Preface
One of the company's projects has a critical Struts2 vulnerability: through web injection, full system privileges on the server can be obtained in a dozen or so seconds. Because the project is old and the original contract did not require delivery of the source code, the problem can no longer be fixed by upgrading the web framework. After trying many approaches and weighing them, a software firewall (WAF) is used as a temporary mitigation for the injection vulnerability.
The approach: nginx reverse-proxies the original address, and the WAF then scrubs the traffic before it reaches the application.
Environment
CentOS Linux release 7.8.2003 (Core)
nginx-1.22.1
ModSecurity v3.0.8 - 2022-Sep-07
GitHub access is required; use a proxy if necessary, or download the offline packages linked at the end of the article.
1. Build and install ModSecurity
$ mkdir /home/modsec
$ cd /home/modsec
# If yum install fails with a GPG error, append --nogpgcheck to the install command to skip the check
$ yum install -y wget vim git libtool pcre pcre-devel gcc gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel libxml2 libxml2-devel lua lua-devel
$ git clone https://github.com/SpiderLabs/ModSecurity
$ cd ModSecurity
$ git checkout -b v3/master origin/v3/master
$ sh build.sh
$ git submodule init
$ git submodule update
$ ./configure
$ make && make install
2. Build and install Nginx with the ModSecurity-nginx connector module
$ cd /home/modsec
$ git clone https://github.com/SpiderLabs/ModSecurity-nginx.git modsecurity-nginx
$ wget http://nginx.org/download/nginx-1.22.1.tar.gz
$ tar xzvf nginx-1.22.1.tar.gz
$ cd nginx-1.22.1
$ ./configure --add-module=/home/modsec/modsecurity-nginx
$ make && make install
3. Download the OWASP Core Rule Set and move it into the Nginx configuration directory
$ cd /home/modsec
$ git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
$ cp -a owasp-modsecurity-crs /usr/local/nginx/conf/
$ cd /usr/local/nginx/conf/owasp-modsecurity-crs
$ cp crs-setup.conf.example crs-setup.conf
# Switch the CRS from anomaly-scoring mode (pass) to self-contained mode (deny), where each matching rule blocks on its own.
# Use -i -e rather than -ie: sed reads -ie as -i with the backup suffix "e" and leaves a stray crs-setup.confe behind.
$ sed -i -e 's/SecDefaultAction "phase:1,log,auditlog,pass"/#SecDefaultAction "phase:1,log,auditlog,pass"/g' crs-setup.conf
$ sed -i -e 's/SecDefaultAction "phase:2,log,auditlog,pass"/#SecDefaultAction "phase:2,log,auditlog,pass"/g' crs-setup.conf
$ sed -i -e 's/#.*SecDefaultAction "phase:1,log,auditlog,deny,status:403"/SecDefaultAction "phase:1,log,auditlog,deny,status:403"/g' crs-setup.conf
$ sed -i -e 's/# SecDefaultAction "phase:2,log,auditlog,deny,status:403"/SecDefaultAction "phase:2,log,auditlog,deny,status:403"/g' crs-setup.conf
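The sed edits in step 3 are silent no-ops if a CRS release words those lines differently, so it is worth checking the result rather than assuming it. The script below is an added example, not part of the original article: it applies the same four edits to a copy of the file and then verifies that both phases now default to deny and no pass action is still active. The crs-setup.conf excerpt is constructed to mirror crs-setup.conf.example, and the function names are mine.

```shell
#!/bin/sh
# Verify the SecDefaultAction edits from step 3 (added example, not from the
# original article). The file excerpt below is constructed sample data.

# Print the active (uncommented) SecDefaultAction lines of a crs-setup.conf.
crs_active_default_actions() {
    grep -E '^[[:space:]]*SecDefaultAction' "$1"
}

# Succeed only if phase 1 and phase 2 both default to deny/403 and no
# "pass" default action is still active (self-contained blocking mode).
crs_is_blocking() {
    active=$(crs_active_default_actions "$1") || return 1
    printf '%s\n' "$active" | grep -q 'phase:1,log,auditlog,deny,status:403' || return 1
    printf '%s\n' "$active" | grep -q 'phase:2,log,auditlog,deny,status:403' || return 1
    if printf '%s\n' "$active" | grep -q 'pass'; then return 1; fi
    return 0
}

# Apply the same four edits as step 3. Written through a temp file rather
# than "sed -i" so it behaves the same on GNU and BSD sed.
crs_set_blocking() {
    sed -e 's/^SecDefaultAction "phase:1,log,auditlog,pass"/#&/' \
        -e 's/^SecDefaultAction "phase:2,log,auditlog,pass"/#&/' \
        -e 's/^#.*SecDefaultAction "phase:1,log,auditlog,deny,status:403"/SecDefaultAction "phase:1,log,auditlog,deny,status:403"/' \
        -e 's/^#.*SecDefaultAction "phase:2,log,auditlog,deny,status:403"/SecDefaultAction "phase:2,log,auditlog,deny,status:403"/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed excerpt of the relevant crs-setup.conf lines (sample data).
crs_sample_setup() {
cat <<'EOF'
# -- [[ Anomaly Scoring Mode (default) ]] --
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
# -- [[ Self-Contained Mode ]] --
# SecDefaultAction "phase:1,log,auditlog,deny,status:403"
# SecDefaultAction "phase:2,log,auditlog,deny,status:403"
EOF
}

# Demo on the constructed excerpt; on a real host pass the path of crs-setup.conf.
demo=$(mktemp)
crs_sample_setup > "$demo"
crs_is_blocking "$demo" && echo "already blocking" || echo "before: anomaly-scoring (pass)"
crs_set_blocking "$demo"
crs_is_blocking "$demo" && echo "after: self-contained (deny)" || echo "edit failed, check the file"
crs_active_default_actions "$demo"
rm -f "$demo"
```

On a real host, run crs_is_blocking against /usr/local/nginx/conf/owasp-modsecurity-crs/crs-setup.conf after step 3; if it fails, open the file and look for how the current release spells the SecDefaultAction lines before adjusting the sed patterns.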
4. Move the ModSecurity configuration file into the Nginx configuration directory
$ cd /home/modsec/ModSecurity
$ cp modsecurity.conf-recommended modsecurity.conf
$ vim modsecurity.conf
# Set to SecRuleEngine DetectionOnly to only log anomalous requests without blocking them
SecRuleEngine On
$ cp modsecurity.conf /usr/local/nginx/conf/modsecurity.conf
$ cp unicode.mapping /usr/local/nginx/conf/
5. Create modsec_includes.conf in the Nginx configuration directory
$ cd /usr/local/nginx/conf/owasp-modsecurity-crs
$ cp rules/*.data /usr/local/nginx/conf
$ vim /usr/local/nginx/conf/modsec_includes.conf
include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
6. Edit the Nginx configuration file nginx.conf
$ vim /usr/local/nginx/conf/nginx.conf
server {
    listen 80;
    server_name localhost;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location / {
        # enable the ModSecurity module
        modsecurity on;
        # path to the ModSecurity rules file
        modsecurity_rules_file /usr/local/nginx/conf/modsec_includes.conf;
        # address (ip:port) of the proxied backend server
        proxy_pass http://x.x.x.x:xxxx/;
        root html;
        index index.html index.htm;
    }
    ...
}
7. Verify that the nginx.conf syntax is correct
$ /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
8. Start Nginx
$ /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
9. Open the port in the firewall
$ firewall-cmd --zone=public --add-port=XXXX/tcp --permanent
success
$ firewall-cmd --reload
success
10. Testing
Accessing the page directly by IP address returns 403, which shows the WAF is active: the request matched a CRS rule that disallows access by IP address.
The ModSecurity audit log shows the details of the rule that fired
$ vim /var/log/modsec_audit.log
It shows the specific rule that matched, the file the rule lives in, and the rule id
$ vim /usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Find the rule with the corresponding id and comment it out
Then reload the nginx configuration
$ /usr/local/nginx/sbin/nginx -s reload
Accessing the page again now works
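Reading /var/log/modsec_audit.log by hand works for one rule, but once real traffic flows the same question comes up repeatedly: which rules are firing, how often, and which of them are false positives for this application. The script below is an added example, not from the original article, that answers that from the audit log. It also shows an alternative to commenting rules out inside the CRS files (which a later rule-set update would silently undo): emit SecRuleRemoveById lines, a standard ModSecurity directive, into a local exclusion file that is included after the CRS rules in modsec_includes.conf. In the self-contained mode set up in step 3, every matching rule blocks on its own, so each id in the summary is a potential 403. The audit-log excerpt is constructed sample data in ModSecurity's serial format, and the function names are mine.

```shell
#!/bin/sh
# Triage a ModSecurity v3 audit log: which CRS rules fired, how often, and which
# ids are candidates for an exclusion. Added example, not from the original
# article; the log excerpt below is constructed and the function names are mine.

# Print "count  id  rules-file  message" for every rule hit, most frequent first.
# Lines without a [file ...] or [msg ...] field (rare) fall through unparsed.
modsec_rule_summary() {
    awk '/\[id "/ {
        id = $0;   sub(/.*\[id "/, "", id);     sub(/".*/, "", id)
        file = $0; sub(/.*\[file "/, "", file); sub(/".*/, "", file)
        msg = $0;  sub(/.*\[msg "/, "", msg);   sub(/".*/, "", msg)
        n = split(file, p, "/")      # keep only the basename of the rules file
        printf "%s\t%s\t%s\n", id, p[n], msg
    }' "$1" | sort | uniq -c | sort -rn
}

# Emit one SecRuleRemoveById line per distinct rule id, for a local exclusion
# file that is loaded after the CRS rules. The anomaly-score evaluation and
# correlation rules (949xxx, 959xxx, 980xxx) are skipped: removing them would
# disable blocking altogether rather than silence one false positive.
modsec_suggest_exclusions() {
    awk '/\[id "/ { id = $0; sub(/.*\[id "/, "", id); sub(/".*/, "", id); print id }' "$1" \
    | sort -u \
    | while read -r id; do
        case "$id" in
            949*|959*|980*) ;;
            *) printf 'SecRuleRemoveById %s\n' "$id" ;;
        esac
      done
}

# Constructed excerpt in ModSecurity's serial audit-log format (sample data):
# two requests blocked for using a bare IP as Host, and one request without a
# Host header recorded in anomaly-scoring style so a 949110 line is present.
modsec_sample_log() {
cat <<'EOF'
---Xk9zQ2Lm---A--
[17/Oct/2022:09:12:03 +0800] 166600392312.345678 203.0.113.5 51234 10.0.0.12 80
---Xk9zQ2Lm---B--
GET / HTTP/1.1
Host: 10.0.0.12

---Xk9zQ2Lm---H--
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `10.0.0.12' ) [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "10.0.0.12"] [severity "4"] [uri "/"] [unique_id "166600392312.345678"]
---Xk9zQ2Lm---Z--
---Pq7rT4Wn---A--
[17/Oct/2022:09:12:09 +0800] 166600392913.112233 203.0.113.5 51240 10.0.0.12 80
---Pq7rT4Wn---B--
GET /index.html HTTP/1.1
Host: 10.0.0.12

---Pq7rT4Wn---H--
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `10.0.0.12' ) [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "10.0.0.12"] [severity "4"] [uri "/index.html"] [unique_id "166600392913.112233"]
---Pq7rT4Wn---Z--
---Vb3cN8Hs---A--
[17/Oct/2022:09:15:41 +0800] 166600414155.667788 198.51.100.7 40021 10.0.0.12 80
---Vb3cN8Hs---B--
GET / HTTP/1.0

---Vb3cN8Hs---H--
ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:Host' (Value: `0' ) [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "690"] [id "920280"] [msg "Request Missing a Host Header"] [severity "4"] [uri "/"] [unique_id "166600414155.667788"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/"] [unique_id "166600414155.667788"]
---Vb3cN8Hs---Z--
EOF
}

# Demo on the constructed excerpt; on a real host use /var/log/modsec_audit.log.
demo=$(mktemp)
modsec_sample_log > "$demo"
modsec_rule_summary "$demo"
modsec_suggest_exclusions "$demo"
rm -f "$demo"
```

Review the suggested list before using any of it: an id that fires on legitimate traffic to this application (such as 920350 when users really do reach the site by IP) belongs in the exclusion file, while an id that fires on scanner or injection traffic is the WAF doing its job. Write the accepted lines to a file such as /usr/local/nginx/conf/crs-exclusions.conf (a hypothetical name), add an include for it to modsec_includes.conf after the last RESPONSE-* rule, and reload nginx as in step 10.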
Attachments
rpm: https://pan.ihawo.com/s/BWUL
The rpm packages used; extract the archive, enter the directory and run yum install -y * to install the dependencies offline, in place of the yum install command in step 1.
modsec: https://pan.ihawo.com/s/7wSn
Archive of the /home/modsec folder; extract it under the home directory, and all of the git clone and git submodule update commands in the steps above can then be skipped.
Related articles
WAF traffic scrubbing with nginx reverse proxy + ModSecurity (part 2)