• 开源WAF工具ModSecurity


    0 前言

      ModSecurity是一个开源的跨平台Web应用程序防火墙(WAF)引擎,用于Apache,IIS和Nginx,由Trustwave的SpiderLabs开发。作为WAF产品,ModSecurity专门关注HTTP流量,当发出HTTP请求时,ModSecurity检查请求的所有部分,如果请求是恶意的,它会被阻止和记录。  

    优势

    完美兼容nginx,是nginx官方推荐的WAF
    支持OWASP规则
    3.0版本比老版本更新更快,更加稳定,并且得到了nginx、Inc和Trustwave等团队的积极支持
    免费

    功能

    复制代码
    SQL Injection (SQLi):阻止SQL注入
    Cross Site Scripting (XSS):阻止跨站脚本攻击
    Local File Inclusion (LFI):阻止利用本地文件包含漏洞进行攻击
    Remote File Inclusione(RFI):阻止利用远程文件包含漏洞进行攻击
    Remote Code Execution (RCE):阻止利用远程命令执行漏洞进行攻击
    PHP Code Injectiod:阻止PHP代码注入
    HTTP Protocol Violations:阻止违反HTTP协议的恶意访问
    HTTPoxy:阻止利用远程代理感染漏洞进行攻击
    Shellshock:阻止利用Shellshock漏洞进行攻击
    Session Fixation:阻止利用Session会话ID不变的漏洞进行攻击
    Scanner Detection:阻止黑客扫描网站
    Metadata/Error Leakages:阻止源代码/错误信息泄露
    Project Honey Pot Blacklist:蜜罐项目黑名单
    GeoIP Country Blocking:根据判断IP地址归属地来进行IP阻断
    复制代码

    劣势

    不支持检查响应体的规则,如果配置中包含这些规则,则会被忽略,nginx的的sub_filter指令可以用来检查状语从句:重写响应数据,OWASP中相关规则是95X。
    不支持OWASP核心规则集DDoS规则REQUEST-912-DOS- PROTECTION.conf,nginx本身支持配置DDoS限制
    不支持在审计日志中包含请求和响应主体

      以上内容摘自:ModSecurity:一款优秀的开源WAF

    00 Preface

      本篇介绍如何在CentOS7.6上安装ModSecurity。上面的给出的链接内容比较杂乱,故重新整理以记录。

    安装

    安装nginx

      如果有nginx,可忽略;如果没有请参考:RHEL/CentOS 安装最新版Nginx

    安装依赖

    # yum install epel-release -y
    # yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre pcre-devel libxml2 libxml2-devel autoconf automake lmdb-devel ssdeep-devel ssdeep-libs lua-devel libmaxminddb-devel git apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev ibpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev -y

    编译ModSecurity

      我们用的是v3版本,我们在/opt目录下进行安装。

    复制代码
    # cd /opt/    # 切换到/opt
    # git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity    # 下载
    # cd ModSecurity/
    # git submodule init      # 初始化
    # git submodule update    # 更新
    # ./build.sh
    # ./configure
    # make
    # make install
    复制代码

    【注】在执行build.sh会出现如下错误,可忽略。

    fatal: No names found, cannot describe anything

    ModSecurity-nginx连接器

      我们现在需要将ModSecurity-nginx编入。

    # cd /opt/
    # git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
    复制代码
    # nginx -v            # 查看当前nginx版本
    nginx version: nginx/1.17.5
    # wget http://nginx.org/download/nginx-1.17.5.tar.gz
    # tar -xvf nginx-1.17.5.tar.gz
    # ls
    ModSecurity  ModSecurity-nginx  nginx-1.17.5  nginx-1.17.5.tar.gz
    # cd nginx-1.17.5/
    # ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx      # 如果出现不兼容的问题,请去掉--with-compat参数
    # make modules                                  # 会生成如下*.so
    # ls ./objs/ngx_http_modsecurity_module.so 
    ./objs/ngx_http_modsecurity_module.so       # 查看
    # cp ./objs/ngx_http_modsecurity_module.so /etc/nginx/modules/   
    # 移动位置
    复制代码
    # vim /etc/nginx/nginx.conf        
    load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;     # 添加到配置文件首行
    # nginx -t                                     # 测试通过
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful

    测试

    ECHO测试 

      新增配置文件:/etc/nginx/conf.d/echo.conf :

    复制代码
    # service nginx start   # 启动nginx
    Redirecting to /bin/systemctl start nginx.service
    # vim /etc/nginx/conf.d/echo.conf 
    server {
        listen localhost:8085;
        location / {
            default_type text/plain;
            return 200 "Thank you for requesting ${request_uri}\n";
        }
    }
    # nginx -s reload    # 重载配置
    # nginx -t        # 检测
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    复制代码
    复制代码
    [root@localhost ~]# curl -D - http://localhost:8085
    HTTP/1.1 200 OK
    Server: nginx/1.17.5
    Date: Mon, 18 Nov 2019 05:35:40 GMT
    Content-Type: text/plain
    Content-Length: 27
    Connection: keep-alive
    
    Thank you for requesting /
    [root@localhost ~]# curl -D - http://localhost:8085/notexist
    HTTP/1.1 200 OK
    Server: nginx/1.17.5
    Date: Mon, 18 Nov 2019 05:35:49 GMT
    Content-Type: text/plain
    Content-Length: 35
    Connection: keep-alive
    
    Thank you for requesting /notexist
    复制代码

      可以看到正常echo。

    配置反向代理

      新增配置文件:/etc/nginx/conf.d/proxy.conf ,内容如下:

    复制代码
    [root@localhost ~]# cat /etc/nginx/conf.d/proxy.conf 
    server {
        listen 80;
        location / {
            proxy_pass http://localhost:8085;
            proxy_set_header Host $host;
        }
    }
    复制代码

      因为正常安装后,nginx是有默认配置的:/etc/nginx/conf.d/default.conf,这个会影响到上面的正常生效。

    [root@localhost ~]# mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak
    [root@localhost ~]# nginx -s reload
    [root@localhost ~]# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    复制代码
    [root@localhost ~]# curl -D - http://localhost
    HTTP/1.1 200 OK
    Server: nginx/1.17.5
    Date: Mon, 18 Nov 2019 05:43:05 GMT
    Content-Type: text/plain
    Content-Length: 27
    Connection: keep-alive
    
    Thank you for requesting /
    [root@localhost ~]# curl -D - http://localhost/noexist
    HTTP/1.1 200 OK
    Server: nginx/1.17.5
    Date: Mon, 18 Nov 2019 05:44:06 GMT
    Content-Type: text/plain
    Content-Length: 34
    Connection: keep-alive
    
    Thank you for requesting /noexist
    [root@localhost ~]# 
    复制代码

      可以看到访问默认的80端口,会反向代理到8085端口。

    启用WAF

      配置NGINX WAF以通过阻止某些请求来保护演示web应用程序。

    [root@localhost ~]# mkdir /etc/nginx/modsec
    [root@localhost ~]# cd /etc/nginx/modsec
    [root@localhost modsec]# sudo wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
    [root@localhost modsec]# sudo mv modsecurity.conf-recommended modsecurity.conf

      修改modsecurity.conf配置文件

    [root@localhost modsec]# vim  modsecurity.conf 
    # -- Rule engine initialization ----------------------------------------------
    ... SecRuleEngine On <== 设置为On

      修改nginx waf配置文件:/etc/nginx/modsec/main.conf ,添加响应规则。

    # cat /etc/nginx/modsec/main.conf 
    # Include the recommended configuration
    Include /etc/nginx/modsec/modsecurity.conf
    # A test rule
    SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"
    • Include:包括modsecurity.conf文件中建议的配置。
    • SecRule:创建一个规则,当查询字符串中的testparam参数包含字符串test时,通过阻止请求并返回状态代码403来保护应用程序。

      修改nginx配置文件,来启用WAF防护。

    复制代码
    # cat /etc/nginx/conf.d/proxy.conf 
    server {
        listen 80;
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;
        location / {
            proxy_pass http://localhost:8085;
            proxy_set_header Host $host;
        }
    }
    复制代码
    • modsecurity on:启用Nginx WAF;
    • modsecurity_rules_file:指定规则文件路径。
    [root@localhost modsec]# cp /opt/ModSecurity/unicode.mapping /etc/nginx/modsec/    # 需要先拷贝下unicode.mapping文件
    [root@localhost modsec]# nginx -s reload        # 重载配置
    [root@localhost modsec]# nginx -t            # 测试
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful

      测试参数中带有test,会被禁止。

    复制代码
    [root@localhost modsec]# curl -D - http://localhost/foo?testparam=thisisatestofmodsecurity
    HTTP/1.1 403 Forbidden
    Server: nginx/1.17.5
    Date: Mon, 18 Nov 2019 05:59:10 GMT
    Content-Type: text/html
    Content-Length: 153
    Connection: keep-alive
    
    <html>
    <head><title>403 Forbidden</title></head>
    <body>
    <center><h1>403 Forbidden</h1></center>
    <hr><center>nginx/1.17.5</center>
    </body>
    </html>
    复制代码

    日志记录功能

      修改nginx配置文件:/etc/nginx/nginx.conf,

    复制代码
    # vim /etc/nginx/nginx.conf 
    load_module /opt/nginx-1.17.5/objs/ngx_http_modsecurity_module.so;    # 加载模块
    user  nginx;
    worker_processes  1;
    
    error_log  /var/log/nginx/error.log info;      # 将错误日志设置为info级别
    复制代码
    复制代码
    [root@localhost modsec]# nginx -s reload       # 重载配置
    [root@localhost modsec]# nginx -t           # 测试
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    [root@localhost modsec]# curl -D - http://localhost/foo?testparam=thisisatestofmodsecurity      # 再次访问
    HTTP/1.1 403 Forbidden
    Server: nginx/1.17.5
    Date: Mon, 18 Nov 2019 06:02:09 GMT
    Content-Type: text/html
    Content-Length: 153
    Connection: keep-alive
    
    <html>
    <head><title>403 Forbidden</title></head>
    <body>
    <center><h1>403 Forbidden</h1></center>
    <hr><center>nginx/1.17.5</center>
    </body>
    </html>
    [root@localhost modsec]# tail -5 /var/log/nginx/error.log       # 查看错误日志文件
    2019/11/18 14:01:57 [notice] 24845#24845: worker process 25847 exited with code 0
    2019/11/18 14:01:57 [notice] 24845#24845: signal 29 (SIGIO) received
    2019/11/18 14:01:59 [notice] 25880#25880: ModSecurity-nginx v1.0.0 (rules loaded inline/local/remote: 0/7/0)
    2019/11/18 14:02:09 [error] 25879#25879: *11 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `thisisatestofmodsecurity' ) [file "/etc/nginx/modsec/main.conf"] [line "4"] [id "1234"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/foo"] [unique_id "157405692985.199277"] [ref "o7,4v19,24"], client: 127.0.0.1, server: , request: "GET /foo?testparam=thisisatestofmodsecurity HTTP/1.1", host: "localhost"
    2019/11/18 14:02:09 [info] 25879#25879: *11 client 127.0.0.1 closed keepalive connection
    复制代码

    参考

  • 相关阅读:
    【原创】大叔经验分享(53)kudu报错unable to find SASL plugin: PLAIN
    【原创】大叔经验分享(52)ClouderaManager修改配置报错
    【原创】大数据基础之Impala(3)部分调优
    【原创】大数据基础之Kudu(3)primary key
    【原创】大叔经验分享(51)docker报错Exited (137)
    【原创】大数据基础之Logstash(5)监控
    【原创】大数据基础之Logstash(4)高可用
    【原创】Linux基础之vi&vim基础篇
    【原创】大叔经验分享(50)hue访问mysql(librdbms)
    【原创】大叔经验分享(49)hue访问hdfs报错/hue访问oozie editor页面卡住
  • 原文地址:https://www.cnblogs.com/chinasoft/p/15800007.html
Copyright © 2020-2023  润新知