ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS, and combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, it is added to nginx at build time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is designed to filter and block web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to cover any other need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need; each rule file you want active is pulled in with an Include line in modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
1 G% n3 A' F( S0 C五.配置nginx# U3 a3 Z" X. C
+ T' r4 h3 |, I4 R. ~. F- R; J
在需要启用modsecurity的主机的location下面加入下面两行即可:6 o4 r0 y5 c4 ^% l% s$ r
' `, K- J- V' TModSecurityEnabled on;
3 |: D/ e* Q& L/ _+ }- WModSecurityConfig modsecurity.conf;* ~' U9 }# u9 v! |$ o, Q5 k3 d: ?
下面是两个示例配置,php虚拟主机:
: n; m4 k0 ]. U4 s4 ^2 ~, d' P" ?5 t8 S
server {
; T& ^: [& F9 a: o7 L) e listen 80;
+ Q H1 P @, J server_name 52os.net www.52os.net;2 m& W9 X) E6 ?% [! l7 b
' S4 r/ U7 G% e; R
location ~ \.php$ {- U" b, u/ I7 y; m
ModSecurityEnabled on; : Q$ j8 M$ j" D D$ V# Q" k# R0 W0 v
ModSecurityConfig modsecurity.conf;
0 }! D: x% n0 W; }% \" i1 K+ u/ D }" |6 [0 W
root /web/wordpress;
9 J' d' l/ E3 Y) s index index.php index.html index.htm;
& ~" g$ D8 ]6 G2 k* B" m: G
, {5 `# B/ G5 |5 k$ m fastcgi_pass 127.0.0.1:9000;
6 `# D8 l) T' s1 V) M0 g9 W fastcgi_index index.php;
" r" [" M( @3 C. x fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
+ C# C# v9 S) S2 S+ G( n: [ include fastcgi_params;# A# O. V; s. {: o* t4 f" T
}
[9 B0 K( C2 F4 ? }
* K, ^8 }0 q: W1 @+ G( O8 _& zupstream负载均衡:& h$ H/ s7 Y& c' ^
6 g8 j# g. f P1 e e) F% u3 i
upstream 52os.net {. l# [' E: A+ H' o2 ^; X
server 192.168.1.100:8080;9 |: x" C$ F* b% M0 W3 d
server 192.168.1.101:8080 backup;
0 t+ V! ^/ [- I" [* t7 W- Q}
. {% `6 C* m8 `% I2 u
1 X! P: o: M1 H: E# ]server {
$ M; z% l& [1 S- ]: h2 W4 glisten 80;
! s1 f z+ H3 b) Nserver_name 52os.net www.52os.net;
8 J: E( D# R0 F+ I, Q
$ ~1 }. [' V+ rlocation / {7 S% i/ q/ s8 h
ModSecurityEnabled on; + N0 W* K+ J* j O6 ~4 n( t
ModSecurityConfig modsecurity.conf;
: v1 h6 |8 a4 F8 u5 t; z4 J5 O4 G9 `! j8 X$ P# g+ m: S! H$ ~; r
proxy_pass http://online;
5 e) {) m9 H! f' B( ] proxy_redirect off;
/ s F& |: w2 _2 m4 Y! z proxy_set_header Host $host;+ g Z" p9 B) y- G n. c
proxy_set_header X-Real-IP $remote_addr;
, Y: g2 b1 S- Y2 d7 h7 C' F2 g proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; }+ o# V& `/ H! [
}$ d: P. a& e# ~2 r
}# y$ F* `1 `3 g2 [
VI. Testing

With the XSS and SQL injection filters enabled, malicious requests are answered directly with 403. Using the PHP environment as the example, create a phpinfo.php with the following content:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
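The same three checks as a repeatable smoke test, added here as an example rather than code from the original article. It assumes the host name from the article (www.52os.net, substitute your own vhost) and shows two details the browser test hides: the probes must be percent-encoded before they are sent, and urllib reports the 403 as an exception whose code is the result you want.

```python
from urllib.error import HTTPError, URLError
from urllib.parse import quote
from urllib.request import urlopen

# Host under test; the article's examples use www.52os.net, so point this at your own vhost.
BASE = "http://www.52os.net/phpinfo.php"

# (query string, expected status): the three requests from the test section above.
# The benign request must be served; the SQL-injection and XSS probes must get a 403 from the CRS.
CASES = [
    ("id=1", 200),
    ("id=1 and 1=1", 403),
    ("search=<script>alert('xss');</script>", 403),
]


def http_status(url, timeout=5):
    """GET url and return its HTTP status; 4xx/5xx are results here, not exceptions."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status
    except HTTPError as e:          # urllib raises on 403, but the code is what we want
        return e.code
    except URLError:                # host unreachable: report None rather than crash
        return None


def run_checks(base=BASE, cases=CASES, fetch=http_status):
    """Send each case and return [(url, expected, actual, ok)].

    The query is percent-encoded first (keeping '=', '&' and '/' literal) so the spaces
    and angle brackets in the probes survive the trip; ModSecurity decodes them again
    before the rules match, which the browser test above relies on implicitly.
    """
    results = []
    for query, expected in cases:
        url = base + "?" + quote(query, safe="=&/")
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


def all_pass(results):
    """True only if every probe got exactly the status the rule set should produce."""
    return all(ok for _, _, _, ok in results)


if __name__ == "__main__":
    for url, expected, actual, ok in run_checks():
        print("PASS" if ok else "FAIL", f"expected={expected} got={actual}", url)
```

Run it after every rule change; a FAIL on the benign request means the rules are too strict, a FAIL on a probe means the Include lines or SecRuleEngine are not in effect.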
9 V: E- f( \6 C3 ]七、安装过程中排错
- |7 ~/ j; u. M: P! B# z8 S
+ ?! l- F8 M5 F& ^3 e1.缺少APXS会报错3 c7 B4 Y: Z2 ?: l5 [' L+ p
& L1 T3 L2 X8 C/ W8 `
configure: looking for Apache module support via DSO through APXS
p7 k s1 O2 Gconfigure: error: couldn't find APXS' u2 L5 v' l; o9 r1 Q
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。* ]/ l- w; e$ g
解决方法:
( b* f4 h3 \3 Y& x
7 n; ^$ e! c2 w; b4 c- Kyum install httpd-devel) j9 y1 P9 ]9 J, c; j
2.没有pcre$ k, B9 r0 J1 d* r8 D$ Z
5 w( S- d( w% v; @# ]* G' z
configure: *** pcre library not found.) c }9 h3 c/ B; z7 E8 o
configure: error: pcre library is required
+ X8 m @1 p" s. s解决方法:- U3 w! g$ v6 F1 V5 V/ i& u4 I- q) b9 r
2 l& ^% P; b- ?1 _ Cyum install pcre pcre-devel
5 z# a6 ^7 A* M- Z b* A3.没有libxml2
. Y$ ^9 }3 [2 s+ S+ }2 G4 x( Y% E% O/ y% S' r4 D! r
8 D# I# q! p' }- Y z! t9 d
configure: *** xml library not found.* c( r) y9 N9 I% [# t
configure: error: libxml2 is required
# l7 c* O" w* q& w7 q2 A( [; y4 p2 e/ H解决方法:
. F' }( e. D' A0 B
% V( ^6 |8 U3 N8 q: C: d; syum install libxml2 libxml2-devel
* A' _1 E2 i* W( X4.执行 /opt/tengine/sbin/nginx -m 时有警告, d# f. a9 X$ l8 d2 s
" V2 a5 i2 ?$ E% j1 p; Z0 V" _Tengine version: Tengine/2.1.0 (nginx/1.6.2)
* D- _; M1 @, ^/ ^nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
% [3 c6 }* t' c7 G/ J& T* u" W$ y) t2 I原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log7 w8 G5 K0 X" [0 D9 ]) m: s: z9 l
$ u$ c- B- U8 |4 m. R- M6 d2 P
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
$ j, r' t, i6 _9 M3 f2 T0 p$ V2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
# P2 M0 ?1 W% {2 E. }; @2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
+ u, M) {* r0 x l2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"& ^' A3 y6 l' A4 I9 ^
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
" U/ N3 ]" t; h+ F' \2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
4 q" U! d3 E) z( p& X, W解决方法,移除低版本的APR (1.3.9)
) ?2 W# n- a" e6 I* F7 P, E2 b/ s% R. B
yum remove apr
: @6 E' b! E" R5.Error.log中有: Audit log: Failed to lock global mutex2 D# s& g* ]8 S" K$ z* V4 L
5 g: x6 k9 Q1 ]7 O/ @) f2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock # k4 N! D" v6 `1 Y& `; j; c
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
" w& W* U, p; I0 N0 B; T解决方法:5 B5 u" t$ }3 x1 S9 O7 \! L
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:/ c! L8 ~2 W/ Q6 A
+ f# g9 f: \+ K
SecAuditLogDirMode 0777
% |1 z1 t$ E \5 D% J& eSecAuditLogFileMode 0550% C/ C0 l2 U9 p$ ?5 c
SecAuditLogStorageDir /var/log/modsecurity$ h1 I0 |7 X* A* {! m/ b. M3 r
SecAuditLogType Concurrent2 t: O1 l/ E5 y6 i' N1 T) p1 V u* M6 [
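A small parser for the error.log lines quoted in items 4 and 5, added here as an example and not part of the original article. It turns each line into a structured event, flags library version mismatches while ignoring the harmless PCRE build-date suffix, and pulls the client, uri and unique_id out of audit-log failures so they can be fed to monitoring; the sample lines are constructed from the excerpts above.

```python
import re

# Constructed sample: nginx error.log lines in the shape ModSecurity 2.x writes,
# taken from troubleshooting entries 4 and 5 above (not a real capture).
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# "<date> <time> [<level>] <pid>#<tid>: <message>"
LINE_RE = re.compile(r'^(\S+ \S+) \[(\w+)\] (\d+)#\d+: (.*)$')
# Quoted key/value fields ModSecurity appends, e.g. [uri "/i.php"]
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
VERSION_RE = re.compile(r'ModSecurity: (\w+) compiled version="([^"]*)"; loaded version="([^"]*)"')


def parse_line(line):
    """Split one error.log line into time, level, pid, message, client and bracket fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, level, pid, msg = m.groups()
    client = CLIENT_RE.search(msg)
    return {"time": ts, "level": level, "pid": int(pid), "msg": msg,
            "client": client.group(1) if client else None,
            "fields": dict(FIELD_RE.findall(msg))}

def version_mismatches(lines):
    """Return (library, compiled, loaded) for libraries whose release really differs.

    Only the first token is compared: PCRE '7.8 ' vs '7.8 2008-09-05' is one release
    with a build date appended, while APR 1.5.0 vs 1.3.9 is the mismatch nginx warns about.
    """
    def base(v): return (v.split() or [""])[0]
    out = []
    for line in lines:
        m = VERSION_RE.search(line)
        if m and base(m.group(2)) != base(m.group(3)):
            out.append((m.group(1), m.group(2).strip(), m.group(3).strip()))
    return out

def audit_log_failures(lines):
    """Events whose audit log write failed, such as the global mutex permission error."""
    events = (parse_line(ln) for ln in lines)
    return [e for e in events if e and e["level"] == "error" and "Audit log:" in e["msg"]]
```

An audit-log failure means the request was inspected but left no audit record, so alerting on these lines matters as much as alerting on the blocks themselves.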