ModSecurity started out as an open-source WAF for Apache and noticeably strengthens web application security. It now supports Nginx and IIS as well; combined with the flexibility and performance of Nginx it can be built into a production-grade WAF and is a strong tool for protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (Nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 base repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download and unpack ModSecurity for Nginx, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to Nginx

Once the standalone build is done, the ModSecurity module is added to the Nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and custom rules can of course be written to cover other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the Nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need, pulling each rule file in with an Include directive:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure Nginx

Add the following two lines to the location block of each host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, malicious requests are answered with a 403 directly. Taking the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS attempts are being filtered.
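As an added example (not code from the original post), the three browser checks above as a repeatable smoke test: it sends the benign request and the two probes to the host and path named in the post and reports any status that differs from what the post expects. The User-Agent string and the CASES table are this example's own; the expected codes are the ones stated in the text.

```python
"""Smoke-test a freshly deployed ModSecurity/Nginx WAF.

Added example, not part of the original post. It replays the
three probes from the Testing section and checks that the benign
request still passes (HTTP 200) while both malicious probes are
blocked (HTTP 403). Host and path come from the post; the CASES
table is constructed for this example."""
import urllib.error
import urllib.parse
import urllib.request

# (query parameters, expected status) - taken from the post's three tests
CASES = [
    ({"id": "1"}, 200),                                   # benign request
    ({"id": "1 and 1=1"}, 403),                           # SQL injection probe
    ({"search": "<script>alert('xss');</script>"}, 403),  # XSS probe
]

def fetch_status(base_url, params, timeout=5):
    """GET base_url?params and return the HTTP status; urllib raises
    on 4xx/5xx, so a 403 is recovered from the exception."""
    url = base_url + "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code

def evaluate(observed, cases=CASES):
    """Compare observed status codes (in CASES order) with the expected
    ones; an empty result means the rules are active and the benign
    request was not blocked."""
    failures = []
    for (params, expected), got in zip(cases, observed):
        if got != expected:
            failures.append("%s: expected %d, got %d"
                            % (urllib.parse.urlencode(params), expected, got))
    return failures

def run(base_url="http://www.52os.net/phpinfo.php"):
    """Send every probe to base_url and return the list of failures."""
    return evaluate([fetch_status(base_url, p) for p, _ in CASES])

if __name__ == "__main__":
    for line in run() or ["all checks passed"]:
        print(line)
```

A 200 on the two malicious probes usually means SecRuleEngine is still DetectionOnly or the rule files were not included, while a 403 on the benign request points at a false positive.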
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
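The log lines in items 4 and 5 are easier to act on when parsed than when read by eye. The following added example (not code from the post or from ModSecurity) pulls the compiled vs. loaded library versions out of the start-up notices and the bracketed fields out of the audit-log error, using the post's own lines as constructed input.

```python
"""Parse the ModSecurity lines nginx writes to error.log.

Added example, not part of the original post: it reports the compiled vs.
loaded library mismatch from the start-up notices (troubleshooting item 4)
and extracts the bracketed fields of an audit-log error (item 5). The
sample lines are the ones shown in the post."""
import re

SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""
# '<LIB> compiled version="x"; loaded version="y"' (the loaded part is optional)
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?')
# timestamp, client and message of an [error] line, up to the first [hostname] field
ERROR_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[error\] \S+ \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<msg>.*?)(?= \[hostname )')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # trailing [key "value"] fields

def version_mismatches(text):
    """Return {lib: (compiled, loaded)} for each library whose loaded
    version differs from the compiled one. Only the leading numeric token
    is compared, so PCRE's '7.8 ' vs '7.8 2008-09-05' is not reported."""
    result = {}
    for m in VERSION_RE.finditer(text):
        if m.group("loaded") is None:
            continue  # the LIBXML notice reports only the compiled version
        compiled = m.group("compiled").split()[0]
        loaded = m.group("loaded").split()[0]
        if compiled != loaded:
            result[m.group("lib")] = (compiled, loaded)
    return result

def parse_errors(text):
    """Return one dict per [error] line with ts, client, msg and the
    bracketed fields after the message (hostname, uri, unique_id)."""
    entries = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            entry = m.groupdict()
            entry.update(FIELD_RE.findall(line[m.end():]))
            entries.append(entry)
    return entries
```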
Reference articles:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614