ModSecurity started life as an open-source WAF for Apache and noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for both protecting and auditing web applications. (The 2.x "standalone" nginx module used below was later superseded by libmodsecurity v3 and the ModSecurity-nginx connector; the procedure here is specific to 2.8.0.)

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build has finished, the module is added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Afterwards, /opt/tengine/sbin/nginx -V prints the configure arguments; the --add-module entry for modsecurity should appear there, which confirms the binary you are about to run is the one that was built with the module.
IV. Add rules

ModSecurity's job is to filter and block web attacks, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which logs matches without blocking; on a site with real traffic it is worth running in that mode first and switching to On only after the false positives have been tuned out, because a blocking rule that fires on legitimate requests is an outage.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by Include-ing them in modsecurity.conf. The 10_setup file has to come first, since the rule files depend on the variables and default actions it sets:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
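The custom rules the paragraph above mentions look like the following. This is an added example, not part of the original post or of the CRS: three local rules placed around the CRS Includes in modsecurity.conf. The rule ids (10000, 10001) are our own choice from the 1-99999 range reserved for local use, the 10.0.0.0/8 monitoring network and the "content" form field are assumptions for illustration, and 981243 stands in for whichever CRS rule the audit log shows firing on legitimate traffic.

```apache
# Added example (not from the original post or the CRS). Everything the
# recommended modsecurity.conf already sets (SecRuleEngine, body access,
# audit log settings) is assumed to be above this point.

# 1. Allow-list an internal monitoring network (assumed 10.0.0.0/8) so health
#    checks never count against the DoS/brute-force rules. ctl:ruleEngine=Off
#    only affects rules that run after it, so this phase:1 rule must sit
#    BEFORE the CRS Includes to cover the CRS's own phase-1 rules.
SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" \
    "id:10000,phase:1,pass,nolog,ctl:ruleEngine=Off"

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf

# 2. Positive validation for the test script from section VI: phpinfo.php only
#    takes a numeric "id". The two rules form a chain: the deny on the first
#    rule applies only when the second rule also matches, i.e. when an "id"
#    argument is present and is not purely numeric.
SecRule REQUEST_FILENAME "@endsWith /phpinfo.php" \
    "id:10001,phase:2,deny,status:403,log,msg:'phpinfo.php: non-numeric id parameter',chain"
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$"

# 3. Tune a false positive without disabling a whole rule: exclude one
#    argument (hypothetical WordPress field "content") from one CRS rule
#    (placeholder id 981243). This directive must come AFTER the Include that
#    defines the rule, otherwise ModSecurity rejects it at startup.
SecRuleUpdateTargetById 981243 "!ARGS:content"
```

Check the file with a reload rather than a restart first: a syntax error in modsecurity.conf stops the whole nginx from starting, while a reload keeps the old workers serving until the new configuration parses.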
V. Configure nginx

In the location of the virtual host that should be protected, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. Note that the directives only apply inside the location they appear in: in the PHP vhost below only requests matching \.php$ are inspected (which is what the test in section VI relies on), while static files served by the same vhost bypass ModSecurity entirely. To inspect every request, put the two lines in the location / that serves the site, as the upstream example does.

PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

upstream load balancing:

# the upstream name must match the one used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered directly with 403. Taking the PHP environment as an example, create phpinfo.php with the content:

<?php
    phpinfo();
?>

Then request in a browser:

http://www.52os.net/phpinfo.php?id=1                                    displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1                            returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>   returns 403.

This shows the SQL injection and XSS payloads are being filtered. Delete phpinfo.php once the test is done: it discloses the PHP build, loaded extensions and environment variables, and since the WAF passes the benign request through, anyone can read it.
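The browser checks above are easy to repeat from the shell, which is useful after every rule change. This is an added example, not from the original post: it sends the same benign and malicious requests with curl and compares the status codes. It assumes curl is installed and that TARGET points at the vhost configured in section V (the URL below is the post's own example host, override it with the TARGET environment variable).

```shell
#!/bin/sh
# Added example, not from the original post: a repeatable version of the
# manual browser checks in section VI.
# Assumptions: curl is available; TARGET is the vhost configured above.
TARGET="${TARGET:-http://www.52os.net}"

# http_status URL QUERY -> prints the HTTP status code of GET URL?QUERY.
# -G with --data-urlencode URL-encodes the payload, so spaces, quotes and
# angle brackets reach the WAF exactly as the browser would send them.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
        -G --data-urlencode "$2" "$1"
}

# check EXPECTED ACTUAL LABEL -> prints PASS/FAIL/ERROR; returns 0 on match.
# curl prints 000 when it got no HTTP answer at all (refused, timeout); that is
# reported separately so a dead backend is not mistaken for a WAF block.
check() {
    if [ "$2" = "000" ]; then
        printf 'ERROR %s: no HTTP response\n' "$3"
        return 1
    elif [ "$1" = "$2" ]; then
        printf 'PASS  %s: got %s\n' "$3" "$2"
        return 0
    else
        printf 'FAIL  %s: expected %s, got %s\n' "$3" "$1" "$2"
        return 1
    fi
}

# run_smoke_tests -> runs the three checks from section VI; returns the
# number of failures, so it can gate a deployment script.
run_smoke_tests() {
    fails=0
    check 200 "$(http_status "$TARGET/phpinfo.php" "id=1")" \
        "benign request" || fails=$((fails + 1))
    check 403 "$(http_status "$TARGET/phpinfo.php" "id=1 and 1=1")" \
        "SQL injection probe" || fails=$((fails + 1))
    check 403 "$(http_status "$TARGET/phpinfo.php" "search=<script>alert('xss');</script>")" \
        "reflected XSS probe" || fails=$((fails + 1))
    return "$fails"
}

# Send traffic only when invoked as "sh waf-smoke.sh run", so the file can be
# sourced for its functions without hitting the server.
if [ "${1:-}" = "run" ]; then
    run_smoke_tests
fi
```

Run it as sh waf-smoke.sh run; a non-zero exit means at least one check failed. Keep the benign request in the set: a WAF that returns 403 for everything also "passes" the two attack checks, and only the 200 on the clean request proves the rules are selective.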
& b( C1 x0 N5 j m4 s* q7 Y5 c! I2 T0 s7 }0 m6 G
七、安装过程中排错
( M$ R4 y- ^+ z, y, G$ k; D& |
) F! G" q; w3 {6 @* g, T1 f6 B/ h1 B1.缺少APXS会报错
3 i4 E7 S6 i+ S" I. E* B' j2 a7 I( j8 Q* p8 A! V3 Q* m
configure: looking for Apache module support via DSO through APXS% ]- a- ]7 l7 H: ^: l+ s+ [8 Y3 @
configure: error: couldn't find APXS. s% F/ p4 S7 T6 k
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。2 \% C+ @" J+ I8 @
解决方法:- r' g& R x6 v- g/ S
$ n% N: p% W8 x/ K& R+ h: Y. t* |yum install httpd-devel+ N7 p) m X3 _, d$ j
2.没有pcre
% {# N- t7 _" ]; ~ D1 [( ]' ~$ ?3 D( v- L! ~6 u1 I V
configure: *** pcre library not found.9 a6 \3 W: m9 w" q
configure: error: pcre library is required1 Z8 `6 @5 Y1 b$ F( K
解决方法:9 ]- B1 Z$ l( ?$ M, z& f' t6 T" Q1 k
* D8 F2 X1 x J k: h1 d% T
yum install pcre pcre-devel
; h' T x! Z8 {# ^1 S% p3.没有libxml20 z- j: E' o9 y' G% f2 x% |) r
1 h, Z" t# k% Q- J& t. w5 X8 u) o
" G, }2 i' D; |1 Gconfigure: *** xml library not found.
+ M- }/ ?. J* Qconfigure: error: libxml2 is required
. a }3 d4 w9 \% o解决方法:# o. v: i- V. N! H
1 o7 {4 Z( R( d$ } ]
yum install libxml2 libxml2-devel# Z7 i2 z% H: q) ^- O
4.执行 /opt/tengine/sbin/nginx -m 时有警告
3 O0 o) [1 Y. p4 ? G
5 q* j% u- q ]8 gTengine version: Tengine/2.1.0 (nginx/1.6.2)
7 y M$ i0 Z8 p! y. j( fnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
+ v( ~& u0 L* x1 m. p原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log1 A. X; N6 s0 ]; W
, N2 @2 n$ j. j1 N3 u1 M3 f2 I w% T# [9 e2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.$ Q% k7 d, l" N4 C
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9". X) m: h0 c) t% K: i
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!% b' P5 k* e7 T
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
9 y- r! G# s& C- E/ J2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
) Y8 U! ^# K' C# |" o: w( s5 ?2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
$ }; @# N1 }- t0 Z& |. S解决方法,移除低版本的APR (1.3.9)
8 g& V4 r6 k% D7 ^ ^2 I; D& M' P0 t) m) E2 N- a
yum remove apr% m8 v4 \+ T' |) [ J
5.Error.log中有: Audit log: Failed to lock global mutex0 _- S8 b( [/ l. C# V/ C# T
" L {. N0 t0 ]) P" L% s4 J2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
2 ~! m" u& w0 A& x+ [1 c3 Fglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]1 k) a2 |, z2 g6 w J' X
解决方法:
$ [7 ]8 b) o5 \, X! W, Q: O编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:: U8 \9 G9 j0 s! v
1 |9 A& K* d- f" g8 Y5 d& hSecAuditLogDirMode 0777- i% _* c6 l- S4 A& }4 l
SecAuditLogFileMode 0550
0 a* t) y) I8 T# h! JSecAuditLogStorageDir /var/log/modsecurity8 e$ t% p( e; z$ V5 O: w
SecAuditLogType Concurrent
7 l* P! C/ x2 k参考文章:
& W% t" V: e0 O& f; |) k6 Thttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX5 t/ X& s- K k; q
http://drops.wooyun.org/tips/2614 |
|