|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。4 s. Z/ E8 U/ P; p- k
+ G9 ~, f2 [1 O* @/ @: |
一.准备工作
: ^' q! M0 e+ d: p3 J9 s0 q" N* m4 F7 Y' Y" T6 p
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0( D7 G4 W, e1 k
7 k# |% c! Q' D9 q9 T- a5 L
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz1 i6 f" B$ @2 }
, q# Z5 G5 [7 F# @. Omodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz. c& q1 e( y, r
6 n, q1 l' d e3 U' zOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
6 }1 N: ?& q( U5 y0 V
+ B' W. |5 ^$ w0 t( f; H依赖关系:
, f# T" y* p" q- ntengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
6 y2 w0 b8 T% s$ d5 q0 l/ }8 g; T2 m* k$ i, s
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel- q6 g5 ?# d6 Q; \- d1 a
modsecurty依赖的包:pcre httpd-devel libxml2 apr
: ]3 F2 L8 w' E9 C4 f9 i2 M
4 b5 B. N& O! H5 {yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
6 _) }1 m( a% I( j' X$ x/ _6 K二.启用standalone模块并编译
0 b0 h; ]( Z/ O9 e: A" y, I ?$ }& A6 e0 a1 y
下载modsecurity for nginx 解压,进入解压后目录执行:
( a& y# ~& r4 s+ f/ p7 q2 U; S+ S/ |
./autogen.sh# }- |1 t# v) [+ K# X0 l% q
./configure --enable-standalone-module --disable-mlogc' R! S. |( B7 E
make 7 y# P8 {3 J5 ]- j: s/ n, M, m
三.nginx添加modsecurity模块
) O. {# A' s" Q/ |! P' z
% A! K9 M4 p$ ?( e% @4 A在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:' r/ E- g" P' F0 g
2 ^2 i5 K% ^, i6 h: H9 X; U3 T$ @./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine/ n/ U; j7 V, @ t
make && make install0 b' U0 G# m7 N7 f
四.添加规则
5 } L; [) A: F- ^6 _# t. F, o6 n" G: |# {1 z
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
! p8 ^0 U8 Q, u' F0 ?3 v& ]
# f! c+ h/ u8 L7 t* y- K# J1.下载OWASP规则:4 ~6 _: v1 b' w8 I
0 }0 v6 C7 i( a' m$ O+ B
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs( E3 k" s6 l# p: u' S& [
# a, s* t3 J# a L4 V
mv owasp-modsecurity-crs /opt/tengine/conf/
5 x0 |& ~ k8 I6 b* ?2 z C( [6 v3 n3 D ^* R
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf& w/ U. B4 B3 `" P! {" z+ `
2.启用OWASP规则:. A5 N7 D5 ]1 M- w/ O$ x5 X
& _9 t# T7 @) ~复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。( A" B/ J9 K' m! s! ]) m
: e! ?5 z8 ^4 z; k: \编辑modsecurity.conf 文件,将SecRuleEngine设置为 on3 ^! Q' g5 G! @$ i
0 I" t. M) Y" W. S* S' dowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。5 C; s# e4 Z4 d! I4 i
! _% G8 A( z$ ~; h9 e3 VInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf7 p+ _. Y! X2 n) n3 n$ D8 K( ~9 J
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf0 M& V: {, S9 w# k/ q
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
+ O, Q7 }) A. O2 KInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
1 H3 a0 p# ~0 J# q1 y3 C `Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
( z8 o3 q! x& \' U2 MInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf8 ^! A; O. o( j( u$ Q; T
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
8 ]9 v6 V4 C' ?% I, x5 |五.配置nginx
0 u; v7 Y+ n! y2 M7 A' Y) Q/ y" x9 f( \% e5 i
在需要启用modsecurity的主机的location下面加入下面两行即可:
D! D1 p$ s1 e# P! a
' V( \" N6 q" W( [( n; o# s: u2 \ModSecurityEnabled on; 0 _9 h8 l- g& }& d3 M
ModSecurityConfig modsecurity.conf;
3 U4 B/ ^! p" i( ^0 w下面是两个示例配置,php虚拟主机:! l1 d, k) t" k, E
3 m' i1 q) @# C5 }! c: y9 [
server {
, x/ ^* T X B& t listen 80;7 c/ i j7 ^: B8 o6 K
server_name 52os.net www.52os.net;
- P5 B6 R% z) t, y
1 g2 x/ H5 ~9 r; Y' f, b* ^" q location ~ \.php$ {
4 v$ z+ ^* F+ j+ y ModSecurityEnabled on; $ {; u& S% t, {* f' W" r7 I
ModSecurityConfig modsecurity.conf;
& }0 \0 H" u: A) y
. D5 v! Z" E/ l" I' o root /web/wordpress; s7 S: Y3 l4 C: x, C) C( Q
index index.php index.html index.htm;/ X) K3 P- j# T: Y6 [3 X
- G% ? r/ `3 g- h2 o
fastcgi_pass 127.0.0.1:9000;/ P! l" |3 e- `! }7 Q
fastcgi_index index.php;
8 x- N+ T0 W3 T, o fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;' A6 X9 Z6 v' L7 _) `
include fastcgi_params;
9 Q, u5 z- p3 Y0 o0 I- N S6 B, M8 x }; z7 J9 Z$ J" k& A4 i
}1 C$ w* j3 b+ y8 W
upstream负载均衡:
5 V1 X3 I' P( E
; P5 f7 d9 F5 y9 h5 \upstream 52os.net {
. i! Z) X) U$ c+ ^5 v server 192.168.1.100:8080;+ |3 u$ Z7 h$ q. Q/ a
server 192.168.1.101:8080 backup;
' `+ A6 W0 _0 }+ b}! [" o9 M" \/ Z
9 e2 d* S2 G& R/ V% w$ T, ]2 e
server {
( \7 J4 @% E7 K2 ]% Alisten 80;
& i% V+ B) u. z9 Bserver_name 52os.net www.52os.net;
" k# f7 p1 f2 K [6 p# ?3 ?: l+ q, b; c
location / {9 L" j8 a2 W- |
ModSecurityEnabled on; 3 s6 T' N- ]7 j6 u* R
ModSecurityConfig modsecurity.conf; , H6 S I: R |+ |" f
5 @! I4 O9 v8 h! D6 B5 U proxy_pass http://online;0 u: [8 X d N: ^: P% ~" h0 V J
proxy_redirect off; Y; c# |2 g* X" |) l7 t& c
proxy_set_header Host $host;
/ s8 k1 m# w0 X9 d/ \# A: A proxy_set_header X-Real-IP $remote_addr;: O: ~, w2 s% n; v* Q* u2 @5 H8 f
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;: L9 Y: F) x' W5 }8 L! d: P
}
) q( ?, q# e6 j0 ~}# M2 q3 D: X7 r# t
六.测试+ v3 x8 L' a8 ~$ D
( H& T8 d1 J5 p) D9 |7 d; _我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
" W9 _& U: u+ m6 ?0 z
) } m5 `- A! c, z1 U0 d<?php! |* s8 c( ?" m6 q
phpinfo();
( r2 q+ [! d# V5 |. f0 e?>
/ N! i( z7 ~0 d+ t在浏览器中访问:- {& r# l/ U5 ?8 t
8 S# v- @( e! H9 c! W |' h
http://www.52os.net/phpinfo.php?id=1 正常显示。. }: T9 S V( ]: C2 ?1 f- R
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。5 ~& n8 h. t. z( n
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
/ d+ v# e j/ O6 V说明sql注入和xss已经被过滤了
6 l2 q3 {. ]. U8 {( [$ _
4 f% e- P$ ?5 o+ e/ a( C七、安装过程中排错1 q- { s8 P n, [ m
$ V0 r0 U$ A. l: ?' K7 \
1.缺少APXS会报错
9 a( @. A9 ^* i/ w/ A! R
2 {8 z6 i# d+ @. Cconfigure: looking for Apache module support via DSO through APXS' m! r) h8 a. @' q, D7 C4 t9 E5 c9 e
configure: error: couldn't find APXS
% @- o# w- T [1 a" v" Dapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
f' t" z8 f6 h5 L# ^解决方法:/ h8 [* N" T" h9 N1 M1 S2 W2 C
: H7 B `/ Y) F) k7 i& t& qyum install httpd-devel
6 S/ y* I( e! n+ n2.没有pcre% @' f! I: l! E5 e& k$ q* n8 [2 v+ ?
( J; y1 j, A, ?. c9 c" e* C5 m
configure: *** pcre library not found.+ }0 x% L5 m8 w; a* o |! X
configure: error: pcre library is required
. N% y: f+ c( i4 |/ M9 r. V解决方法:8 D, T: ~8 X* G0 M. n, n, t
# v& V0 F* N# w) n" Vyum install pcre pcre-devel
/ J5 U2 c0 D$ |9 G5 S* O3.没有libxml2
! H3 Y- S0 H( \2 v6 o0 b; m
8 @- Q& _: _% d$ i$ }
+ C: j. Y& N' _( h# M$ g6 O- D& Aconfigure: *** xml library not found.3 y" h( ^, R% D7 W0 A
configure: error: libxml2 is required/ y. o0 a* k' L4 g0 i) v
解决方法:
: A3 e& k1 R7 U5 J9 x* ?* S& N. l! X
yum install libxml2 libxml2-devel- ]3 r0 {2 D2 t# E8 e
4.执行 /opt/tengine/sbin/nginx -m 时有警告2 {, f9 K$ T, |4 ]7 J; [
9 ?: }0 _+ j$ r$ D, p
Tengine version: Tengine/2.1.0 (nginx/1.6.2)* D8 a1 i8 F; \
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!8 X- B# ^) Q, h: K; M0 o9 u
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log+ B2 _ f7 G" [9 @
: J( n" @; h, [& C5 \% b/ { I$ p
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.$ j4 M+ Z( p- j+ u p+ s
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
6 g' B& ?1 w+ m" V) @2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!+ A/ q4 W! b! Y4 |& D' ~( m
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05" @3 J0 W: y/ n- H% ?& H
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"0 X2 A" U" l& `$ w4 g# c
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
" _3 B% P* f% T解决方法,移除低版本的APR (1.3.9)
* F: R$ s# x! O6 N1 ?) Q4 j( p$ `/ i2 t3 @* Q {+ M% w
yum remove apr
4 H9 R7 N8 |; t! W9 ?' M5.Error.log中有: Audit log: Failed to lock global mutex
k- \" n5 W7 {# C0 ?* F! M9 ?$ i [) z4 q2 [. o; b5 o1 v
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 3 J/ X% r4 a' @. z5 O/ a
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
7 Z7 Z3 \+ x+ j% @9 {) g7 D解决方法:+ O, Q( \" Y q/ ]6 i2 e; z
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
! J" T7 F9 S3 u* r1 ]6 s# _7 ^6 i9 A! K( Z
SecAuditLogDirMode 0777- O4 I, x; ]+ u3 p' I `
SecAuditLogFileMode 0550( e7 Z: w; U4 H& L8 j! U
SecAuditLogStorageDir /var/log/modsecurity
' h1 h4 y9 v' T/ S) t0 fSecAuditLogType Concurrent
7 k1 {( z2 J; H5 q2 d8 X b2 Q8 N: F/ u参考文章:6 V! _& ?7 n2 o* ]
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX C [5 i5 r% M% C
http://drops.wooyun.org/tips/2614 |
|