ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

一. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
二. Enable the standalone module and build it

Download ModSecurity for nginx, extract it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
三. Add the ModSecurity module to nginx

Once the standalone module is built, add it to the nginx build with "--add-module" at configure time:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
四. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for whatever you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by pulling them into modsecurity.conf with Include directives:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
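A typo in one of those Include paths only shows up when nginx refuses to load the configuration. The following shell script is an added example (not code from the original post or from the ModSecurity project) that resolves every Include directive in modsecurity.conf against the nginx conf directory and reports any file that does not exist. It assumes relative Include paths are resolved from the conf directory, as the layout above implies; the demo function builds its own scratch copy of the layout in a temporary directory, so it runs without a real installation.

```shell
#!/bin/sh
# Added example, not code from the original post: check that every Include
# directive in modsecurity.conf resolves to a real file before nginx is
# reloaded. A rule file that cannot be read makes the configuration fail to
# load, so a typo in the Include list is cheaper to catch here than during
# a reload.
#
# check_includes <modsecurity.conf> <nginx conf dir>
# Prints one line per missing file; returns 0 only when every include resolves.
check_includes() {
    conf="$1"
    confdir="$2"
    missing=0
    # "read" splits on whitespace, so $path is the first word after "Include".
    # The here-document keeps the loop in the current shell, so $missing
    # survives the loop (a pipe into "while" would run it in a subshell).
    while read -r _keyword path; do
        [ -n "$path" ] || continue
        case "$path" in
            /*) full="$path" ;;            # absolute path, used as-is
            *)  full="$confdir/$path" ;;   # assumed relative to the conf dir
        esac
        if [ ! -f "$full" ]; then
            echo "missing: $path (looked for $full)"
            missing=$((missing + 1))
        fi
    done <<EOF
$(grep -E '^[[:space:]]*Include[[:space:]]+' "$conf")
EOF
    [ "$missing" -eq 0 ]
}

# Self-contained demonstration on constructed files in a temporary directory:
# the CRS setup file and the SQL injection rules exist, the XSS rule file does
# not, so exactly one "missing:" line is printed and the check fails.
demo_check_includes() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/owasp-modsecurity-crs/base_rules"
    : > "$tmp/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf"
    : > "$tmp/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"
    cat > "$tmp/modsecurity.conf" <<'EOF'
SecRuleEngine On
# comment lines and other directives are ignored by the check
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
EOF
    check_includes "$tmp/modsecurity.conf" "$tmp"
    status=$?
    rm -rf "$tmp"
    return "$status"
}

# Real use: run against the live configuration, then let nginx validate the
# rest of the config before reloading. /opt/tengine is the prefix used in
# this post; adjust it to your own.
#   check_includes /opt/tengine/conf/modsecurity.conf /opt/tengine/conf \
#       && /opt/tengine/sbin/nginx -t && /opt/tengine/sbin/nginx -s reload
if demo_check_includes; then
    echo "demo: all includes resolve"
else
    echo "demo: missing includes found (expected: the XSS rule file was not created)"
fi
```

Chain the check with nginx -t as in the comment so that a broken rule path never reaches a running reload.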
五. Configure nginx

In the location block of each host where ModSecurity should be enabled, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

# the upstream name must match the one used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
六. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered with a 403 straight away. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
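The browser check above is easy to forget after the next rule change. The shell script below is an added example (not code from the original post) that turns the same three requests into a repeatable smoke test: the benign request must pass through with 200 and the two requests the CRS should catch must come back 403. It uses curl with -G and --data-urlencode so the spaces and angle brackets are sent the way a browser encodes them; the fetch function is held in a variable so it can be replaced by a stub when the script is run without a server, and the base URL is taken from an environment variable rather than hard-coded to the host in the post.

```shell
#!/bin/sh
# Added example, not code from the original post: a repeatable version of the
# manual browser test. Each case is "path|query|expected status". The benign
# request must be served (200) and the two CRS-triggering ones blocked (403).

# Fetch a URL and print only the HTTP status code.
# $1 = base URL plus path, $2 = raw query string (one key=value pair).
# -G sends the --data-urlencode pair as a URL-encoded GET query.
curl_status() {
    curl -s -o /dev/null -w '%{http_code}' -G "$1" --data-urlencode "$2"
}

# The fetcher is a variable so a stub can stand in for curl in tests.
FETCH=${FETCH:-curl_status}

# Run the three cases from the post against $1 (e.g. http://www.52os.net).
# Prints one line per case and returns 0 only when every status matches.
waf_smoke() {
    base="$1"
    failures=0
    while IFS='|' read -r path query expected; do
        [ -n "$path" ] || continue
        actual=$("$FETCH" "$base$path" "$query")
        if [ "$actual" = "$expected" ]; then
            echo "ok   $expected $path?$query"
        else
            echo "FAIL expected $expected got $actual $path?$query"
            failures=$((failures + 1))
        fi
    done <<'EOF'
/phpinfo.php|id=1|200
/phpinfo.php|id=1 and 1=1|403
/phpinfo.php|search=<script>alert('xss');</script>|403
EOF
    [ "$failures" -eq 0 ]
}

# Run as:  WAF_BASE=http://www.52os.net sh waf_smoke.sh
# Nothing is fetched unless WAF_BASE is set, so the file can also be sourced.
if [ -n "$WAF_BASE" ]; then
    waf_smoke "$WAF_BASE"
fi
```

A FAIL on the second or third line after a rule change means the corresponding CRS file is no longer included or SecRuleEngine is not On; a FAIL on the first line means the rules are now blocking legitimate traffic and need tuning.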
七. Troubleshooting during installation

1. A missing APXS produces this error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
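The APR mismatch in item 4 is only a warning, so it is easy to miss in a noisy startup log. The shell script below is an added example (not code from the original post) that reads ModSecurity's startup notices, pulls the compiled and loaded APR versions out of the "APR compiled version=" line, and exits non-zero when they differ, so the check can run after every rebuild or package update. The sample input is constructed from the log lines above; the "after the fix" line, with both versions at 1.5.0, is an assumption about what the notice looks like once only one APR remains installed, and the error.log path in the usage comment is assumed from the /opt/tengine prefix used in this post. One practitioner note on item 5: SecAuditLogDirMode 0777 makes the audit directory world-writable; the directory only needs to be writable by the user the nginx worker processes run as, so owning it by that user with a tighter mode is the usual hardening.

```shell
#!/bin/sh
# Added example, not code from the original post: a scriptable version of
# the APR check in item 4. It reads ModSecurity's startup notices (the lines
# it writes to error.log), extracts the compiled and loaded APR versions, and
# fails when they differ, so the mismatch is caught before the rebuilt binary
# takes traffic.

# Read startup notices on stdin. Prints "compiled=X loaded=Y" and returns
# 0 when the versions match, 1 when they differ, 2 when no APR line is found.
apr_versions_match() {
    # "head -n 1" also keeps the pipeline's status 0 when grep finds nothing,
    # so the function reports the missing line instead of aborting under set -e.
    line=$(grep 'ModSecurity: APR compiled version=' | head -n 1)
    if [ -z "$line" ]; then
        echo "no APR version line found"
        return 2
    fi
    compiled=$(printf '%s\n' "$line" | sed -n 's/.*compiled version="\([^"]*\)".*/\1/p')
    loaded=$(printf '%s\n' "$line" | sed -n 's/.*loaded version="\([^"]*\)".*/\1/p')
    echo "compiled=$compiled loaded=$loaded"
    [ "$compiled" = "$loaded" ]
}

# Constructed sample input: the notice lines from the post (1.5.0 compiled,
# 1.3.9 loaded), which must be reported as a mismatch.
demo_mismatch() {
    apr_versions_match <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
EOF
}

# Constructed sample of the same line after the fix; the loaded version is
# assumed to equal the compiled one once only a single APR is installed.
demo_match() {
    apr_versions_match <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.5.0"
EOF
}

# Real use (error.log path assumed from the /opt/tengine prefix used here):
#   grep ModSecurity /opt/tengine/logs/error.log | apr_versions_match
if demo_mismatch; then
    echo "demo: unexpected, the sample should not match"
else
    echo "demo: mismatch detected as expected; remove the stray APR and restart"
fi
demo_match
```

Because the startup notices are written every time the binary starts, the same command works as a post-restart health check, not only during installation.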
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614