ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx it can be turned into a production-grade WAF, a sharp tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, tengine 2.1.0, modsecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 base repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity needs: pcre, httpd-devel, libxml2, apr

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download modsecurity for nginx, unpack it, and run the following inside the unpacked directory:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make

III. Add the modsecurity module to nginx

Once the standalone module is built, it can be added to nginx at compile time with "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install
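The steps of sections I to III collected into one build script. This is an example added here, not code from the original post or from the tengine or ModSecurity projects; it uses the versions, download URLs and paths the post gives, assumes it runs as root on CentOS 6.5 with curl installed, and keeps the configure-argument assembly in small functions so the --add-module path can be checked before anything is compiled:

```sh
#!/bin/sh
# Added example, not from the original post: sections I to III as one build script.
# Versions, URLs and paths are the post's own; assumes root on CentOS 6.5 with curl.
set -eu

TENGINE_VER=2.1.0
MODSEC_VER=2.8.0
PREFIX=/opt/tengine       # same --prefix as in section III
WORKDIR=/root             # where the two tarballs are unpacked

# Path handed to --add-module: the standalone module lives under nginx/modsecurity
# inside the unpacked modsecurity source tree.
modsec_module_dir() {
    printf '%s/modsecurity-%s/nginx/modsecurity\n' "$1" "$2"
}

# The tengine ./configure arguments, built as a string so they can be checked first.
tengine_configure_args() {
    printf '%s %s\n' "--add-module=$(modsec_module_dir "$1" "$2")" "--prefix=$3"
}

install_deps() {
    # section I: nginx needs pcre, zlib and openssl; modsecurity needs httpd-devel
    # (for apxs), apr and libxml2
    yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel \
        httpd-devel apr apr-util-devel apr-devel libxml2 libxml2-devel
}

fetch_sources() {
    cd "$WORKDIR"
    [ -f "tengine-$TENGINE_VER.tar.gz" ] ||
        curl -fLO "http://tengine.taobao.org/download/tengine-$TENGINE_VER.tar.gz"
    [ -f "modsecurity-$MODSEC_VER.tar.gz" ] ||
        curl -fLO "https://www.modsecurity.org/tarball/$MODSEC_VER/modsecurity-$MODSEC_VER.tar.gz"
    tar xzf "tengine-$TENGINE_VER.tar.gz"
    tar xzf "modsecurity-$MODSEC_VER.tar.gz"
}

build_modsecurity() {
    # section II: build only the standalone module, without Apache or mlogc
    cd "$WORKDIR/modsecurity-$MODSEC_VER"
    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make
}

build_tengine() {
    # section III: compile tengine with the module added
    cd "$WORKDIR/tengine-$TENGINE_VER"
    # word splitting of the argument string is intended here
    ./configure $(tengine_configure_args "$WORKDIR" "$MODSEC_VER" "$PREFIX")
    make
    make install
}

verify_build() {
    # the module must appear in the configure arguments the installed binary reports
    "$PREFIX/sbin/nginx" -V 2>&1 | grep -q 'add-module=.*modsecurity'
    echo "modsecurity module is compiled into $PREFIX/sbin/nginx"
}

# The build runs only when invoked as "sh build-waf.sh run"; without the argument
# the file just defines the functions above.
if [ "${1:-}" = "run" ]; then
    install_deps
    fetch_sources
    build_modsecurity
    build_tengine
    verify_build
fi
```

Run it as `sh build-waf.sh run`; `verify_build` fails (and, with `set -e`, stops the script) if the installed binary does not report the modsecurity module among its configure arguments.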
IV. Add rules

ModSecurity is about filtering and blocking web threats, and its strength lies in its rules. The rule set OWASP provides is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course write custom rules for any other need.

1. Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the modsecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever you need: a rule file is enabled simply by adding an Include line for it to modsecurity.conf:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In each location of the virtual hosts where ModSecurity should be active, add these two lines:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # nginx variable names are case-sensitive: $document_root, not $Document_root
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

Upstream load balancing:

    upstream 52os.net {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            # the name after http:// must match the upstream block above
            proxy_pass http://52os.net;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered with 403 directly. Taking the PHP setup as an example, create a phpinfo.php containing:

    <?php
    phpinfo();
    ?>

Open these in a browser:

    http://www.52os.net/phpinfo.php?id=1 is displayed normally.
    http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
    http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
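The same three checks as a repeatable script, so the WAF can be re-verified after every rule or configuration change. This is an example added here, not part of the original post; http://www.example.test is a placeholder base URL, the phpinfo.php path and the two test strings are the post's own, and the status codes it expects (200, 403, 403) are the ones the post reports. The only non-obvious part is percent-encoding the query values, because the post's test strings contain spaces, quotes and angle brackets that curl will not accept in a raw URL:

```sh
#!/bin/sh
# Added example, not from the original post: replay the three checks from section VI
# with curl and compare the status codes with the ones the post reports (200, 403, 403).
# http://www.example.test is a placeholder; run as: sh waf-smoke.sh http://www.example.test

# Percent-encode one ASCII string (RFC 3986 unreserved characters pass through).
urlencode() {
    _s=$1
    _out=''
    while [ -n "$_s" ]; do
        _c=${_s%"${_s#?}"}      # first character of what is left
        _s=${_s#?}              # drop it
        case $_c in
            [A-Za-z0-9._~-]) _out="$_out$_c" ;;
            *) _out="$_out$(printf '%%%02X' "'$_c")" ;;
        esac
    done
    printf '%s\n' "$_out"
}

# Request BASE + PATH ? PARAM = VALUE (value encoded) and print only the HTTP status.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1$2?$3=$(urlencode "$4")"
}

# Compare an observed status with the expected one; prints PASS/FAIL, returns 0/1.
check() {
    if [ "$1" = "$2" ]; then
        printf 'PASS %s (%s)\n' "$3" "$1"
        return 0
    fi
    printf 'FAIL %s (expected %s, got %s)\n' "$3" "$2" "$1"
    return 1
}

# The three requests from section VI against one base URL; exit status 0 only if all pass.
smoke_test() {
    _base=$1
    _rc=0
    check "$(http_status "$_base" /phpinfo.php id '1')" 200 'plain request' || _rc=1
    check "$(http_status "$_base" /phpinfo.php id '1 and 1=1')" 403 'SQL injection rule' || _rc=1
    check "$(http_status "$_base" /phpinfo.php search "<script>alert('xss');</script>")" 403 'XSS rule' || _rc=1
    return $_rc
}

if [ -n "${1:-}" ]; then
    smoke_test "$1"
fi
```

A non-zero exit status means at least one check failed: the plain request being blocked points at a false positive in the enabled rules, a test request passing with 200 means the rule file is not included or SecRuleEngine is still DetectionOnly.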
VII. Troubleshooting the installation

1. Missing APXS causes an error

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP Server; it builds one or more source or object files into a dynamic shared object.
Fix:

    yum install httpd-devel

2. pcre not found

    configure: *** pcre library not found.
    configure: error: pcre library is required

Fix:

    yum install pcre pcre-devel

3. libxml2 not found

    configure: *** xml library not found.
    configure: error: libxml2 is required

Fix:

    yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9). yum also removes every package that depends on apr, so read the list it prints before confirming.

    yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following (the storage directory must exist and be writable by the user the nginx workers run as):

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent
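Both of the run-time problems in items 4 and 5 surface only in error.log, so it is worth having a small triage script that recognises them by parsing ModSecurity's message formats. The script below is an example added here, not from the original post; the SAMPLE_LOG lines are constructed from the ones shown above, and the version check compares only the first token of each version string so that PCRE's "7.8 " versus "7.8 2008-09-05" is treated as the same release while APR 1.5.0 versus 1.3.9 is reported:

```sh
#!/bin/sh
# Added example, not from the original post: triage ModSecurity messages in nginx's error.log.
# SAMPLE_LOG is constructed from the lines the post shows (items 4 and 5 above).

SAMPLE_LOG='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]'

# Print the [key "value"] pairs of one ModSecurity alert line as key=value, one per line.
# ([client 1.2.3.4] carries no quotes and is handled separately by client_of.)
modsec_fields() {
    printf '%s\n' "$1" | grep -o '\[[a-z_]* "[^"]*"\]' \
        | sed 's/^\[\([a-z_]*\) "\([^"]*\)"\]$/\1=\2/'
}

# Print the client address of an alert line, or nothing if there is none.
client_of() {
    printf '%s\n' "$1" | sed -n 's/.*\[client \([^]]*\)\].*/\1/p'
}

# For a 'LIB compiled version="x"; loaded version="y"' notice, print a finding when the
# first token of x differs from the first token of y; print nothing otherwise.
version_mismatch() {
    printf '%s\n' "$1" \
        | sed -n 's/.*ModSecurity: \([A-Z]*\) compiled version="\([^"]*\)"; loaded version="\([^"]*\)".*/\1 \2 \3/p' \
        | awk '$2 != $3 { print $1 " mismatch: compiled=" $2 " loaded=" $3 }'
}

# Read an error.log on stdin and print one finding per interesting line.
triage_log() {
    while IFS= read -r line; do
        case $line in
            *'compiled version='*)
                version_mismatch "$line" ;;
            *'Failed to lock global mutex'*)
                uri=$(modsec_fields "$line" | sed -n 's/^uri=//p')
                printf 'audit log mutex error: client=%s uri=%s\n' "$(client_of "$line")" "$uri" ;;
        esac
    done
}

# Usage: triage_log < /opt/tengine/logs/error.log
# Running the script with "demo" as its argument triages the constructed sample instead.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | triage_log
fi
```

On the sample it prints one line for the APR mismatch and one for the mutex error with the client address and URI; the PCRE and LIBXML notices produce nothing, and `modsec_fields` can be reused on any ModSecurity alert line to pull out fields such as unique_id for correlation with the audit log.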
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614