ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to nginx's configure with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is designed to filter and block dangerous web traffic, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write your own rules to cover specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines for them to modsecurity.conf, for example:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of every virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing (the upstream name must match the one used in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with a 403. Taking the PHP environment as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
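A 403 on its own does not tell you which rule fired. The following is an added example, not code from the original post: a small Python parser for the ModSecurity messages nginx writes to error.log (the bracketed [id "..."] [uri "..."] fields), which tallies blocked requests per rule and URI and also counts audit-log failures such as the mutex error in the troubleshooting section. The log lines embedded in it are constructed, not a real capture, and the rule ids and file paths in them are illustrative.

```python
import re
from collections import Counter

# Bracketed fields ModSecurity appends to its messages, e.g. [id "950901"] [uri "/phpinfo.php"].
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# nginx error.log prefix: "date time [level] pid#tid: [client ip] message" (client part optional).
HEAD_RE = re.compile(r'^(\S+ \S+) \[(\w+)\] (\d+)#\d+: (?:\[client (\S+)\] )?(.*)$')
DENIED_RE = re.compile(r'Access denied with code (\d+)')

def parse_line(line):
    """Parse one error.log line; returns None unless it is a ModSecurity message."""
    m = HEAD_RE.match(line.strip())
    if not m or "ModSecurity:" not in m.group(5):
        return None
    ts, level, _pid, client, msg = m.groups()
    entry = {"time": ts, "level": level, "client": client, "kind": "info",
             "status": None, "fields": dict(FIELD_RE.findall(msg))}
    denied = DENIED_RE.search(msg)
    if denied:                        # a rule fired and blocked the request (the 403 seen above)
        entry["kind"] = "blocked"
        entry["status"] = int(denied.group(1))
    elif "Audit log:" in msg:         # audit-log failure, e.g. the mutex error in section VII
        entry["kind"] = "audit_error"
    return entry

def summarize(lines):
    """Count blocked requests per (rule id, uri) and the number of audit-log errors."""
    blocked, audit_errors = Counter(), 0
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["kind"] == "blocked":
            blocked[(e["fields"].get("id"), e["fields"].get("uri"))] += 1
        elif e["kind"] == "audit_error":
            audit_errors += 1
    return blocked, audit_errors

# Constructed sample (not a real capture): two CRS 2.x blocks for the test requests above,
# the mutex error from section VII, and one startup notice. Rule ids and paths are illustrative.
SAMPLE_LOG = """2015/01/26 04:20:11 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED0001"]
2015/01/26 04:20:15 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "31"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED0002"]
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
"""

if __name__ == "__main__":
    blocked, audit_errors = summarize(SAMPLE_LOG.splitlines())
    for (rule_id, uri), n in blocked.most_common():
        print(f"rule {rule_id} blocked {uri} {n}x")
    print("audit log errors:", audit_errors)
```

Run it against a real error.log by replacing SAMPLE_LOG.splitlines() with the file's lines; a non-zero audit-error count means the 403s are being enforced but not recorded in the audit log.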
VII. Troubleshooting the installation

1. Missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same mismatch:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following, which switches from the single serial audit log (the one that needs the global mutex) to one file per transaction:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 makes the audit directory world-writable; it only needs to be writable by the user the nginx worker processes run as, so a mode such as 0750 with that user as owner is sufficient.

References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614