ModSecurity started out as an open-source WAF for Apache and noticeably hardens a web site; it now supports Nginx and IIS as well. Combined with Nginx's flexibility and efficiency it can be built into a production-grade WAF, a useful tool for both protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for Nginx, extract it, and run the following inside the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build has finished, add ModSecurity when compiling nginx with "--add-module" (the path below assumes the ModSecurity tarball was extracted under /root):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built for filtering and blocking web attacks, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and strong, and you can of course write custom rules for anything it does not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which logs matches without blocking; it is worth keeping that setting for a first run against real traffic so that false positives show up in the log rather than as 403s, and only then switching to On.

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need by Include-ing their files; the list below goes at the end of modsecurity.conf, and the setup file must come first because the later rule files rely on the variables it defines:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

In each server block that should be protected, add these two lines to the location:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
Two example configurations follow. First, a PHP virtual host. ModSecurity is attached to the PHP location only, so requests for static files in this vhost are not inspected:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Second, upstream load balancing. Here the directives sit in location /, so every request to the vhost passes through ModSecurity before being proxied:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered with a 403 straight away. Taking the PHP environment as the example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. The browser percent-encodes the spaces and angle brackets before sending the request; ModSecurity decodes the query arguments before matching, so the encoding does not change the outcome. Remove phpinfo.php once the test is done, since it discloses the server configuration to anyone who can reach it.
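A repeatable version of this check, added here as an example and not part of the original post: it sends the three requests above with urllib (so the payloads are percent-encoded exactly as a browser would send them), compares each status code with what the rules should produce, and flags a blocked benign request as loudly as an unblocked attack. The base URL and the waf-smoke-test User-Agent string are assumptions; the page only shows the browser URLs.

```python
"""WAF smoke test for the phpinfo.php probes above (added example, not from the original post).

Each probe is (description, query parameters, expected HTTP status). The benign request
must still pass (200); the SQL tautology and the reflected-XSS payload must be denied (403).
"""
import urllib.error
import urllib.parse
import urllib.request

# Assumed base URL: replace with the vhost you configured in section V.
BASE_URL = "http://www.52os.net/phpinfo.php"

# The three requests from the test section, kept as parameter dicts so urlencode
# percent-encodes them the way a browser would ("1 and 1=1" becomes "1+and+1%3D1").
PROBES = [
    ("benign numeric id", {"id": "1"}, 200),
    ("SQL tautology", {"id": "1 and 1=1"}, 403),
    ("reflected XSS", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base, params):
    """Attach percent-encoded query parameters to the base URL."""
    return base + "?" + urllib.parse.urlencode(params)


def fetch_status(url, timeout=5):
    """Return the HTTP status of a GET; a 4xx/5xx answer is a result, not an exception."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})  # assumed UA
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def evaluate(observed, probes=PROBES):
    """Pair observed status codes with the probes; return [(description, expected, observed, ok)]."""
    if len(observed) != len(probes):
        raise ValueError("one observed status per probe is required")
    return [
        (desc, expected, got, got == expected)
        for (desc, _params, expected), got in zip(probes, observed)
    ]


def all_passed(report):
    """True only if every probe produced the expected status (no miss and no false positive)."""
    return all(ok for _desc, _expected, _got, ok in report)


def run(base=BASE_URL):
    """Send every probe against the live vhost and return the evaluated report."""
    observed = [fetch_status(build_url(base, params)) for _desc, params, _expected in PROBES]
    return evaluate(observed)


if __name__ == "__main__":
    for desc, expected, got, ok in run():
        print(f"{'PASS' if ok else 'FAIL'}  {desc}: expected {expected}, got {got}")
```

With SecRuleEngine still at DetectionOnly the two attack probes come back 200 and the run reports FAIL for them even though the rules matched; in that mode the evidence is in error.log, not in the status code. A FAIL on the benign probe after switching to On means a rule is blocking legitimate traffic and needs a look before the vhost goes live.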
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time, and error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Before doing so, confirm which library nginx actually loads and what else the package removal will take with it: ldd /opt/tengine/sbin/nginx | grep apr shows the libapr-1.so being picked up, and rpm -q --whatrequires apr lists the dependents yum will remove alongside it (apr-devel, and through it httpd-devel, are among them; both were only needed for the build).
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent mode writes one file per transaction under the storage directory instead of serialising every worker onto a single log file through the shared lock that the unprivileged worker processes were being denied. 0777 on the directory is wider than needed: it only has to be writable by the user the nginx workers run as, so creating /var/log/modsecurity owned by that user and using SecAuditLogDirMode 0750 keeps other local accounts out of the audit logs, which can contain complete requests.
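Added here as an example, not from the original post or from the ModSecurity project: a small parser for the ModSecurity entries that land in nginx's error.log, run over the lines quoted in items 4 and 5 above plus one constructed "Access denied" line. It extracts the nginx prefix (time, level, pid, client), the [key "value"] fields such as hostname, uri and unique_id, counts denials per rule id, and flags compiled-versus-loaded library mismatches the way the APR warning does. The "Access denied" sample, its pattern and its rule number are constructed for the demonstration; the field layout is ModSecurity 2.x's, and the version check is an approximation of what ModSecurity does at startup.

```python
"""Parse ModSecurity 2.x entries from nginx error.log (added example, not from the original post)."""
import re
from collections import Counter

# Constructed sample input. Lines 1-3 are copied from the log excerpts in items 4 and 5;
# line 4 is a constructed rule hit in ModSecurity 2.x's format (illustrative pattern and rule id).
SAMPLE_LOG = [
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"',
    r'2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\b1\s*=\s*1\b" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-0001"]',
]

# nginx prefix: "YYYY/MM/DD hh:mm:ss [level] pid#tid: [client ip] ModSecurity: message"
PREFIX_RE = re.compile(
    r'^(?P<time>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<message>.*)$'
)
# One [key "value"] field; values may contain backslash-escaped quotes.
FIELD_RE = re.compile(r'\[([A-Za-z_]+) "((?:[^"\\]|\\.)*)"\]')
# The startup notices: LIB compiled version="x"; loaded version="y"
VERSION_RE = re.compile(
    r'(?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"(?:; loaded version="(?P<loaded>[^"]*)")?'
)


def parse_line(line):
    """Return a dict for a ModSecurity entry, or None for unrelated error.log lines."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    fields = {}
    for key, value in FIELD_RE.findall(entry["message"]):
        if key == "tag":                      # tag repeats per rule; keep every value
            fields.setdefault("tag", []).append(value)
        else:
            fields[key] = value
    entry["fields"] = fields
    entry["denied"] = entry["message"].startswith("Access denied")
    # Human-readable part: everything before the first [key "value"] block.
    first = FIELD_RE.search(entry["message"])
    entry["text"] = entry["message"][: first.start()].strip() if first else entry["message"]
    return entry


def parse_log(lines):
    """Parse an iterable of error.log lines, skipping non-ModSecurity entries."""
    return [e for e in (parse_line(line) for line in lines) if e]


def version_mismatches(entries):
    """Return (lib, compiled, loaded) for libraries whose loaded version does not start with
    the compiled one. PCRE's date suffix passes this test; APR 1.3.9 against 1.5.0 does not."""
    out = []
    for e in entries:
        vm = VERSION_RE.match(e["message"])
        if vm and vm.group("loaded") is not None:
            compiled = vm.group("compiled").strip()
            if not vm.group("loaded").startswith(compiled):
                out.append((vm.group("lib"), compiled, vm.group("loaded")))
    return out


def denied_by_rule(entries):
    """Count Access-denied entries per rule id: a quick view of which CRS rules are firing."""
    return Counter(e["fields"].get("id", "?") for e in entries if e["denied"])


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        print(e["level"], e["client"], e["fields"].get("uri"), "|", e["text"])
    print("version mismatches:", version_mismatches(parsed))
    print("denials per rule:", dict(denied_by_rule(parsed)))
```

Feed it the real error.log (for example, the lines matching "ModSecurity:" from tail -f) while running the tests from section VI: the rule ids in denied_by_rule are what you look up in the CRS files when deciding whether a hit on legitimate traffic is a false positive to tune out.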
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614