$ O$ d2 ^- y# h6 G1 Q$ h7 kInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
& w! Z8 n' j# O0 p4 B7 b五.配置nginx
$ C0 q/ k/ E4 v `9 m: n3 t. i" j2 ?( E, ?5 \' i1 Y
在需要启用modsecurity的主机的location下面加入下面两行即可:
/ U( _$ d& C- i5 r! D% }6 ^. a- x. `# K2 P, D9 U3 b
ModSecurityEnabled on;
2 q# O" l) V. R1 a8 U" PModSecurityConfig modsecurity.conf;! Z- r, z- i+ W) |# F# c
下面是两个示例配置,php虚拟主机:
( s7 j. x3 ]/ f, e0 q! d3 f- P* v. N& G
server {
4 [; e0 O% @" |9 W4 u3 ]# e. F* n listen 80;
; M' i+ j' K/ s0 }; z3 G server_name 52os.net www.52os.net;8 g/ s8 Y% ]5 y
+ P' ~) u5 r; B! T5 A1 b# u9 f3 h location ~ \.php$ {
2 x. E0 m! J [/ @: A ModSecurityEnabled on; 3 J6 [- B4 v T& O- m- ]" t
ModSecurityConfig modsecurity.conf;0 w5 s1 y8 S2 R6 D
$ p8 r, Y/ k4 m3 t, n4 @( n/ b root /web/wordpress;
2 X$ q5 h( O; q" P7 G" `6 `6 ` index index.php index.html index.htm;6 Q* ~6 l! t6 T7 Y) V& N$ O
7 G# w. q3 s! g, P! h0 f6 Q G0 Q7 x fastcgi_pass 127.0.0.1:9000;' j0 e, K6 O' Y' y) Z; W; c
fastcgi_index index.php;
7 b. d9 j' b. ` t% |$ y0 h0 V fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;4 N5 N* r7 V: D- {5 ~6 r7 o
include fastcgi_params;" ?& j. S* i7 t1 p
}
! E* \$ W1 V; `/ `* |* B; k }9 S6 c& ?6 w! d! d" n0 q
upstream负载均衡:
, B9 W. ]" n4 Z1 z+ u; A, l! n; B4 I8 ~4 {
upstream 52os.net {3 J( |4 q# S! @2 H+ G, [
server 192.168.1.100:8080;6 s! n; O+ i* C6 g
server 192.168.1.101:8080 backup;
8 ]. M8 i, D, w5 o}
* y; {9 Z" t8 h
0 f3 Z5 x1 S |, pserver {
9 s# ~+ K! l$ R, k- b! xlisten 80;
9 G! H6 R9 p- ]server_name 52os.net www.52os.net;
" w" ^4 h* \8 l: D( _) |- e0 D
% ~' v3 S; J+ h, x4 Nlocation / {- r) ?* w4 X; x* a
ModSecurityEnabled on; ) e- E! ~7 c5 W7 D' h
ModSecurityConfig modsecurity.conf;
% L( J7 ^# S" ^3 M/ f
9 H& I0 K" J" J3 f proxy_pass http://online;- Z0 P S. r4 D4 O! E7 q0 Q# }
proxy_redirect off;. a0 O8 w2 p" G
proxy_set_header Host $host;
3 ]1 F' n7 @% A m0 t/ ? proxy_set_header X-Real-IP $remote_addr;
# b/ F; y4 s6 o3 U7 J8 r; n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;# N8 L* {8 |9 r9 b0 s' d: ]0 F
}
+ ~& ~/ y7 r+ v' @* s, @' W% f/ w}
2 J( }) f$ F- v k6 s六.测试( c5 w- ]" X8 ~1 w" e8 m7 h
R: }5 T! |# o% _% s# L
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
4 t6 ]; o) Z7 k" C. X# T8 c) f |, R2 w' J" Z0 ^1 t" S
<?php
7 A3 U" {5 I6 L) J. p* M$ s phpinfo(); $ }, f* b$ c& D# G- w( y8 o
?>
/ H6 O! b$ G* s+ D( ?3 ^在浏览器中访问:
* }+ h1 @2 K6 S8 P6 F, I
6 o: d( x z2 C0 w& S/ d9 b3 V8 shttp://www.52os.net/phpinfo.php?id=1 正常显示。6 o+ d+ k) I1 G) V& l
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
I2 J4 j6 J& mhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。3 C% v# @! H/ A9 X
说明sql注入和xss已经被过滤了8 `3 h9 R4 @8 r) Z/ Y- {# e
7 F" s6 P) h: n1 D q& ?3 r七、安装过程中排错3 ]/ G" q- [- ^
( L" U" X7 D) }' v. {6 ^! S
1.缺少APXS会报错- Q( t( D n) a! e( M0 A) R/ ]1 E5 N
! M! o2 x) |/ p( U/ p+ ^
configure: looking for Apache module support via DSO through APXS
2 m! G* m s0 q3 D/ econfigure: error: couldn't find APXS/ X4 r7 x+ V6 ~) }
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
8 J: A6 K+ N+ |# a& J解决方法:& Q3 R* y; @4 P6 |) u
* w' V9 Q! V" F& `8 u3 z7 K' byum install httpd-devel
+ C8 v! e- j" }: d0 @2.没有pcre
6 P2 p/ [8 U/ c2 E
b! c) }# \1 {& _" g* @5 vconfigure: *** pcre library not found.
! e l, L, D: E, I; v1 Gconfigure: error: pcre library is required
: P: E* v, G9 |( G, y解决方法:
8 S. I. n# s4 S6 ]0 {9 s
9 L. P6 f; G. k' dyum install pcre pcre-devel. p3 Z/ n; B; l3 z
3.没有libxml26 R0 J% L2 U: n" b4 t
3 T7 Q4 G# t- t, @, O
M2 _" J* h( Vconfigure: *** xml library not found./ q6 _& o8 S/ E7 I9 k9 O( Y- _7 H
configure: error: libxml2 is required5 f- b6 u) H9 h, I
解决方法:
7 h6 S: I( m% S+ k( @) T2 a- l% x
yum install libxml2 libxml2-devel
' w) F: {5 `, q3 ?4.执行 /opt/tengine/sbin/nginx -m 时有警告6 n/ `3 p6 T( y! l8 @7 `& l E
! b3 B8 m: M7 t. T) I( S2 a" n/ ETengine version: Tengine/2.1.0 (nginx/1.6.2)
. c- o8 c5 ]2 C7 L5 Gnginx: [warn] ModSecurity: Loaded APR do not match with compiled!+ n9 G7 G8 R* V' b( g% w
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log; E _' q6 b$ d. D
. G3 ]2 S2 \3 f/ s# m% g% Y
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.* C1 R7 C: \$ B1 N
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"6 y# m8 A3 r2 ]3 N9 G
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
1 R( |$ s! R7 s6 c- a3 S2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
0 S$ y+ R2 G+ D3 }5 I2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
6 D ~' ?. `+ M' D" S2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On., b2 \! c2 x" o- L& j9 e
解决方法,移除低版本的APR (1.3.9)
6 y4 V2 W2 Y1 d& q5 I1 ^+ y, y2 x) w8 i; p9 Y
yum remove apr
, @, O& f% J1 Z5 i8 Y" q( k5.Error.log中有: Audit log: Failed to lock global mutex* l y3 U$ U% a; `- J. U4 C
; j9 c3 V- I: T a2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
0 Q& Z4 z8 Y- _2 J( iglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
$ Y% J2 x9 W) b: P! ]7 b! a+ v解决方法:
( w8 A/ y8 c7 A6 F5 ]7 k7 A3 C编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:7 W" l- E7 c9 m" H8 j
: B9 R. T) j/ |% M* xSecAuditLogDirMode 0777
5 H! `( `+ o g* p5 ZSecAuditLogFileMode 0550
1 W G* D+ ]; Z/ t1 w* \SecAuditLogStorageDir /var/log/modsecurity
- D6 M7 Y! y- m3 k" V0 k" dSecAuditLogType Concurrent! ` J( b- H4 Y& c' [+ G8 P
参考文章:
$ q2 a* j$ t! b- R5 g0 Thttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX* E) Q5 g# T- e5 a
http://drops.wooyun.org/tips/2614 |
|
|Archiver|手机版|小黑屋|第一站论坛
( 蜀ICP备06004864号-6 )
窥视卡
雷达卡
发表于 2017-10-19 16:53:31
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡