1. Preparation
System: CentOS 7.2 64-bit, nginx 1.10.2, ModSecurity 2.9.1, OWASP CRS 3.0
(1) nginx: http://nginx.org/download/nginx-1.10.2.tar.gz
(2) ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz
(3) OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs
(4) OWASP rule set download address: https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0/master.zip
(yum install unzip && unzip master.zip)
Dependencies:
nginx depends on: pcre, zlib, openssl
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel (all already installed)
Packages ModSecurity depends on: pcre httpd-devel libxml2 apr
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile
Download ModSecurity for nginx, extract it, change into the extracted directory and run:
tar zxvf modsecurity-2.9.1.tar.gz
cd modsecurity-2.9.1
./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make (no make install)
3. Add the ModSecurity module to nginx
Once the standalone module is built, the ModSecurity module can be added when compiling nginx via "--add-module":
./configure (the parameters shown by nginx -V) --add-module=/usr/local/src/modsecurity-2.9.1/nginx/modsecurity/
make
make install (if nginx is already installed, see the article on in-place nginx upgrades instead, and do not run make install)
4. Add rules
ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and of course you can also write custom rules to meet your own needs.
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
(or: wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0/master.zip && unzip master.zip)
# move the rule set into the nginx configuration directory
cp -r owasp-modsecurity-crs-3.0-master/ /usr/local/nginx/conf/owasp-modsecurity-crs
cd /usr/local/nginx/conf/owasp-modsecurity-crs
cp crs-setup.conf.example crs-setup.conf # copy the template configuration file
cp /usr/local/src/modsecurity-2.9.1/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf # copy and rename the configuration file
cp /usr/local/src/modsecurity-2.9.1/unicode.mapping /usr/local/nginx/conf/ # copy the mapping file
Under owasp-modsecurity-crs there are many folders holding rules; enable the ones you need by adding an Include line for each rule file.
vi /usr/local/nginx/conf/modsecurity.conf # edit and add the following
SecRuleEngine DetectionOnly # change to SecRuleEngine On
#Include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
#Include owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
#Include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
#Include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
#Include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
#Include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
#Include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
#Include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
#Include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
#Include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
:wq! # save and exit
Then add the following two lines under the location block of every host where ModSecurity should be enabled:
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
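Before restarting nginx it helps to check the edited modsecurity.conf mechanically rather than by eye. The following Python script is an added example (not code from the original post, nor from the ModSecurity or CRS projects): it reads SecRuleEngine, the active and commented-out Include lines and the SecAuditLog*Mode settings, and warns when CRS rule files are included without crs-setup.conf and REQUEST-901-INITIALIZATION.conf in front of them (the order the official CRS instructions quoted later in this post describe), or when the audit-log directory mode is world-writable. The two configuration samples embedded in it are constructed for the example.

```python
"""Check a ModSecurity 2.x modsecurity.conf for the CRS 3 include set.

Added example, not part of the original post or of the ModSecurity/CRS
projects. It reads the directives the post edits (SecRuleEngine, the
Include lines, the SecAuditLog*Mode settings) and reports what is worth
knowing before restarting nginx.
"""
import re
from dataclasses import dataclass, field

# ModSecurity treats '#' as a comment marker; a commented Include is recorded
# separately so the report can show which rule files are switched off.
_ENGINE = re.compile(r"^\s*SecRuleEngine\s+(\S+)", re.IGNORECASE)
_INCLUDE = re.compile(r"^\s*(#\s*)?Include\s+(\S+)", re.IGNORECASE)
_MODE = re.compile(r"^\s*(SecAuditLogDirMode|SecAuditLogFileMode)\s+([0-7]+)", re.IGNORECASE)


@dataclass
class ConfReport:
    engine: str = "unset"
    included: list = field(default_factory=list)   # active Include targets, in order
    commented: list = field(default_factory=list)  # Include lines disabled with '#'
    warnings: list = field(default_factory=list)


def audit_modsec_conf(text: str) -> ConfReport:
    rep = ConfReport()
    for line in text.splitlines():
        if m := _ENGINE.match(line):
            rep.engine = m.group(1)
        elif m := _INCLUDE.match(line):
            (rep.commented if m.group(1) else rep.included).append(m.group(2))
        elif m := _MODE.match(line):
            # Octal modes such as 0777 let any local user write to the audit log
            if int(m.group(2), 8) & 0o002:
                rep.warnings.append(f"{m.group(1)} {m.group(2)} is world-writable")

    if rep.engine.lower() != "on":
        rep.warnings.append(
            f"SecRuleEngine is '{rep.engine}': rules are evaluated but nothing is blocked")

    names = [p.rsplit("/", 1)[-1] for p in rep.included]
    rule_idx = [i for i, p in enumerate(rep.included) if "/rules/" in p]
    if rule_idx:
        # CRS 3 documentation: include crs-setup.conf first, then rules/*.conf
        if "crs-setup.conf" not in names:
            rep.warnings.append(
                "crs-setup.conf is not included: CRS 3 expects it before the rule files")
        elif names.index("crs-setup.conf") > rule_idx[0]:
            rep.warnings.append("crs-setup.conf is included after the first rule file")
        if not any(n.startswith("REQUEST-901-") for n in names):
            rep.warnings.append(
                "REQUEST-901-INITIALIZATION.conf is not included: it sets the paranoia level "
                "and anomaly-score thresholds that the 949/959 blocking-evaluation rules use")
    return rep


# Constructed sample mirroring the post's edit: engine switched on, the 901
# initialization file left commented out, crs-setup.conf never included.
SAMPLE_AS_IN_POST = """\
SecRuleEngine On
#Include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
"""

# The same files arranged as the CRS 3 README describes (setup first, then rules).
SAMPLE_AS_DOCUMENTED = """\
SecRuleEngine On
Include owasp-modsecurity-crs/crs-setup.conf
Include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
SecAuditLogDirMode 0750
SecAuditLogFileMode 0640
"""

if __name__ == "__main__":
    for label, conf in (("as in post", SAMPLE_AS_IN_POST), ("as documented", SAMPLE_AS_DOCUMENTED)):
        rep = audit_modsec_conf(conf)
        print(f"[{label}] engine={rep.engine} active={len(rep.included)} disabled={len(rep.commented)}")
        for w in rep.warnings:
            print("  WARNING:", w)
```

To run it against a real installation, pass the file contents: audit_modsec_conf(open("/usr/local/nginx/conf/modsecurity.conf").read()). The script only inspects modsecurity.conf itself; it does not follow the included files, so an Include of a wrapper file that in turn includes crs-setup.conf will be reported as missing.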
Below are two example configurations. A PHP virtual host:
server {
    listen 80;
    server_name localhost;
    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
server {
    listen 80;
    server_name localhost;
    # only one "location /" per server block; nginx rejects a duplicate
    location / {
        root html;
        index index.php index.html index.htm;
    }
    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        root html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Upstream load balancing:
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}
server {
    listen 80;
    server_name 52os.net www.52os.net;
    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        # proxy_pass must name the upstream group defined above
        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
After nginx is configured it must be restarted.
If the compatibility error "ModSecurity: Loaded PCRE do not match with compiled!" appears, see the article "Fixing the compatibility problem 'ModSecurity: Loaded PCRE do not match with compiled!' when restarting nginx with ModSecurity configured": http://www.cnblogs.com/sanduzxcvbnm/p/6128174.html
We have enabled XSS and SQL injection filtering, so abnormal requests are answered directly with 403. Taking a PHP environment as the example, create a file phpinfo.php with the contents:
<?php
phpinfo();
?>
Visit in a browser:
http://ip/phpinfo.php/?id=1 displays normally.
http://ip/phpinfo.php/?id=1 and 1=1 returns 403.
http://ip/phpinfo.php/?search=<script>alert('xss');</script> returns 403.
This shows that SQL injection and XSS are being filtered. Check the log: /var/log/modsec_audit.log contains the detailed interception records.
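To see what the audit log recorded for requests like the ones above without reading it by hand, here is an added Python example (not from the original post or the ModSecurity project) that parses the serial-format audit log written by the SecAuditLogType Serial setting of modsecurity.conf-recommended. Each transaction is delimited by --<id>-<part>-- boundary lines: part A carries the client address, B the request, F the response status, and H the rule messages and the final Action line. The sample log embedded in the script is constructed; the rule ids 942100 and 949110 are the CRS 3 libinjection SQLi rule and the inbound anomaly-score rule, while the file line numbers, timestamps and unique ids are illustrative.

```python
"""Parse ModSecurity 2.x serial audit log entries into per-request records.

Added example, not part of the original post or the ModSecurity project.
A serial audit log holds one transaction after another, each delimited by
'--<id>-<part>--' lines: part A is the transaction header, B the request
headers, F the response headers, H the rule messages and final action,
Z the terminator.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

_BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# [key "value"] pairs as written in Message: lines (values may contain \" escapes)
_TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


@dataclass
class Transaction:
    boundary: str
    client_ip: str = ""
    request_line: str = ""
    status: int = 0
    rule_ids: list = field(default_factory=list)
    messages: list = field(default_factory=list)
    intercepted: bool = False


def parse_audit_log(text: str) -> list:
    """Return one Transaction per audit entry, in file order."""
    txs, cur, part = [], None, None
    for line in text.splitlines():
        if m := _BOUNDARY.match(line):
            bid, part = m.groups()
            if part == "A":          # a new transaction starts with its A part
                cur = Transaction(boundary=bid)
                txs.append(cur)
            continue
        if cur is None or not line.strip():
            continue
        if part == "A" and line.startswith("[") and "]" in line:
            # "[timestamp] unique_id client_ip client_port server_ip server_port"
            fields = line.split("]", 1)[1].split()
            if len(fields) >= 2:
                cur.client_ip = fields[1]
        elif part == "B" and not cur.request_line:
            cur.request_line = line  # first line of part B is the request line
        elif part == "F" and line.startswith("HTTP/"):
            cur.status = int(line.split()[1])
        elif part == "H":
            if line.startswith("Message:"):
                tags = dict(_TAG.findall(line))
                if "id" in tags:
                    cur.rule_ids.append(tags["id"])
                    cur.messages.append(tags.get("msg", ""))
            elif line.startswith("Action: Intercepted"):
                cur.intercepted = True
    return txs


def blocked_rule_counts(txs) -> Counter:
    """Which rules fired on intercepted transactions: the first thing to check
    when deciding whether a 403 was a true hit or a false positive."""
    counts = Counter()
    for tx in txs:
        if tx.intercepted:
            counts.update(tx.rule_ids)
    return counts


# Constructed sample: a blocked and an allowed request as ModSecurity records
# them (rule ids are real CRS 3 ids; line numbers and timestamps are illustrative).
SAMPLE_AUDIT_LOG = """\
--8b4d7c3f-A--
[26/Jan/2015:04:15:42 +0000] VMEhOn8AAAEAAGj4xnEAAAAA 10.11.15.161 55432 10.11.15.1 80
--8b4d7c3f-B--
GET /phpinfo.php/?id=1%20and%201=1 HTTP/1.1
Host: 10.11.15.1
--8b4d7c3f-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html
--8b4d7c3f-H--
Message: Warning. detected SQLi using libinjection with fingerprint '1&1' [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "66"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1&1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:ANOMALY_SCORE. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1422245742000000 1234 (- - -)
--8b4d7c3f-Z--

--2f1a9c0e-A--
[26/Jan/2015:04:15:50 +0000] VMEhQn8AAAEAAGj4xnIAAAAB 10.11.15.161 55433 10.11.15.1 80
--2f1a9c0e-B--
GET /phpinfo.php/?id=1 HTTP/1.1
Host: 10.11.15.1
--2f1a9c0e-F--
HTTP/1.1 200 OK
Content-Type: text/html
--2f1a9c0e-H--
Stopwatch: 1422245750000000 987 (- - -)
--2f1a9c0e-Z--
"""

if __name__ == "__main__":
    txs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for tx in txs:
        verdict = "BLOCKED" if tx.intercepted else "allowed"
        print(f"{tx.client_ip} {tx.request_line} -> {tx.status} {verdict} {tx.rule_ids}")
    print("rules behind blocks:", dict(blocked_rule_counts(txs)))
```

For a live system call parse_audit_log(open("/var/log/modsec_audit.log").read()). If you later switch to SecAuditLogType Concurrent (as the mutex fix further down does), each transaction lands in its own file under SecAuditLogStorageDir in the same part format, so the parser can be run over each file individually.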
1. Missing APXS causes an error
configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS
apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Solution:
yum install httpd-devel
2. pcre missing (watch the version; it is best to build the latest version from source)
configure: *** pcre library not found.
configure: error: pcre library is required
Solution:
yum install pcre pcre-devel
3. libxml2 missing
configure: *** xml library not found.
configure: error: libxml2 is required
Solution:
yum install libxml2 libxml2-devel
4. A warning when running /usr/local/nginx/sbin/nginx -t
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log will also contain the following:
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
Solution: remove the older APR (1.3.9)
yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:
SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
8. Official description
The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
The Core Rule Set provides protection against many common attack categories, including SQL Injection (SQLi) and HTTPoxy.
The Core Rule Set is free software, distributed under Apache Software License version 2.
CRS 3 includes many coverage improvements, plus the following new features:
For a full list of changes in this release, see the CHANGES document.
CRS 3 requires an Apache/IIS/Nginx web server with ModSecurity 2.8.0 or higher.
Our GitHub repository is the preferred way to download and update CRS.
After download, copy crs-setup.conf.example to crs-setup.conf. Optionally edit this file to configure your CRS settings. Then include the files in your webserver configuration:
Include /.../crs-setup.conf
Include /.../rules/*.conf
For detailed installation instructions, see the INSTALL document. Also review the CHANGES and KNOWN_BUGS documents.
You can update the rule set using the included script util/upgrade.py.
Advanced features are explained in the crs-setup.conf and the rule files themselves. The crs-setup.conf file is generally a very good entry point to explore the features of the CRS.
We are trying hard to reduce the number of false positives (false alerts) in the default installation. But sooner or later, you may encounter false positives nevertheless.
Christian Folini's tutorials on installing ModSecurity, configuring the CRS and handling false positives provide in-depth information on these topics.
We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.
9. Rule set description
modsecurity_crs_20_protocol_violations.conf: HTTP protocol specification rules
modsecurity_crs_21_protocol_anomalies.conf: HTTP protocol specification rules
modsecurity_crs_23_request_limits.conf: HTTP request size and length limit rules
modsecurity_crs_30_http_policy.conf: HTTP protocol whitelist rules
modsecurity_crs_35_bad_robots.conf: malicious scanner and crawler rules
modsecurity_crs_40_generic_attacks.conf: rules for common attacks such as command execution, code execution, injection, file inclusion, sensitive information disclosure, session fixation and HTTP response splitting
modsecurity_crs_41_sql_injection_attacks.conf: SQL injection rules (it even contains a MongoDB injection rule; very thorough)
modsecurity_crs_41_xss_attacks.conf: XSS rules
modsecurity_crs_42_tight_security.conf: directory traversal rules
modsecurity_crs_45_trojans.conf: webshell rules
modsecurity_crs_47_common_exceptions.conf: Apache exception rules
modsecurity_crs_49_inbound_blocking.conf: collaborative protection rules
modsecurity_crs_50_outbound.conf: detects error messages, warnings and directory listings in the response body
modsecurity_crs_59_outbound_blocking.conf: collaborative protection rules
modsecurity_crs_60_correlation.conf: collaborative protection rules
PoCs for specific known applications, which do not produce false positives; the detection method first checks whether the requested file path appears in the data file and only then runs the next test, otherwise this rule set's checks are skipped
5.3 Optional rule sets
modsecurity_crs_10_ignore_static.conf: rules exempting static files from WAF inspection
modsecurity_crs_11_avs_traffic.conf: IP whitelist rules for AVS (authorized vulnerability scanners)
modsecurity_crs_13_xml_enabler.conf: enables XML parsing of the request body
modsecurity_crs_16_authentication_tracking.conf: logs successful and failed login requests
modsecurity_crs_16_session_hijacking.conf: session hijacking detection
modsecurity_crs_16_username_tracking.conf: password complexity checks
modsecurity_crs_25_cc_known.conf: credit card validation
modsecurity_crs_42_comment_spam.conf: comment spam detection
modsecurity_crs_43_csrf_protection.conf: works together with modsecurity_crs_16_session_hijacking.conf and uses the content-injection action append to inject a CSRF token
modsecurity_crs_46_av_scanning.conf: virus scanning via an external script
modsecurity_crs_47_skip_outbound_checks.conf: complement to modsecurity_crs_10_ignore_static.conf
modsecurity_crs_49_header_tagging.conf: injects WAF rule hits into the request headers via the Apache RequestHeader directive so downstream applications can act on them
modsecurity_crs_55_marketing.conf: logs MSN/Google/Yahoo robot activity
modsecurity_crs_11_brute_force.conf: brute-force protection rules
modsecurity_crs_11_dos_protection.conf: DoS protection rules
modsecurity_crs_11_proxy_abuse.conf: checks whether X-Forwarded-For carries a malicious proxy IP; IP blacklist
modsecurity_crs_11_slow_dos_protection.conf: slow HTTP DoS attack rules
modsecurity_crs_25_cc_track_pan.conf: detects credit card data in the response body
modsecurity_crs_40_http_parameter_pollution.conf: parameter pollution detection
modsecurity_crs_42_csp_enforcement.conf: CSP security policy settings
modsecurity_crs_48_bayes_analysis.conf: uses an external script to apply Bayesian analysis to HTTP requests, separating normal from malicious ones
modsecurity_crs_55_response_profiling.conf: uses an external script to replace malicious content in the response body with nothing
modsecurity_crs_56_pvi_checks.conf: uses an external script to check whether REQUEST_FILENAME appears in the OSVDB vulnerability database
modsecurity_crs_61_ip_forensics.conf: uses an external script to collect domain, GEO and other information about the IP
modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf: AppSensor detection point setup file