
0x01 Preface

I recently scanned my site with AWVS and WPScan, which turned up a pile of findings, so I did a major upgrade of the server. This article is the result.

0x02 Preparation

Because of what my application environment needs, I create a working folder and download the following components into it:

Module               Purpose
lua-nginx-module     Lua support in nginx
nginx-ct             Enables Certificate Transparency
ModSecurity          The ModSecurity library itself, compiled from source
ModSecurity-nginx    Connector between ModSecurity and nginx

Install dependencies

yum install -y libxml2 libxslt-devel gperftools pcre-devel libuuid-devel libxslt* libblkid-devel libudev-devel fuse-devel libedit-devel perl-ExtUtils-Embed at gcc-c++ python subversion gperf make rpm-build git curl bzip2-devel libcurl-devel gd gd-devel t1lib t1lib-devel libmcrypt libmcrypt-devel libtidy libtidy-devel GeoIP-devel libatomic_ops-devel zlib-devel unzip libstdc++* net-snmp net-snmp* gmp gmp-devel openldap openldap-devel libpcap-devel glib2-devel GeoIP-devel libxml2-devel redis vim wget git htop iftop libtool make automake mlocate pam-devel unzip gcc screen iptables-services bash-completion* pcre-devel libxslt* perl-ExtUtils-Embed at python subversion gperf make rpm-build git curl bzip2-devel libcurl-devel gd t1lib t1lib-devel libmcrypt libmcrypt-devel libtidy libtidy-devel GeoIP-devel zlib-devel unzip libstdc++* net-snmp net-snmp* gmp gmp-devel openldap openldap-devel net-tools luajit

Create the folder

[root@web-dev ~] mkdir /opt/nginx

Enter the folder

[root@web-dev ~] cd /opt/nginx/

Download headers-more-nginx-module (ngx_http_headers_more_module)

[root@web-dev nginx] git clone https://github.com/openresty/headers-more-nginx-module.git

Download lua-nginx-module

[root@web-dev nginx] git clone https://github.com/openresty/lua-nginx-module.git
# Download nginx-ct
[root@web-dev nginx] git clone https://github.com/grahamedgecombe/nginx-ct.git

Download OpenSSL

[root@web-dev nginx] wget https://www.openssl.org/source/openssl-1.1.1q.tar.gz

Download ModSecurity

[root@web-dev nginx] git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
# Download ModSecurity-nginx
[root@web-dev nginx] git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

Download Nginx (the OpenResty bundle is used here)

[root@web-dev nginx] wget https://openresty.org/download/openresty-1.21.4.1.tar.gz
# Download the OWASP ModSecurity CRS
[root@web-dev nginx] git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

Finally, extract the downloaded archives:

Extract the nginx tarball and delete it

[root@web-dev nginx] tar -zxvf openresty-1.21.4.1.tar.gz && rm -f openresty-1.21.4.1.tar.gz

Extract the openssl tarball (the file name must match what was downloaded above)

[root@web-dev nginx] tar -zxvf openssl-1.1.1q.tar.gz && rm -f openssl-1.1.1q.tar.gz

In the end the directory contains these folders (the openssl directory in this listing comes from a 1.1.1c source archive; with the 1.1.1q tarball downloaded above it will be named openssl-1.1.1q):

[root@iztsvh228msdkjz nginx]# ll 
total 32
drwxr-xr-x 6 root root 4096 Sep 26 14:09 headers-more-nginx-module
drwxr-xr-x 11 root root 4096 Sep 26 14:20 lua-nginx-module
drwxr-xr-x 13 root root 4096 Sep 26 14:45 ModSecurity
drwxr-xr-x 6 root root 4096 Sep 26 14:45 ModSecurity-nginx
drwxr-xr-x 8 wordpress wordpress 4096 Apr 21 22:09 openresty-1.21.4.1
drwxr-xr-x 3 root root 4096 Sep 26 14:22 nginx-ct
drwxrwxr-x 18 root root 4096 May 28 2019 openssl-OpenSSL_1_1_1c
drwxr-xr-x 8 root root 4096 Sep 26 14:53 owasp-modsecurity-crs

0x03 Compile and install

0x03.1 Configure and install openssl

Configure (note that --prefix=/usr installs this OpenSSL's binary and headers into /usr alongside the distribution's OpenSSL packages; that is what lets the nginx build below pick it up without --with-openssl)

cd openssl-1.1.1q
./config --prefix=/usr

Compile and install

make && make install
ldconfig

Check the installed version

openssl version

0x03.2 ModSecurity library

First build the ModSecurity library: enter the ModSecurity source folder and run the following commands.

Enter the folder

[root@modsecurity openssl-OpenSSL_1_1_1c] cd /opt/nginx/ModSecurity

Initialize the submodules

[root@modsecurity ModSecurity] git submodule init 
Submodule 'bindings/python' (https://github.com/SpiderLabs/ModSecurity-Python-bindings.git) registered for path 'bindings/python'
Submodule 'others/libinjection' (https://github.com/client9/libinjection.git) registered for path 'others/libinjection'
Submodule 'test/test-cases/secrules-language-tests' (https://github.com/SpiderLabs/secrules-language-tests) registered for path 'test/test-cases/secrules-language-tests'

Update the submodules

[root@modsecurity ModSecurity] git submodule update 
Cloning into 'bindings/python'...
remote: Counting objects: 38, done.
remote: Total 38 (delta 0), reused 0 (delta 0), pack-reused 38
Unpacking objects: 100% (38/38), done.
Submodule path 'bindings/python': checked out 'bc625d5bb0bac6a64bcce8dc9902208612399348'
Cloning into 'others/libinjection'...
remote: Counting objects: 9937, done.
remote: Total 9937 (delta 0), reused 0 (delta 0), pack-reused 9937
Receiving objects: 100% (9937/9937), 5.45 MiB 1.24 MiB/s, done.
Resolving deltas: 100% (6083/6083), done.
Submodule path 'others/libinjection': checked out 'bf234eb2f385b969c4f803b35fda53cffdd93922'
Cloning into 'test/test-cases/secrules-language-tests'...
remote: Counting objects: 232, done.
remote: Total 232 (delta 0), reused 0 (delta 0), pack-reused 232
Receiving objects: 100% (232/232), 89.18 KiB 85.00 KiB/s, done.
Resolving deltas: 100% (131/131), done.
Submodule path 'test/test-cases/secrules-language-tests': checked out 'e6b03e46046ce9ce6dcfc0e6ad0820194e21db35'

When that finishes there is an executable build.sh in the repository root:

[root@eef51b ModSecurity] ll -h
total 172K
-rw-r--r-- 1 root root 202 Sep 23 18:53 AUTHORS
drwxr-xr-x 3 root root 20 Sep 23 18:53 bindings
drwxr-xr-x 2 root root 275 Sep 23 18:53 build
-rwxr-xr-x 1 root root 273 Sep 23 18:53 build.sh
-rw-r--r-- 1 root root 18K Sep 23 18:53 CHANGES
-rw-r--r-- 1 root root 17K Sep 23 18:53 configure.ac
drwxr-xr-x 2 root root 85 Sep 23 18:53 doc
drwxr-xr-x 7 root root 176 Sep 23 18:53 examples
drwxr-xr-x 3 root root 25 Sep 23 18:53 headers
-rw-r--r-- 1 root root 12K Sep 23 18:53 LICENSE
-rw-r--r-- 1 root root 18K Sep 23 18:53 Makefile.am
-rw-r--r-- 1 root root 10K Sep 23 18:53 modsecurity.conf-recommended
-rw-r--r-- 1 root root 377 Sep 23 18:53 modsecurity.pc.in
drwxr-xr-x 4 root root 78 Sep 23 18:53 others
-rw-r--r-- 1 root root 13K Sep 23 18:53 README.md
drwxr-xr-x 12 root root 4.0K Sep 23 18:53 src
drwxr-xr-x 9 root root 4.0K Sep 23 18:53 test
drwxr-xr-x 3 root root 44 Sep 23 18:53 tools
-rw-r--r-- 1 root root 52K Sep 23 18:53 unicode.mapping

Run build.sh

[root@modsecurity ModSecurity] ./build.sh
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `build'.
libtoolize: copying file `build/libtool.m4'
libtoolize: copying file `build/ltoptions.m4'
libtoolize: copying file `build/ltsugar.m4'
libtoolize: copying file `build/ltversion.m4'
libtoolize: copying file `build/lt~obsolete.m4'
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
configure.ac:44: installing './ar-lib'
configure.ac:119: installing './config.guess'
configure.ac:119: installing './config.sub'
configure.ac:39: installing './install-sh'
configure.ac:39: installing './missing'
parallel-tests: installing './test-driver'
examples/multiprocess_c/Makefile.am: installing './depcomp'
configure.ac: installing './ylwrap'
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.

During the build the following message is printed repeatedly; it can be ignored (it is git describe finding no tags in the shallow clone):

fatal: No names found, cannot describe anything.

Then configure, compile and install:

Configure, make, make install

./configure && make && make install

Once ModSecurity is compiled and installed, the nginx configure arguments can be prepared; they are given in the next section.

0x03.3 Compile and install Nginx

cd /opt/nginx/openresty-1.21.4.1/

configure

./configure --prefix=/usr/local/nginx/nginx --with-cc-opt=-O2 --with-ld-opt='-Wl,-rpath,/usr/local/nginx/luajit/lib -Wl,-E' --sbin-path=/usr/sbin/nginx --conf-path=/usr/local/nginx/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --with-http_gunzip_module --with-pcre --with-pcre-jit --with-http_perl_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-select_module --with-poll_module --with-file-aio --with-http_degradation_module --with-libatomic --http-client-body-temp-path=/var/tmp/nginx/client_body --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --add-dynamic-module=/opt/nginx/ModSecurity-nginx --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --add-dynamic-module=/opt/nginx/headers-more-nginx-module

Compile

make

Install

make install

Create the client body temp directory named in the configure arguments

mkdir -p /var/tmp/nginx/client_body

Finally, check the nginx version and the configure arguments:

[root@localhost nginx-1.18.0]# nginx -V
nginx version: nginx/1.18.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.1.1c 28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/nginx --with-cc-opt=-O2 --with-ld-opt='-Wl,-rpath,/usr/local/nginx/luajit/lib -Wl,-E' --sbin-path=/usr/sbin/nginx --conf-path=/usr/local/nginx/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --with-http_gunzip_module --with-pcre --with-pcre-jit --with-http_perl_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-select_module --with-poll_module --with-file-aio --with-http_degradation_module --with-libatomic --http-client-body-temp-path=/var/tmp/nginx/client_body --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --add-dynamic-module=/opt/nginx/ModSecurity-nginx --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --add-module=/opt/nginx/headers-more-nginx-module

0x03.4 Nginx and ModSecurity configuration

ModSecurity is very flexible: the directive that switches it on (ModSecurityEnabled in the older connector; modsecurity on/off in the v3 connector built here) can be placed in a server or location block, so you control exactly where ModSecurity is active. Below, nginx's default configuration file nginx.conf is modified. First add the following line at the top of the file (dynamic modules are installed under <prefix>/modules, i.e. /usr/local/nginx/nginx/modules for the --prefix used above):

load_module /usr/local/nginx/nginx/modules/ngx_http_modsecurity_module.so;

This makes nginx load the dynamic module; without it the ModSecurity directives below are not recognised. Then put the following two lines in the location block:

modsecurity on;
modsecurity_rules_file /usr/local/nginx/modsecurity/modsec_includes.conf;

That completes the changes to the nginx configuration file.

0x03.5 Preparing the ModSecurity configuration files

[root@iztsvh228msdkjz nginx] mkdir /usr/local/nginx/modsecurity
cp /opt/nginx/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/modsecurity/modsecurity.conf
cp /opt/nginx/owasp-modsecurity-crs/crs-setup.conf.example /usr/local/nginx/modsecurity/crs-setup.conf
cp -r /opt/nginx/owasp-modsecurity-crs/rules/ /usr/local/nginx/modsecurity/
cp /opt/nginx/ModSecurity/unicode.mapping /usr/local/nginx/modsecurity/unicode.mapping

Then create a file named modsec_includes.conf in /usr/local/nginx/modsecurity and fill it with the paths of modsecurity.conf and the OWASP ModSecurity CRS configuration files:

include /usr/local/nginx/modsecurity/modsecurity.conf
include /usr/local/nginx/modsecurity/crs-setup.conf
include /usr/local/nginx/modsecurity/rules/*.conf

In the end the directory contains these files:

[root@eef51b modsecurity] ll
total 108
-rw-r--r-- 1 root root 32931 Sep 24 19:31 crs-setup.conf
-rw-r--r-- 1 root root 156 Sep 24 19:23 modsec_includes.conf
-rw-r--r-- 1 root root 10199 Sep 24 19:30 modsecurity.conf
drwxr-xr-x 2 root root 4096 Sep 24 19:21 rules
-rw-r--r-- 1 root root 53146 Sep 24 19:32 unicode.mapping

0x03.6 Making ModSecurity actually block

Edit

vim /usr/local/nginx/modsecurity/modsecurity.conf

Change SecRuleEngine (the recommended file ships with DetectionOnly, which logs but never blocks)

SecRuleEngine On

Open crs-setup.conf

vim /usr/local/nginx/modsecurity/crs-setup.conf

Comment out the following lines

SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

Uncomment the following lines

SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
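The crs-setup.conf edit above can be scripted and verified instead of done by hand in vim. The following Python is an added example, not part of the original post or of the CRS project; the crs-setup.conf excerpt it operates on is constructed.

```python
import re

# Constructed excerpt of crs-setup.conf.example: the two stanzas the post edits by hand.
CRS_SETUP_EXCERPT = """\
# Default: detection only (log and pass)
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

# Uncomment to block with a 403 instead
#SecDefaultAction "phase:1,log,auditlog,deny,status:403"
#SecDefaultAction "phase:2,log,auditlog,deny,status:403"
"""

# Groups: 1 indent, 2 comment marker (if any), 3 whole directive, 4 phase, 5 action list.
DEFAULT_ACTION = re.compile(
    r'^([ \t]*)(#[ \t]*)?(SecDefaultAction[ \t]+"phase:(\d),([^"]*)")[ \t]*$', re.M)


def active_default_actions(text):
    """Return [(phase, actions)] for every SecDefaultAction that is not commented out."""
    return [(int(m.group(4)), m.group(5))
            for m in DEFAULT_ACTION.finditer(text) if not m.group(2)]


def set_blocking_mode(text):
    """Comment out every 'pass' SecDefaultAction and uncomment the 'deny' ones (idempotent)."""
    def rewrite(m):
        indent, directive, actions = m.group(1), m.group(3), m.group(5).split(",")
        return f"{indent}{directive}" if "deny" in actions else f"{indent}#{directive}"
    return DEFAULT_ACTION.sub(rewrite, text)


def blocking_enabled(text):
    """True only when phases 1 and 2 each have exactly one active SecDefaultAction and it denies.

    Two active directives for the same phase (the 'pass' line left uncommented) is ambiguous,
    so that case is reported as not enabled rather than silently accepted."""
    active = active_default_actions(text)
    for phase in (1, 2):
        entries = [a for p, a in active if p == phase]
        if len(entries) != 1 or "deny" not in entries[0].split(","):
            return False
    return True
```

Run blocking_enabled() on the real /usr/local/nginx/modsecurity/crs-setup.conf after editing; SecRuleEngine must also be On in modsecurity.conf, which this check does not cover.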

ModSecurity log file (the SecAuditLog path set in modsecurity.conf; logged and blocked transactions land here)

vim /var/log/modsec_audit.log
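The audit log at /var/log/modsec_audit.log is written in ModSecurity's serial format: each transaction is a sequence of parts delimited by ---<id>---<letter>-- lines, and the rules that matched are recorded in part H. The following Python is an added example, not code from the original post or from ModSecurity; it parses that format and reports, per transaction, which rules fired and whether the request was denied, using a constructed two-transaction sample.

```python
import re
# Constructed two-transaction sample in ModSecurity v3 serial audit-log format (rule ids and
# messages modelled on CRS v3). Request payloads are redacted; part H carries the rule metadata.
SAMPLE_AUDIT_LOG = """\
---Xk2a9bQ1---A--
[24/Sep/2022:19:40:01 +0800] 166400640112.345678 203.0.113.5 54321 198.51.100.10 443
---Xk2a9bQ1---B--
GET /?q=REDACTED HTTP/1.1
Host: example.test
---Xk2a9bQ1---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter" [file "/usr/local/nginx/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "64"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5'" [file "/usr/local/nginx/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"]
---Xk2a9bQ1---Z--
---Pq7m3cR8---A--
[24/Sep/2022:19:41:10 +0800] 166400647012.111111 203.0.113.9 40001 198.51.100.10 443
---Pq7m3cR8---B--
GET /wp-login.php HTTP/1.1
Host: 198.51.100.10
---Pq7m3cR8---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter" [file "/usr/local/nginx/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "100"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"]
---Pq7m3cR8---Z--
"""
BOUNDARY = re.compile(r"^---([A-Za-z0-9]+)---([A-Z])--$")   # ---<unique id>---<part letter>--
TAG = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')          # [key "value"] pairs in part H


def parse_audit_log(text):
    """Split the serial log into {transaction_id: {part_letter: part_body}}."""
    transactions, tx, part = {}, None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            tx, part = m.groups()
            transactions.setdefault(tx, {})[part] = []
        elif tx is not None:
            transactions[tx][part].append(line)
    return {t: {p: "\n".join(v).strip() for p, v in parts.items()}
            for t, parts in transactions.items()}


def summarize(transactions):
    """Per transaction: client IP (part A), request line (part B), rules hit (part H), denied?"""
    out = {}
    for tx, parts in transactions.items():
        a_fields = parts.get("A", "").split()  # [time tz] unique_id client_ip port server_ip port
        tags = [dict(TAG.findall(line)) for line in parts.get("H", "").splitlines()]
        out[tx] = {"client": a_fields[3] if len(a_fields) > 3 else None,
                   "request": parts.get("B", "").split("\n", 1)[0],
                   "rules": [(t["id"], t.get("msg", "")) for t in tags if "id" in t],
                   "denied": "Access denied" in parts.get("H", "")}
    return out
```

Feed the real file with summarize(parse_audit_log(open("/var/log/modsec_audit.log").read())); transactions with denied set are the ones the deny,status:403 default action stopped, and the rule ids of the others are where CRS false-positive tuning starts.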

0x03.7 Nginx configuration file changes

load_module /usr/local/nginx/nginx/modules/ngx_http_modsecurity_module.so;
http {
    server {
        listen 80;
        server_name localhost;
        rewrite ^(.*)$ https://$host$1 permanent;
        location / {
            # enable modsecurity
            modsecurity on;
            modsecurity_rules_file /usr/local/nginx/modsecurity/modsec_includes.conf;
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 443 ssl;
        server_name localhost;
        location / {
            modsecurity on;
            modsecurity_rules_file /usr/local/nginx/modsecurity/modsec_includes.conf;
            root /home/wwwroot/wordpress-1258894728.cos.ap-beijing.myqcloud.com;
            index index.html index.htm index.php;
        }
    }
}

As you can see, the WAF is now enabled on this site.