|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
6 Q o6 S9 P, P! B
. B( Q* ]! \8 r) Z( G7 b! A* s一.准备工作
; ^! A' p; Y4 s+ o" e
- _. `4 _6 p3 O( m系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0 Q( a) r, a$ v6 q
- f) Q$ Y1 ]7 c/ S$ K7 m& gtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
: H2 f# r8 c; t. w( E& h4 d* }- ^6 [: y; k! S( A* F; w3 @
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz8 L J$ W( G L, Q) N R
9 [0 ], o: p- ~* T+ c
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
( H5 H$ T, ]. g0 c9 v$ d j3 a+ n3 q
3 Z8 C2 g. R% i) v/ h& o依赖关系:
' {% \$ l6 f- k# f4 Ztengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:; N& F! O: ~/ R6 o
) A4 d9 m$ \0 N' h; ], yyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel' U' b& [% l9 K& L9 H1 I6 \4 r
modsecurty依赖的包:pcre httpd-devel libxml2 apr# o# Q* c- P4 s+ |) b( C* m
; Y' i. K& Z7 k# c q" I; ayum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
8 t$ \ |5 w, ?2 b) ^4 ~+ @0 t6 D二.启用standalone模块并编译, \( u3 C+ h9 }2 ~5 {
- @0 B& [6 P$ V/ h4 W下载modsecurity for nginx 解压,进入解压后目录执行:! B6 C* W g$ _ }6 t/ a+ t0 q$ X
6 N( |$ S4 v9 a
./autogen.sh
% Y6 N! f+ s0 w& H; r, r./configure --enable-standalone-module --disable-mlogc
* K/ |/ M. K6 U) ~- u* z) c" hmake
' ?8 R* `+ `$ Z* n4 t7 k2 {三.nginx添加modsecurity模块
( E$ K3 O/ D7 \: B9 b0 x: E- f6 h8 r5 j a' U2 T
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
; v- u# J3 ]6 D* `/ G( Y
; i7 s3 j5 O, E5 W/ w! @./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
* N3 \2 v! i# A8 e$ l& s5 w% ^make && make install
$ ]; M; r- ]0 j& B0 P& C) Z四.添加规则
; f4 i- t8 V; B/ J/ n- X; e2 v0 t
0 ?4 c; O+ Q( p3 p: B _modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
. j6 _) Z% G* u; [ K* R" G* |0 `! p3 v9 ]
1.下载OWASP规则:; W; u6 D) Z+ g
6 E {' a6 Q- z+ R& Tgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs* t# I4 W7 @* n8 M
j2 ?" [* l( F# S- a
mv owasp-modsecurity-crs /opt/tengine/conf/
3 @5 ^( [2 f& }1 |3 x8 o- i5 Q! B( m8 [6 w. r; W
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf, a' Z6 U* _# Q
2.启用OWASP规则:/ Y/ T. ]2 X2 M+ K1 R! _
. ~) G. G. ~8 L
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
: X2 T5 t7 |4 x- A4 y. b6 a/ o3 P$ }. k+ O* M1 f
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on- D6 L/ k3 `* l7 ~# K! ]7 Q4 P
! f& b/ [6 N& W, V! ?! K! o7 howasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。9 X1 B% Z& N1 E% x
1 f: S4 |+ O8 H
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf# v3 A5 ?# H7 H' i7 K( r3 \/ a- n
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
( L, D; {4 |7 _3 T7 o: V; _1 b, HInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
7 Y1 {$ y0 L7 x$ v& ^. S& [Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
+ C* E+ m& z9 ^. GInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf9 \" d- r/ H7 S# `" s( ^ h; U/ f
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf u9 U& @# C" t9 ~( s
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
& e1 {; z6 D" w# s# b- |% T五.配置nginx
+ k( | w5 M3 t3 x9 M2 g/ d$ `1 e3 C. q* m0 ]5 ]
在需要启用modsecurity的主机的location下面加入下面两行即可:" g' v# `2 [, ~& I2 N
8 t: \- m$ T( h7 b) p/ J
ModSecurityEnabled on;
4 _+ A1 U( t2 z4 q: iModSecurityConfig modsecurity.conf;
6 y* F, V" }0 _, a下面是两个示例配置,php虚拟主机:1 e, a; u, e0 u& m- {) v4 I" \
+ p7 Q E" `. X2 jserver {
5 ?0 b- C0 h( ^( W; S listen 80;& k4 r) K2 h: V! o
server_name 52os.net www.52os.net;
$ K( A- g' W: W, ]3 f0 q- I 7 y0 R0 `4 I& V8 E! f5 S
location ~ \.php$ {0 K0 I2 ?8 v: o0 M
ModSecurityEnabled on;
1 f; ?) r u# A; A ModSecurityConfig modsecurity.conf;! j; _7 J. C! Z( A# B' {2 K2 R5 e
/ B' ?; H3 [/ V2 R root /web/wordpress;/ z0 F$ j9 V+ i4 [* I
index index.php index.html index.htm;2 a8 q+ v" Q7 c% q) {
2 G. c1 c* i. p8 V8 t5 X5 i& {
fastcgi_pass 127.0.0.1:9000;3 W7 |. ]$ d$ W _( ]+ Z! s
fastcgi_index index.php;
7 Z i+ g1 H2 r' v" a fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
4 [0 e1 F) D7 A9 r; K/ ^ include fastcgi_params;
" q, F0 z" W* Q: }# N: Z1 R }% l3 Z# g; T" B S' T0 l# ]
}
- z* \( B7 A0 `/ Q+ aupstream负载均衡:' T9 a& z* n) Q
$ a/ \* p" V0 g2 Aupstream 52os.net {
. D/ a: p, [9 \ server 192.168.1.100:8080;+ n6 S" Z0 Z5 F0 i8 a, m
server 192.168.1.101:8080 backup;: R9 K( G0 d: H C! u7 M, ]2 ~* `
}8 i7 b( e# f/ k! C [
' Y5 l! {: q- G- kserver {( V; G2 V* H7 A3 ?
listen 80;7 d9 h( R" N6 c6 Z2 v9 w
server_name 52os.net www.52os.net;
3 k7 |8 Y) ~; i, M4 Q2 e" q( a q0 \) J% p. ?
location / {
; d+ K: r- u/ m' Z! L$ [ ModSecurityEnabled on; ( ^' t: ~8 S! l' O( V! Y0 v+ a3 L, r
ModSecurityConfig modsecurity.conf; 0 R( a! [! b2 b- [1 n
' z; t$ K3 p- ~ proxy_pass http://online;5 j0 J! Z! C/ E& g# s: F2 X
proxy_redirect off;
( f, b+ ]# U, y- A2 q! Y proxy_set_header Host $host;6 H" k8 U) a% u4 q; A2 L
proxy_set_header X-Real-IP $remote_addr;
6 o; X) u; _! D proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
' c) o9 o- B [8 _# M3 T! k }
' l+ c8 k' M1 G7 l/ p5 y1 y4 }}3 b6 R& c5 P7 c0 O! q7 @. R0 V
六.测试9 X. \0 N) s H
) q* {, X* Q8 Q" W, e我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
* e8 J- i9 R9 A; x6 N9 u4 a T- Y8 p3 C3 c, N
<?php
# i% c- U4 W7 z; [1 z phpinfo(); 0 s. ^, }9 B3 w$ o; [
?>% Q7 |" Y- [, L1 Y, x
在浏览器中访问:
0 R7 U3 }+ J8 Y2 l0 N0 l& ~* Z% c6 i$ C( K' r, \# I
http://www.52os.net/phpinfo.php?id=1 正常显示。" [: g( w8 X0 W c1 ?" A
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。1 R4 q& d- ^- X+ M+ |
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
6 o7 z' j% I' s7 J H说明sql注入和xss已经被过滤了+ R* u8 H3 v6 x* U* W3 B+ k
& p7 d# r' x* m- L) Z* g
七、安装过程中排错
" P7 X' a' r4 I9 [1 M
( E$ R; k( p/ g1.缺少APXS会报错" I# G% l5 h ]& e4 T) z2 d
}, T0 M# U6 ?; Y) }6 f' }8 Mconfigure: looking for Apache module support via DSO through APXS. p2 V1 n0 M2 c, l% p
configure: error: couldn't find APXS
, S, D7 B, }+ ~, c2 [, xapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。% l# W S/ Y: J4 O" I7 j
解决方法:5 ~) p" _7 c) @+ ^% O
6 u8 S- j/ V' q. w4 ~7 X% A' x
yum install httpd-devel0 e5 ]5 j; z9 H* O: O( ~; L8 f
2.没有pcre
5 u7 k, @+ E$ N+ E, l- Q
6 o) c& @6 e. r& x( k+ o8 R0 w9 Sconfigure: *** pcre library not found.
/ B* @/ x# F# n6 e& j( j8 wconfigure: error: pcre library is required3 m+ Q+ J% X9 P' e
解决方法:3 F+ U9 z% q) u9 N1 ?) t$ p6 `
1 c4 X2 A4 \% v' e& z4 k' C" k" dyum install pcre pcre-devel
/ d' E8 ]/ ]( R+ o' @3 G3.没有libxml2) a R$ ~! `. h) k; f
3 V" I' k8 `, C a# ?
& G- c0 l; x5 O+ X
configure: *** xml library not found.# Z" y V! s" q9 Q
configure: error: libxml2 is required+ W- S+ {" }4 m1 S) V) y- R% E
解决方法:# i- }* l" N9 s D/ _
J% x- ?6 e! z3 o& byum install libxml2 libxml2-devel2 C3 I& K" W. G5 C8 R) @9 b1 l
4.执行 /opt/tengine/sbin/nginx -m 时有警告6 }: m8 V3 W1 _
8 W7 c, j) T+ G& z
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
8 \ N/ y7 q1 [7 A! M3 x7 Inginx: [warn] ModSecurity: Loaded APR do not match with compiled!$ A7 H1 z% k+ l* L* |$ V9 Y
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log7 f$ v- S3 v# y/ S5 n) s5 H( r
, W3 c) V. J$ \, E% N+ f' C
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
7 D4 t/ E; k# ?) g* ?! J* p* d; [2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
7 y; s k k/ n3 _* e0 t: g" w2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!+ n- p+ B" `: e4 ]$ g! Q2 r# f
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2 R$ E% K3 M1 W2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2 F8 a/ R* S0 F8 B3 u8 P& P2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
8 n9 I4 n9 P; K( Q+ ^1 ~9 `解决方法,移除低版本的APR (1.3.9)8 t3 J5 Y3 e/ [
8 h* ^0 t+ j; v: iyum remove apr$ M7 Y$ q- D" u4 I+ |" r
5.Error.log中有: Audit log: Failed to lock global mutex
! E" K( d4 H3 d+ N# q3 q: r& r$ Z8 x" o0 I' Q
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock : P2 X, Y' E) U5 U0 o% Y+ l
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
. \' _' n' D( ]* b6 ?$ ]/ J- G$ ]: r解决方法:
' m% e! ^6 L9 x" G) u% W# a编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:% P) I) s# O$ [& k
, Z" M5 d7 v, h4 A7 k+ K$ L8 V+ f
SecAuditLogDirMode 0777
& m; b/ v7 v* A* F# U: VSecAuditLogFileMode 0550
) @8 S1 S7 o3 m Y' h: g* o) {SecAuditLogStorageDir /var/log/modsecurity) ^ I9 F5 x7 O6 D, ?( F2 N; f
SecAuditLogType Concurrent* V- E: T- A8 X, g7 m5 F; m
参考文章:0 o! ~& c0 A) p# p- g2 s
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX9 ~3 t, T1 X7 i" y" J* {- u' ]
http://drops.wooyun.org/tips/2614 |
|