Nginx security configuration research



0x00 Test environment

操作系统：CentOS6.5 
Web服务器：Nginx1.4.6 
Php版本：Php5.4.26

0x01 Introduction to Nginx

nginx itself cannot handle PHP, it is just a web server. When a request is received, if it is a PHP request, it is sent to the PHP interpreter for processing and the result is Returned to the client. nginx generally sends the request to the fastcgi management process for processing. The fastcgi management process selects the cgi sub-process processing result and returns it to nginx.

nginx involves two accounts, one is the running account of nginx, and the other is the running account of php-fpm. If you are accessing a static file, you only need the nginx running account to have read permissions on the file; if you are accessing a php file, you first need the nginx running account to have read permissions on the file. After reading the file If it is found to be a php file, it will be forwarded to php-fpm. At this time, the php-fpm account needs to have read permissions on the file.

0x02 Conclusion of research findings

1. linux下，要读取一个文件，首先需要具有对文件所在文件夹的执行权限,然后需要对文件的读取权限。
2. php文件的执行不需要文件的执行权限，只需要nginx和php-fpm运行账户的读取权限。
3. 上传木马后，能不能列出一个文件夹的内容，跟php-fpm的运行账户对文件夹的读取权限有关。
4. 木马执行命令的权限跟php-fpm的账户权限有关。
5. 如果木马要执行命令，需要php-fpm的账户对相应的sh有执行权限。
6. 要读取一个文件夹内的文件，是不需要对文件夹有读取权限的，只需要对文件夹有执行权限。

0x03 Security configuration involved in Nginx server

1. Nginx.conf的配置
2. php-fpm.conf的配置
3. nginx和php-fpm的运行账户对磁盘的权限配置
4. Php.ini的配置

0x04 常见需要配置的操作方法

1. 禁止一个目录的访问

示例：禁止访问path目录

location ^~ /path {
deny all;
}

可以把path换成实际需要的目录，目录path后是否带有"/",带"/"只禁止访问目录，不带"/"禁止访问目录中的文件;注意要放在fastcgi配置之前。

2. 禁止php文件的访问及执行

示例：去掉单个目录的PHP执行权限

location ~ /attachments/.*\.(php|php5)?$ {
deny all;
}

示例：去掉多个目录的PHP执行权限

location ~
/(attachments|upload)/.*\.(php|php5)?$ {
deny all;
}

3. 禁止IP的访问

示例：禁止IP段的写法：

deny 10.0.0.0/24;

示例：只允许某个IP或某个IP段用户访问，其它的用户全都禁止

allow  
x.x.x.x;  
allow 10.0.0.0/24;  
deny all;

0x05 需要解决的常见问题

1. 让木马上传后不能执行

针对上传目录，在nginx配置文件中加入配置，使此目录无法解析php。

2. 让木马执行后看不到非网站目录文件

取消php-fpm运行账户对于其他目录的读取权限。

3. 木马执行后命令不能执行

取消php-fpm账户对于sh的执行权限。

4. 命令执行后权限不能过高

Php-fpm账户不要用root或者加入root组。

0x06 Nginx安全配置方案

1. 修改网站目录所有者为非php-fpm运行账户，此处修改所有者为root。

命令：

chown -R root:root html/ 

<img  src="http://image.codes51.com/Article/image/20150610/20150610084337_2340.png" border="0" alt="Nginx security configuration research" >

2. 修改nginx及php-fpm的运行账户及组为nobody

nginx.conf

<img  src="http://image.codes51.com/Article/image/20150610/20150610084337_4840.png" border="0" alt="Nginx security configuration research" >

Php-fpm.conf

<img  src="http://image.codes51.com/Article/image/20150610/20150610084337_7965.png" border="0" alt="Nginx security configuration research" >

3. 取消nobody对所有目录的的读取权限，然后添加对网站目录的读取权限

nginx configuration error leads to directory traversal vulnerability

命令：

chmod o-r –R / 
chmod o+r –R html/

4. 取消nobody对于/bin/sh 的执行权限

chmod 776 /bin/sh

5. 确认网站目录对于nobody的权限为可读可执行，对网站文件的权限为可读

6. 对于上传目录或者写入写文件的目录添加nobody的写入权限

7. 配置nginx.conf 对于上传目录无php的执行权限

8. 配置nginx.conf禁止访问的文件夹，如后台，或者限制访问ip

9. 配置nginx.conf禁止访问的文件类型，如一些txt日志文件

漏洞描述:nginx是一款高性能的web服务器，使用非常广泛，其不仅经常被用作反向代理，也是一个 IMAP/POP3/SMTP 代理服务器。 Nginx 
是由 Igor Sysoev 为俄罗斯访问量第二的 Rambler.ru 
站点开发的，第一个公开版本0.1.0发布于2004年10月4日。其将源代码以类BSD许可证的形式发布，因它的稳定性、丰富的功能集、示例配置文件和低系统资源的消耗而闻名。

在nginx中开启autoindex，配置不规范而造成目录遍历漏洞。

配置如下：

1.    server {

2.    listen    80;

3.    server_name sebug.net;

4.    index index.htm index.html;

5.    root  /home/wwwroot/www;

6.    access_log off;

7.    location /paper {

8.    alias /home/wwwroot/paper/;

9.    autoindex on;

10.   }

1. Whitelist

First of all, these two modules support whitelist, that is There may be some IP addresses that we do not need to restrict, such as search engines or your own IP, so you need to set up a whitelist. If not, you can skip this step. Specific method:

Insert the following format content into the HTTP segment and declare the whitelist IP

The geo directive defines a whitelist $limited variable with a default value of 1. If the client IP is within the above range, $limited The value is 0.

Then use the map command immediately after the above content to map the IP of the search engine client to an empty string. If it is not a whitelist IP, the real IP will be displayed. In this way, the search engine iIP cannot be stored in the memory session of the limit module, so Access to whitelisted IPs will not be restricted.

11.   }

2. Access frequency limit

Access frequency limit uses ngx_http_limit_req_module, which needs to be configured in two places. First, in the HTTP section, declare some parameters of this module. If a whitelist is set, set it as follows

If the whitelist is not configured, all incoming IPs will be restricted. The configuration is as follows

注意 这里/home/wwwroot/paper/;  有个/

Explain the above parameters. The first one represents the IP group that needs to be restricted. This is easy to understand, and the second z/s is like this.

Finally, the parsing section of php configured to Nginx

specifies the use of a zone named one, and then the buffer queue is 5, without delay. If no delay is not set, access will be stuck.

3. Access connection restrictions

Access connection restrictions use ngx_http_limit_conn_module, which also needs to be configured in two places. First, in the HTTP section, declare some parameters of this module. If a whitelist is set, set it as follows

当你浏览http://sebug.net/paper/,正常情况应该遍历/home/wwwroot/paper/这个目录，但是如果访问http://sebug.net/paper../， 
这个的话就会遍历/home/wwwroot/这个目录了<* 参考

If the whitelist is not configured, all visiting IPs will be restricted. The configuration is as follows

The meaning of the parameters is similar to the above and there will be no further explanation.

The next step is to set it in the server segment, which can be specific to a certain directory or something.

http://luoq.net/ais/1191/

You’re done. When you’re done, remember to nginx -s reload~

*>

安全建议:sebug建议：



The above introduces the Nginx security configuration research, including aspects of the content. I hope it will be helpful to friends who are interested in PHP tutorials.