ModSecurity started out as an open-source WAF for Apache and is an effective way to harden web applications; it now also supports nginx and IIS. Combined with the flexibility and performance of nginx it can be turned into a production-grade WAF, a strong tool for both protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to nginx's configure with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity's job is to filter and block web attacks, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course also write custom rules for specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
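The "set SecRuleEngine to On, then Include the rule files you need" step is easy to get subtly wrong: a mistyped path in an Include line leaves that rule set silently disabled. The script below is an added example (not from the original post) that performs the step and fails loudly on a missing rule file. It assumes, as in the post, that modsecurity.conf and the owasp-modsecurity-crs checkout both sit in nginx's conf directory and that Include paths are written relative to it; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: script the "enable the rules you
# need" step so that a typo in a rule path fails loudly instead of silently
# leaving that rule set out. Assumptions: modsecurity.conf and the
# owasp-modsecurity-crs checkout both sit in nginx's conf directory (as in
# the post) and Include paths are written relative to it.

# set_rule_engine CONF MODE : set SecRuleEngine to MODE (the shipped
# modsecurity.conf-recommended defaults it to DetectionOnly).
set_rule_engine() {
    conf=$1; mode=$2
    if grep -q '^SecRuleEngine ' "$conf"; then
        sed -i "s/^SecRuleEngine .*/SecRuleEngine $mode/" "$conf"
    else
        printf 'SecRuleEngine %s\n' "$mode" >> "$conf"
    fi
}

# enable_crs_rules CONF CONFDIR RULE... : append "Include RULE" for each rule
# file (path relative to CONFDIR). Returns 1 on the first rule file that does
# not exist; re-running does not duplicate Include lines already present.
enable_crs_rules() {
    conf=$1; confdir=$2; shift 2
    for rule in "$@"; do
        if [ ! -f "$confdir/$rule" ]; then
            echo "enable_crs_rules: missing rule file $confdir/$rule" >&2
            return 1
        fi
        grep -qxF "Include $rule" "$conf" || printf 'Include %s\n' "$rule" >> "$conf"
    done
}

# count_includes CONF : number of Include lines in CONF (prints 0 if none).
count_includes() {
    grep -c '^Include ' "$1" || true
}
```

Typical use on the layout from the post: set_rule_engine /opt/tengine/conf/modsecurity.conf On, then enable_crs_rules /opt/tengine/conf/modsecurity.conf /opt/tengine/conf owasp-modsecurity-crs/modsecurity_crs_10_setup.conf owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf and so on, and reload nginx only if the function returned 0. The setup file modsecurity_crs_10_setup.conf must be included before any rule file, so list it first.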
V. Configure nginx

In the location block of each host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://52os.net;   # must name the upstream block above
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection rules, so abnormal requests are answered directly with 403. Taking the PHP environment as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This confirms that SQL injection and XSS are being filtered.
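The three browser checks above are worth repeating after every rule or configuration change, so here they are as a script. This is an added example, not part of the original post; it assumes curl is installed and that BASE (a hypothetical variable, defaulting to the post's host) points at the protected site. The probes are the post's own, percent-encoded the way a browser sends them. The benign request is checked for 200 as well, which catches the opposite failure: a rule set that blocks everything.

```shell
#!/bin/sh
# Added example, not from the original post: re-run the post's three manual
# checks against the WAF and compare the HTTP status codes. Assumptions: curl
# is available and BASE (hypothetical) is the root URL of the protected site.
BASE=${BASE:-http://www.52os.net}

# fetch_status URL : print only the HTTP status code for a GET of URL.
# --globoff stops curl from interpreting [] and {} inside the query string,
# so the probe reaches the WAF exactly as written.
fetch_status() {
    curl --silent --globoff --output /dev/null --write-out '%{http_code}' \
         --max-time 10 "$1"
}

# expect_status PATH_AND_QUERY EXPECTED : print a PASS/FAIL line; return 0/1.
expect_status() {
    url="$BASE$1"; want=$2
    got=$(fetch_status "$url")
    if [ "$got" = "$want" ]; then
        echo "PASS $got $1"
        return 0
    fi
    echo "FAIL expected $want got $got $1"
    return 1
}

# run_smoke_tests : the post's checks; prints a summary and returns 1 if any
# check failed (benign request blocked, or a probe let through).
run_smoke_tests() {
    fails=0
    expect_status "/phpinfo.php?id=1" 200 || fails=$((fails + 1))
    expect_status "/phpinfo.php?id=1%20and%201=1" 403 || fails=$((fails + 1))
    expect_status "/phpinfo.php?search=%3Cscript%3Ealert('xss');%3C/script%3E" 403 || fails=$((fails + 1))
    echo "failures: $fails"
    [ "$fails" -eq 0 ]
}
```

Run it with BASE=http://your-host run_smoke_tests after sourcing the file; a status of 000 in the output means curl could not connect at all, which is a different problem from a rule mismatch.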
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time, and error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
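Both of the error.log symptoms in items 4 and 5 can be picked out with a short script instead of by reading the log line by line, which also makes them easy to check from a cron job or a monitoring hook. This is an added example, not from the original post; it assumes the log lines have exactly the shape shown above, and LOG (a hypothetical variable) defaults to nginx's error log under the --prefix used in the post, which is an assumption about where Tengine writes it.

```shell
#!/bin/sh
# Added example, not from the original post: triage the two error.log symptoms
# from items 4 and 5 by parsing the log. Assumptions: the lines look exactly
# like the ones quoted in the post; LOG (hypothetical) is Tengine's error log
# under the post's --prefix.
LOG=${LOG:-/opt/tengine/logs/error.log}

# library_mismatches LOG : print "NAME compiled=X loaded=Y" for every
# 'ModSecurity: NAME compiled version="X"; loaded version="Y"' notice whose
# versions differ (the APR case in item 4). Only the first token of each
# version is compared, so PCRE's '7.8 ' vs '7.8 2008-09-05' is not flagged.
# Returns 1 if at least one mismatch was found, 0 otherwise.
library_mismatches() {
    sed -n 's/.*ModSecurity: \([A-Z]*\) compiled version="\([^"]*\)"; loaded version="\([^"]*\)".*/\1|\2|\3/p' "$1" |
    awk -F'|' '{ split($2, c, " "); split($3, l, " ");
                 if (c[1] != l[1]) { print $1 " compiled=" c[1] " loaded=" l[1]; bad = 1 } }
               END { exit bad ? 1 : 0 }'
}

# mutex_failures LOG : one line per "Failed to lock global mutex" error
# (item 5) with the client, uri and unique_id pulled out of the bracketed
# fields, so the affected requests can be correlated once the audit log works.
mutex_failures() {
    grep 'Audit log: Failed to lock global mutex' "$1" |
    sed 's/.*\[client \([^]]*\)\].*\[uri "\([^"]*\)"\].*\[unique_id "\([^"]*\)"\].*/client=\1 uri=\2 unique_id=\3/'
}

# triage LOG : run both checks; returns 1 if anything needs attention.
triage() {
    status=0
    library_mismatches "$1" || status=1
    n=$(mutex_failures "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || { echo "audit log mutex failures: $n"; status=1; }
    return $status
}
```

Calling triage "$LOG" after a restart gives a non-zero exit only when one of the two conditions is present, so the same command can gate a deployment: a library mismatch means the module was built against different headers than the runtime libraries, and mutex failures mean the audit log is not being written and blocked requests are going unrecorded.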
3 y+ Y9 p4 B( @; O5 v# N5 @参考文章:. o" J: A& ~9 w, n+ o5 p' Q" }
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
8 Z/ I+ |6 E8 P: e& q( r! _+ ~http://drops.wooyun.org/tips/2614 |
|