|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。' | R Z" z4 ]: M/ B
) q: ?! w+ Q! w1 X$ j$ N
一.准备工作. ^9 H" n* M& m7 [$ v/ \# ]
& ]2 }5 N% I' \8 K* o* D% N# _系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0% S2 n7 k8 L: A, L* F, L7 N5 D
2 i: |' a# y0 U" p5 T5 t
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
* n9 V$ @! a; ^4 b
. W. V+ n& S$ _6 pmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
9 P# @/ K4 j9 z6 [5 E$ [
; Q6 v2 ?; X- E, @OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs9 z; Y) r1 {% x: L q+ K
) w# w1 W8 Q( f$ C依赖关系:. F7 m/ a% x2 _1 a8 J" e, p, s
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:3 g2 M0 L# S( T% r7 m0 a: B$ I
6 c$ ?, Y! b8 H7 G; ~9 A- b
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel" l/ W" \( f W; g; M: G& V. r
modsecurty依赖的包:pcre httpd-devel libxml2 apr
3 U# c2 c0 Z) j' m; h+ y# M, b0 X0 i4 I: p9 ^3 O
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel) R: F0 v8 p7 B" X7 ^; A, b
二.启用standalone模块并编译) ~4 h# A; s9 j
" b) h' Y: y) Y' u下载modsecurity for nginx 解压,进入解压后目录执行:" |. _2 B$ Z0 |' h; ~/ r
. |/ e. q+ H5 G" t& F( K, F, O
./autogen.sh
- C8 d0 H( ]: z9 `/ B./configure --enable-standalone-module --disable-mlogc
8 o% q7 F2 ]& A+ h3 e* dmake - I4 K3 C( F. O+ C
三.nginx添加modsecurity模块1 W; w; _' O: n! S( S/ c( a
' W* y& n v! V" q, L# V* O; R在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
" X- z% K. r# ?' r# `( ?9 f
" D, {6 u/ ]! R# r0 M./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
& f. t$ C$ I9 [make && make install
5 r/ W6 z7 `: X7 b四.添加规则+ u5 d. s* M6 x7 I
. E# L$ C7 ?+ i0 l% {; x P) Vmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。* x# T6 c, L9 O2 ?; t. I
6 z0 F; Z: s" T/ C
1.下载OWASP规则:
0 d0 }4 C- v) @ n6 y4 X% a" b( c3 {* S0 ~0 z$ t7 j% ]' G
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
6 Z7 f! ]+ k+ \# |0 O9 d/ R$ ?* y% k0 G% `& J: I$ K9 `; l
mv owasp-modsecurity-crs /opt/tengine/conf/. X5 L3 N4 e/ W+ \: p
8 {' s" H0 Q$ A; ]cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf/ n* ? x) G* O+ G9 ^
2.启用OWASP规则:
4 u& m! C" `1 m9 E/ Z& ?
6 `+ C( [, a" @. q7 V6 n, Z复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
% C2 Z& S7 Z% \' @9 m s4 k
4 ~' w+ [2 i' Z编辑modsecurity.conf 文件,将SecRuleEngine设置为 on* s' \( M4 ]/ E. w
' p- D* ^, H6 R
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。/ j2 @8 ]" l$ Z" `! Q3 ]
. V6 n( I* w Q7 dInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
6 L1 C1 C( D4 P; JInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
5 }0 K, m% I4 k" E- V7 X, bInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf6 s& X m+ m" R& c) I% K
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
. I* `( y. c, G+ {& e# zInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
3 J9 @' X! a; U# O3 p6 nInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
8 v& a9 L4 k& V7 fInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
2 W. k+ @6 T3 i9 \5 H# }* X. [五.配置nginx$ F' i5 e2 K+ d C2 \, U) N
) G4 Z% ]4 S0 b7 q0 z$ |. Z在需要启用modsecurity的主机的location下面加入下面两行即可:9 v$ M, s+ V* L0 O; ?
1 P5 _6 E0 r4 t/ L' bModSecurityEnabled on;
# y9 \& `1 z0 o* S- RModSecurityConfig modsecurity.conf;/ q- n7 H) _. e5 f3 x# @% |, H
下面是两个示例配置,php虚拟主机:9 z4 K6 Q- M2 k' ]- j' d% ?! b
2 D: D$ k; I) g; y
server {) X/ M2 `2 U- \% {. D
listen 80;" P N! C2 b% P! l
server_name 52os.net www.52os.net;# D/ |& {/ L1 h
3 ~5 f, m: p+ ~$ O
location ~ \.php$ {% I6 z6 |# C# k7 @
ModSecurityEnabled on; * A* `; c' t5 Z& k+ a! h0 I" [
ModSecurityConfig modsecurity.conf;: h& T+ t+ J; E& |" T8 E
! s; S, H$ @ q3 Y root /web/wordpress;
. _; C: @* o& F index index.php index.html index.htm;
/ j- K7 O$ s7 x9 t 9 f' D) ]. Z4 ?
fastcgi_pass 127.0.0.1:9000;* i8 w: e$ g: }' N! k
fastcgi_index index.php;4 C/ D" z2 {' S& d; E: R% g. L
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;2 P' g8 ~/ q! X
include fastcgi_params;1 S- P2 p- V# g1 a$ }5 J `, v1 t
}
9 Q8 Y( Y* H Y }) n J6 l+ C8 f2 I5 P0 Z+ X$ @
upstream负载均衡:' n9 l: k) [* C. c5 J8 E* }
2 A! Q# p2 [" s. K6 `upstream 52os.net { g ~2 U; Y% ]$ C% z
server 192.168.1.100:8080;& \" r6 a+ n$ A" C4 v
server 192.168.1.101:8080 backup;3 v$ O Z3 b7 q/ Q' ~) _( h
}
1 v# {. |; J( q1 c8 K: x% D1 t* n4 K2 B
server {
* Q7 n8 q1 W( q: }3 A: Nlisten 80;
3 @) s0 z9 g4 J9 `6 B) A, vserver_name 52os.net www.52os.net;
/ `% O! _- k/ e% E; C0 l. O0 b4 e
& r5 O. W- j* x% Glocation / {9 G) B0 V$ y6 n) I0 w8 `
ModSecurityEnabled on; & A4 g: g- a S) n) q
ModSecurityConfig modsecurity.conf;
& E. v) f( e# q' N( ?) `1 f, B- d N7 w" X4 L0 t0 }2 d! [
proxy_pass http://online;
0 M4 t. j7 |: l8 T1 `7 E* ]; S. u proxy_redirect off;
, c) }# ?3 K7 p: k! `. Y proxy_set_header Host $host;
# z+ T7 ?: I: z) K U+ Y$ G proxy_set_header X-Real-IP $remote_addr;
# r3 d+ G5 T( ?6 H# s6 j proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' t. @* P# _% C/ I1 K
}
/ ?. d$ f1 i1 E}
3 W* Z9 }% r4 M, J( k. D; j" c* V六.测试
. P, ?: B# \3 a b* K6 S% w5 a$ l2 A8 q9 T3 ]& M
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:$ Y5 s/ V# A& P& I$ S
/ N" w. K' \/ r- {
<?php4 M" {) v Y% `* K
phpinfo();
4 ~( Q5 v8 F) d! A2 w+ ^7 t6 K?>- B p# i" G$ c6 b4 t& D
在浏览器中访问:
9 U4 P7 _& Q4 ^ X
" E) I T( G8 H6 `( ihttp://www.52os.net/phpinfo.php?id=1 正常显示。
. N/ b+ p! u0 A& \; j" ]5 W, ~http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。2 u2 H$ e3 N$ x; B3 z3 J. d0 v
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。3 @6 b/ Z" ]. |1 T
说明sql注入和xss已经被过滤了
; x. O9 i" T' ~ I/ b; V1 M I( h% z3 n9 Y* k
七、安装过程中排错
1 v; q4 W2 u% t( J+ T1 X
4 H7 T$ V/ m- O& b, R& ^1.缺少APXS会报错
5 y' \8 q& u3 E/ Y' i$ P$ P; ?4 ]: m5 c6 G2 T; D" p7 z9 ~
configure: looking for Apache module support via DSO through APXS
* M+ X6 F3 M$ E- Jconfigure: error: couldn't find APXS
: m( c5 S; t/ e, l, e/ gapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。& U) v, k. W6 P$ A
解决方法:
`: Q6 o& f a8 C5 y+ Y! ^
( Z/ q0 k' q' G9 F; Vyum install httpd-devel
7 W1 r; x. ]' U6 z2 X2.没有pcre; z! w( ]/ a4 a
+ `7 @* M6 \' p$ w" B& u1 h) E
configure: *** pcre library not found.
8 M1 ?8 u" L0 l2 r. f& ]1 aconfigure: error: pcre library is required
( Z7 S) d: h' q解决方法:
. P) j9 i5 N6 l. h; M2 ]/ P4 c8 e4 A/ s" q8 _6 w- C/ F
yum install pcre pcre-devel
, w8 t/ A. V9 M; h7 l3.没有libxml2
' [+ p4 i* h6 K2 D0 G; U( z5 |. Q3 p9 R) n9 d8 s$ e- ~' X' x
0 f$ G V& V% vconfigure: *** xml library not found.% u- U ^' v% s1 k
configure: error: libxml2 is required
. T4 X4 r* S7 l4 ]7 b( B- y解决方法:: E; v$ y8 K+ ?% a
. K! }% k5 _% m2 l$ Wyum install libxml2 libxml2-devel5 o; m, \7 ?9 y5 | B
4.执行 /opt/tengine/sbin/nginx -m 时有警告8 K0 h/ T( G- N2 H% k1 }: j
; x* W& V5 ^) ^
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
; u0 @* \8 w }9 Tnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
1 P6 n6 A7 E7 C* J, N原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
1 q6 X8 u8 U# p1 y4 Y1 ^: s2 O- r# g' l0 X8 \8 N5 j8 f
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2 I& s$ d1 S/ s/ A' y5 n& X! ]$ p' d2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
3 h: _8 ]7 u" S+ \' V2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!4 s0 {( T6 d9 W) ?+ v+ i
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
8 z; U: F3 p0 E2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6" b# r. P: [/ m! q/ W$ {7 o j
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
4 m5 m& G! P3 m1 |2 r0 `; {& I解决方法,移除低版本的APR (1.3.9)
7 Y9 U% m5 Z" @
& v, g" n3 T$ Xyum remove apr
5 S! k- ?7 ]2 M# r* L5.Error.log中有: Audit log: Failed to lock global mutex- V+ ~2 A7 Y2 X$ @9 f! c
. D. `) p0 u+ u% U) g# ]
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
$ [" f0 ]$ u& m0 F( i jglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]( `* u6 A* G$ U6 c9 P& _. B! S
解决方法:
6 a2 e) V5 \0 }* L1 g编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
. k* r: e5 l& A7 Q4 J( P9 u& |6 l. x
SecAuditLogDirMode 07779 R( q& o- a$ k) Z& o$ r. A; B
SecAuditLogFileMode 05500 C- T5 i) b7 a0 M, r9 R. _' U( k
SecAuditLogStorageDir /var/log/modsecurity
- J/ ^! O; k& b+ qSecAuditLogType Concurrent8 s: g; C( {: ^' T' q# U) P$ X
参考文章:
& s+ H# }) g/ s9 e6 Thttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
. e3 t6 h* q# z( v& K5 R4 }! xhttp://drops.wooyun.org/tips/2614 |
|