I have long wanted an open-source WAF. I looked at naxsi earlier and found it simple and easy to pick up, but it is updated very rarely! ModSecurity is harder to get started with, but its updates and support are much better!
Online articles and the official documentation all build a brand-new nginx from source, generating fresh configuration files and modules, usually placed under a self-chosen --prefix=/opt/nginx-<version>, and run it from the command line, for example: $ sudo /opt/nginx-1.18.0/sbin/nginx -c /opt/nginx-1.18.0/conf/nginx.conf
Normally I install nginx with a plain sudo apt install nginx; its configuration files and modules live under /etc/nginx, and it is run through service (or systemctl), for example: $ sudo service nginx reload
Starting from scratch would be no problem, but once you are used to the systemctl way, changing is painful!
So the two approaches have to be combined: build from source, then overwrite the nginx installed by sudo apt install nginx in place.
When learning, it is still best to follow the online articles and the official documentation; only once you are comfortable with that should you do the combined overwrite!
What is recorded here is the procedure for that combined upgrade.
Environment for this run
VirtualBox VM, Ubuntu Server 20.04
IP: 192.168.1.205
nginx pre-installed
$ nginx -v
nginx version: nginx/1.18.0
ModSecurity Chinese community
Official repository
SpiderLabs/ModSecurity-nginx
Compilation methods for different OS versions
Compilation recipes for v3.x
References
Step-by-step: building an enterprise-grade web firewall with ModSecurity 3.0 + Nginx
Basic usage of the OWASP ModSecurity Core Rule Set (CRS)
Download and install ModSecurity
Following "Compilation methods for different OS versions" above: Ubuntu 18.04 libModSecurity
Copying its installation steps; I put the source directly in ~, not in /opt or any other directory
$ sudo apt update
$ sudo apt-get install git g++ apt-utils autoconf automake build-essential libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev
$ git clone https://github.com/SpiderLabs/ModSecurity
$ cd ModSecurity/
$ git submodule init
$ git submodule update
$ sh build.sh
$ ./configure
$ make
$ make install
Pay close attention here
$ sudo make install
......
Libraries have been installed in:
/usr/local/modsecurity/lib
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the '-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the 'LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the 'LD_RUN_PATH' environment variable
during linking
- use the '-Wl,-rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to '/etc/ld.so.conf'
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
......
make[2]: Nothing to be done for 'install-exec-am'.
/usr/bin/mkdir -p '/usr/local/modsecurity/lib/pkgconfig'
/usr/bin/install -c -m 644 modsecurity.pc '/usr/local/modsecurity/lib/pkgconfig'
make[2]: Leaving directory '/home/dhbm/ModSecurity'
make[1]: Leaving directory '/home/dhbm/ModSecurity'
The library files generated above are what ModSecurity-nginx will link against next
$ ll /usr/local/modsecurity/lib
total 335636
drwxr-xr-x 3 root root 4096 Mar 18 13:33 ./
drwxr-xr-x 5 root root 4096 Mar 10 14:56 ../
-rw-r--r-- 1 root root 269902108 Mar 18 13:33 libmodsecurity.a
-rwxr-xr-x 1 root root 1080 Mar 18 13:33 libmodsecurity.la*
lrwxrwxrwx 1 root root 23 Mar 18 13:33 libmodsecurity.so -> libmodsecurity.so.3.0.6*
lrwxrwxrwx 1 root root 23 Mar 18 13:33 libmodsecurity.so.3 -> libmodsecurity.so.3.0.6*
-rwxr-xr-x 1 root root 73766056 Mar 18 13:33 libmodsecurity.so.3.0.6*
drwxr-xr-x 2 root root 4096 Mar 18 13:33 pkgconfig/
The result after completion
~/ModSecurity$ ls
aclocal.m4 build config.log depcomp libtool Makefile.in others tools
ar-lib build.sh config.status doc LICENSE missing README.md unicode.mapping
AUTHORS CHANGES config.sub examples ltmain.sh modsecurity.conf-recommended src ylwrap
autom4te.cache compile configure headers Makefile modsecurity.pc test
bindings config.guess configure.ac install-sh Makefile.am modsecurity.pc.in test-driver
Later on we mainly need modsecurity.conf-recommended and unicode.mapping
Download ModSecurity-nginx
I don't know why the Ubuntu 18.04 libModSecurity recipe above leaves out the nginx-connector part
git clone https://github.com/SpiderLabs/ModSecurity-nginx
I again put it in ~, not in /opt
~/ModSecurity-nginx$ ls
AUTHORS CHANGES config LICENSE ngx-modsec.stp README.md release.sh src tests
Download, compile and install nginx
Dependencies that may be missing; remember to install them
1. OpenSSL
./configure: error: SSL modules require the OpenSSL library.
You can either do not enable the modules, or install the OpenSSL library
into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl=<path> option.
sudo apt-get install openssl
sudo apt-get install libssl-dev
2. HTTP XSLT
./configure: error: the HTTP XSLT module requires the libxml2/libxslt
libraries. You can either do not enable the module or install the libraries.
sudo apt-get install libxml2 libxml2-dev libxslt-dev
3. GD
./configure: error: the HTTP image filter module requires the GD library.
You can either do not enable the module or install the libraries.
sudo apt-get install -y libgd-dev
Because sudo apt install nginx installs version 1.18, download the 1.18 nginx source as well, also into ~ rather than /opt
~$ wget http://103.78.124.82:82/2Q2W63DFBBE670217E041DDCFDDD97CC3CCCA8E68209_unknown_AD9714AD62ACBE52D29D70495CC3C788435CEFDE_1/nginx.org/download/nginx-1.18.0.tar.gz
~$ tar -zxvf nginx-1.18.0.tar.gz
~$ cd nginx-1.18.0/
After extracting, enter the ~/nginx-1.18.0 directory
First get the configure parameters of the currently installed nginx
~/nginx-1.18.0$ nginx -V
nginx version: nginx/1.18.0
built by gcc 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-KTLRnK/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module
Append --add-dynamic-module=/home/dhbm/ModSecurity-nginx at the end, then configure and compile the nginx 1.18.0 just downloaded
./configure --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-KTLRnK/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/home/dhbm/ModSecurity-nginx
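The step above, taking the packaged build's `nginx -V` arguments and appending the connector as a dynamic module, written out as an added Python example (not code from the original post). It uses only the standard library; the `nginx -V` text is a constructed, shortened copy of the output shown above, and `/home/dhbm/ModSecurity-nginx` is the path used in this post.

```python
"""Build the ./configure line for an nginx rebuild that keeps the packaged
build's arguments and adds the ModSecurity connector as a dynamic module.
Added example, not from the original post; standard library only."""
import shlex

# Constructed sample: the output of `nginx -V` on Ubuntu's nginx 1.18.0,
# with the argument list shortened from the one shown in the post.
SAMPLE_NGINX_V = """nginx version: nginx/1.18.0
built by gcc 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04)
built with OpenSSL 1.1.1f  31 Mar 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --modules-path=/usr/lib/nginx/modules --with-compat --with-http_ssl_module
"""

# Paths the rest of the post relies on: the rebuilt nginx must put its
# binary, config and modules where the Ubuntu package put them.
PACKAGE_LAYOUT = (
    "--prefix=/usr/share/nginx",
    "--conf-path=/etc/nginx/nginx.conf",
    "--modules-path=/usr/lib/nginx/modules",
)


def parse_configure_args(nginx_v_output):
    """Return the packaged build's configure arguments as a list of tokens.
    shlex keeps a quoted value such as --with-cc-opt='-g -O2 ...' together."""
    for line in nginx_v_output.splitlines():
        if line.startswith("configure arguments:"):
            return shlex.split(line.split(":", 1)[1])
    raise ValueError("no 'configure arguments:' line in nginx -V output")


def missing_layout_options(nginx_v_output):
    """List the package-layout options absent from the arguments (empty is good)."""
    args = parse_configure_args(nginx_v_output)
    return [opt for opt in PACKAGE_LAYOUT if opt not in args]


def build_configure_cmd(nginx_v_output, module_src):
    """Compose ./configure <original args> --add-dynamic-module=<module_src>,
    re-quoted so it can be pasted into a shell. Refuses to add the module twice."""
    args = parse_configure_args(nginx_v_output)
    add = "--add-dynamic-module=" + module_src
    if add in args:
        raise ValueError(module_src + " is already a dynamic module in this build")
    return shlex.join(["./configure", *args, add])


if __name__ == "__main__":
    missing = missing_layout_options(SAMPLE_NGINX_V)
    if missing:
        raise SystemExit("layout differs from the package: " + " ".join(missing))
    print(build_configure_cmd(SAMPLE_NGINX_V, "/home/dhbm/ModSecurity-nginx"))
```

Run it against the real `nginx -V 2>&1` output instead of the sample to get the exact line to paste; the layout check catches a prefix or module path that would leave the package's paths untouched.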
Excerpt of the configure output:
.....
creating objs/Makefile
Configuration summary
+ using threads
+ using system PCRE library
+ using system OpenSSL library
+ using system zlib library
nginx path prefix: "/usr/share/nginx"
nginx binary file: "/usr/share/nginx/sbin/nginx"
nginx modules path: "/usr/lib/nginx/modules"
nginx configuration prefix: "/etc/nginx"
nginx configuration file: "/etc/nginx/nginx.conf"
nginx pid file: "/run/nginx.pid"
nginx error log file: "/var/log/nginx/error.log"
nginx http access log file: "/var/log/nginx/access.log"
nginx http client request body temporary files: "/var/lib/nginx/body"
nginx http proxy temporary files: "/var/lib/nginx/proxy"
nginx http fastcgi temporary files: "/var/lib/nginx/fastcgi"
nginx http uwsgi temporary files: "/var/lib/nginx/uwsgi"
nginx http scgi temporary files: "/var/lib/nginx/scgi"
~/nginx-1.18.0$ make
Pay close attention to the next step, make install, which must be run with sudo
~/nginx-1.18.0$ sudo make install
make -f objs/Makefile install
make[1]: Entering directory '/home/dhbm/nginx-1.18.0'
test -d '/usr/share/nginx' || mkdir -p '/usr/share/nginx'
test -d '/usr/share/nginx/sbin' \
|| mkdir -p '/usr/share/nginx/sbin'
test ! -f '/usr/share/nginx/sbin/nginx' \
|| mv '/usr/share/nginx/sbin/nginx' \
'/usr/share/nginx/sbin/nginx.old'
cp objs/nginx '/usr/share/nginx/sbin/nginx'
test -d '/etc/nginx' \
|| mkdir -p '/etc/nginx'
cp conf/koi-win '/etc/nginx'
cp conf/koi-utf '/etc/nginx'
cp conf/win-utf '/etc/nginx'
test -f '/etc/nginx/mime.types' \
|| cp conf/mime.types '/etc/nginx'
cp conf/mime.types '/etc/nginx/mime.types.default'
test -f '/etc/nginx/fastcgi_params' \
|| cp conf/fastcgi_params '/etc/nginx'
cp conf/fastcgi_params \
'/etc/nginx/fastcgi_params.default'
test -f '/etc/nginx/fastcgi.conf' \
|| cp conf/fastcgi.conf '/etc/nginx'
cp conf/fastcgi.conf '/etc/nginx/fastcgi.conf.default'
test -f '/etc/nginx/uwsgi_params' \
|| cp conf/uwsgi_params '/etc/nginx'
cp conf/uwsgi_params \
'/etc/nginx/uwsgi_params.default'
test -f '/etc/nginx/scgi_params' \
|| cp conf/scgi_params '/etc/nginx'
cp conf/scgi_params \
'/etc/nginx/scgi_params.default'
test -f '/etc/nginx/nginx.conf' \
|| cp conf/nginx.conf '/etc/nginx/nginx.conf'
cp conf/nginx.conf '/etc/nginx/nginx.conf.default'
test -d '/run' \
|| mkdir -p '/run'
test -d '/var/log/nginx' \
|| mkdir -p '/var/log/nginx'
test -d '/usr/share/nginx/html' \
|| cp -R html '/usr/share/nginx'
test -d '/var/log/nginx' \
|| mkdir -p '/var/log/nginx'
test -d '/usr/lib/nginx/modules' \
|| mkdir -p '/usr/lib/nginx/modules'
test ! -f '/usr/lib/nginx/modules/ngx_http_xslt_filter_module.so' \
|| mv '/usr/lib/nginx/modules/ngx_http_xslt_filter_module.so' \
'/usr/lib/nginx/modules/ngx_http_xslt_filter_module.so.old'
cp objs/ngx_http_xslt_filter_module.so '/usr/lib/nginx/modules/ngx_http_xslt_filter_module.so'
test ! -f '/usr/lib/nginx/modules/ngx_http_image_filter_module.so' \
|| mv '/usr/lib/nginx/modules/ngx_http_image_filter_module.so' \
'/usr/lib/nginx/modules/ngx_http_image_filter_module.so.old'
cp objs/ngx_http_image_filter_module.so '/usr/lib/nginx/modules/ngx_http_image_filter_module.so'
test ! -f '/usr/lib/nginx/modules/ngx_http_modsecurity_module.so' \
|| mv '/usr/lib/nginx/modules/ngx_http_modsecurity_module.so' \
'/usr/lib/nginx/modules/ngx_http_modsecurity_module.so.old'
cp objs/ngx_http_modsecurity_module.so '/usr/lib/nginx/modules/ngx_http_modsecurity_module.so'
test ! -f '/usr/lib/nginx/modules/ngx_mail_module.so' \
|| mv '/usr/lib/nginx/modules/ngx_mail_module.so' \
'/usr/lib/nginx/modules/ngx_mail_module.so.old'
cp objs/ngx_mail_module.so '/usr/lib/nginx/modules/ngx_mail_module.so'
test ! -f '/usr/lib/nginx/modules/ngx_stream_module.so' \
|| mv '/usr/lib/nginx/modules/ngx_stream_module.so' \
'/usr/lib/nginx/modules/ngx_stream_module.so.old'
cp objs/ngx_stream_module.so '/usr/lib/nginx/modules/ngx_stream_module.so'
make[1]: Leaving directory '/home/dhbm/nginx-1.18.0'
The key line: cp objs/nginx '/usr/share/nginx/sbin/nginx'
But $ whereis nginx will show there is another one here
$ ll /usr/sbin/nginx
-rwxr-xr-x 1 root root 1195152 May 26 2021 /usr/sbin/nginx*
It must be replaced as well
$ cd /usr/sbin
$ sudo cp /usr/share/nginx/sbin/nginx .
Confirm
/usr/sbin$ ll nginx
-rwxr-xr-x 1 root root 7883744 Mar 18 09:53 nginx*
Download the owasp-modsecurity-crs rules
~$ wget http://www.modsecurity.cn/download/corerule/owasp-modsecurity-crs-3.3-dev.zip
Extract it, also into ~, not into /opt
~/owasp-modsecurity-crs-3.3-dev$ ls
CHANGES crs-setup.conf.example KNOWN_BUGS rules util
CONTRIBUTING.md docs LICENSE SECURITY.md
CONTRIBUTORS.md INSTALL README.md tests
Later we use crs-setup.conf.example and the rule files under the rules directory
Set up nginx.conf and the modsecurity rules
$ cd /etc/nginx/
- modsecurity.conf file
$ sudo cp ~/ModSecurity/modsecurity.conf-recommended .
$ sudo mv modsecurity.conf-recommended modsecurity.conf
$ sudo vim modsecurity.conf
Change 2 places:
1) Change SecRuleEngine to on
2) Following the reference document, add a blacklist rule; the whitelist rule is more involved, so skip it for now
# wzh 20220318
SecRuleEngine on # DetectionOnly
...
# add by wzh 20220318
SecRule REQUEST_FILENAME "/phpmyadmin" "id:10000,phase:1,deny,log,t:lowercase,t:normalisePath,\
msg:'Blocking access to %{MATCHED_VAR}.',tag:'Blacklist Rules'"
- unicode.mapping file
$ sudo cp ~/ModSecurity/unicode.mapping .
- owasp-modsecurity-crs rule set
$ sudo cp ~/owasp-modsecurity-crs-3.3-dev . -R
$ sudo ln -s ./owasp-modsecurity-crs-3.3-dev ./owasp-modsecurity-crs
- Modify the rule files
/etc/nginx$ cd owasp-modsecurity-crs
$ sudo mv crs-setup.conf.example crs-setup.conf
These are copied from the reference document (with -i and -e written as separate options, so that "-ie" is not taken as an in-place backup suffix)
$ sudo sed -i -e 's/SecDefaultAction "phase:1,log,auditlog,pass"/#SecDefaultAction "phase:1,log,auditlog,pass"/g' crs-setup.conf
$ sudo sed -i -e 's/SecDefaultAction "phase:2,log,auditlog,pass"/#SecDefaultAction "phase:2,log,auditlog,pass"/g' crs-setup.conf
$ sudo sed -i -e 's/#.*SecDefaultAction "phase:1,log,auditlog,deny,status:403"/SecDefaultAction "phase:1,log,auditlog,deny,status:403"/g' crs-setup.conf
$ sudo sed -i -e 's/# SecDefaultAction "phase:2,log,auditlog,deny,status:403"/SecDefaultAction "phase:2,log,auditlog,deny,status:403"/g' crs-setup.conf
To make it clear to myself, I still edited and commented the following 2 places with vim
/etc/nginx/owasp-modsecurity-crs$ sudo vim crs-setup.conf
...
# wzh 20220318
# SecDefaultAction "phase:1,log,auditlog,pass"
# SecDefaultAction "phase:2,log,auditlog,pass"
...
# wzh 20220318
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
...
- Combine the above conf and rule files into a single include file
Pay close attention to where these conf files are located
Go back up one directory
$ cd ..
$ sudo vim modsec-include.conf
include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
# wzh 20220318
include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
- Modify nginx.conf
Change the following 3 places (the 4th is optional):
1) # load the modsecurity dynamic module (key point 1)
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
2) # enable modsecurity (key point 2)
modsecurity on;
3) # load the modsecurity configuration file (key point 3)
# modsecurity_rules_file modsecurity.conf;
modsecurity_rules_file /etc/nginx/modsec-include.conf;
4) Not required; only for my own convenience when observing
error_log /etc/nginx/logs/error.log;
error_log /etc/nginx/logs/error.log notice;
error_log /etc/nginx/logs/error.log info;
The modified file is as follows
/etc/nginx$ cat nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
# load the modsecurity dynamic module (key point 1)
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
# access_log /var/log/nginx/access.log;
# error_log /var/log/nginx/error.log;
error_log /etc/nginx/logs/error.log;
error_log /etc/nginx/logs/error.log notice;
error_log /etc/nginx/logs/error.log info;
#
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
# enable modsecurity (key point 2)
modsecurity on;
# load the modsecurity configuration file (key point 3)
# modsecurity_rules_file modsecurity.conf;
modsecurity_rules_file /etc/nginx/modsec-include.conf;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
Testing
Restart (reload) nginx
$ sudo service nginx reload
- Normal access
$ curl localhost
- Blacklist
$ curl localhost/phpmyadmin
403 Forbidden
The following follows "Basic usage of the OWASP ModSecurity Core Rule Set (CRS)"
- Test for SQL injection
$ curl -D - "http://localhost/?id='1 and 1=1'"
I don't know why, but on testing again, localhost was no longer blocked!
Changed to accessing from another host
$ curl -D - "http://192.168.1.205/?id='1 and 1=1'"
HTTP/1.1 403 Forbidden
Server: nginx/1.18.0
Date: Fri, 18 Mar 2022 06:29:31 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

403 Forbidden 403 Forbidden
nginx/1.18.0
- Test XSS
$ curl -D - http://localhost/?input=''
HTTP/1.1 403 Forbidden
Server: nginx/1.18.0
Date: Fri, 18 Mar 2022 06:31:53 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

403 Forbidden 403 Forbidden
nginx/1.18.0
- Rule-violating access
$ curl localhost/?and 1=1
Changed to accessing from another host
$ curl 192.168.1.205/?and 1=1
hello! wzh 20220314
curl: (6) Could not resolve host: 1=1
Why can the content still be accessed? Only an error message was appended after it
It turns out this one is only a Warning! The rule ID is 920350
I'll deal with it after looking at the logs!
Checking the logs
- View the monitoring log
$ cat /var/log/modsec_audit.log
...
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `192.168.1.205' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "722"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "192.168.1.205"] [severity "4"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "192.168.1.205"] [uri "/"] [unique_id "1647585717"] [ref "o0,13v31,13"]
---JSLp34do---I--
---JSLp34do---J--
---JSLp34do---Z--
- Or look at the error.log created locally just now
$ cat logs/error.log
It often fails to capture anything here?
...
2022/03/18 10:51:23 [info] 833#833: *4 ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `192.168.1.205' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "722"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "192.168.1.205"] [severity "4"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "192.168.1.205"] [uri "/"] [unique_id "1647571883"] [ref "o0,13v31,13"], client: 192.168.1.101, server: _, request: "GET /?and%201=1 HTTP/1.1", host: "192.168.1.205"
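An added Python example (not part of the original post) that parses the two kinds of ModSecurity message shown above, the modsec_audit.log entry and the nginx error.log entry, into their bracketed fields, so that a "Warning" (rule matched, request served) can be told apart from "Access denied" (request blocked) and counted per rule id. The log lines are constructed, shortened copies of the ones shown; standard library only.

```python
"""Parse ModSecurity rule messages from modsec_audit.log and nginx error.log.
Added example, not from the original post; standard library only."""
import re

# Constructed samples, shortened from the two entries shown in the post: the
# audit-log entry for a blocked request, and the error.log entry from when
# rule 920350 only warned and the request was served.
AUDIT_LINE = (
    "ModSecurity: Access denied with code 403 (phase 2). Matched \"Operator `Rx' "
    "with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' "
    "(Value: `192.168.1.205' ) [file \"/etc/nginx/owasp-modsecurity-crs/rules/"
    "REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"722\"] [id \"920350\"] "
    "[rev \"\"] [msg \"Host header is a numeric IP address\"] [data \"192.168.1.205\"] "
    "[severity \"4\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [uri \"/\"]"
)
ERROR_LINE = (
    "2022/03/18 10:51:23 [info] 833#833: *4 ModSecurity: Warning. Matched "
    "\"Operator `Rx' with parameter `^[\\d.:]+$' against variable "
    "`REQUEST_HEADERS:Host' (Value: `192.168.1.205' ) [file \"/etc/nginx/"
    "owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] "
    "[line \"722\"] [id \"920350\"] [msg \"Host header is a numeric IP address\"] "
    "[severity \"4\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"], "
    "client: 192.168.1.101, server: _, request: \"GET /?and%201=1 HTTP/1.1\", "
    "host: \"192.168.1.205\""
)

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs
DENIED_RE = re.compile(r"ModSecurity: Access denied with code (\d+) \(phase (\d+)\)")
WARNING_RE = re.compile(r"ModSecurity: Warning\.")
REQUEST_RE = re.compile(r'request: "([^"]*)"')  # context nginx appends in error.log

def parse_modsec_entry(line):
    """Return a dict for one ModSecurity message, or None for unrelated lines.
    action is "deny" (request blocked, status filled) or "warning" (logged only)."""
    entry = {"action": None, "status": None, "phase": None, "tags": []}
    denied = DENIED_RE.search(line)
    if denied:
        entry["action"] = "deny"
        entry["status"] = int(denied.group(1))
        entry["phase"] = int(denied.group(2))
    elif WARNING_RE.search(line):
        entry["action"] = "warning"
    else:
        return None
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            entry["tags"].append(value)  # a rule carries several tag fields
        else:
            entry[key] = value
    req = REQUEST_RE.search(line)
    if req:
        entry["request"] = req.group(1)
    return entry

def count_by_rule(lines):
    """Count messages per (rule id, action); shows which rules only warned."""
    counts = {}
    for line in lines:
        entry = parse_modsec_entry(line)
        if entry is not None:
            key = (entry.get("id", "?"), entry["action"])
            counts[key] = counts.get(key, 0) + 1
    return counts
```

Feeding the real error.log through count_by_rule shows at a glance which rule ids are firing as warnings only, which is the situation the next steps deal with for 920350.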
- Look up rule 920350
/etc/nginx/owasp-modsecurity-crs/rules$ grep 920350 *
REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf: ctl:ruleRemoveById=920350"
REQUEST-920-PROTOCOL-ENFORCEMENT.conf: "id:920350,\
Looking at this rule, its action is only block, not deny
- Try modifying the rule
I changed it to deny and tried again
# wzh 20220318 block -- deny
SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
    "id:920350,\
    phase:2,\
    deny,\
    t:none,\
    msg:'Host header is a numeric IP address',\
    logdata:'%{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST',\
    tag:'WASCTC/WASC-21',\
    tag:'OWASP_TOP_10/A7',\
    tag:'PCI/6.5.10',\
    ver:'OWASP_CRS/3.2.0',\
    severity:'WARNING',\
    setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
- Try again
This time it went straight to 403!
$ curl http://192.168.1.205/?and%201=1
403 Forbidden 403 Forbidden
nginx/1.18.0
Afterword
After reinstalling another server following the process above, I feel there are the following problems
- $ cat /var/log/modsec_audit.log: why don't the timestamps line up? What time zone does it use? Why is that?
- Frequently no log entry is recorded at all
- When switched to logging only, without deny, it seems to record basically everything
- It feels as if something is being cached somewhere; in any case it works sometimes and not other times?
- Or maybe my understanding is wrong?