ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports Nginx and IIS. Combined with nginx's flexibility and efficiency, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre httpd-devel libxml2 apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, it can be added when nginx is configured, using "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
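The three sections above are one build procedure, and most of the failures listed in the troubleshooting section are configure stopping on a missing build tool. The script below is an added example, not code from the article: it checks for each tool before building, printing the yum package from the troubleshooting section for anything missing, and then runs the same autogen/configure/make steps. The ModSecurity source path is the one the article uses in --add-module; the Tengine source path and the "all" argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: preflight check plus build driver for
# sections I-III (ModSecurity 2.8.0 standalone module, then Tengine 2.1.0).
# Assumptions: MODSEC_SRC follows the path the article uses in --add-module;
# TENGINE_SRC is assumed (the article never names the Tengine source dir).
MODSEC_SRC="${MODSEC_SRC:-/root/modsecurity-2.8.0}"
TENGINE_SRC="${TENGINE_SRC:-/root/tengine-2.1.0}"
PREFIX="${PREFIX:-/opt/tengine}"

# require_tool NAME PACKAGE
# Succeeds when NAME is on PATH; otherwise prints the yum package that
# provides it (taken from the troubleshooting section) and fails.
require_tool() {
    if command -v "$1" >/dev/null 2>&1; then
        return 0
    fi
    echo "missing $1 -> yum install $2" >&2
    return 1
}

# preflight: probe for every tool ModSecurity's configure looks for, so the
# build stops here with a package hint instead of at "couldn't find APXS".
# Reports all missing tools, not just the first, and returns 1 if any is absent.
preflight() {
    rc=0
    require_tool apxs         httpd-devel   || rc=1
    require_tool pcre-config  pcre-devel    || rc=1
    require_tool xml2-config  libxml2-devel || rc=1
    require_tool apr-1-config apr-devel     || rc=1
    return $rc
}

# install_deps: the two yum lines from section I.
install_deps() {
    yum install -y zlib zlib-devel openssl openssl-devel pcre pcre-devel &&
    yum install -y httpd-devel apr apr-util-devel apr-devel libxml2 libxml2-devel
}

# build_modsecurity: section II, standalone module only (subshell keeps cwd).
build_modsecurity() {
    ( cd "$MODSEC_SRC" && ./autogen.sh &&
      ./configure --enable-standalone-module --disable-mlogc && make )
}

# build_tengine: section III, compile the module into Tengine under PREFIX.
build_tengine() {
    ( cd "$TENGINE_SRC" &&
      ./configure --add-module="$MODSEC_SRC/nginx/modsecurity/" --prefix="$PREFIX" &&
      make && make install )
}

# Only run the full procedure when asked ("sh build.sh all"), so the file can
# also be sourced just for preflight.
if [ "${1:-}" = "all" ]; then
    install_deps && preflight && build_modsecurity && build_tengine
fi
```

Running `sh build.sh all` installs the packages, verifies apxs, pcre-config, xml2-config and apr-1-config are present, and only then starts compiling; sourcing the file and calling `preflight` alone is a quick way to confirm a host is ready before touching the sources.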
IV. Add rules

ModSecurity is built to filter and block web threats, and its strength lies in its rules. The rules OWASP provides are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to cover any further need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file (the setup file must come first):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of every host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are lower-case; $Document_root would be rejected at startup
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests get a 403 straight away. Taking the PHP environment as the example, create a phpinfo.php with the content:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
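The browser test above is easy to repeat from the command line after every rule change. The script below is an added example, not part of the article: it sends the same three requests with curl and checks the status codes. A browser percent-encodes the space and the angle brackets before sending; curl's -G with --data-urlencode does the same, so the WAF sees the request the browser test produced. The BASE URL defaults to the article's host, and it is an assumption that phpinfo.php is deployed there.

```shell
#!/bin/sh
# Added example, not from the article: command-line smoke test for the three
# requests in section VI. BASE defaults to the article's host; that
# phpinfo.php is served there is an assumption.
BASE="${BASE:-http://www.52os.net}"

# http_status PATH NAME VALUE: GET PATH?NAME=VALUE and print only the status code.
# -G + --data-urlencode percent-encodes the payload the way a browser would.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode "$2=$3" "$BASE$1"
}

# expect_status PATH NAME VALUE CODE: print PASS/FAIL, return 0 on a match.
expect_status() {
    got=$(http_status "$1" "$2" "$3")
    if [ "$got" = "$4" ]; then
        echo "PASS $4 $1?$2=$3"
        return 0
    fi
    echo "FAIL expected $4 got $got $1?$2=$3"
    return 1
}

# smoke_test: the article's three cases; returns the number of failures,
# so a non-zero exit means the WAF is not behaving as section VI describes.
smoke_test() {
    fails=0
    expect_status /phpinfo.php id '1' 200                                  || fails=$((fails + 1))
    expect_status /phpinfo.php id '1 and 1=1' 403                          || fails=$((fails + 1))
    expect_status /phpinfo.php search "<script>alert('xss');</script>" 403 || fails=$((fails + 1))
    return $fails
}

# Run only when asked ("sh waf_smoke.sh run"); the exit code is the failure count.
if [ "${1:-}" = "run" ]; then
    smoke_test
fi
```

Point BASE at the host under test (`BASE=http://127.0.0.1 sh waf_smoke.sh run`) to verify the rules before exposing the change; a FAIL on the first case means a legitimate request is being blocked, which is the false positive to investigate in the audit log.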
VII. Troubleshooting during installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
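The version notices in item 4 are written at every startup, so the mismatch can be caught by reading error.log rather than by noticing the [warn] line. The function below is an added example, not code from the article: it extracts each "compiled version"/"loaded version" pair and reports the libraries that disagree. It compares only the leading token of each version string, which is why the PCRE line from the article ("7.8 " against "7.8 2008-09-05") is not reported while the APR line is, and it skips the LIBXML line, which carries no loaded version. The sample log is the one quoted in item 4.

```shell
#!/bin/sh
# Added example, not from the article: detect the "compiled vs loaded"
# library mismatch from item 4 by reading the notices ModSecurity writes
# to error.log at startup.

# version_mismatches: read error.log on stdin and print one line
# "LIB compiled=X loaded=Y" per library whose versions disagree.
# Only the leading token is compared: the PCRE line (7.8 vs "7.8 2008-09-05")
# is not a mismatch, and the LIBXML line, which has no "loaded" part, is skipped.
version_mismatches() {
    awk '
        /ModSecurity: [A-Z]+ compiled version=/ {
            lib = ""
            for (i = 2; i <= NF; i++) if ($i == "compiled") lib = $(i - 1)
            n = split($0, q, "\"")          # q[2] = compiled, q[4] = loaded
            compiled = q[2]; loaded = (n >= 4) ? q[4] : ""
            split(compiled, c, " "); split(loaded, l, " ")
            if (loaded != "" && c[1] != l[1])
                print lib " compiled=" c[1] " loaded=" l[1]
        }'
}

# sample_error_log: the startup notices quoted in item 4 of the article.
sample_error_log() {
    cat <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
EOF
}

# check_log [FILE]: run the check on FILE, or on the sample when FILE is empty.
# Prints the mismatches and returns 1 when there is at least one.
check_log() {
    if [ -n "${1:-}" ]; then
        out=$(version_mismatches < "$1")
    else
        out=$(sample_error_log | version_mismatches)
    fi
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Check the file given as $1 (e.g. /opt/tengine/logs/error.log), or the sample.
check_log "${1:-}" ||
    echo "mismatch found: rebuild ModSecurity against the loaded library or remove the old one (item 4: yum remove apr)" >&2
```

Run it against the real log after `yum remove apr` and a restart: an empty result confirms the loaded APR now matches the version ModSecurity was compiled with.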
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614