ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web security.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is designed to filter and block web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and of course you can also write custom rules to meet any particular need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs/

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

Under owasp-modsecurity-crs there are several folders holding rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules in them as needed; a rule file is enabled simply by pulling it into modsecurity.conf with an Include directive:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled XSS and SQL injection filtering, so abnormal requests are answered directly with a 403. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Visit in the browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
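A 403 in the browser tells you a request was blocked but not which rule fired; rule hits land in nginx's error.log in ModSecurity's bracketed [key "value"] format (the mutex error quoted in the troubleshooting section below uses the same layout). The following parser is an added Python example, not code from the original post; its sample lines are constructed, and the rule ids and messages in them are sample values.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the original post) in the format
# ModSecurity 2.x writes into nginx's error.log; rule ids and messages are samples.
SAMPLE_LOG = [
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
    '2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\b(and|or)\\b)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-0001"]',
    '2015/01/26 04:20:07 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "1"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-0002"]',
]

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \S+ '
                     r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<rest>.*)$')
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')   # [key "value"]
DENIED_RE = re.compile(r'^Access denied with code (?P<code>\d+) \(phase (?P<phase>\d)\)')


def parse_line(line):
    """Return the fields of one ModSecurity error.log line as a dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    rec = {"ts": m["ts"], "level": m["level"], "client": m["client"], "tag": []}
    first = None
    for f in FIELD_RE.finditer(rest):
        first = f.start() if first is None else first
        val = f["val"].replace('\\"', '"')      # ModSecurity escapes quotes as \"
        if f["key"] == "tag":                   # tag repeats; keep every value
            rec["tag"].append(val)
        else:
            rec[f["key"]] = val
    rec["message"] = (rest[:first] if first is not None else rest).strip()
    d = DENIED_RE.match(rest)
    rec["status"] = int(d["code"]) if d else None   # None: engine notice/error, not a block
    return rec


def summarize(lines):
    """Count blocks per (rule id, uri); collect engine errors that are not block decisions."""
    blocked, engine_errors = Counter(), []
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None:                         # not a ModSecurity line
            continue
        if rec["status"] is not None:
            blocked[(rec.get("id"), rec.get("uri"))] += 1
        elif rec["level"] == "error":
            engine_errors.append(rec["message"])
    return blocked, engine_errors
```

Replace SAMPLE_LOG with the lines of the real error.log (logs/error.log under the /opt/tengine prefix by default) to get per-rule counts for the test requests above; a rule that keeps blocking legitimate requests is a false-positive candidate to tune before the WAF goes to production.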
VII. Troubleshooting during installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614