开源WAF:ModSecurity探究与部署
零、防火墙
观察nginx日志发现恶意扫描 什么/shell #$%*
调研方案很多,但部分收费,收费的功能多但也比较耗费服务器,这里使用经典的web防火墙ModSecurity3
一、ModSecurity3.0介绍
ModSecurity是一个开源的跨平台Web应用程序防火墙(WAF)引擎,用于Apache,IIS和Nginx,由Trustwave的SpiderLabs开发。作为WAF产品,ModSecurity专门关注HTTP流量,当发出HTTP请求时,ModSecurity检查请求的所有部分,如果请求是恶意的,它会被阻止和记录。
优势:
完美兼容nginx,是nginx官方推荐的WAF
支持OWASP规则
3.0版本比老版本更新更快,更加稳定,并且得到了nginx、Inc和Trustwave等团队的积极支持
免费
ModSecurity的功能:
SQL Injection (SQLi):阻止SQL注入
Cross Site Scripting (XSS):阻止跨站脚本攻击
Local File Inclusion (LFI):阻止利用本地文件包含漏洞进行攻击
Remote File Inclusione(RFI):阻止利用远程文件包含漏洞进行攻击
Remote Code Execution (RCE):阻止利用远程命令执行漏洞进行攻击
PHP Code Injectiod:阻止PHP代码注入
HTTP Protocol Violations:阻止违反HTTP协议的恶意访问
HTTPoxy:阻止利用远程代理感染漏洞进行攻击
Shellshock:阻止利用Shellshock漏洞进行攻击
Session Fixation:阻止利用Session会话ID不变的漏洞进行攻击
Scanner Detection:阻止黑客扫描网站
Metadata/Error Leakages:阻止源代码/错误信息泄露
Project Honey Pot Blacklist:蜜罐项目黑名单
GeoIP Country Blocking:根据判断IP地址归属地来进行IP阻断
劣势:
不支持检查响应体的规则,如果配置中包含这些规则,则会被忽略,nginx的的sub_filter指令可以用来检查状语从句:重写响应数据,OWASP中相关规则是95X。
不支持OWASP核心规则集DDoS规则REQUEST-912-DOS- PROTECTION.conf,nginx本身支持配置DDoS限制
不支持在审计日志中包含请求和响应主体
二、安装部署
#已安装nginx(apt-get install nginx)
#安装依赖
apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev
编译安装modSecurityLib
#克隆GitHub存储库:
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
#编译安装源代码
cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
make install
cd ..
#注意:安装中有报错fatal: No names found, cannot describe anything.是正常现象
NGINX连接器
#下载用于ModSecurity的NGINX连接器:
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
#确定哪个版本的NGINX是运行在主机上的ModSecurity模块将加载:
nginx -v
#nginx version: nginx/1.17.3
#下载与安装版本对应的源代码:
wget http://nginx.org/download/nginx-1.17.3.tar.gz
tar zxvf nginx-1.17.3.tar.gz
#编译动态模块,复制到模块标准目录:
cd nginx-1.17.3
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
make modules
cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules/
#将以下load_module指令添加到/etc/nginx/nginx.conf的main中:
load_module modules/ngx_http_modsecurity_module.so;
#确定nginx模块加载成功:
nginx -t
三、配置 开启 并测试防护效果
#接口能正常返回
curl -D - http://localhost/foo?testparam=123
配置文件
mkdir /etc/nginx/modsec
#使用推荐的ModSecurity配置文件
cp ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
cp ModSecurity/unicode.mapping /etc/nginx/modsec
#更改配置中的SecRuleEngine指令,将默认的仅检测模式更改为主动丢弃恶意流量。
sed -i ‘s/SecRuleEngine DetectionOnly/SecRuleEngine On/’ /etc/nginx/modsec/modsecurity.conf
配置
#创建ModSecurity的主配置文件
#vim /etc/nginx/modsec/main.conf
#内容如下
#Include the recommended configuration
Include /etc/nginx/modsec/modsecurity.conf
#A test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"
开启 并添加配置文件 到/etc/nginx/nginx.conf
server {
# …
#隐藏版本信息
server_tokens off;
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
}
测试
nginx -s reload #重新加载nginx
curl -D - http://localhost/foo?testparam=test #则返回"403 Forbidden",说明前面配置的那条modsecuriy规则生效了,并阻拦了testparam参数中带test的请求
#在/var/log/nginx/error.log中可以看到拦截的详细日志
部署OWASP规则--CRS(Core Rule Set)
https://coreruleset.org/docs/deployment/install/
#在此之前复现没有拦截的样子 下面请求正常返回
curl -D - http://localhost?foo=/etc/passwd&bar=/bin/sh
#下载OWASP CRS 仓库更新了 独立出去了coreruleset
#wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.2.tar.gz
wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz
#安装规则
mkdir /etc/crs4
tar -xzvf v4.0.0.tar.gz --strip-components 1 -C /etc/crs4
#配置
cd /etc/crs4
mv crs-setup.conf.example crs-setup.conf
#在modsecurity主配置文件中include CRS的配置和规则
vim /etc/nginx/modsec/main.conf
#内容如下
#Include the recommended configuration
Include /etc/nginx/modsec/modsecurity.conf
#OWASP CRS v3 rules
Include /etc/crs4/crs-setup.conf
Include /etc/crs4/rules/*.conf
#测试CRS
nginx -s reload #重新加载nginx配置
curl -D - http://localhost?foo=/etc/passwd&bar=/bin/sh #则返回"403 Forbidden",说明配置的规则生效了阻拦请求
拦截日志 tail -f /var/log/modsec_audit.log
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:foo' (Value: `/etc/passwd' ) [file "/etc/crs4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "97"] [id "930120"] [rev ""] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:foo: /etc/passwd"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname " 172.129.15.195"] [uri "/"] [unique_id "172178055710.904907"] [ref "o1,10v16,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin"]
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:bar' (Value: `/bin/sh' ) [file "/etc/crs4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "556"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/sh found within ARGS:bar: /bin/sh"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname " 172.129.15.195"] [uri "/"] [unique_id "172178055710.904907"] [ref "o1,10v16,11t:cmdLine,t:normalizePatho1,6v32,7t:cmdLine,t:normalizePath"]
ModSecurity: Access denied with code 302 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `15' ) [file "/etc/crs4/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname " 172.129.15.195"] [uri "/"] [unique_id "172178055710.904907"] [ref ""]
也可以使用扫描库nikto进行测试
git clone https://github.com/sullo/nikto
Cloning into 'nikto'...
cd nikto
perl program/nikto.pl -h localhost
- Nikto v2.1.6
...
+ 7531 requests: 0 error(s) and 324 item(s) reported on remote host
参考链接:
https://www.cnblogs.com/zgq123456/articles/17714325.html
https://blog.nginx.org/blog/compiling-and-installing-modsecurity-for-open-source-nginx
https://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-owasp-crs/
https://github.com/owasp-modsecurity/ModSecurity
https://github.com/owasp-modsecurity/ModSecurity-nginx
