Using nginx with ModSecurity to build a WAF

I. Preparation

System: CentOS 7.2 64-bit, nginx 1.10.2, ModSecurity 2.9.1, OWASP CRS 3.0

1. nginx: http://nginx.org/download/nginx-1.10.2.tar.gz

2. ModSecurity for nginx: https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz

3. OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

4. OWASP rule set download: https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0/master.zip

(yum install unzip && unzip master.zip)

Dependencies:

nginx depends on: pcre, zlib, openssl

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel    (all already installed on this machine)

ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

tar zxvf modsecurity-2.9.1.tar.gz
cd modsecurity-2.9.1
./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make    # no make install here

III. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module is added to nginx at configure time with "--add-module":

./configure <the arguments reported by nginx -V> --add-module=/usr/local/src/modsecurity-2.9.1/nginx/modsecurity/
make
make install    # if nginx is already installed, do NOT run make install; follow the nginx graceful-upgrade article instead

IV. Add rules

ModSecurity filters and blocks dangerous web traffic, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
(or: wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0/master.zip && unzip master.zip)
cp -r owasp-modsecurity-crs-3.0-master/ /usr/local/nginx/conf/owasp-modsecurity-crs    # move into the nginx conf directory
cd /usr/local/nginx/conf/owasp-modsecurity-crs
cp crs-setup.conf.example crs-setup.conf    # copy the template configuration
cp /usr/local/src/modsecurity-2.9.1/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf    # copy and rename the recommended config
cp /usr/local/src/modsecurity-2.9.1/unicode.mapping /usr/local/nginx/conf/    # copy the unicode mapping file

2. Enable the OWASP rules

owasp-modsecurity-crs contains several directories of rule files. Enable the ones you need: each rule file that should be active is pulled in with an Include line.

vi /usr/local/nginx/conf/modsecurity.conf    # edit and append

SecRuleEngine DetectionOnly    (change this line to: SecRuleEngine On)

#Include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
#Include owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
#Include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
#Include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
#Include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
#Include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
#Include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
#Include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
#Include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
#Include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf

:wq!    # save and quit
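As an added check (not part of the original post), the following Python script parses a modsecurity.conf like the one edited above and reports whether SecRuleEngine is On and which CRS files are actually included. It also flags two files the official instructions in section VIII require but the list above leaves out: crs-setup.conf (rule 901001 in REQUEST-901 denies every request with a 500 if it was not loaded) and REQUEST-901-INITIALIZATION.conf (which seeds the anomaly-score thresholds REQUEST-949 compares against); the sample config is constructed.

```python
import re

# Constructed sample mirroring the modsecurity.conf edited above (not the post's file verbatim).
SAMPLE_MODSEC_CONF = """\
SecRuleEngine On
SecRequestBodyAccess On
#Include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
#Include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
"""

# Files CRS 3 needs before any detection rule can score or block: crs-setup.conf (rule 901001 in
# REQUEST-901 denies every request with a 500 if it was not loaded) and REQUEST-901-INITIALIZATION.conf
# (seeds the TX anomaly-score thresholds that REQUEST-949 compares against).
REQUIRED = ("crs-setup.conf", "REQUEST-901-INITIALIZATION.conf")

INCLUDE = re.compile(r"(#\s*)?Include\s+(\S+)")

def parse_modsec_conf(text):
    """Return (SecRuleEngine value, active Include targets, commented-out Include targets)."""
    engine, active, disabled = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = INCLUDE.match(line)
        if m:                                   # a leading '#' means the Include is disabled
            (disabled if m.group(1) else active).append(m.group(2))
        elif line.startswith("SecRuleEngine"):
            parts = line.split()
            engine = parts[1] if len(parts) > 1 else ""
    return engine, active, disabled

def lint(text):
    """Findings that would leave the WAF logging only, or scoring without ever blocking."""
    engine, active, _ = parse_modsec_conf(text)
    names = [path.rsplit("/", 1)[-1] for path in active]
    findings = []
    if engine != "On":
        findings.append(f"SecRuleEngine is {engine!r}: rules only log, nothing is blocked")
    for req in REQUIRED:
        if req not in names:
            findings.append(f"{req} is not included")
    if "REQUEST-949-BLOCKING-EVALUATION.conf" not in names:
        findings.append("REQUEST-949-BLOCKING-EVALUATION.conf is not included: anomaly scores never turn into a 403")
    return findings
```

Run lint() over the real /usr/local/nginx/conf/modsecurity.conf after editing; an empty list means the engine blocks and the CRS scoring chain is complete.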

V. Configure nginx to use ModSecurity

In each location of the virtual host that should be protected, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host (the two server blocks are two variants of the same host; use one of them):

server {
    listen      80;
    server_name localhost;
    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        root           /web/wordpress;
        index          index.php index.html index.htm;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;    # nginx variable names are lowercase
        include        fastcgi_params;
    }
}

server {
    listen       80;
    server_name  localhost;
    location / {
        root   html;
        index  index.php index.html index.htm;
    }
    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        root           html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Second, an upstream load-balancing host:

upstream online {    # the name must match the proxy_pass target below
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

After the configuration is in place, restart nginx.

If you get the compatibility error "ModSecurity: Loaded PCRE do not match with compiled!", see the article "Fixing the compatibility problem when restarting nginx with ModSecurity: ModSecurity: Loaded PCRE do not match with compiled!" at http://www.cnblogs.com/sanduzxcvbnm/p/6128174.html

VI. Testing

We enabled the XSS and SQL-injection filters, so malformed requests are answered directly with 403. Using a PHP environment as the example, create phpinfo.php with the content:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://ip/phpinfo.php/?id=1                                     displays normally.
http://ip/phpinfo.php/?id=1 and 1=1                             returns 403.
http://ip/phpinfo.php/?search=<script>alert('xss');</script>    returns 403.

This shows that SQL injection and XSS are being filtered; the audit log /var/log/modsec_audit.log contains the details of each blocked request.
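To triage that audit log without reading it by hand, here is an added Python parser (not from the original post) for ModSecurity's serial audit-log layout: it splits each transaction into its lettered sections and pulls out the client, request line, status, the CRS rule ids that fired and whether the request was actually intercepted. The two log entries embedded in the script are constructed samples modelled on the test above.

```python
import re

# Constructed serial-format sample (not from a live server): a blocked SQLi probe like the test above,
# then a plain 404 that was logged only because its status matched SecAuditLogRelevantStatus.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[26/Jan/2015:04:15:42 +0800] AcAcAcAcAcAcAcA4DcA7AcAc 10.11.15.161 50412 192.168.1.10 80
--1a2b3c4d-B--
GET /phpinfo.php/?id=1%20and%201=1 HTTP/1.1
--1a2b3c4d-F--
HTTP/1.1 403 Forbidden
--1a2b3c4d-H--
Message: Warning. detected SQLi using libinjection. [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--1a2b3c4d-Z--
--9f8e7d6c-A--
[26/Jan/2015:04:16:01 +0800] BcBcBcBcBcBcBcB4DcB7BcBc 10.11.15.162 50413 192.168.1.10 80
--9f8e7d6c-B--
GET /missing.html HTTP/1.1
--9f8e7d6c-F--
HTTP/1.1 404 Not Found
--9f8e7d6c-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")        # --<txid>-<section letter>--
RULE_HIT = re.compile(r'\[id "(\d+)"\].*?\[msg "([^"]*)"\]')   # (rule id, msg) inside a Message: line

def parse_audit_log(text):
    """Split serial audit-log text into one dict per transaction, sections keyed by their letter."""
    entries, current, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            tx_id, part = m.groups()
            if part == "A":                     # A opens a transaction, Z closes it
                current = {"tx": tx_id, "sections": {}}
                entries.append(current)
        elif current is not None:
            current["sections"].setdefault(part, []).append(line)
    return entries

def summarize(entries):
    """Per transaction: client IP, request line, HTTP status, CRS rules that fired, intercepted or not."""
    rows = []
    for s in (e["sections"] for e in entries):
        a, f, h = s.get("A", [""])[0].split(), s.get("F", [""])[0].split(), s.get("H", [])
        rows.append({"client": a[3] if len(a) > 3 else "", "request": s.get("B", [""])[0],
                     "status": int(f[1]) if len(f) > 1 else None,
                     "rules": [hit for ln in h if ln.startswith("Message:") for hit in RULE_HIT.findall(ln)],
                     "blocked": any(ln.startswith("Action: Intercepted") for ln in h)})
    return rows
```

The "Action: Intercepted" line is what separates a real block from a request that only landed in the log because its status matched SecAuditLogRelevantStatus; counting the rule ids of intercepted transactions (for example with collections.Counter) gives the list to examine first for false positives.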

VII. Troubleshooting the installation

1. APXS missing

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing (watch the version; ideally build the latest release from source)

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /usr/local/nginx/sbin/nginx -t

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr
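An added Python helper (not from the original post) that reads the version notices above out of error.log and reports which library's runtime version differs from the compiled one; the PCRE line shows why the comparison must look only at the leading version number. The log excerpt embedded in the script is copied from the notices above.

```python
import re

# error.log excerpt copied from the notices above; embedded here so the script runs offline.
SAMPLE_ERROR_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
"""

# <LIB> compiled version="x"; loaded version="y"   (the loaded part is absent for LIBXML)
VERSION_LINE = re.compile(r'ModSecurity: (\w+) compiled version="([^"]*)"(?:; loaded version="([^"]*)")?')

def version_number(s):
    """Leading dotted number only: PCRE prints '7.8 ' vs '7.8 2008-09-05', which is not a mismatch."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", s)
    return m.group(1) if m else s.strip()

def library_versions(log_text):
    """Map library name -> (compiled, loaded); loaded is None when ModSecurity prints only one version."""
    found = {}
    for line in log_text.splitlines():
        m = VERSION_LINE.search(line)
        if m:
            lib, compiled, loaded = m.groups()
            found[lib] = (compiled, loaded)
    return found

def mismatches(log_text):
    """Libraries whose runtime version differs from the one ModSecurity was built against."""
    return {lib: (c, l) for lib, (c, l) in library_versions(log_text).items()
            if l is not None and version_number(c) != version_number(l)}
```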

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

VIII. Official description (from the CRS README)

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.

The Core Rule Set provides protection against many common attack categories, including:

  • SQL Injection (SQLi)
  • Cross Site Scripting (XSS)
  • Local File Inclusion (LFI)
  • Remote File Inclusion (RFI)
  • Remote Code Execution (RCE)
  • PHP Code Injection
  • HTTP Protocol Violations
  • HTTPoxy
  • Shellshock
  • Session Fixation
  • Scanner Detection
  • Metadata/Error Leakages
  • Project Honey Pot Blacklist
  • GeoIP Country Blocking

The Core Rule Set is free software, distributed under Apache Software License version 2.

New Features in CRS 3

CRS 3 includes many coverage improvements, plus the following new features:

  • Over 90% reduction of false alerts in a default install
  • A user-defined Paranoia Level to enable additional strict checks
  • Application-specific exclusions for WordPress Core and Drupal
  • Sampling mode runs the CRS on a user-defined percentage of traffic
  • SQLi/XSS parsing using libinjection embedded in ModSecurity

For a full list of changes in this release, see the CHANGES document.

Installation

CRS 3 requires an Apache/IIS/Nginx web server with ModSecurity 2.8.0 or higher.

Our GitHub repository is the preferred way to download and update CRS.

HTTPS: git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

SSH:   git clone git@github.com:SpiderLabs/owasp-modsecurity-crs.git

After download, copy crs-setup.conf.example to crs-setup.conf. Optionally edit this file to configure your CRS settings. Then include the files in your webserver configuration:

Include /.../crs-setup.conf
Include /.../rules/*.conf

For detailed installation instructions, see the INSTALL document. Also review the CHANGES and KNOWN_BUGS documents.

You can update the rule set using the included script util/upgrade.py.

Handling False Positives and Advanced Features

Advanced features are explained in the crs-setup.conf and the rule files themselves. The crs-setup.conf file is generally a very good entry point to explore the features of the CRS.

We are trying hard to reduce the number of false positives (false alerts) in the default installation. But sooner or later, you may encounter false positives nevertheless.

Christian Folini's tutorials on installing ModSecurity, configuring the CRS and handling false positives provide in-depth information on these topics.

Community

We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.

IX. Rule set description

9.1 Base rule set (the file names below follow the CRS 2.x layout, which differs from the 3.0 files included above)

modsecurity_crs_20_protocol_violations.conf: rules for HTTP protocol compliance
modsecurity_crs_21_protocol_anomalies.conf: rules for HTTP protocol anomalies
modsecurity_crs_23_request_limits.conf: rules limiting HTTP request sizes and lengths
modsecurity_crs_30_http_policy.conf: HTTP protocol whitelist rules
modsecurity_crs_35_bad_robots.conf: malicious scanner and crawler rules
modsecurity_crs_40_generic_attacks.conf: common attacks such as command execution, code execution, injection, file inclusion, sensitive information disclosure, session fixation and HTTP response splitting
modsecurity_crs_41_sql_injection_attacks.conf: SQL injection rules (there is even a rule for MongoDB injection; very complete)
modsecurity_crs_41_xss_attacks.conf: XSS rules
modsecurity_crs_42_tight_security.conf: directory traversal rules
modsecurity_crs_45_trojans.conf: webshell rules
modsecurity_crs_47_common_exceptions.conf: Apache exception rules
modsecurity_crs_49_inbound_blocking.conf: coordinated-defence (anomaly scoring) rules
modsecurity_crs_50_outbound.conf: detects error messages, warnings and directory listings in the response body
modsecurity_crs_59_outbound_blocking.conf: coordinated-defence rules
modsecurity_crs_60_correlation.conf: coordinated-defence rules

9.2 SLR rule set

Derived from proofs of concept for specific applications, so these rules do not produce false positives. The detection first checks whether the requested file path appears in the data file; only if it does is the next test run, otherwise this rule set is skipped.

9.3 Optional rule set

modsecurity_crs_10_ignore_static.conf: rules exempting static files from WAF inspection
modsecurity_crs_11_avs_traffic.conf: IP whitelist for authorised vulnerability scanners (AVS)
modsecurity_crs_13_xml_enabler.conf: enables XML parsing of the request body
modsecurity_crs_16_authentication_tracking.conf: records successful and failed login requests
modsecurity_crs_16_session_hijacking.conf: session hijacking detection
modsecurity_crs_16_username_tracking.conf: password complexity checks
modsecurity_crs_25_cc_known.conf: credit card number validation
modsecurity_crs_42_comment_spam.conf: comment spam detection
modsecurity_crs_43_csrf_protection.conf: works together with modsecurity_crs_16_session_hijacking.conf; injects a CSRF token using the content-injection append action
modsecurity_crs_46_av_scanning.conf: virus scanning via an external script
modsecurity_crs_47_skip_outbound_checks.conf: complements modsecurity_crs_10_ignore_static.conf
modsecurity_crs_49_header_tagging.conf: injects WAF rule-hit information into the request headers via the Apache RequestHeader directive, for downstream applications to act on
modsecurity_crs_55_marketing.conf: records visits by the MSN/Google/Yahoo robots

9.4 Experimental rule set

modsecurity_crs_11_brute_force.conf: brute-force protection rules
modsecurity_crs_11_dos_protection.conf: DoS protection rules
modsecurity_crs_11_proxy_abuse.conf: checks whether X-Forwarded-For carries a malicious proxy IP (IP blacklist)
modsecurity_crs_11_slow_dos_protection.conf: Slow HTTP DoS rules
modsecurity_crs_25_cc_track_pan.conf: detects credit card data in the response body
modsecurity_crs_40_http_parameter_pollution.conf: HTTP parameter pollution detection
modsecurity_crs_42_csp_enforcement.conf: Content Security Policy settings
modsecurity_crs_48_bayes_analysis.conf: uses an external script to classify HTTP requests as normal or malicious with Bayesian analysis
modsecurity_crs_55_response_profiling.conf: uses an external script to blank out malicious content in the response body
modsecurity_crs_56_pvi_checks.conf: uses an external script to check REQUEST_FILENAME against the OSVDB vulnerability database
modsecurity_crs_61_ip_forensics.conf: uses an external script to gather domain, GEO and other information about an IP
modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf: AppSensor detection point setup file

Date: 2024-11-05 17:29:30
