ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web tier; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be turned into a production-grade WAF and is a strong tool for both protecting and auditing web applications.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (it needs apxs even for the standalone build), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone build has finished, nginx's configure can pull the module in with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Afterwards, /opt/tengine/sbin/nginx -V should print the configure arguments including the --add-module path; Tengine's nginx -m also lists the compiled-in modules.
4. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in its rules. The OWASP rule set, maintained by community volunteers, is known as the Core Rule Set (CRS); it is reliable and comprehensive, and you can also write custom rules for your own needs.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory and rename modsecurity.conf-recommended to modsecurity.conf (modsecurity.conf points at unicode.mapping through SecUnicodeMapFile, so both files are needed).

Edit modsecurity.conf and set SecRuleEngine to On. In front of a live site it is safer to start with SecRuleEngine DetectionOnly, watch error.log for false positives for a while, and only then switch to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need with Include, keeping modsecurity_crs_10_setup.conf first because the other files depend on the variables it sets. base_rules is the set to start with; the experimental rules (the brute-force and DoS protection below, for instance) read their thresholds and protected URLs from modsecurity_crs_10_setup.conf and are prone to false positives until tuned.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
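The custom rules the text mentions, as an added example that is not part of the original post or of the CRS. It assumes the WordPress virtual host used later in this tutorial, that rule id 981173 stands in for whichever CRS rule you saw firing on legitimate /wp-admin/ traffic in error.log (substitute the real id), that no application parameter legitimately carries shell commands, and that 192.168.1.0/24 is your office network:

```apacheconf
# modsecurity_custom.conf: local rules, Included after the CRS lines in modsecurity.conf.
# Local rule ids belong in the 1-99999 range (the CRS uses 9xxxxx); since ModSecurity 2.7
# every rule must carry a unique id or the configuration fails to load.

# Exclusion for a false positive: CRS rule 981173 (placeholder id, use the one from your
# error.log) fires on legitimate editor traffic under /wp-admin/. Remove it for that path
# only, in phase 1 so the ctl action runs before the phase-2 CRS rule is evaluated.
SecRule REQUEST_URI "@beginsWith /wp-admin/" \
    "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=981173"

# Custom block: a request parameter named cmd carrying a shell command. t:none resets the
# transformation chain inherited from SecDefaultAction; t:lowercase makes the match
# case-insensitive.
SecRule ARGS:cmd "@rx ^(?:ls|cat|id|wget|curl)(?:\s|$)" \
    "id:10002,phase:2,t:none,t:lowercase,deny,status:403,log,msg:'Shell command in cmd parameter'"

# Virtual patch: the login page may only be reached from the office network. The second
# rule is chained to the first; the disruptive action lives on the first rule only.
SecRule REQUEST_URI "@beginsWith /wp-login.php" \
    "id:10003,phase:1,chain,deny,status:403,log,msg:'wp-login.php from outside 192.168.1.0/24'"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24"
```

Add `Include modsecurity_custom.conf` after the CRS Include lines in modsecurity.conf, reload nginx, and check error.log under DetectionOnly before enforcing: every hit is logged with the rule id and msg, which is how you confirm the exclusion in rule 10001 actually silences the rule you meant.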
5. Configure nginx

In each location of the virtual host where ModSecurity should be active, add these two lines (the module is switched on per location, so requests served by a location without them are not inspected at all):

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $Document_root is rejected at startup
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # the name after http:// must match the upstream block above
        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, a malicious request gets a 403 straight back. Taking the PHP setup as the example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

So SQL injection and XSS are being filtered. Each block is also written to nginx's error.log together with the id and msg of the rule that fired, which is what you need when tuning false positives. Remove phpinfo.php once the test is done: it discloses configuration details that should not be reachable on a production host.
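The checks from this section as a script, added here and not part of the original post: waf_smoke sends the three probes with curl and compares the status codes, and modsec_denials / modsec_top_rules pull the blocked requests out of nginx's error.log so you can see which rule fired and how often. It assumes curl is installed and that the virtual host is reachable at the URL you pass; the error.log excerpt in sample_error_log is constructed for this example in the message format ModSecurity 2.x writes to error.log, with illustrative rule ids and messages.

```shell
#!/bin/sh
# Added example (not from the original post): smoke-test the WAF from the command line
# and summarise what ModSecurity blocked according to nginx's error.log.
# Assumptions: curl is installed; the vhost from section 5 answers at the URL given to
# --probe; the log lines in sample_error_log are CONSTRUCTED samples.

# Request one URL and compare the HTTP status with what the WAF should return.
# Payloads must be percent-encoded: curl sends the URL byte for byte, and a raw space
# or '<' in the request line makes nginx answer 400 before ModSecurity sees the
# request, which would look like a block when it is not one.
waf_expect() {
    got=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1")
    if [ "$got" = "$2" ]; then
        echo "PASS $2 $1"
    else
        echo "FAIL expected=$2 got=$got $1"
        return 1
    fi
}

# The three probes from section 6: a clean request, a SQLi probe and an XSS probe.
waf_smoke() {
    rc=0
    waf_expect "$1/phpinfo.php?id=1" 200 || rc=1
    waf_expect "$1/phpinfo.php?id=1%20and%201=1" 403 || rc=1
    waf_expect "$1/phpinfo.php?search=%3Cscript%3Ealert(%27xss%27)%3C%2Fscript%3E" 403 || rc=1
    return $rc
}

# CONSTRUCTED error.log excerpt: two denials for the SQLi probe, one for the XSS probe,
# and one "Warning." line of the kind SecRuleEngine DetectionOnly produces (logged, not
# blocked). Rule ids and messages are illustrative.
sample_error_log() {
    cat <<'EOF'
2015/01/26 05:12:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\band\s+\d+\s*=\s*\d+)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "Matched Data: and 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 05:12:05 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\band\s+\d+\s*=\s*\d+)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "Matched Data: and 2=2 found within ARGS:id: 1 and 2=2"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 05:12:09 [error] 61610#0: [client 192.168.1.50] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "20"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script found within ARGS:search"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2015/01/26 05:12:12 [error] 61610#0: [client 192.168.1.50] ModSecurity: Warning. Pattern match "(?i)<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "20"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/search.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]
EOF
}

# One record per blocked request, read from stdin: client|rule id|uri|message.
# "Warning." lines (DetectionOnly) deliberately do not match, so the output only
# reflects requests that were actually denied.
modsec_denials() {
    sed -n 's/.*\[client \([^]]*\)\] ModSecurity: Access denied with code [0-9]*.*\[id "\([^"]*\)"\].*\[msg "\([^"]*\)"\].*\[uri "\([^"]*\)"\].*/\1|\2|\4|\3/p'
}

# Blocked-request count per rule, most frequent first: "<count> <id> <msg>".
modsec_top_rules() {
    modsec_denials | awk -F'|' '{ n[$2 " " $4]++ } END { for (k in n) print n[k], k }' | sort -rn
}

case "${1:-}" in
    --probe)   waf_smoke "$2" ;;                    # e.g. --probe http://www.52os.net
    --summary) modsec_top_rules < "$2" ;;           # e.g. --summary /opt/tengine/logs/error.log
    --demo)    sample_error_log | modsec_top_rules ;;
esac
```

Run it with --probe against the host after every rule change, and with --summary against error.log while the engine is in DetectionOnly: the rules that top the list on normal traffic are the ones that need an exclusion before you switch SecRuleEngine to On.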
7. Troubleshooting the installation

1) APXS missing

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure looks for it even when building the standalone module.
Solution:

yum install httpd-devel

2) pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3) libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4) Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against is not the one the dynamic linker loads at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9) so that only the 1.5.0 copy is left:

yum remove apr

Read the transaction summary before confirming: yum removes every package that depends on apr (apr-util, httpd, httpd-devel and so on) along with it. If you would rather keep those packages, rebuild ModSecurity against the APR that is actually loaded by pointing configure at it with --with-apr=/usr/bin/apr-1-config; the compiled and loaded versions then agree without touching the package set.

5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

The serial audit log writes every transaction to one file and guards it with a global mutex; the nginx worker processes, which run as the unprivileged account from the user directive, get Permission denied when they try to take that lock. The concurrent audit log writes one file per transaction under SecAuditLogStorageDir instead and does not need it.
Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The storage directory must be writable by the worker user. 0777 achieves that, but it also makes the audit trail world-writable, so any local account can delete or alter the evidence; the tighter fix is to chown /var/log/modsecurity to the worker user and use a directory mode such as 0750 with a file mode such as 0640.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614