ModSecurity started life as an open-source WAF for Apache httpd and now also runs under nginx and IIS. Combined with the flexibility and performance of nginx (here Tengine, Taobao's nginx fork), it makes a production-grade WAF and a very useful tool for both protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set (CRS): https://github.com/SpiderLabs/owasp-modsecurity-crs

Check each downloaded tarball against the checksum or signature its project publishes before building anything from it.

Dependencies:

Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel (only for the apxs tool its configure script looks for), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Build ModSecurity with the standalone module

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

--enable-standalone-module builds the Apache-independent library that the nginx module links against; --disable-mlogc skips the mlogc audit-log collector, which is not needed here. There is no make install step: nginx is pointed at the build tree in the next section.

III. Add the ModSecurity module to nginx

Once the standalone build has finished, pass the module directory to nginx's configure with --add-module (adjust the path if ModSecurity was unpacked somewhere other than /root):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

A quick way to confirm the module really went in is /opt/tengine/sbin/nginx -m (Tengine's option for listing loaded modules; plain nginx only has -V); on startup, error.log should also carry a "ModSecurity for nginx (STABLE)/2.8.0 () configured." notice.

IV. Add rules

ModSecurity's job is to filter and block dangerous web traffic, and its strength lies in its rules. The rule set published by OWASP and maintained by community volunteers is known as the Core Rule Set (CRS); it is reliable and comprehensive, and you can of course write your own rules for anything it does not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory (/opt/tengine/conf here), renaming modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs what every rule would have done without blocking anything; leaving it on that setting for a trial period and reading error.log first is the safest way to find false positives before they turn into 403s for real users.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable what you need by adding Include lines for the files to modsecurity.conf (paths are relative to the conf directory). modsecurity_crs_10_setup.conf must come first, because it defines the variables and default actions the other files rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
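
To show how the pieces fit together, here is a complete modsecurity.conf for this layout, written for this article as an added example (it is not the file shipped with ModSecurity or the CRS). It keeps the Include list above, starts in DetectionOnly, and adds three local rules; the rule ids 10001-10003, the health-check path /healthz, the trusted network 192.168.1.0/24 and the wp-admin paths are assumptions for illustration. The audit-log settings are the Concurrent-mode ones that the troubleshooting section arrives at, with tighter permissions:

```apache
# /opt/tengine/conf/modsecurity.conf (added example for this article)

# Engine: start in DetectionOnly, review error.log, then change to On.
# While DetectionOnly is set, even the deny in rule 10002 only logs.
SecRuleEngine DetectionOnly

# Request bodies must be read, or POST-based injection/XSS is never inspected.
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject
SecResponseBodyAccess Off
SecTmpDir /tmp/
# Persistent collections (used by the CRS DoS and brute-force rules).
SecDataDir /tmp/

# Decoding table copied from the ModSecurity source tree in step 2.
SecUnicodeMapFile unicode.mapping 20127

# Audit log: one file per transaction (no global mutex), only for requests
# that were blocked or errored. /var/log/modsecurity must be owned by the
# user the nginx workers run as (the "user" directive in nginx.conf);
# 0750/0640 rather than a world-writable directory.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogDirMode 0750
SecAuditLogFileMode 0640

# OWASP CRS: the setup file must be first; it defines the defaults the
# rule files rely on.
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

# Local rules. Ids 1-99999 are reserved for local use and cannot clash with
# the CRS. The paths, ids and trusted network below are assumptions.

# 1) Load-balancer health check: skip the engine for this one exact path.
SecRule REQUEST_URI "@streq /healthz" \
    "id:10001,phase:1,pass,nolog,ctl:ruleEngine=Off"

# 2) Only the office network may reach the WordPress admin area. A chain
#    fires only when every link matches; the disruptive action sits on the
#    first link and the later links carry no actions of their own.
SecRule REQUEST_URI "@beginsWith /wp-admin/" \
    "id:10002,phase:1,deny,status:403,log,msg:'wp-admin reached from outside the trusted network',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24,127.0.0.1"

# 3) Tuning a false positive: the post editor legitimately submits HTML in
#    the "content" argument. Rather than switching the engine off for that
#    page, remove just that one argument from the XSS rules (the tag is
#    matched as a regular expression against the CRS rules' tags).
SecRule REQUEST_URI "@streq /wp-admin/post.php" \
    "id:10003,phase:1,pass,nolog,ctl:ruleRemoveTargetByTag=WEB_ATTACK/XSS;ARGS:content"
```

Rule 10003 is the pattern to reach for whenever error.log shows a legitimate request being denied: narrow the exclusion to one path and one argument instead of removing a whole rule, and never to a ctl:ruleEngine=Off on anything user-facing.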

V. Configure nginx

Add the following two lines inside the location block of each virtual host that should be protected. The directives are per location: requests handled by a location that lacks them are never inspected.

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

nginx variable names are case-sensitive: $document_root (lower case) is the variable nginx defines, and a misspelling such as $Document_root makes nginx refuse to start with an unknown-variable error. Note also that ModSecurity is only enabled inside the \.php$ location here, so static files served by this host bypass the WAF entirely.
Second, a reverse proxy in front of an upstream group (the upstream name must match the one used in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Here the whole site goes through location /, so every request to the backends is inspected. The backends should accept connections only from the proxy: anything that can reach 192.168.1.100:8080 directly bypasses the WAF.
VI. Testing

With the XSS and SQL injection rules enabled, offending requests get a 403 straight back. Taking the PHP host as an example, create phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser (the browser percent-encodes the spaces and angle brackets for you):

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

The second and third results show that SQL injection and XSS payloads are being filtered. Each block is also written to error.log as a "ModSecurity: Access denied" entry carrying the matching rule id, which is the place to look if a request you expected to be blocked sails through, or a legitimate one is rejected. Remove phpinfo.php when you are done: it discloses the PHP configuration to anyone who can reach it.
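
To make the browser checks above repeatable (for instance as a gate in a deployment job), here is a small curl-based smoke test, added for this article and not part of the original post. It assumes the PHP host from section V with phpinfo.php in place, curl on the machine running it, and nginx's error log at /opt/tengine/logs/error.log (the default for --prefix=/opt/tengine). The fetcher is a swappable function, so the pass/fail logic can also be exercised without a live host.

```shell
#!/bin/sh
# waf_smoke.sh: replay the article's test requests against a ModSecurity-enabled
# Tengine host and check the status codes. Added example; not from the article.
# Usage: ./waf_smoke.sh http://www.52os.net
# Assumes the section V PHP vhost (phpinfo.php exists) and curl.

# One case per line: "path|query string|expected HTTP status". The clean
# request must be served; the two payloads must be rejected with 403.
read_cases() {
cat <<'EOF'
/phpinfo.php|id=1|200
/phpinfo.php|id=1 and 1=1|403
/phpinfo.php|search=<script>alert('xss');</script>|403
EOF
}

# Real fetcher: print only the HTTP status code of GET $1$2?$3.
# -G with --data-urlencode percent-encodes the spaces and angle brackets the
# way a browser would. A raw space in the URL makes nginx answer 400 before
# ModSecurity ever sees the request, which would look like a pass.
curl_code() {
    curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode "$3" "$1$2"
}

# Run every case through the fetcher named in $WAF_FETCH (default: curl_code).
# Returns 0 only if every case produced the expected status.
run_smoke_tests() {
    base=$1
    fetch=${WAF_FETCH:-curl_code}
    failures=0
    while IFS='|' read -r path query expected; do
        [ -n "$path" ] || continue
        actual=$("$fetch" "$base" "$path" "$query")
        if [ "$actual" = "$expected" ]; then
            printf 'PASS %s  %s?%s\n' "$actual" "$path" "$query"
        else
            printf 'FAIL expected %s got %s  %s?%s\n' "$expected" "$actual" "$path" "$query"
            failures=$((failures + 1))
        fi
    done <<EOF
$(read_cases)
EOF
    [ "$failures" -eq 0 ]
}

# A 403 could also come from the application itself; confirm it was
# ModSecurity by looking at the last denials it logged (--prefix default path).
show_denials() {
    grep 'ModSecurity: Access denied' "${1:-/opt/tengine/logs/error.log}" | tail -n 5
}

if [ $# -ge 1 ]; then
    run_smoke_tests "$1"
    status=$?
    show_denials
    exit $status
fi
```

Run it as ./waf_smoke.sh http://www.52os.net; a non-zero exit means at least one case did not behave as expected. Because the PHP host only enables ModSecurity for the \.php$ location, adding a case with the same payload against a non-PHP path is a useful reminder of what the WAF does not see.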

VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP Server, compiling one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even for a standalone build. Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one the dynamic loader resolves at run time. error.log shows the two side by side:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that the loader picks up the 1.5.0 the module was built against:

yum remove apr

Before doing so, check what else depends on that package (rpm -q --whatrequires apr): yum removes those too, httpd-devel among them, which is acceptable on a box whose only Apache component was the apxs needed for the build. Afterwards, confirm with ldd /opt/tengine/sbin/nginx | grep apr that the binary resolves the intended library, and re-run nginx -m to make sure the warning is gone.
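
Rather than reading the notices by eye, the check can be scripted. The following is an added example written for this article (not a ModSecurity tool): it parses the compiled/loaded version notices ModSecurity writes to error.log at startup, compares major.minor per library, and then shows which shared objects the nginx binary actually resolves. Paths are the --prefix=/opt/tengine defaults, and the sample lines it is checked against are the error.log lines quoted above.

```shell
#!/bin/sh
# modsec_libcheck.sh: detect the "Loaded APR do not match with compiled!"
# condition from ModSecurity's startup notices in error.log and show which
# shared libraries the binary really resolves. Added example for this article.
# Usage: ./modsec_libcheck.sh /opt/tengine/logs/error.log [/opt/tengine/sbin/nginx]

# Reduce the startup notices on stdin to "LIB COMPILED LOADED" lines, e.g.
#   ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
# becomes "APR 1.5.0 1.3.9". LIBXML only reports a compiled version in 2.8.0,
# so its line has no loaded field.
parse_versions() {
    sed -n 's/.*ModSecurity: \([A-Z]*\) compiled version="\([^"]*\)"\(; loaded version="\([^"]*\)"\)\{0,1\}.*/\1 \2 \4/p'
}

# "7.8 2008-09-05" -> "7.8". APR and PCRE keep their ABI stable within a
# major.minor series, so that is the granularity worth comparing; the date
# suffix PCRE appends is noise.
major_minor() {
    printf '%s\n' "$1" | sed 's/^\([0-9]*\.[0-9]*\).*/\1/'
}

# Read "LIB COMPILED LOADED" lines on stdin; print a MISMATCH line for each
# library whose loaded major.minor differs from the compiled one. Returns 0
# when everything agrees, 1 otherwise. Libraries without a loaded field are
# skipped.
check_versions() {
    mismatches=0
    while read -r lib compiled loaded; do
        [ -n "$lib" ] && [ -n "$loaded" ] || continue
        if [ "$(major_minor "$compiled")" != "$(major_minor "$loaded")" ]; then
            printf 'MISMATCH %s: compiled %s, loaded %s\n' "$lib" "$compiled" "$loaded"
            mismatches=$((mismatches + 1))
        fi
    done
    [ "$mismatches" -eq 0 ]
}

# What the dynamic loader actually picks for the nginx binary; after the
# older apr package is gone, the libapr-1 line should point at the 1.5.x copy.
show_loaded_libs() {
    ldd "${1:-/opt/tengine/sbin/nginx}" | grep -Ei 'libapr|libpcre|libxml'
}

if [ $# -ge 1 ]; then
    parse_versions < "$1" | check_versions
    status=$?
    show_loaded_libs "$2"
    exit $status
fi
```

Run it as ./modsec_libcheck.sh /opt/tengine/logs/error.log after each restart; a clean run prints nothing from check_versions and exits 0, and the ldd lines tell you which copy of each library is in play without having to trust the warning alone.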
5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Cause: the default serial audit log writes every transaction into a single file guarded by an APR global mutex; under nginx the master process creates that mutex as root and the unprivileged worker processes then cannot lock it. Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent mode writes one file per transaction under SecAuditLogStorageDir and needs no lock. The mode bits above get past the error, but a 0777 directory lets any local user add, alter or delete audit records, which defeats the point of an audit log. The tighter equivalent is to chown /var/log/modsecurity to the user the nginx workers run as (the user directive in nginx.conf) and use SecAuditLogDirMode 0750 with SecAuditLogFileMode 0640.
% V; ~! j: k$ `/ v( }4 G* V参考文章:
8 T- ^: j+ F0 ?) y/ \6 f; i2 O' ghttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
" q! [0 Z. X& A' Y" Vhttp://drops.wooyun.org/tips/2614 |
|